Five Water Plants Breached in Poland: A Warning We Can’t Ignore

Solutions Architect
May 14, 2026

What the Poland water plant breaches reveal about critical infrastructure risk.

Polish authorities recently disclosed industrial control system (ICS) breaches at five water treatment facilities, the latest in a sustained pattern of operational technology (OT) intrusions targeting the water sector across NATO countries. The disclosure follows years of warnings from CISA, the EPA, and the Water Information Sharing and Analysis Center (WaterISAC) about exposed programmable logic controllers (PLCs), human-machine interfaces (HMIs), and supervisory systems reachable from the public internet. CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps, demonstrated the same playbook against the Municipal Water Authority of Aliquippa, Pennsylvania, in November 2023; the Volt Typhoon campaign has separately confirmed that nation-state actors are pre-positioning inside U.S. water and wastewater systems for potential disruption during a future crisis.

For state and local water authorities, this is no longer an abstract threat. EPA’s enforcement alert under the America’s Water Infrastructure Act (AWIA), CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), and National Security Memorandum 22 on Critical Infrastructure Security and Resilience all converge on the same expectation: utilities must know what is connected to their networks, control who can access them, and detect and respond to anomalies in near real time. State homeland security advisors and primacy agencies face those same expectations downstream, often without the staff or tooling to meet them. Most cannot, today, clear that bar.

Why Traditional Approaches Fall Short

Most water utilities, and especially the roughly 50,000 community water systems serving fewer than 10,000 customers, have built their cybersecurity around enterprise IT assumptions: agent-based endpoint protection, perimeter firewalls, and periodic vulnerability scans. None of those translate cleanly to the OT environment. PLCs, sensors, and SCADA historians cannot host agents. Active scanning can crash legacy controllers. Firewall rules written for office networks rarely account for engineering workstations, vendor remote access, or the dual-homed jump boxes that auditors find on nearly every site survey.

The result is a visibility and access problem that more tools will not solve. Agencies report dozens of point products, fragmented dashboards, and security teams that learn about an OT incident from an operator’s phone call rather than a SIEM alert. Compliance reporting, when it happens, captures the last known state of an environment that has already changed. The Polish disclosures reinforce a hard truth: when adversaries can find an exposed HMI on a public IP, traverse a flat network, and reach process logic, the defensive gap is structural. It calls for an architecture, not another agent.

A Proven Path Forward

RavenTek helps federal, state, and local governments, along with public utility companies, close this gap by integrating four capabilities that, together, deliver an outcome regulators and ratepayers can both recognize: a water system that knows itself, controls itself, and defends itself. Armis provides agentless, passive discovery of every connected device across IT, OT, IoT, and IoMT, building a live asset inventory that includes the unmanaged controllers, serial-to-Ethernet converters, and engineering laptops that traditional tools miss. Censys turns the adversary’s perspective into a defender’s advantage, continuously identifying the utility’s exposed services, certificates, and forgotten cloud assets before the next CyberAv3ngers-style scan finds them first.

From there, Zscaler enforces zero trust access for the operators, integrators, and contract engineers who legitimately need to reach OT environments, replacing always-on VPNs and shared jump hosts with identity-bound, brokered sessions that are logged and revocable. Tines stitches the response together, automating the triage, enrichment, and containment workflows that small utility security teams cannot staff around the clock, and feeding the resulting evidence back into the asset and exposure record. The outcome is not a stack of products; it is a measurable shift in posture. Asset coverage moves from estimates to evidence. Remote access moves from implicit trust to verified intent. Incident response moves from hours of phone calls to minutes of orchestrated action, aligned to the CISA CPGs and EPA’s expectations under AWIA.

What Federal, State, and Local Governments Can Do Now

Four steps are within reach this quarter. First, commission an external attack surface assessment to identify any HMIs, VPN concentrators, or vendor portals exposed to the public internet, and remediate the highest-risk findings within 30 days.

Second, deploy passive OT and IoT asset discovery across at least one representative water treatment site to establish a baseline inventory and surface unmanaged connections, vendor devices, and east-west traffic that current tools cannot see.

Third, inventory and consolidate third-party and operator remote access pathways under a brokered, identity-aware model, eliminating shared credentials and always-on tunnels.

Fourth, document and automate the top five OT incident response playbooks, starting with unauthorized HMI access, PLC configuration changes, and anomalous outbound traffic from the process network.
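The three playbook triggers named in the fourth step, expressed as detection logic over flow records, as an added example that is not RavenTek's or any vendor's code. The process-network range, host roles, allowlists, and sample flow records are constructed assumptions; the Modbus function codes 5, 6, 15 and 16 are the standard write operations.

```python
import ipaddress

# Constructed network model (assumed, not from the post): a Purdue level 1/2 process
# network, its allowed egress (historian), the hosts permitted to write PLC logic,
# the HMI, and the relay that brokers zero-trust operator sessions.
PROCESS_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_EGRESS = {"10.30.0.5"}                   # historian in the IT/OT DMZ
PLC_WRITERS = {"10.20.50.10", "10.20.10.20"}     # engineering workstation and HMI
HMI_HOSTS = {"10.20.10.20"}
ACCESS_RELAY = {"10.30.0.9"}                     # brokered remote-access relay
HMI_PORTS = {3389, 5900}                         # RDP / VNC
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}              # write coil(s) / register(s)

def parse_flow(line):
    """Parse one constructed flow record: 'ts src dst dport proto [func=N]'."""
    p = line.split()
    flow = {"ts": p[0], "src": p[1], "dst": p[2], "dport": int(p[3]), "proto": p[4], "func": None}
    for extra in p[5:]:
        key, _, value = extra.partition("=")
        if key == "func":
            flow["func"] = int(value)
    return flow

def triage(lines):
    """Apply the three playbook triggers; return (rule, src, dst) alerts in record order."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        # 1. Unauthorized HMI access: an interactive session that did not come via the relay.
        if f["dst"] in HMI_HOSTS and f["dport"] in HMI_PORTS and f["src"] not in ACCESS_RELAY:
            alerts.append(("unauthorized_hmi_access", f["src"], f["dst"]))
        # 2. PLC configuration change: a Modbus write from a host that should never write.
        if f["proto"] == "modbus" and f["func"] in MODBUS_WRITE_FUNCS and f["src"] not in PLC_WRITERS:
            alerts.append(("plc_write_from_unauthorized_host", f["src"], f["dst"]))
        # 3. Anomalous outbound: the process network reaching past its allowlisted egress.
        if src in PROCESS_NET and dst not in PROCESS_NET and f["dst"] not in ALLOWED_EGRESS:
            alerts.append(("anomalous_outbound", f["src"], f["dst"]))
    return alerts

SAMPLE_FLOWS = [  # constructed records
    "2026-05-14T02:10:01Z 10.30.0.9 10.20.10.20 3389 rdp",            # brokered operator session: ok
    "2026-05-14T02:11:45Z 192.0.2.77 10.20.10.20 5900 vnc",           # direct VNC to the HMI
    "2026-05-14T02:12:03Z 10.20.50.10 10.20.1.5 502 modbus func=16",  # EWS writing registers: ok
    "2026-05-14T02:12:30Z 10.20.60.33 10.20.1.5 502 modbus func=16",  # unknown host writing registers
    "2026-05-14T02:13:00Z 10.20.1.5 10.30.0.5 4840 opcua",            # PLC to historian: ok
    "2026-05-14T02:13:20Z 10.20.1.5 198.51.100.4 443 tls",            # PLC reaching the internet
]
```

Each alert tuple maps directly onto one of the three playbooks, so a SOAR workflow can branch on the rule name and carry the source and destination into enrichment and containment.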

The Polish disclosures are a reminder that the window between disclosure and the next incident is short; the work to close it does not have to start from scratch. RavenTek works alongside federal, state, and local governments and public utility companies at every stage of OT cybersecurity maturity, from initial site surveys and CPG gap assessments through integrated deployment and continuous operations.