Tuesday, October 28, 2025

Protecting Water and Wastewater Infrastructure: OT and SCADA Threats Explained

by Linda Hart   |   October, 2025

Operational Technology (OT) and SCADA environments - the industrial systems that run factories, utilities, pipelines, and municipal infrastructure, including water and wastewater processing as required by regulations - are facing a sharp increase in targeted cyberattacks. Over the last 18 months, the threat landscape has evolved from opportunistic ransomware to sophisticated campaigns combining IT-side compromises, supply-chain exploitation, and persistent actors capable of causing real-world disruption. These attacks now affect both IT assets (mostly ad hoc systems with the option of planned upgrades) and OT/SCADA systems, which must operate 24x7 to control processes and collect data, often with limited downtime and constrained government funding for infrastructure improvements. OT operations are also subject to laws and regulations that impose penalties if operators lose data.

In water and wastewater treatment plants, pumping stations (PS), and sewage pumping stations (SPS), the convergence of IT and OT systems, aging OT infrastructure, complex system integrations, and limited opportunities for upgrades have amplified vulnerabilities. These create avenues for attackers to compromise automated control systems, disrupt critical operations, and directly threaten public safety, because these facilities provide essential, continuous services that communities rely on around the clock.

What's Changed

Ransomware now targets water and municipal systems: Attackers increasingly focus on operational technology (OT) in water treatment plants, wastewater facilities, and other municipal infrastructure. Disruptions to these critical services can cause significant operational and financial impact, making them high-value targets.

Rising OT exposure on the internet: Industrial control systems (ICS) and OT devices are increasingly accessible online, expanding the attack surface and making municipal networks more vulnerable to cyberattacks.

Municipal infrastructure under attack: Local governments' SCADA-controlled systems - including water distribution, wastewater management, and traffic control - are prime targets for hackers, emphasizing the urgent need for robust cybersecurity in public utilities.

Notable Recent Incidents

Industrial and Energy Sector

Norwegian Dam Manipulation (April 2025): As publicly reported in multiple media outlets, on April 7, 2025, attackers gained unauthorized remote access to the control system of a dam in the Municipality of Bremanger, Western Norway, and manipulated a water valve - opening it to full capacity and increasing the outflow by roughly 497 litres per second for about four hours before detection and shutdown. The breach was attributed by Norway's domestic security agency, the Police Security Service (PST), to pro-Russian cyber actors as part of a broader "hybrid" campaign intended to sow fear and unrest among Western populations. According to those reports, the root cause was a weak password on a web-accessible human-machine interface (HMI) linked to the dam's industrial control system, underscoring how even modest operational vulnerabilities can translate into real-world physical effects. While no structural damage or injuries were reported, the incident stands as a significant warning about the susceptibility of critical infrastructure to targeted cyber intrusions.

OT/ICS Ransomware Surge (2024/2025): As publicly documented by cybersecurity vendors and trade media, industrial and energy-sector operations have experienced a sharp rise in ransomware campaigns aimed directly at operational-technology (OT) and industrial-control-systems (ICS) environments rather than traditional IT networks. A 2025 Honeywell report found ransomware attacks on industrial operators increased 46 percent from Q4 2024 to Q1 2025, with one trojan family targeting OT systems spiking 3,000 percent in the same period. Similarly, analysis from Dragos indicated ransomware incidents impacting OT/ICS asset owners grew by approximately 87 percent in 2024 over 2023, alongside a 60 percent rise in the number of threat groups targeting such environments. Together these findings reveal a strategic shift by adversaries from opportunistic IT breaches toward deliberate efforts to disrupt industrial processes in manufacturing, energy, and utilities - often by exploiting exposed interfaces, open ports, and insufficient network segmentation.

Municipal and Regional Incidents - Water/Wastewater Treatment Plant Attacks - Canada, USA, and Global

Canada Spotlight: Municipal and Regional Cyber Attacks

City of Stratford (Ontario): A ransomware attack in 2019 encrypted critical municipal databases, forcing the city to pay a ransom of $75,091 in Bitcoin to regain access. Including the ransom, remediation, and system restoration, total recovery costs exceeded $1 million, emphasizing the heavy financial and operational toll such breaches can have even on mid-sized municipalities.

Town of St. Marys (Ontario): A ransomware attack in July 2022 by the LockBit 3.0 group encrypted municipal systems and stole sensitive data. The town incurred over $1.3 million in costs, including a $290,000 ransom paid in Bitcoin, representing roughly 10% of the town's 2022 budget, highlighting the severe financial strain such attacks can impose on smaller municipalities.

Westmount (Quebec): The LockBit 3.0 ransomware group struck in November 2022, disrupting municipal services and compromising email systems. The attackers claimed to have downloaded 14 terabytes of sensitive data and threatened its release unless a ransom was paid. While the exact financial impact was not publicly disclosed, the incident underscored the vulnerability of municipal governments to increasingly sophisticated cyber threats.

City of Hamilton (Ontario): The City of Hamilton experienced a significant cybersecurity breach on February 25, 2024, when cybercriminals launched a sophisticated ransomware attack that disabled approximately 80% of the city's network, including critical services such as business licensing, property tax processing, and transit planning systems. The attackers demanded a ransom of $18.5 million CAD, which the city refused to pay. Instead, Hamilton utilized secure backups to restore its systems, incurring $18.3 million in recovery costs. However, the city's cyber insurance claim was denied due to the absence of multi-factor authentication (MFA) at the time of the breach, a requirement stipulated in the insurance policy. An audit revealed that recommendations from a 2021 cybersecurity assessment remained largely unimplemented, partly due to resource constraints and leadership turnover. In response, the city has since strengthened its cybersecurity posture by implementing MFA, appointing a Chief Information Security Officer, and initiating a comprehensive "Build Back Better" plan to enhance system resilience and service delivery.

Region of Durham (Ontario): The Region of Durham has experienced multiple cyber incidents in recent years, including the 2021 Accellion File Transfer Appliance breach compromising personal health and government assistance data, the 2024-2025 PowerSchool breach affecting student and staff information across Durham District School Board (DDSB) and other Ontario school boards, and a 2024 security breach at the Duffin Creek Water Pollution Control Plant affecting a limited component of its digital systems.

In conversation, OT/SCADA/ICS expert Naeem Ismat from Ontario underscored just how serious these incidents are. "These attacks highlight the ongoing cybersecurity risks that municipal operations, schools, and other critical infrastructure face," he noted. "Since 2023, similar attacks across Ontario and other Canadian municipalities have pushed recovery costs past $50 million CAD. It clearly shows how costly ransomware can be for local governments and why stronger cybersecurity measures are urgently needed."

He further added that if funding, workforce training, and attention for outdated Industrial Control Systems at water and wastewater facilities aren't prioritized at the same level as IT systems, the consequences could be far more severe than a typical billing or banking outage. "Public health depends on these plants," Naeem explained. "Changing old mindsets and training staff to understand OT-specific cybersecurity challenges is critical - any disruption can have serious, real-world consequences for communities."


These incidents highlight ongoing cybersecurity risks to municipal operations, educational institutions, and critical infrastructure, prompting enhanced security measures and monitoring efforts.



Toronto Water (City of Toronto, Ontario): The 2022 follow-up audit by the Office of the Auditor General of Toronto reported that the SCADA systems used by Toronto Water to monitor and control drinking-water and wastewater treatment operations remain exposed to cybersecurity risks due to ongoing IT and OT system convergence. The audit highlighted that these systems control critical infrastructure processes, and any compromise could disrupt water distribution, damage equipment, or cause environmental releases of untreated water. Although progress had been made in areas such as physical security, technical improvements, and staff training, several recommendations from earlier audits remained only partially implemented. The Auditor General emphasized that the cybersecurity threat landscape continues to evolve and that IT/OT integration increases exposure for critical municipal utilities like Toronto Water.



Halifax Water (Nova Scotia): In 2023, the Office of the Auditor General of Halifax Regional Municipality released a report identifying significant cybersecurity and physical security gaps within Halifax Water's SCADA systems. The audit concluded that the utility's cybersecurity program was less mature than expected for an organization managing critical water infrastructure. Many recommendations from prior assessments had not been fully implemented, and internal oversight committees were not consistently reviewing SCADA-related risks. The report also found weaknesses in access control, policy enforcement, and staff awareness. In one phishing test, 82 percent of targeted employees entered their credentials, illustrating a serious gap in cyber awareness and training. The findings underscored the urgent need for Halifax Water to strengthen both technical and organizational cybersecurity defenses.

The Canadian Centre for Cyber Security has repeatedly warned that municipal water treatment and wastewater facilities face heightened threat levels from ransomware and state-sponsored actors.

Cybersecurity Threats to U.S. Water Systems: A Growing Concern

In February 2021, an attacker remotely accessed the SCADA system of a water treatment plant in Oldsmar, Florida, attempting to increase sodium hydroxide (lye) levels in the drinking water. The incident was quickly detected and neutralized, preventing any safety impact.

Subsequent reports documented multiple ransomware and unauthorized-access events targeting water and wastewater systems in states including Maine, Nevada, California, and Kansas.

In October 2024, American Water Works experienced unauthorized network activity affecting multiple regions. While operations were maintained, the incident highlighted that attackers are increasingly probing large-scale water utilities.

Federal agencies, including the EPA and CISA, have warned that foreign state actors linked to Iran and China have carried out disruptive attacks on water systems. Utilities were directed to improve cybersecurity immediately to prevent potentially serious consequences.

Global Cybersecurity Incidents in Water/Wastewater Utilities

Australia (2001)

The Maroochy Shire wastewater breach in Queensland, Australia, remains one of the most notorious cases of cyber sabotage in water utilities. In 2000, a former employee exploited vulnerabilities in the SCADA system to release over 800,000 liters of raw sewage into the local environment. This incident highlighted the critical need for robust cybersecurity measures in operational technology systems.

Poland (2024-2025)

Poland has been a significant target of cyberattacks, particularly from Russian-aligned groups. In August 2025, a cyberattack aimed at a major city's water supply was thwarted, preventing potential service disruptions. This incident is part of a broader pattern, with numerous cyberattack attempts daily, many targeting critical infrastructure like hospitals and water systems.

In response to these escalating threats, the Polish government significantly increased its cybersecurity budget in 2025, with a dedicated portion allocated specifically to bolster water infrastructure defenses. Additionally, Poland established a joint civilian-military cybersecurity operations center to coordinate defense efforts against persistent cyber threats.

Europe & Middle East (Ongoing)

Water utilities across Europe and the Middle East continue to face cyber threats, often due to rapid digitalization without corresponding cybersecurity measures. There has been a sharp rise in cyber incidents targeting drinking water and wastewater sectors, with many utilities lacking the necessary funding, skilled personnel, and technical capabilities to defend against these threats.

In regions such as Africa, South Asia, and the Middle East, vulnerabilities are heightened by the rapid modernization of utilities. Many water and wastewater treatment plants have transitioned from limited manual systems to highly digital ones in a short time span, often overlooking cybersecurity during this modernization, resulting in critical security gaps.

Global Trend

Water utilities worldwide remain frequent targets of cyberattacks due to outdated automation systems, weak remote-access controls, and underfunded cybersecurity programs. These vulnerabilities are exploited by various threat actors, including hacktivists and nation-state actors, to disrupt services and cause widespread concern.

Why OT and SCADA Are Attractive Targets

Operational technology and SCADA environments present outsized impact compared with their footprint: a single compromise can interrupt water treatment, power distribution, or traffic management, producing immediate safety hazards and public panic. That immediate consequence makes these systems attractive for financially motivated extortion, nation-state coercion, or politically timed disruption.

Risk is amplified by IT/OT convergence. More organisations now connect business networks, remote access services, and administrative tools to operational equipment for efficiency and visibility - but that also gives attackers a route to pivot from a compromised office workstation or cloud service straight into control networks. Finally, many industrial sites still run legacy controllers and protocols that were never designed with modern security in mind. Unsupported firmware, default credentials, and weak authentication mean that once adversaries get initial access, they can escalate privileges and reach critical assets far faster than in hardened IT environments.

Practical Actions for Municipalities and Operators

  • Network Segmentation between IT and OT - isolate critical control systems from administrative networks.
  • Credential Hygiene and MFA - eliminate default passwords and enforce strong authentication for vendors and remote access.
  • Regular Vulnerability Scans and Exposure Audits - identify Internet-exposed devices and secure or remove them.
  • Offline Backups and Tested Recovery - ensure SCADA configurations and data can be restored independently of IT systems.
  • Incident Response Drills - simulate ransomware and OT incidents to verify communications and containment procedures.
  • Vendor and Remote-access control - restrict vendor VPNs, log sessions, and enforce signed service-level agreements.
  • Chemical-Process Monitoring and Manual Fallback - implement alarms for abnormal dosing or flow-rate changes and maintain trained operators for manual overrides.
  • Operator and Staff Training - Shift outdated operational mindsets at Water and Wastewater Plants, Pumping Stations (PS), and Sewer Pumping Stations (SPS). Enhance the OT team by adding cyber specialists who understand the unique requirements and differences between Operational Technology (OT) and Information Technology (IT) environments.
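
The chemical-process monitoring item above, sketched as an added example (not part of the original article): a batch check over historian samples that raises an alarm on an abrupt setpoint or flow change, on a value outside its engineering band, and once more when the value stays out of band long enough to call for manual fallback. The tag names, limits, hold time and sample readings are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Sample:
    ts: datetime
    tag: str      # constructed tag name, not from any real plant
    value: float

# Assumed engineering limits per tag (hypothetical; use the process design values).
LIMITS = {
    "NAOH_DOSE_SP_PPM": {"lo": 50.0, "hi": 150.0, "max_step": 20.0},
    "OUTFLOW_LPS": {"lo": 0.0, "hi": 400.0, "max_step": 100.0},
}
SUSTAIN = timedelta(minutes=10)  # out-of-band this long => escalate to manual fallback

def evaluate(samples):
    """Return (timestamp, tag, kind) alarms for a batch of historian samples."""
    alarms, last, breach_start, escalated = [], {}, {}, set()
    for s in sorted(samples, key=lambda x: x.ts):
        lim = LIMITS.get(s.tag)
        if lim is None:
            continue  # tag has no defined limits; nothing to judge it against
        prev = last.get(s.tag)
        # Abrupt change between consecutive samples, in either direction.
        if prev is not None and abs(s.value - prev) > lim["max_step"]:
            alarms.append((s.ts, s.tag, "STEP_CHANGE"))
        if lim["lo"] <= s.value <= lim["hi"]:
            breach_start.pop(s.tag, None)   # back in band: reset breach tracking
            escalated.discard(s.tag)
        elif s.tag not in breach_start:
            breach_start[s.tag] = s.ts      # first out-of-band sample
            alarms.append((s.ts, s.tag, "OUT_OF_BAND"))
        elif s.ts - breach_start[s.tag] >= SUSTAIN and s.tag not in escalated:
            escalated.add(s.tag)            # raise the escalation only once
            alarms.append((s.ts, s.tag, "SUSTAINED_MANUAL_FALLBACK"))
        last[s.tag] = s.value
    return alarms

T0 = datetime(2025, 1, 1, 8, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed samples: a dosing setpoint spike that is reverted, and an outflow
# that jumps and stays high.
SAMPLES = [
    Sample(at(0), "NAOH_DOSE_SP_PPM", 100.0), Sample(at(0), "OUTFLOW_LPS", 200.0),
    Sample(at(5), "NAOH_DOSE_SP_PPM", 105.0), Sample(at(5), "OUTFLOW_LPS", 690.0),
    Sample(at(10), "NAOH_DOSE_SP_PPM", 900.0), Sample(at(10), "OUTFLOW_LPS", 695.0),
    Sample(at(15), "NAOH_DOSE_SP_PPM", 100.0), Sample(at(15), "OUTFLOW_LPS", 697.0),
]

if __name__ == "__main__":
    for ts, tag, kind in evaluate(SAMPLES):
        print(ts.isoformat(), tag, kind)
```

The revert of the dosing setpoint also raises a step-change alarm, which is intentional: every large setpoint move should be attributable to an operator action.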

Economic Impact

Canadian and U.S. municipalities are learning that cyber resilience is not optional. Recovery costs - covering forensics, remediation, downtime, and insurance - often exceed 10× annual cybersecurity budgets.

However, many companies - especially in the private sector - for face-saving reasons and due to the high cost of rebuilding, choose to quietly deal with attackers. To avoid losing customer or stakeholder confidence, such incidents often remain undisclosed, handled confidentially, and never reach the public domain.

Beyond financial loss, public safety and trust are at risk when water treatment, wastewater, or emergency services are disrupted.

Final Note

Cyberattacks are no longer confined to corporate IT. The wave of incidents hitting cities like Hamilton, Durham, Toronto, Halifax, and counterparts across the U.S., Poland, and Australia underscores how exposed water and wastewater systems have become.

Protecting OT and SCADA infrastructure now requires sustained investment, coordination between engineering and IT teams, and board-level prioritization. Waiting for the next major breach could cost far more than prevention.



Linda Hart is a contributor to AutomationMedia, specializing in coverage of industrial automation, smart factories, cyber and digital manufacturing. Her articles highlight emerging technologies and their real-world impact on global industries.
