Vulnerabilities of Water and Sewer Utilities

Water and wastewater systems are complex, distributed, and in many cases partly exposed to the environment, making them vulnerable to intentional acts such as vandalism, sabotage, or terrorism. Although it is impossible to completely shield all components, utilities can—and must—take steps to reduce risks and be prepared to respond when threats arise.

In practice, the most serious threats are often internal or local in origin: discontented former employees, individuals with system knowledge, or other insiders. These risks can exceed those posed by remote actors because insiders have access, motive, and understanding of system vulnerabilities.

Potential threat vectors include:

• Disruption of power supply to water treatment plants or pumping stations, rendering the system unable to operate
• Damage to treatment facilities, reservoirs, storage tanks, distribution mains, pump stations, or critical control infrastructure
• Unauthorized access or tampering with chemical storage (chlorine, disinfectants, etc.)
• Targeting of key employees or removal of operational personnel
• Physical sabotage of infrastructure leading to outages lasting hours, days, or longer

Because digital control and automation systems are now central to utility operations, cybersecurity is an essential element of overall security. Threats such as unauthorized remote access, malware, compromised human-machine interface (HMI) systems, and default or weak credentials can directly undermine operations. Federal agencies increasingly emphasize that utilities adopt cybersecurity “hygiene,” risk and resilience assessments, incident response planning, and regular audits.

Mitigating the Risk: Planning, Prevention, and Coordination

To reduce vulnerability and improve readiness, utilities should:

• Develop and exercise an emergency response plan
  Include utility personnel, local law enforcement, fire, EMS, emergency management, and other relevant agencies. Define roles, contacts, and procedures in advance so that a coordinated response is possible during a crisis.
• Restrict access and monitor facilities
  Use physical barriers (fences, locked gates), limit entry points, install cameras and alarms in critical locations, and require identification or access control for personnel entering sensitive areas.
• Conduct personnel screening and awareness
  Perform background checks during hiring, and educate staff about security awareness. Encourage personnel to report unusual behavior, unauthorized presence, or suspicious activity.
• Monitor and enforce vigilance
  Staff should routinely patrol sites, question unfamiliar individuals, and document unusual conditions. Any threats or anomalies should be escalated and investigated seriously.
• Implement cybersecurity measures
  Meet regulatory requirements (such as Tennessee’s rules for utility cybersecurity)
  • Change default passwords immediately
  • Segregate operational technology (OT) and information technology (IT) networks
  • Perform regular cybersecurity assessments and audits
  • Maintain backups and disaster recovery plans
  • Develop and test incident response and recovery procedures
  • Limit remote access to essential personnel only, and use secure VPNs, multi-factor authentication, and encryption
• Inspect critical components frequently
  Manholes, valves, storage tanks, pump stations, chemical feed systems, and control panels should be inspected regularly. Vulnerabilities around manholes (especially those in low spots, near runoff, or in brick structures) are well-documented.
• Prioritize risk-based rehabilitation and security investments
  Focus first on the most critical assets (interceptors, main trunk lines, treatment plants). Begin remediation at lower elevations or near groundwater where infiltration or damage may propagate. Include upgrades to cover ancillary lines and taps to a level above anticipated groundwater exposure.
• Perform 100% inspection for new or rehabilitated sections
  Ensure that all repairs or replacements are verified through CCTV, pressure testing, or other appropriate inspection to confirm effectiveness.

By combining physical security, personnel vigilance, planning, and cybersecurity, utilities can significantly reduce their exposure to threat. While no utility should expect to face a full-scale terrorist act, having thoughtful, practiced procedures in place means responses will be faster, more coordinated, and less disruptive.