Oct 23, 2025
Armis is a cyber exposure management and security company that works with Fortune 100, 200 and 500 companies and national, state and local governments to help keep critical infrastructure safe and secure. We sat down with Kam Chumley-Soltani, their National Director of OT Solutions Engineering & Strategy, to talk about water and wastewater utilities.
Q: Please tell us briefly about your background and your current role.
[Chumley-Soltani]: I am the National Director of OT Solutions Engineering and Strategy for the U.S. Public Sector at Armis, where I specialize in industrial cybersecurity and secure, resilient network architectures for critical infrastructure. I’ve supported global enterprises, federal agencies, and SLED organizations with advanced networking, cybersecurity, threat detection, and vulnerability management. Before Armis, I led Cisco’s OT Solutions Engineering team supporting the entire U.S. Public Sector, delivering end-to-end solutions in IoT/OT security, RF wireless, embedded systems, and edge computing.
Q: What are the most common cyber threats currently facing water and wastewater utilities, and how have these evolved in the last five years?
[Chumley-Soltani]: Cyber threats facing water and wastewater utilities have evolved with the convergence of IT and OT, expanding the attack surface across the entire network architecture. Increased IoT adoption and legacy systems add new entry points and vulnerabilities.
Limited visibility across both IT and OT environments remains a core challenge, hindering threat detection and response. Many utilities lack a unified view of their infrastructure, making it difficult to manage risks effectively.
Threats have shifted from opportunistic to targeted, including ransomware, supply chain attacks, and exploitation of unpatched systems. This highlights the need for integrated visibility, proactive vulnerability management, and coordinated threat detection across IT/OT domains.
Q: In your experience, what are the key vulnerabilities unique to Operational Technology (OT) systems in water infrastructure compared to traditional IT systems?
[Chumley-Soltani]: OT systems in water infrastructure face unique vulnerabilities due to legacy technology, limited visibility, and inadequate network segmentation. Attack paths exist throughout the entire network architecture. Dual-homed assets, which connect IT and OT, are especially vulnerable. In addition, inbound and outbound internet connections that are not properly controlled create gateways into the control environment. For example, overly permissive firewall rules or poorly managed remote access can open significant attack vectors.
The lack of both macro and micro segmentation prevents the creation of secure enclaves for critical zones and conduits. This allows threats to move laterally with ease. Combined with unpatched vulnerabilities and limited redundancy, these factors make OT systems prime targets.
To defend effectively, water utilities need comprehensive end-to-end visibility, strict segmentation at multiple levels, proactive vulnerability management, and tight control over network access points.
Q: How do you approach risk assessments for utilities that often have aging infrastructure and limited cybersecurity maturity?
[Chumley-Soltani]: The focus is on balancing immediate risk identification with a phased plan to mature cybersecurity capabilities over time. For utilities with aging infrastructure and limited cybersecurity maturity, risk assessments begin with a thorough third-party evaluation to uncover vulnerabilities and prioritize risks. Tabletop exercises and ongoing training complement this to test response plans, identify gaps, and ensure staff can effectively use tools and recognize threats before real incidents occur.
From there, the process follows a crawl, walk, run model. It starts with inventorying assets to develop a complete understanding of the entire architecture across both IT and OT environments, including their interrelationships. This foundation enables the establishment of network segmentation through zones and conduits, creating a defensible architecture that limits threat movement. The final step integrates security tools across systems to streamline operations and enhance risk management.
Throughout, clear incident response playbooks define roles during crises to reduce confusion and downtime. Regular tabletop exercises reinforce these plans and create a feedback loop that continuously improves readiness.
Ongoing assessments act as benchmarks to refine strategies and adapt defenses to evolving threats.
By combining expert evaluations, a phased maturity plan, continuous training, clear processes, and regular reviews, utilities can realistically manage cybersecurity risks and strengthen the protection of critical infrastructure.
Q: With the rise of smart sensors and IoT in utility systems, what precautions should be taken to secure these new endpoints?
[Chumley-Soltani]: With the increasing deployment of smart sensors and IoT devices in utility systems, it’s important to maintain clear visibility into all connected endpoints. Real-time monitoring tools should be used to track device behavior and status, enabling quick identification of unauthorized access or suspicious activity.
In addition, implementing strong anomaly detection is essential. By leveraging behavioral analytics and machine learning, utilities can detect unusual patterns early, allowing for proactive responses before small issues escalate into major incidents.
Building high availability redundancy is another critical precaution. This includes deploying backup sensors, alternative communication paths, and failover mechanisms to ensure the system continues to function smoothly, even in the event of a failure or compromise.
Effective risk management also plays a central role. Regular patching, timely firmware updates, and the proactive replacement of devices that have reached end-of-life or end-of-support help reduce known vulnerabilities and keep the environment secure.
Even though many smart sensors are passive and not directly involved in control decisions, it’s still important to secure access to their configuration and ensure the authenticity of the data they transmit. Lightweight authentication, encrypted communication, and firmware integrity checks can help prevent tampering, spoofing, or misuse of these devices.
Maintaining this level of security requires more than just upfront planning. It demands ongoing oversight, regular updates, and the flexibility to adapt as technologies evolve and new threats emerge. A proactive, layered approach to security will help ensure that IoT-based utility systems remain reliable, resilient, and secure in the long term.
The Water Tower consists of two nonprofit organizations: The Water Tower at Gwinnett, a 501(c)(4) responsible for the development and operations of the campus, and The Water Tower Institute, a 501(c)(3) responsible for solutions, instruction, and engagement programming. Together, these entities are cultivating an ecosystem of water innovation fueled by imagination, informed by research, and powered by pioneers. The Water Tower brings together public and private sectors of the water industry, side by side with academia and nonprofits, to tackle the industry’s greatest challenges.
