TL;DR: Water infrastructure remains exposed to default-password access, flat networks, and weak OT visibility, while EPA has published four planning resources to help utilities improve incident response and continuity, according to Elisity. The real issue is governance, not tooling: utilities need enforceable segmentation and identity-aware control before attackers move from IT footholds into OT systems.
At a glance
What this is: This is an independent analysis of EPA’s new water-sector cybersecurity planning resources and the threat patterns that make them necessary.
Why it matters: It matters because water utilities need to reduce lateral movement, improve incident readiness, and align OT security with identity-aware controls that can limit blast radius across IT and operational systems.
By the numbers:
- Lateral movement is the preferred tactic used in 70% of successful breaches because it allows cybercriminals to spread across an organization to find valuable data and assets.
- The district's pilot discovered approximately 885 devices within a short period, ranging from office IT devices to plant control systems.
- By integrating with Active Directory and endpoint security tools, 336 devices matched entries in directory services and 517 had security agents installed.
👉 Read Elisity's analysis of EPA cybersecurity planning tools for water utilities
Context
Water utilities are being forced to treat cybersecurity as an operational continuity problem, not just an IT hygiene issue. The article shows how default passwords, exposed OT systems, and flat networks create the conditions for lateral movement from business systems into SCADA and PLC environments, which is a classic access-control failure as much as a network design problem.
The identity angle is real even in an OT-heavy story. Default credentials, unmanaged device identities, and weak segmentation all determine whether an attacker can turn a single foothold into control of critical infrastructure, so the relevant question is how identity-aware enforcement contains trust before it spreads across IT and OT domains.
Key questions
Q: What breaks when default passwords remain on OT systems?
A: Default passwords turn critical infrastructure devices into easy entry points, especially when those systems are internet-exposed or poorly monitored. Once an attacker authenticates with unchanged credentials, they may not need exploitation at all. The result is often direct movement toward higher-value operational assets, with containment becoming much harder after the first login.
Q: Why do flat IT and OT networks increase cyber risk in utilities?
A: Flat networks let an attacker who compromises one system see and reach many others, including engineering and control assets. In a utility, that means a business-side intrusion can become an OT incident with little resistance. Segmentation matters because it converts one breach into a contained event instead of a facility-wide path.
Q: How do organisations know whether OT asset inventory is good enough?
A: Inventory is good enough only when it ties devices to communication paths, owners, and enforcement points, not just to IP addresses. If teams cannot explain what a device talks to, who is responsible for it, and how it is isolated, the inventory is incomplete for security purposes. Visibility must support action, not just reporting.
Q: Who is accountable when cyberattacks disrupt water operations?
A: Accountability usually spans utility leadership, operations, security, and regulated compliance functions because disruption affects service continuity, public safety, and reporting obligations. The practical answer is to assign clear decision authority before an incident, then rehearse it through tabletop exercises. If no one owns containment, recovery becomes slower and riskier.
Technical breakdown
Why weak authentication opens the first door in OT environments
Operational technology environments often inherit weak authentication because the systems were designed for uptime and deterministic control, not modern identity governance. Default passwords, shared accounts, and devices that cannot support agents make initial access easier than in a well-managed enterprise environment. Once exposed systems sit on the internet or on poorly monitored internal networks, attackers do not need advanced exploits to begin. They can simply log in, pivot, and search for the shortest path to high-value control assets.
Practical implication: replace default and shared credentials first, because the first access point is often the cheapest one for an attacker to exploit.
How flat network design turns access into lateral movement
A flat OT/IT environment lets a compromise in one zone become a compromise in many zones. Without segmentation, an attacker who lands in a business network can often reach engineering workstations, SCADA interfaces, or management systems with little resistance. This is why segmentation matters more than perimeter trust in infrastructure networks. The control objective is not to stop every connection, but to ensure every connection is intentional, minimal, and tied to a clearly understood operational need.
Practical implication: map and enforce allowed communications between IT, OT, IoT, and remote access zones before an attacker does it for you.
Why asset inventory is a prerequisite for identity-aware OT control
You cannot govern what you cannot see. In mixed OT environments, unknown devices, shadow connections, and poorly documented communications make policy enforcement unreliable. Asset inventory is more than a list of IPs; it is the foundation for understanding which devices exist, what they do, and which identities or systems they can reach. That visibility becomes the basis for least-privilege access decisions, incident scoping, and recovery planning when a cyber event hits critical operations.
Practical implication: build a living inventory that ties devices, identities, and communication paths together before attempting fine-grained segmentation.
Threat narrative
Attacker objective: The attacker aims to disrupt utility operations, gain control over critical systems, or create enough access to support ransomware, sabotage, or long-term surveillance.
- Entry begins with weak authentication or default passwords on internet-exposed or poorly secured OT systems, giving attackers a foothold without needing a complex exploit.
- Escalation follows when the attacker uses flat network architecture and limited segmentation to move from the initial system toward more sensitive control assets.
- Impact occurs when the attacker reaches critical operational technology, disrupts services, manipulates control systems, or establishes persistence inside the utility environment.
NHI Mgmt Group analysis
Identity-aware segmentation is now a water-sector resilience control, not a network luxury. The article shows that the real risk is not just internet exposure, but the ability of a compromised identity or device to move laterally into OT assets. In that sense, water security is converging with IAM and NHI governance because access paths, not only packet paths, determine blast radius. Practitioners should treat segmentation as a governance mechanism that enforces least privilege across systems and identities.
