A Tale of Two Water Utilities’ Cybersecurity: From Risks on Paper to Defense in Action – Danielle Jablanski, Cybersecurity Consulting Program Lead – Operational Technology (OT), STV Inc.

Oct 30, 2025

Cybersecurity is a cornerstone of resilient, reliable and trusted water service delivery. As utilities modernize treatment facilities and adopt digital controls, protecting these systems is integral to maintaining safe, continuous service and public trust.
If cybersecurity for water utilities could be distilled into two guiding principles, the first would be the need to identify plausible risk scenarios for your organization and the second the responsibility to fully understand the interdependence of the systems you operate. Threat intelligence is useless without the ability to act, and actions in risk mitigation and defense are useless without the ability to understand and prioritize how cyber incidents can impact your operations.

Beyond disparities in budgets, this is the area that sets small- to medium-sized water utilities and major operators apart. The risks they all face – from phishing and ransomware to insider threats and remote code execution – and the goals of building stronger, safer communities, are quite similar. However, assessing risk and prioritizing actions requires a precise combination of strategy, coordination and expertise that can look very different depending on the size, structure and resources of an organization.

1. Risk assessment methodologies

There are qualitative and quantitative ways to assess risk, which often look at preparedness, current security controls in place, threats to systems, vulnerabilities in systems and the likelihood that specific vulnerabilities could cause specific impacts if successfully targeted and exploited. While some methodologies offer more sophisticated calculations, at STV, we have seen that the most successful ones are those where impact can be accurately determined and estimated for the organization’s true operational and strategic priorities. Our cybersecurity and water infrastructure experts help utilities translate these risk assessments into actionable strategies that strengthen resilience and maintain continuity of operations.
Small operators have a good idea of the risks they face, including the differences between root-level compromise and user-level compromise, and the differences between human-controlled exploits and automated exploits. They can accurately frame, assess, respond to and monitor threats, but often lack automated solutions that provide dynamic system-level awareness and indicators of compromise. Large utilities often have automated solutions for visibility, but these solutions rely on proprietary algorithms that limit transparency to end users about how priorities are determined.

2. Threat intelligence sources and methods

The threat landscape constantly changes, especially as IT and OT systems within water facilities become more interconnected and interdependent. The latest advances in artificial intelligence and the future of quantum computing challenge standard security practices. There is a widespread understanding that perimeter defenses are not good enough. More alarmingly, CrowdStrike’s 2025 Threat Hunting Report found that 81% of intrusions were malware-free. Instead, threat actors are ramping up “living off the land” techniques, effectively masquerading as legitimate users in your organization.
Small operators typically have less complex environments and fewer systems to manage; however, focusing exclusively on the means of active threats has diminishing returns. If all your time and resources are focused on learning about the adversary, you have little to no time and resources left to understand and map their effects, hamstringing your security posture. Reading emails from the Cybersecurity and Infrastructure Security Agency (CISA), an Information Sharing and Analysis Center (ISAC) or a subscription service will not identify a single point of failure. On the other hand, larger utilities typically have many more single points of failure and require skilled, full-time analysts to continuously address and reassess their defenses.

3. Incident response planning

Incident response plans come with a myriad of tables and flow charts for procedures. If you’re lucky, they also incorporate up-to-date communications plans, responsibilities and contact information. The typical evolution of an event is preparation, identification, notification, containment, analysis (ongoing), eradication and recovery. Most plans also require a post-event summary of lessons learned and recommendations for improvement. Many would argue that containment is the most significant portion of the cycle; however, notification, or when and how an issue is discovered, can have a major impact on the severity of incidents.
Small operators rely on employee training, collective resources and third parties for notification of incidents. Most lack comprehensive monitoring to indicate that potentially malicious activity is happening in real time, especially within their process networks, where legacy industrial control systems (ICS) are concerned. Of course, large utilities have swaths of data and sometimes multiple layers of alerts for access and activity in their networks; however, there is a degree of alert fatigue that can plague even the most mature security teams if left unchecked.

4. Scoping for monitoring tools

Monitoring for security events typically happens with either an intrusion prevention system, which drops individual messages and blocks the source from sending more, or an intrusion detection system, which detects access and communication attempts by comparing baseline against anomalous behaviors. For a utility with cyber-physical operations, dozens of proprietary systems and hundreds of specific variables and setpoints, one or more of these solutions are typically considered as inputs to a security operations center and usually fed into a centralized tool such as a security information and event management (SIEM) platform.
Spoiler alert: small water operators cannot afford most monitoring tools and only sometimes have security operations centers. More often, they are subscribed to a managed security service provider (MSSP) that acts as an extension of their in-house team, with varying services depending on the price and package. Small operators are navigating complex compliance requirements and often face a backlog of IT issues: network and access triage, firmware updates, firewall configurations, patching, etc. Operational Technology (OT) and Industrial Control Systems (ICS) are unfortunately either not in scope or not in budget. Large and conglomerate operators are capitalizing on the maturity of monitoring solutions today, yet these expensive solutions do not offer robust remediation and response capabilities. People are still required to address every major OT/ICS concern a tool alerts them to.

5. Creating a defensible architecture in real-time

The most critical piece of a defensible architecture is knowing what you have to protect what you’ve got. This control, often called an asset inventory as a noun or asset management as a verb, is a tedious process. It includes an organized, regularly updated list of an organization’s systems, hardware, and software. It is often a necessary step for classifying assets by function and/or criticality and visualizing asset relationships and dependencies.
Small water operators prevail here, capable of managing the governance and scope of identifying and collecting asset attributes. Gravity, pumping and combined operations have easily identifiable functional designations for collection, water treatment, distribution, re-use, etc. Even without automated monitoring tools, these systems can be tiered by criticality and assessed against widely known OT attack patterns and techniques. Large operators, unfortunately, do not always consider this a requirement, opting instead to follow enforceable security measures or to distribute risk to site-specific ownership rather than centralized management.
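
As an added illustration (not code from STV, the Water ISAC or The Water Tower), the following Python treats a small constructed inventory as a dependency graph: it propagates criticality from each process to the assets that support it, then lists the non-redundant dependencies of the most critical processes, which are exactly the single points of failure that intelligence feeds alone will not reveal. All asset names, functions, tiers and links are constructed for the example.

```python
"""Dependency-aware asset inventory for a small water utility (added example).
Each dependency is a group of interchangeable assets: any one member keeps the
dependent running, so a one-member group is a single point of failure downstream.
All names, tiers and links below are constructed, not from a real utility."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    function: str       # collection, treatment, distribution, network, ...
    tier: int           # operator-assigned criticality: 1 = highest, 3 = lowest
    depends_on: list = field(default_factory=list)  # list of tuples of asset names


# Constructed inventory: gravity-fed treatment plant plus one distribution pump station.
INVENTORY = [
    Asset("finished-water-pumps", "distribution", 1, [("plc-dist-01",)]),
    Asset("chlorine-dosing", "treatment", 1, [("plc-treat-01",)]),
    Asset("plc-dist-01", "distribution", 2, [("switch-ot-01", "switch-ot-02")]),
    Asset("plc-treat-01", "treatment", 2, [("switch-ot-01", "switch-ot-02")]),
    Asset("switch-ot-01", "network", 3),
    Asset("switch-ot-02", "network", 3),
    Asset("hist-01", "treatment", 3, [("plc-treat-01",), ("plc-dist-01",)]),
    Asset("vpn-gw", "remote-access", 3, [("it-firewall",)]),
    Asset("it-firewall", "network", 3),
]


def effective_tiers(inventory):
    """Propagate criticality upstream: a supporting asset is at least as critical
    as the most critical asset that depends on it, directly or transitively."""
    tiers = {a.name: a.tier for a in inventory}
    changed = True
    while changed:  # tiers only ever decrease, so this reaches a fixed point
        changed = False
        for a in inventory:
            for group in a.depends_on:
                for dep in group:
                    if tiers[dep] > tiers[a.name]:
                        tiers[dep] = tiers[a.name]
                        changed = True
    return tiers


def single_points_of_failure(inventory, max_tier=1):
    """Non-redundant dependencies of every asset whose effective tier is <= max_tier.
    Scoping by tier keeps the list short enough for a small operator to act on."""
    tiers = effective_tiers(inventory)
    spofs = {group[0] for a in inventory if tiers[a.name] <= max_tier
             for group in a.depends_on if len(group) == 1}
    return sorted(spofs)
```

In this constructed plant the redundant OT switches never appear as single points of failure, while both PLCs do; the historian and the remote-access path stay at tier 3 because no process depends on them.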

A path forward

No two water utilities are a perfect replica of one another, regardless of size or budget, so there is no one-size-fits-all approach to cybersecurity across the sector. To build a defensible architecture, actually defend it, and take actions that improve your security posture, you must balance threat awareness and significance with the contextual implications of your environment.
Technology will not solve these problems alone, and operators cannot buy their way out of risk. People first, then processes and technology, is how security leaders approach complex environments of all shapes and sizes. This month, the Water ISAC published the “Small Systems Guidance Compendium” Cybersecurity Fundamentals for Water and Wastewater Utilities. The original list of recommended security controls was consolidated to twelve in May 2023 to help operators reduce security risks to their IT and OT systems.
Through our work with clients, STV’s cybersecurity team bridges the gap between strategy and implementation for water and wastewater infrastructure’s increasing reliance on digital technology. By taking a balanced, incremental approach, our team leverages a deep bench of expertise to help strengthen the systems our communities rely on every day.

The Water Tower consists of two nonprofit organizations: The Water Tower at Gwinnett, a 501(c)4 – responsible for the development and operations of the campus, and The Water Tower Institute, a 501c3 – responsible for solutions, instruction, and engagement programming. Together, these entities are cultivating an ecosystem of water innovation fueled by imagination, informed by research, and powered by pioneers. The Water Tower brings together public and private sectors of the water industry, side by side with academia and nonprofits, to tackle the industry’s greatest challenges.