Water and wastewater systems keep showing up in nation-state targeting for a simple reason: they are high-trust public services with uneven security maturity. A new Dark Reading report, based on DomainTools research, highlights a pattern defenders should take seriously: attackers do not need exotic ICS malware when exposed control interfaces, weak passwords, shared accounts, and flat IT/OT networks are still available.

What happened

The reporting tracks water-sector activity tied to Iranian, Russian, and Chinese threat streams from 2024 through 2026. The activity differs by actor, but the access paths look familiar: internet-facing PLCs and HMIs, remote access services, weak or default credentials, vulnerable edge devices, and poor segmentation between business systems and operational environments.

Iran-linked activity has leaned toward exposed PLCs and psychological signaling. Russian-aligned activity has shown a greater willingness to manipulate water-control environments directly. China-linked Volt Typhoon activity is strategically different: quiet persistence, reconnaissance, and pre-positioning across critical infrastructure that could matter during a future geopolitical crisis.

Why this matters to SMBs and government contractors

This is not just a water-utility problem. Many small businesses, manufacturers, municipalities, and government contractors operate OT-adjacent systems: building controls, physical access systems, cameras, environmental sensors, lab equipment, generators, HVAC, pumps, and remote vendor management portals. Those systems often sit near ordinary IT assets, but they do not always receive ordinary security care.

The key lesson is uncomfortable but useful: state actors can exploit the same basic weaknesses criminals use. A billing portal, vendor VPN, unmanaged jump box, exposed HMI, or stale engineering workstation may be enough to create operational risk or gather intelligence for later use.

Defensive takeaways

  • Inventory OT and OT-adjacent assets. Include PLCs, HMIs, remote access tools, engineering workstations, cameras, sensors, building controls, and vendor-managed systems.
  • Remove internet exposure. HMIs, PLCs, SCADA panels, and engineering interfaces should not be reachable from the public internet. If remote access is required, force it through hardened VPN/ZTNA with MFA, logging, and named accounts.
  • Kill shared and default credentials. Replace shared operator logins with accountable identities wherever possible. Rotate vendor credentials and disable unused accounts.
  • Segment IT from OT. Treat business networks, cloud services, and remote support paths as untrusted until proven otherwise. Use allow-listed pathways, not broad internal reachability.
  • Monitor for living-off-the-land behavior. State actors often use legitimate tools, remote access, stolen credentials, and native administrative utilities before any obvious malware appears.
  • Practice manual fallback. For water systems and other operational environments, resilience is not just blocking intrusion; it is knowing how to run safely when automation is impaired.

Bulwark Black assessment

The near-term threat is not usually a cinematic, custom-built OT attack. The more likely scenario is a low-complexity compromise that creates local disruption, public fear, response costs, or useful reconnaissance. That makes baseline controls matter more, not less.

For resource-constrained organizations, the best first move is not buying another dashboard. Start by proving what is exposed, who can access it, how IT and OT are segmented, and whether vendor paths are logged and controlled. If those fundamentals are weak, a sophisticated adversary may not need sophistication.

Original reporting: Dark Reading — Iran, Russia, China Target Water Systems for Sabotage. Supporting research: DomainTools — Nation-State Targeting of Water Systems 2024–2026.