Default passwords in OT are the most visible symptom of a deeper lifecycle failure. The problem is not simply weak authentication at the edge, but the absence of disciplined identity lifecycle management for devices, operators, and service interfaces. That gap creates standing access that persists far beyond its original purpose, which is exactly how attackers turn one credential into operational control. Practitioners should focus on lifecycle closure for every credentialed asset, not just perimeter hardening.
Asset visibility is the named concept this topic keeps exposing: device-identity sprawl. Water utilities are discovering that inventories often lag reality by hundreds or thousands of endpoints, which makes policy enforcement and incident response incomplete from the start. The article’s examples show that once inventory and identity context are aligned, previously unknown systems become governable. Practitioners should make identity-linked discovery the prerequisite for any serious OT control programme.
Regulatory pressure is pushing utilities toward measurable control outcomes rather than narrative assurance. The article ties cyber resilience to federal guidance, insurance scrutiny, and board oversight, which means utilities will be judged on whether they can demonstrate containment, continuity, and response readiness. That shifts the governance question from whether security exists to whether it is provably effective. Practitioners should align control reporting with evidence of reduced lateral movement and improved recovery.
Microsegmentation is becoming the practical bridge between OT operations and identity governance. The strongest theme in the article is not a tool choice, but the need to express trust relationships in a form that can be enforced across mixed infrastructure. When OT devices cannot run agents, policy has to be applied where traffic can be controlled and where identity context still matters. Practitioners should design for enforceable trust boundaries, not assume legacy systems will self-protect.
What this signals
Device-identity sprawl is becoming a defining risk in critical infrastructure because utilities cannot defend what they cannot enumerate, classify, and constrain. The practical shift is toward identity-linked discovery, policy enforcement at the communication layer, and evidence that segmentation is actually reducing reachability, not just rearranging topology. For the control backdrop, see NIST Cybersecurity Framework 2.0 and MITRE ATT&CK Enterprise Matrix.
The next phase of water-sector security will be measured less by policy documents and more by whether an operator can show that one compromise stays local. That will push utilities to combine OT inventory, identity context, and response playbooks into a single operational model that supports containment, recovery, and auditability. For lifecycle context, use The 52 NHI breaches Report to connect access failures with real breach patterns.
For practitioners
- Eliminate standing default access on OT endpoints Inventory every water-sector control device, remove default passwords, and replace shared credentials with unique, documented access paths. Prioritise systems that can influence pumps, valves, or treatment operations because they create the fastest path from login to impact.
- Map and enforce allowed IT-to-OT communication paths Define which business systems, engineering workstations, and remote access channels may talk to which OT assets, then block everything else. Use this to reduce lateral movement from an IT foothold into control environments.
- Tie asset discovery to identity context Correlate discovered devices with directory entries, security agents, and management systems so that every endpoint has an identity, an owner, or an escalation path. Without that mapping, response teams will miss devices during containment and recovery.
- Test incident response with OT-specific tabletop exercises Run exercises that assume both IT and OT disruption, including manual operating modes, communication cascades, and decision authority during a cyber event. Use the EPA checklists as the basis for rehearsing those conditions before a real incident forces them.
- Report lateral movement risk in operational terms Translate security metrics into board-ready evidence showing how segmentation, credential hygiene, and inventory coverage reduce the chance of service disruption. Water leaders need to understand which controls protect continuity, not just which tools were deployed.
Key takeaways
- Water utilities face a compound risk from default credentials, flat networks, and weak OT visibility, which turns a single foothold into a pathway to critical systems.
- The article’s evidence points to real operational scale, including an inventory pilot that identified 885 devices and a security environment where 336 devices mapped to directory services.
- The most effective response is not abstract resilience language but enforceable segmentation, identity-linked discovery, and incident response that can operate when OT automation fails.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article centers on weak credentials and movement across flat OT networks. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and network segmentation are the core control themes. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement directly supports segmentation across IT and OT. |
| NIST Zero Trust (SP 800-207) | The article repeatedly points to zero-trust segmentation for critical infrastructure. | |
| CIS Controls v8 | CIS-1 , Inventory and Control of Enterprise Assets | Asset inventory is a prerequisite for any credible OT control programme. |
Map exposed OT and IT paths to ATT&CK tactics and prioritise controls that block credential abuse and lateral spread.
Key terms
- Operational Technology Segmentation: Operational technology segmentation is the practice of separating industrial systems into controlled zones so traffic, trust, and access can be limited. In water environments, it reduces the chance that a compromise in business IT can spread into pumps, controls, or treatment systems.
- Device-Identity Sprawl: Device-identity sprawl is the condition where connected assets exist in greater numbers, with less clarity, than governance teams can track. It creates blind spots in ownership, exposure, and policy enforcement, especially when OT devices, IoT assets, and legacy systems are mixed together.
- Lateral Movement: Lateral movement is an attacker’s ability to move from one compromised system to others inside the same environment. In utility networks, it becomes dangerous when flat architecture and weak segmentation let a single foothold reach control systems or management interfaces.
- Manual Operations Mode: Manual operations mode is the ability to keep essential services running when automated systems are unavailable or untrusted. For utilities, it is a resilience requirement, not a fallback luxury, because cyber incidents can interrupt the systems that normally control and monitor physical processes.
What's in the full article
Elisity's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how the EPA's emergency response materials map to utility operating procedures and control room decision-making.
- Vendor-led implementation detail on microsegmentation deployment in mixed IT/OT environments, including how policy enforcement is applied without hardware replacement.
- Practical guidance on using tabletop exercises, incident checklists, and continuity planning together for water-sector response readiness.
- Case examples showing how utilities can translate federal guidance into segmentation and recovery actions across plants, pump stations, and remote sites.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and identity lifecycle control. It is suitable for practitioners who need to connect identity discipline to broader security operations.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org