Critical Cybersecurity for Safer Water Management

This white paper provides an analysis of data from a 2024 industrial control system/operating technology (ICS/OT) cybersecurity survey for the water sector, focusing on providing actionable strategies to protect water and wastewater critical engineering components, such as pumping stations, collection networks, treatment facilities, distribution systems, and digital control and monitoring systems, including central SCADA systems.

The paper emphasizes the importance of skilled ICS cybersecurity defenders and ICS-specific security controls aligning with the SANS Five ICS Cybersecurity Critical Controls.

By referencing real-world incidents and survey data insights, this white paper also identifies key challenges and overall cybersecurity guidance for water utilities to strengthen their ICS/OT cybersecurity programs.

Key insights from the survey:

  • 39% of water facilities are unable to operate manually in an attack or are unsure of whether they can.
  • 71% of water facilities have limited or no ICS/OT network monitoring capabilities.
  • 26% of facilities reported having had at least one security incident in the past year.
  • Only 58% of respondents have a dedicated ICS/OT incident response plan.
  • Some reporting structures can lead to risks impacting water system operations and safety.

SANS_Survey_2025-ICS-Water (PDF, 3.69MB)

28 Jan 2025
By Dean Parsons
All papers are copyrighted

No re-posting of papers is permitted

Related Content

Sanitized in the Source: Removing Embedded Objects from PLC Projects with CDR

Research Paper

This research seeks to outline a methodology to sanitize supported PLC project files for security while also confirming their operational reliability.

  • 16 Apr 2026

ICS Asset Inventory: Passive, or Active? Siemens S7-1200 PLCs

Research Paper

This research builds on previous research to determine what information can and cannot be gleaned solely from passive traffic analysis, specifically for a Siemens S7-1200 PLC.

  • 12 Mar 2026

Protecting OT’s Inherent Front-End Vulnerabilities: Legacy SQL Dependencies in Building Automation Systems Through the Lens of the SANS ICS Five Critical Controls

Research Paper

This research presents a practical method for building a Software Bill of Materials (SBOM) for BAS front ends, augmenting it with Shodan exposure analysis, classifying it in a risk heat map, and mitigating using the SANS ICS Five Controls, with an emphasis on Risk-Based Vulnerability Management and Defensible Architecture.

  • 9 Feb 2026

Defensible IEC 61850 Substation Network Security Monitoring with Zeek

Research Paper

This study introduces a Zeek-based monitoring framework that leverages transport layer and layer two invariants, such as MAC and VLAN integrity, multicast group membership, traffic rates, and MMS connection behavior, to detect the most consequential precursors to substation misoperation.

  • 26 Jan 2026

Code Modularity as a Heuristic for Malware Design

Research Paper

Malware targeting industrial control systems (ICS) and critical infrastructure often exhibits a modular architecture, using a central loader to execute interchangeable payload modules.

  • 7 Nov 2025

OT Network Visibility and Detective Controls in a NERC CIP World

Research Paper

As cyber threats grow and regulations evolve, critical infrastructure must balance compliance and innovation.

  • 20 Aug 2025
  • Tim Conway

NERC CIP-015: Monitoring Deep Inside Critical Networks to Keep Adversaries Outside

Research Paper

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards (hereinafter referred to as the Standards) require preventive controls to establish Electronic Security Perimeters (ESPs) containing Bulk Electric System (BES) Cyber Systems and to control communications in and out of those ESPs.

  • 14 Aug 2025
  • Tim Conway, Robert M. Lee

Prioritized Industrial Cyber Defense in Oil and Gas

Research Paper

SANS Institute developed a white paper exclusively for ONE-ISAC members to address the urgent cybersecurity challenges facing the oil and gas sector.

  • 13 Jun 2025
  • Dean Parsons

Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender

Research Paper

Using the SANS ICS Cyber Kill Chain, the research implemented a representative ICS network to evaluate the effectiveness of security controls for use by small ICS defenders.

  • 14 Apr 2025

2025 ICS/OT Cybersecurity Budget: Spending Trends, Challenges, and the Future

Research Paper

This white paper explores the findings of the 2025 SANS Survey on ICS/OT Security Budgets.

  • 3 Mar 2025
  • Dean Parsons

Industrial Control System Internal Network Security Monitoring with Open-Source Tools

Research Paper

Security vendors have made many advances in internal network security monitoring (INSM) in recent...

  • 5 Dec 2024

False Data Injection Attacks Against Distribution Automation Systems

Research Paper

Utility companies increasingly rely on automated switching to provide their customers with a...

  • 5 Dec 2024

Shedding Light on OT Anomalies: Parsing Proprietary OT Protocols with Zeek

Research Paper

Many traditional intrusion detection systems (IDS) may struggle with the unique devices and...

  • 9 Oct 2024

SANS 2024 State of ICS/OT Cybersecurity

Research Paper

In this white paper, SANS Certified Instructor Jason Christopher explores the growing trends in cyber...

  • 9 Oct 2024
  • SANS Institute

Mode Matters: Monitoring PLCs for Detecting Potential ICS/OT Incidents

Research Paper

There is a blind spot regarding cyber security in many Industrial Control Systems (ICS) and...

  • 28 Feb 2024

Can Open-Source Tools Be Used to Safely Scan a Modern ICS Environment?

Research Paper

This research delves into the long-standing belief within the Operational Technology (OT) security...

  • 27 Nov 2023

Private 5G, "Not as Private as You May Think"

Research Paper

Private 5G networks and the transition to Industry 4.0 are gaining traction as demand increases for...

  • 10 Oct 2023

Implementing Scalable Security for Devices Without 802.1x Support

Research Paper

Enterprises often implement 802.1x to control access to wired and wireless networks by...

  • 21 Dec 2022

Transparently Insecure Operational Technology: A Contextual Analysis

Research Paper

In cybersecurity, countering threats depends on an ability to see and respond to attacks. However,...

  • 6 Jan 2022

You Cannot Defend What You Cannot See: Gaining Insight into Proprietary Protocols through Custom Parsers with Zeek

Research Paper

A vital component of any information security architecture is a network intrusion detection...

  • 6 Jan 2022