Water Treatment Plants Run on Decades-Old Control Systems with No Patching

The industrial control systems (ICS) and SCADA systems that operate water treatment plants, dams, and wastewater facilities across the United States are among the most vulnerable pieces of critical infrastructure to cyber attack. Many of these systems run on Windows XP or even older operating systems that no longer receive security patches, connected to the internet through configurations that were never designed with adversarial threat models in mind. When an attacker gains access to a water treatment plant's control system, the consequences can be immediately dangerous. In the 2021 Oldsmar, Florida incident, an attacker briefly increased sodium hydroxide (lye) levels to 100 times the normal amount. Had an operator not noticed and reversed the change within minutes, the water supply for 15,000 people could have been poisoned. This was not a sophisticated nation-state operation; it exploited TeamViewer remote access software with a shared password. The fact that a low-sophistication attack came this close to poisoning a town's water supply reveals how thin the safety margins are. The structural reason this persists is that water utilities in the U.S. are overwhelmingly small and underfunded. Of the roughly 50,000 community water systems, the vast majority serve fewer than 10,000 people and lack dedicated IT staff, let alone cybersecurity specialists. The EPA has limited enforcement authority for cyber standards, and unlike the electricity sector (which has NERC CIP mandates), the water sector has no binding federal cybersecurity regulations. Upgrading SCADA systems is expensive and operationally risky because taking systems offline for upgrades can itself disrupt service. This creates a perpetual deferral cycle where upgrades are always "next year's budget item" until an incident forces action.