High Water Mark: CISA Shares Foundations for Effective Cybersecurity and Risk Management

Over the past few years, there has been a steady flow of cyberattacks targeting the water and wastewater industry. The threat of nation-state attacks has never been higher. According to Armis’ recent report, Warfare Without Borders: AI’s Role in the New Age of Cyberwarfare, 87% of IT leaders are concerned about the impact of cyberwarfare on their organizations.
The Chinese state-linked group Volt Typhoon spent months inside the network of Littleton Electric Light and Water Departments in Massachusetts, one of many critical infrastructure targets it has pursued. In November 2023, Iranian-affiliated hackers (CyberAv3ngers) took over an internet-exposed Unitronics PLC at the Municipal Water Authority of Aliquippa, Pennsylvania. In 2024, American Water, the largest regulated water and wastewater utility in the United States, disclosed a cyberattack that forced it to take its customer portal and billing systems offline, although water and wastewater operations were not affected.
According to CISA’s Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, threat actors exploit vulnerabilities in unpatched systems and weak authentication controls to gain access to operational technology (OT) systems. Insufficient network segmentation and exposed remote access points enable lateral movement between systems.
Underlying each of these weaknesses is a lack of visibility into the assets themselves and how they behave: an organization cannot patch, segment, or monitor a device it does not know it has.
According to CISA, developing and maintaining an asset inventory and an OT taxonomy of critical systems enables organizations to prioritize their protection. In doing so, organizations can build the foundation of an effective continuous threat exposure management (CTEM) program.
Too Many Leaks, Not Enough Fingers
In the story of Hans Brinker, a little Dutch boy becomes “The Hero of Haarlem” after plugging a leak in a dike with his finger overnight. Cybersecurity professionals are no strangers to this sort of selfless sacrifice, frequently burning the midnight oil to hold back threats that never sleep. But the reality for many organizations is that there are too many leaks and not enough fingers.
Cybersecurity teams contend with hundreds, if not thousands, of alerts every day, many of them false positives. Roughly 40,000 vulnerabilities were disclosed in 2024 alone, but not all vulnerabilities are created equal. There is a great deal of signal to process and a great deal of noise mixed in with it, which makes the signal harder to act on.
And that only covers the assets organizations know about. Plenty of devices go undiscovered and unmanaged, such as rogue or shadow IoT, alongside mission-critical legacy devices that cannot run an agent, cannot be patched, and cannot be upgraded without being replaced.
However, just as a wastewater plant can turn what flows through it into useful data, for example wastewater surveillance that shows when certain illnesses are on the rise in a community, security teams can extract value from this stream of alerts and vulnerability data; they just need the right facilities to process it.
Waste Not, Want Not
CISA recently published guidance to help OT owners and operators identify and protect mission-critical assets.
An asset inventory is a catalog of enterprise systems, hardware and software alike. An OT taxonomy categorizes those assets and records the relationships between them, which lets organizations prioritize risk remediation and incident response.
According to CISA, the benefits of an OT taxonomy include improved organization and management, enhanced communication, better decision-making, cost-saving efficiencies, and data analytics and insights.
Developing either an asset inventory or an OT taxonomy begins with identifying assets and collecting their attributes, such as IP and MAC address, firmware version, supported communication protocols, network zone, and asset criticality.
An OT taxonomy classifies these assets by criticality or function-based groups within the organization, including control systems, monitoring tools, and management functions.
Within the water and wastewater industry, pumps, aeration systems, emergency shutdown systems, SCADA systems, filtering systems, treatment reactors, chemical dosing systems, and spill containment systems are all examples of high-criticality assets.
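The inventory-to-taxonomy-to-prioritization flow described in this section, as an added example that is not code from CISA's guidance or from Armis: a handful of constructed inventory records are grouped into function-based taxonomy categories, assigned a criticality (using the water-sector functions named above as the high tier), checked for the exposure conditions CISA calls out (internet exposure, unsupported firmware, remote-access protocols on critical gear, a path from the enterprise network into the control zone that bypasses the DMZ, unclassified devices sitting in the control zone), and ranked. The device types per group, the criticality mapping, the scoring weights and the two zone policies are assumptions chosen for illustration.

```python
# Added example (not code from CISA's guidance or from Armis): a minimal asset
# inventory and OT taxonomy over constructed records, with a criticality-weighted
# exposure ranking. Groups, criticality mapping and zone policies are assumptions.
from collections import deque
from dataclasses import dataclass

# Water-sector functions the text lists as high criticality (assumed mapping).
HIGH_CRITICALITY_FUNCTIONS = frozenset({
    "pump", "aeration", "emergency_shutdown", "scada", "filtration",
    "treatment_reactor", "chemical_dosing", "spill_containment",
})
# Function-based taxonomy groups (assumed device types per group).
TAXONOMY = {
    "control": frozenset({"plc", "rtu", "safety_controller"}),
    "monitoring": frozenset({"hmi", "historian", "sensor_gateway"}),
    "management": frozenset({"engineering_workstation", "jump_host"}),
}
REMOTE_ACCESS_PROTOCOLS = frozenset({"rdp", "vnc", "ssh", "telnet"})
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:  # one inventory record: identity, protocols, zone, exposure attributes
    asset_id: str
    ip: str
    device_type: str
    functions: frozenset
    protocols: frozenset
    zone: str
    internet_exposed: bool = False
    unsupported_firmware: bool = False


def taxonomy_group(asset):
    """Map device type to its taxonomy group; unknown types are surfaced as such."""
    for group, types in TAXONOMY.items():
        if asset.device_type in types:
            return group
    return "uncategorized"


def criticality(asset):
    """High for high-criticality process functions, medium for other control or
    monitoring gear, low otherwise."""
    if asset.functions & HIGH_CRITICALITY_FUNCTIONS:
        return "high"
    if taxonomy_group(asset) in ("control", "monitoring"):
        return "medium"
    return "low"


def reachable_zones(start, allowed_flows, blocked=frozenset()):
    """Zones reachable from start over allowed (src, dst) flows without entering a
    blocked zone. Blocking the DMZ asks whether enterprise can reach control around it."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in allowed_flows:
            if src == zone and dst not in seen and dst not in blocked:
                seen.add(dst)
                queue.append(dst)
    return seen


def findings(asset, allowed_flows):
    """Exposure conditions on one asset: the access and lateral-movement enablers
    CISA's guidance calls out, plus an unclassified-device check."""
    out = []
    if asset.internet_exposed:
        out.append("internet-exposed")
    if asset.unsupported_firmware:
        out.append("unsupported firmware")
    if asset.protocols & REMOTE_ACCESS_PROTOCOLS and criticality(asset) == "high":
        out.append("remote-access protocol on high-criticality asset")
    if asset.zone == "control" and "control" in reachable_zones(
            "enterprise", allowed_flows, blocked=frozenset({"dmz"})):
        out.append("control zone reachable from enterprise without traversing the DMZ")
    if taxonomy_group(asset) == "uncategorized" and asset.zone == "control":
        out.append("unclassified device in control zone")
    return out


def prioritize(assets, allowed_flows):
    """Rank assets that have findings by criticality weight times finding count."""
    ranked = []
    for asset in assets:
        found = findings(asset, allowed_flows)
        if found:
            ranked.append((CRITICALITY_WEIGHT[criticality(asset)] * len(found),
                           asset.asset_id, found))
    return sorted(ranked, key=lambda row: (-row[0], row[1]))


# Constructed inventory for a small treatment plant (not real assets).
ASSETS = [
    Asset("PLC-DOSE-01", "10.20.1.10", "plc", frozenset({"chemical_dosing"}),
          frozenset({"modbus"}), "control", unsupported_firmware=True),
    Asset("HMI-SCADA-01", "10.20.1.20", "hmi", frozenset({"scada"}),
          frozenset({"https", "vnc"}), "control", internet_exposed=True),
    Asset("HIST-01", "10.10.5.5", "historian", frozenset(), frozenset({"opc-ua"}), "dmz"),
    Asset("EWS-01", "10.10.0.7", "engineering_workstation", frozenset(),
          frozenset({"rdp"}), "enterprise"),
    Asset("CAM-07", "10.20.1.77", "ip_camera", frozenset(), frozenset({"rtsp"}), "control"),
]
# Constructed zone policies: the current one still carries a legacy plant Wi-Fi
# bridge that lets enterprise hosts reach the control zone around the DMZ.
CURRENT_FLOWS = frozenset({("enterprise", "dmz"), ("dmz", "control"),
                           ("enterprise", "wireless"), ("wireless", "control")})
SEGMENTED_FLOWS = frozenset({("enterprise", "dmz"), ("dmz", "control")})

if __name__ == "__main__":
    for label, flows in (("current", CURRENT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(f"--- {label} zone policy ---")
        for score, asset_id, found in prioritize(ASSETS, flows):
            print(f"{score:>2}  {asset_id:<13} {'; '.join(found)}")
```

Running it with the current policy puts the internet-exposed SCADA HMI first, the chemical-dosing PLC second, and the unclassified camera in the control zone last; switching to the segmented policy removes the "reachable from enterprise" finding from all three, which is exactly the kind of before-and-after comparison an asset inventory makes possible. The camera is the interesting case: it scores low because its criticality is unknown, but it is only on the list at all because the taxonomy step refused to silently drop a device it could not classify.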
Be Like Water
In the immortal words of Bruce Lee, “Be water, my friend.” What Lee meant was to remain adaptable. Water flows, water crashes, water takes the form of whatever vessel it fills. An effective cybersecurity practice is the same way.
Remaining adaptable begins with an asset inventory and an OT taxonomy, which let resources flow to where they are needed most. That requires comprehensive visibility, including what lies below the surface: the unmanaged, legacy, and shadow devices that traditional tools never see.
Likewise, cybersecurity can take on the shape of its environment by integrating security across IT, OT, cloud, and virtualized environments, and by using contextualization to prioritize protecting mission-critical assets. Organizations can map threats to frameworks, such as MITRE ATT&CK and its ICS matrix, to gain even greater insight and awareness.
These frameworks help shape an organization's cybersecurity program. In addition to CISA’s recent guidance, the EPA also published cybersecurity guidance in October 2025 after finding major gaps in the water sector, which also calls for improved visibility.
While gaining visibility into these risks and threats is an essential element of CTEM, it is just the foundation. Attack path validation simulates how a real-world attacker would move through the environment, so that organizations can identify which vulnerable and exposed assets actually matter. Network segmentation prevents lateral movement the way a check valve keeps water flowing in one direction: an attacker who lands in the enterprise network should have no direct route into the control network.
Organizations should also implement continuous monitoring to discover when new devices connect to the network and when new vulnerabilities expose existing devices, together with behavioral analytics that flag activity inconsistent with a device's known role, such as a PLC that suddenly reaches out to the internet. AI-enabled solutions can help detect such behavioral anomalies and automate routine triage, freeing analysts for the alerts that matter.
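The continuous-monitoring and behavioral-analytics idea above, as an added example (not Armis or CISA code): a small detector that compares passively observed flow records against a baseline derived from the asset inventory and raises alerts for a device that is not in the inventory, a known device that changes address, a known device initiating a connection it never normally makes, an ICS protocol arriving from outside the control zone, an inbound connection to a port the inventory does not list as a service, and one source touching many Modbus targets. The flow-record format, the baseline, the port table, the scan threshold and the sample log lines are all constructed assumptions.

```python
# Added example (not Armis or CISA code): continuous-monitoring detections that
# compare passively observed flows against an inventory baseline. The log format,
# the baseline, the port table and the scan threshold are all assumptions.
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) smac=(?P<smac>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
# Per-device baseline derived from the inventory (constructed): expected address,
# zone, ports the device initiates connections to, and ports it serves.
BASELINE = {
    "00:1b:1b:aa:00:01": {"id": "PLC-DOSE-01", "ip": "10.20.1.10", "zone": "control",
                          "client_ports": set(), "server_ports": {502}},
    "00:1b:1b:aa:00:02": {"id": "HMI-SCADA-01", "ip": "10.20.1.20", "zone": "control",
                          "client_ports": {502}, "server_ports": {443, 5900}},
    "00:50:56:bb:00:07": {"id": "EWS-01", "ip": "10.10.0.7", "zone": "enterprise",
                          "client_ports": {443, 3389}, "server_ports": set()},
}
IP_TO_MAC = {profile["ip"]: mac for mac, profile in BASELINE.items()}
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
SCAN_THRESHOLD = 5  # distinct targets on one ICS port from a single source


def parse(line):
    """Parse one flow record; returns None for lines that do not match the format."""
    match = LINE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines):
    """Return (timestamp, subject, message) alerts for inventory and behavior deviations."""
    alerts, seen_unknown = [], set()
    ics_targets = defaultdict(set)  # (source MAC, ICS port) -> distinct destinations
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        profile = BASELINE.get(rec["smac"])
        if profile is None:
            subject = rec["smac"]
            if subject not in seen_unknown:  # new-device discovery: alert once per MAC
                seen_unknown.add(subject)
                alerts.append((rec["ts"], subject, "unknown device not in asset inventory"))
        else:
            subject = profile["id"]
            if rec["src"] != profile["ip"]:
                alerts.append((rec["ts"], subject,
                               f"address change: inventory says {profile['ip']}, observed {rec['src']}"))
            if rec["dport"] not in profile["client_ports"]:
                alerts.append((rec["ts"], subject,
                               f"unexpected outbound connection to port {rec['dport']}"))
            if rec["dport"] in ICS_PORTS and profile["zone"] != "control":
                alerts.append((rec["ts"], subject,
                               f"{ICS_PORTS[rec['dport']]} traffic from outside the control zone ({profile['zone']})"))
        dst_mac = IP_TO_MAC.get(rec["dst"])
        if dst_mac and rec["dport"] not in BASELINE[dst_mac]["server_ports"]:
            alerts.append((rec["ts"], BASELINE[dst_mac]["id"],
                           f"inbound connection on port {rec['dport']}, not an inventoried service"))
        if rec["dport"] in ICS_PORTS:
            targets = ics_targets[(rec["smac"], rec["dport"])]
            targets.add(rec["dst"])
            if len(targets) == SCAN_THRESHOLD:
                alerts.append((rec["ts"], subject,
                               f"possible {ICS_PORTS[rec['dport']]} scan: {SCAN_THRESHOLD} distinct targets"))
    return alerts


# Constructed flow records from a passive sensor (not real traffic).
SAMPLE_LOG = [
    "2025-11-03T02:14:07Z src=10.20.1.20 smac=00:1b:1b:aa:00:02 dst=10.20.1.10 dport=502 proto=tcp",
    "2025-11-03T02:15:41Z src=10.10.0.7 smac=00:50:56:bb:00:07 dst=10.20.1.10 dport=502 proto=tcp",
    "2025-11-03T02:16:03Z src=10.20.1.10 smac=00:1b:1b:aa:00:01 dst=8.8.8.8 dport=53 proto=udp",
    "2025-11-03T02:17:22Z src=10.20.1.77 smac=3c:8c:f8:11:22:33 dst=10.20.1.20 dport=5900 proto=tcp",
    "2025-11-03T02:18:01Z src=10.20.1.77 smac=3c:8c:f8:11:22:33 dst=10.20.1.10 dport=502 proto=tcp",
    "2025-11-03T02:18:02Z src=10.20.1.77 smac=3c:8c:f8:11:22:33 dst=10.20.1.11 dport=502 proto=tcp",
    "2025-11-03T02:18:03Z src=10.20.1.77 smac=3c:8c:f8:11:22:33 dst=10.20.1.12 dport=502 proto=tcp",
    "2025-11-03T02:18:04Z src=10.20.1.77 smac=3c:8c:f8:11:22:33 dst=10.20.1.13 dport=502 proto=tcp",
    "2025-11-03T02:18:05Z src=10.20.1.77 smac=3c:8c:f8:11:22:33 dst=10.20.1.14 dport=502 proto=tcp",
    "sensor heartbeat (not a flow record)",
]

if __name__ == "__main__":
    for ts, subject, message in analyze(SAMPLE_LOG):
        print(ts, subject, message)
```

The normal HMI-to-PLC Modbus poll produces nothing; the engineering workstation reaching a PLC directly from the enterprise zone, the PLC performing a DNS lookup to the internet, and the never-inventoried host that first connects to the HMI's VNC port and then sweeps five Modbus targets each produce an alert. Every one of these detections is only possible because the baseline knows what each device is supposed to do, which is why the inventory comes first and the analytics second.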
Ultimately, in cybersecurity, as in nature, resilience flows from flexibility. Establishing a CTEM program is the foundation of this resilience. From local governments to the nation at large, this requires a whole-of-state and whole-of-nation approach across the public sector.
