Oct 27, 2025
As part of our DCS-Water’25 Cybersecurity Conference, we’re highlighting insights from our sponsors who are driving innovation and resilience across the water sector.
The following article was originally published by Armis and is shared here with permission.
By Michael Rothschild - VP, Product Marketing, Armis
Twelve years ago, the Bowman Dam security incident revealed just how vulnerable our water systems are. That attack happened years ago, but here’s the undeniable truth: not much has changed since then. The technology has gotten more advanced, the threat actors more sophisticated, and the stakes unimaginably higher, but many of our defenses remain stuck in the past.
Today, it doesn’t take much to wreak havoc. A single manipulated setting in a SCADA system can make drinking water undrinkable. A minor disruption in a wastewater facility can turn untreated sewage into a biological weapon. These aren’t hypotheticals; they’re plausible, proven scenarios. And now, with AI supercharging cyber offense, attackers are building vulnerabilities and backdoors at the code level, at a scale that defenders are struggling to match.
Nation-States Have Made Water Their Target
Consider what’s happening in Europe. Russian-linked hackers have repeatedly struck water infrastructure, opening valves, flooding systems, and broadcasting their access on social media. In Poland, utilities now see 300 attacks a day, triple the rate of last year. Norway’s intelligence services confirmed that hackers controlled a dam valve for nearly four hours. And here in the U.S., suspected Russian hackers caused a water tank in Texas to overflow as recently as 2024.
These aren’t smash-and-grab attacks. They’re “proof of concept” tests, probing the weak spots in our most essential systems, often in smaller cities where cybersecurity budgets are razor thin. Every successful incursion erodes public trust and exposes systemic flaws.
Why “Asset Inventory” Isn’t Enough Anymore
A couple of weeks ago, CISA once again called for critical infrastructure operators to adopt comprehensive OT asset inventories. That’s an important step, but let’s be honest: attackers, and the cybersecurity community, should be way past that. An asset inventory is table stakes. It’s knowing what’s in the water treatment plant. But it doesn’t tell you which of those assets are vulnerable, how they’re connected, what risks matter most, or how attackers are likely to move laterally once inside.
Meanwhile, AI isn’t waiting. Nation-states are using it to find weaknesses faster than humans ever could, to generate polymorphic malware, and even to embed malicious code directly into open-source projects. If defenders are still stuck cataloging assets, they’re already several moves behind.
CTEM: The Model We Need Now
This is where Cyber Threat Exposure Management (CTEM) comes in. CTEM isn’t about creating another inventory. It’s about continuously assessing, validating, and prioritizing the exposures that matter most, so utilities can act before nation-states turn water into a weapon.
Here are five critical CTEM practices water facilities must adopt right now:
- Comprehensive Visibility Beyond IT
80% of utilities surveyed by AWWA in 2023 admitted they lack a complete cyber asset inventory. Stop treating OT and SCADA as “too sensitive to touch.” Technology such as smart active querying lets organizations safely check on every asset in the digital landscape without impacting operations. Water facilities need unified and continuous deep visibility across IT, OT, IoT, and BMS systems, enriched with real-time risk context.
- Continuous Risk-Based Prioritization
Not every vulnerability deserves equal attention. For example, a valve-control PLC with an unpatched CVE is a higher priority than a password policy violation on an office workstation. CTEM means understanding which exposures directly threaten water safety or availability, and triaging based on real-world impact.
- Attack Path Validation
Nation-states test lateral movement. Utilities must do the same. In 2024, attackers in Texas didn’t need to “own” the plant; they simply manipulated a tank overflow by abusing weak IT-to-OT pathways. Simulating how an attacker could pivot from IT into OT is no longer optional; it’s an absolute must.
- AI-Powered Threat Hunting and Detection
If adversaries are using AI, defenders must as well. SOCs can’t rely on static detections when nation-states can morph attacks in seconds. CTEM platforms that apply AI-driven early warning detection and guided hunting will outpace legacy tools.
- Governance and Resilience Planning
70% of water utilities surveyed by CISA last year lacked a tested cyber incident response plan. CTEM isn’t just a one-and-done project. It’s about continuously validating whether people, processes, and policies are aligned to withstand disruption. That means tabletop exercises, supply chain risk assessments, and recovery runbooks. Moreover, it is about pivoting based on the new TTPs that hackers are employing and how the security community can defeat them with minimal disruption or damage.
The Stakes Couldn’t Be Higher
Water is life. And in an era of state-sponsored cyber conflict, it’s also one of the easiest weapons to wield. We can’t afford to wait until another incident occurs to acknowledge that asset inventories alone won’t save us.
CTEM gives water and wastewater facilities a framework to move beyond “visibility” into true resilience, where exposures are continuously managed, prioritized, and remediated before adversaries exploit them. If utilities don’t uplevel their defenses now, attackers will continue to treat our water supply as a proving ground. And that’s a risk none of us should be willing to accept.
Learn more about Armis and their cybersecurity insights at armis.com.
