On May 21, 2026, the United States Government Accountability Office (GAO) released a critical report, GAO-26-109159, addressing the urgent and persistent cybersecurity threats facing the nation’s water and wastewater sector. This testimony, provided to the House Committee on Science, Space, and Technology, underscores a stark reality: nearly 170,000 systems are increasingly vulnerable to cyberattacks from state-sponsored hackers and criminal groups.
For municipal leaders and plant managers, the GAO report is more than a warning; it is a call to action to modernise how we protect our most essential critical infrastructure.
The Rising Tide of Cyber Threats
The water and wastewater sector is currently facing a growing number of sophisticated cyberattacks. These threats are no longer merely theoretical. Adversaries like the Cyber Army of Russia are actively targeting operational technology systems, including the human-machine interfaces (HMIs) and programmable logic controllers (PLCs) that control physical infrastructure like pumps, valves, and chemical levels.
The GAO identifies several factors contributing to this heightened risk profile. First, the convergence of operational technology with internet-enabled devices has significantly expanded the attack surface. Second, the sector faces persistent resource constraints, where limited financial budgets often force a choice between meeting basic water safety regulations and investing in cybersecurity. Finally, workforce shortages and the difficulty of updating aging infrastructure make it challenging to maintain a robust security posture across diverse and often geographically dispersed systems.
The Myth of the Air Gap and the Failure of Perimeter Security
Historically, the water industry relied on the myth of the air gap to ensure security, assuming that operational technology systems were physically disconnected from the outside world. In the era of Industry 4.0, this air gap is dead. Modern plants require remote support from vendors, data exports for regulatory compliance, and seamless connectivity for operational efficiency.
To facilitate this access, many facilities have relied on traditional virtual private networks. However, as the GAO report suggests, these perimeter-based defences are no longer sufficient. A virtual private network functions like an elongated Ethernet cable, granting broad network access once a user is authenticated. If a single credential is compromised, an attacker gains the keys to the castle, allowing them to move laterally through the network to discover and manipulate critical devices.
Agilicus AnyX: Building Defence in Depth through Zero Trust
The Environmental Protection Agency (EPA) and other federal partners are working to address these risks, but the GAO notes that significant gaps in authority and strategy remain. While we wait for federal mandates to catch up, facilities can take immediate, proactive steps to implement a true defence in depth strategy using zero trust architecture.
Agilicus AnyX technology is designed to solve these exact challenges by shifting security away from the network perimeter and focusing on the identity of the user and the specific resource they need to access.
Unified Identity and Multi-factor Authentication
The first pillar of zero trust is ensuring that every user is individually known. Agilicus AnyX enables unified authentication, allowing operators and contractors to sign in with their native corporate credentials through a single sign-on experience. By enforcing strong multi-factor authentication, we eliminate the risks associated with shared administrative accounts or default passwords on exposed controllers.
Precise Authorisation and Lateral Movement Prevention
Once identity is verified, access must be strictly limited. Agilicus allows for granular authorisation, ensuring that a vendor or technician only sees the specific human-machine interface or programmable logic controller they are approved to maintain. This pairwise connection effectively stops lateral traversal; even if a user device is compromised, the attacker cannot pivot to other parts of the critical infrastructure.
Absolute Segmentation and Inbound Port Removal
A key recommendation for the water sector is to ensure there are zero inbound open ports. Agilicus AnyX uses outbound-only connections to an identity-aware proxy, so the facility exposes no listening service for internet scanning tools like Shodan or Nmap to find. This achieves a level of industrial micro-segmentation that traditional firewalls and virtual private networks simply cannot provide.
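One way to check the zero-inbound-ports recommendation on a Linux gateway, as an added example (not Agilicus code and not part of the GAO report): it parses `iptables-save` output and reports every rule that admits new inbound connections on the WAN interface. The ruleset is constructed, and `eth0` as the WAN side and the `10.20.0.15` HMI address are assumptions.

```python
import shlex

# Constructed iptables-save output for a plant gateway; eth0 = WAN is an assumption.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.20.0.15:5900
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -d 10.20.0.15/32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 5900 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

RETURN_ONLY = {"ESTABLISHED", "RELATED"}  # replies to connections opened from inside

def inbound_findings(ruleset, wan="eth0"):
    """Return (table, chain, reason, rule) for each rule admitting new inbound traffic on `wan`."""
    findings, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":") and table == "filter":
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append((table, chain, "default policy ACCEPT", line))
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            chain, target, iface = tok[1], opt.get("-j"), opt.get("-i")
            negated = iface is not None and tok[tok.index("-i") - 1] == "!"
            if iface is not None and (iface == wan) == negated:
                continue  # rule is bound to some other interface
            states = set(opt.get("--ctstate", opt.get("--state", "")).split(",")) - {""}
            if table == "nat" and chain == "PREROUTING" and target in ("DNAT", "REDIRECT"):
                findings.append((table, chain, "inbound port forward", line))
            elif table == "filter" and chain in ("INPUT", "FORWARD") and target == "ACCEPT" and opt.get("-o") != wan:
                if not (states and states <= RETURN_ONLY):  # no state match means any new connection passes
                    findings.append((table, chain, "accepts new inbound connections", line))
    return findings
```

On the constructed ruleset this reports the port 5900 forward to the HMI and the two accept rules behind it; an outbound-only design leaves only the `RELATED,ESTABLISHED` rules on the WAN side.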
Conclusion
The persistent threats highlighted by the GAO report require a fundamental shift in how we approach cybersecurity for water and wastewater systems. We cannot afford to wait for the next incident response warning to upgrade our defences.
By adopting a zero trust architecture, municipal water facilities can enhance their security posture, protect public health, and ensure operational continuity without sacrificing the efficiency of remote access. It is time to move beyond the myth of the air gap and embrace a pragmatic, results-oriented approach to critical infrastructure protection.
