If you joined me this morning at the Manitoba Water & Wastewater Association (MWWA) Annual Conference in Brandon, you know we tackled a topic that is keeping many plant managers and municipal leaders awake at night: the rapidly evolving cybersecurity landscape in our critical infrastructure.
For those who couldn’t make it to the session, I want to share the core message. We are officially in the era of Industry 4.0. The days of mechanical automation and isolated systems are behind us, replaced by cyber-physical systems, IoT sensors, and cloud-based historians. This interconnectivity brings incredible efficiency, but it also fundamentally changes our risk profile.
The “Air Gap” is Dead (And VPNs Aren’t the Answer)
Historically, the water and wastewater industry relied on the “air gap”—the idea that our operational technology and SCADA systems were physically disconnected from the outside world. Today, that air gap is a myth.
Modern plants require remote support, third-party vendor maintenance, and data exports to regulatory bodies. To facilitate this, many facilities have punched inbound holes in their firewalls or relied on virtual private networks. But a VPN is a network-layer tool: once a client authenticates, it is placed on the plant network and can reach anything routable from there. The 2021 Colonial Pipeline attack began with a single compromised credential for a legacy VPN account that had no multi-factor authentication. If an attacker compromises one VPN credential, they don’t just get access to one machine; they get the keys to the entire castle.
Real Threats in the Water Sector
We often think our municipal water plants are too small or uninteresting to be targeted by nation-state actors. The reality is quite the opposite. Water facilities are frequently viewed by adversaries as “target rich, resource poor” environments.
Recently, we’ve seen alarming real-world examples of this:
- Iranian IRGC Attacks: Hackers affiliated with the Islamic Revolutionary Guard Corps (operating under the “CyberAv3ngers” persona) defaced the human-machine interfaces of several US water systems, including the Municipal Water Authority of Aliquippa, Pennsylvania. Their method? Logging in with the vendor default password (1111) on Unitronics PLCs that were exposed directly to the internet. The US Treasury has since sanctioned the IRGC officials responsible, but any internet-reachable controller still running a default password is just as exposed today.
- Russian Cyber Army: We also witnessed the Cyber Army of Russia Reborn, a hacktivist persona linked to Russian state-backed actors, reaching US water facilities through internet-exposed VNC. They manipulated HMIs, changed set points, disabled alarms, and switched equipment to manual operation. In Muleshoe, Texas, that was enough to overflow a water tower; with different set points the physical damage could have been far worse.
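Both incidents above share a precondition: an OT service answering inbound connections from the internet. The following is an added example, not code from the original post, showing how a plant could hunt for that precondition in its own firewall logs. The key=value log format, the assumption that the control network uses RFC 1918 addressing, and the sample log lines are all constructed for illustration; the port numbers are the well-known defaults for each service.

```python
"""Hunt for inbound remote-access and OT-protocol sessions reaching a
plant network from the internet. Added example, not code from the
original post. The log format, the INTERNAL_NETS assumption and the
sample lines below are all constructed for illustration."""

import ipaddress
import re
from collections import Counter

# Assumed plant addressing: everything in RFC 1918 space is "inside".
# Deliberately not ipaddress.is_private(): that also treats the
# documentation ranges used in the sample below as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Services that should never be reachable from outside: VNC (the path
# used against the Texas utilities), RDP, and common PLC protocols.
WATCHED_PORTS = {
    5900: "VNC",
    3389: "RDP",
    502: "Modbus/TCP",
    20256: "Unitronics PCOM",
    44818: "EtherNet/IP",
}

# Hypothetical firewall accept/drop log format (key=value).
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+action=(?P<action>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_sessions(lines):
    """Accepted connections from a non-internal source to a watched port
    on an internal host. Each hit is (ts, src, dst, dport, service)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "accept":
            continue
        service = WATCHED_PORTS.get(rec["dport"])
        if service is None:
            continue
        if is_internal(rec["src"]) or not is_internal(rec["dst"]):
            continue  # engineering traffic inside the plant is expected
        hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], service))
    return hits


def sources_by_hits(hits):
    """Count hits per external source; repeated sessions from one address
    against a PLC port look like the password guessing described above."""
    return Counter(src for _, src, _, _, _ in hits)


# Constructed sample log: documentation-range addresses stand in for
# internet sources; 10.20.31.0/24 is the assumed control network.
SAMPLE_LOG = [
    "ts=2024-01-18T03:12:07Z action=accept src=10.20.30.5:51234 dst=10.20.31.10:5900 proto=tcp",
    "ts=2024-01-18T03:14:22Z action=accept src=203.0.113.45:40012 dst=10.20.31.10:5900 proto=tcp",
    "ts=2024-01-18T03:15:01Z action=drop src=198.51.100.7:3333 dst=10.20.31.11:20256 proto=tcp",
    "ts=2024-01-18T03:16:40Z action=accept src=198.51.100.7:3334 dst=10.20.31.11:20256 proto=tcp",
    "ts=2024-01-18T03:16:58Z action=accept src=198.51.100.7:3335 dst=10.20.31.11:20256 proto=tcp",
    "ts=2024-01-18T03:17:10Z action=accept src=203.0.113.45:40020 dst=10.20.31.20:443 proto=tcp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = find_exposed_sessions(SAMPLE_LOG)
    for hit in found:
        print("EXPOSED", *hit)
    print(sources_by_hits(found))
```

On the constructed sample, the internal jump-host session and the dropped attempt are ignored, while the VNC session from one outside address and the two accepted PCOM sessions from another are reported. Any hit from this query is a finding worth chasing regardless of whether the login succeeded: the service should not be listening on the internet at all.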
The Data Doesn’t Lie
These aren’t isolated anomalies; they point to a fundamental weakness in how we handle identity. According to the 2024 CISA Risk and Vulnerability Assessment (RVA) report, almost 80 per cent of successful initial access exploited user authentication and identity weaknesses. Specifically, about 42 per cent used valid accounts, about 26 per cent used spear-phishing to steal credentials, and about 10 per cent used brute-force password guessing.
Attackers aren’t “hacking” in with sophisticated zero-days; they are simply logging in with compromised, shared, or weak credentials.
The Solution: Implementing Zero Trust Architecture
We cannot afford to rip and replace millions of dollars of legacy OT equipment just to upgrade its security. Instead, we must bring the security to the equipment. This is where zero trust architecture comes in.
Zero trust shifts the security model away from the perimeter and focuses on three simple concepts:
- Identity (WHO): Every user must be individually known and authenticated using strong multi-factor authentication. No more shared “Admin” accounts or passwords written on sticky notes.
- Authorization (WHAT): Users are granted access only to the specific resource they need to do their job, not the entire network. A vendor supporting a specific PLC should only see that PLC.
- Access (HOW): A connector inside the plant initiates an outbound connection to the identity-aware proxy, and the proxy brokers each approved session back through that tunnel. Nothing on the plant side listens for inbound connections, so no firewall port is opened and scanners such as nmap and Shodan find nothing to probe.
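To make the three questions concrete, here is an added example of the decision an identity-aware proxy makes before brokering a session, and of why it shrinks the blast radius of a stolen credential compared with a flat VPN. It is illustration code written for this post, not code from the original article or from any product; the users (vendor.alice, operator.bob), device names and grants are hypothetical.

```python
"""Toy policy evaluator for an identity-aware proxy in front of plant
equipment. Added example, not code from the original post or from any
product; users, resources and grants are hypothetical."""

from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class AccessRequest:
    user: str            # an individual identity, never a shared "admin"
    mfa_verified: bool   # did the identity provider complete MFA?
    resource: str        # one device, e.g. "plc-highlift-1"
    protocol: str        # one protocol on that device, e.g. "modbus"
    at: datetime


@dataclass(frozen=True)
class Grant:
    protocols: frozenset
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class IdentityAwarePolicy:
    """Deny by default; a request passes only if WHO, WHAT and WHEN all match."""

    def __init__(self):
        self._grants = {}  # user -> {resource -> Grant}

    def grant(self, user, resource, protocols, not_before, not_after):
        self._grants.setdefault(user, {})[resource] = Grant(
            frozenset(protocols), not_before, not_after)

    def evaluate(self, req: AccessRequest) -> Decision:
        if not req.mfa_verified:
            return Decision(False, "identity: MFA not completed")
        g = self._grants.get(req.user, {}).get(req.resource)
        if g is None:
            return Decision(False, f"authorization: {req.user} has no grant for {req.resource}")
        if req.protocol not in g.protocols:
            return Decision(False, f"authorization: {req.protocol} not permitted on {req.resource}")
        if not (g.not_before <= req.at <= g.not_after):
            return Decision(False, "authorization: outside the approved maintenance window")
        return Decision(True, f"allow {req.user} -> {req.resource}/{req.protocol}")


def vpn_reachable(resources, credential_valid: bool) -> set:
    """Flat VPN model: a valid credential lands the client on the plant
    network, so every routable device is reachable."""
    return set(resources) if credential_valid else set()


def proxy_reachable(policy, user, resources, protocol, at) -> set:
    """Identity-aware proxy: only devices with a matching grant. MFA is
    assumed defeated here so the comparison isolates authorization alone."""
    return {r for r in resources
            if policy.evaluate(AccessRequest(user, True, r, protocol, at)).allowed}


PLANT_RESOURCES = ["plc-highlift-1", "plc-highlift-2", "hmi-filtration",
                   "historian-db", "eng-workstation"]


def demo_time(hour: int, minute: int = 0) -> datetime:
    """Clock times on the hypothetical maintenance day, 2024-06-03 UTC."""
    return datetime(2024, 6, 3, hour, minute, tzinfo=UTC)


def build_demo_policy() -> IdentityAwarePolicy:
    p = IdentityAwarePolicy()
    # Vendor gets one PLC, one protocol, for one approved shift.
    p.grant("vendor.alice", "plc-highlift-1", {"modbus"}, demo_time(8), demo_time(17))
    # Plant operator gets the filtration HMI over VNC, standing access.
    p.grant("operator.bob", "hmi-filtration", {"vnc"},
            datetime(2000, 1, 1, tzinfo=UTC), datetime(2100, 1, 1, tzinfo=UTC))
    return p


def blast_radius_if_alice_is_phished() -> dict:
    """What a stolen vendor credential reaches under each access model."""
    policy = build_demo_policy()
    return {
        "vpn": vpn_reachable(PLANT_RESOURCES, credential_valid=True),
        "proxy": proxy_reachable(policy, "vendor.alice", PLANT_RESOURCES,
                                 "modbus", demo_time(10, 30)),
    }


if __name__ == "__main__":
    policy = build_demo_policy()
    for req in (AccessRequest("vendor.alice", True, "plc-highlift-1", "modbus", demo_time(10, 30)),
                AccessRequest("vendor.alice", False, "plc-highlift-1", "modbus", demo_time(10, 30)),
                AccessRequest("vendor.alice", True, "plc-highlift-2", "modbus", demo_time(10, 30)),
                AccessRequest("vendor.alice", True, "plc-highlift-1", "modbus", demo_time(20))):
        print(policy.evaluate(req))
    print(blast_radius_if_alice_is_phished())
```

With the vendor's credential in an attacker's hands, the VPN model exposes all five devices; the proxy model exposes one PLC over one protocol during one shift, and nothing at all once the window closes or if MFA is enforced. Every denial also carries a reason, which is the audit trail the VPN model never gives you.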
A Non-Zero-Sum Game
The best part about implementing an identity-aware proxy and zero trust is that it is a non-zero-sum game. You don’t have to sacrifice productivity for security. In fact, productivity goes up because remote experts can securely access systems in seconds rather than waiting for complex IT approvals or travelling to the site. Meanwhile, security increases, and infrastructure costs go down.
We can secure our legacy critical infrastructure without changing how the plant fundamentally operates.
If you want to dive deeper into how this architecture works in practice, I highly recommend checking out this recent webinar I hosted on the topic.
