Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Water utility lateral movement risks are forcing new segmentation models


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Water infrastructure remains exposed to default-password access, flat networks, and weak OT visibility, while EPA has published four planning resources to help utilities improve incident response and continuity, according to Elisity. The real issue is governance, not tooling: utilities need enforceable segmentation and identity-aware control before attackers move from IT footholds into OT systems.

NHIMG editorial — based on content published by Elisity: EPA cybersecurity planning tools for water utilities and the operational resilience challenges behind them

By the numbers:

  • Lateral movement is the preferred tactic used in 70% of successful breaches because it allows cybercriminals to spread across an organization to find valuable data and assets.
  • The district's pilot discovered approximately 885 devices within a short period, ranging from office IT devices to plant control systems.
  • By integrating with Active Directory and endpoint security tools, 336 devices matched entries in directory services and 517 had security agents installed.

Questions worth separating out

Q: What breaks when default passwords remain on OT systems?

A: Default passwords turn critical infrastructure devices into easy entry points, especially when those systems are internet-exposed or poorly monitored.

Q: Why do flat IT and OT networks increase cyber risk in utilities?

A: Flat networks let an attacker who compromises one system see and reach many others, including engineering and control assets.

Q: How do organisations know whether OT asset inventory is good enough?

A: Inventory is good enough only when it ties devices to communication paths, owners, and enforcement points, not just to IP addresses.

Practitioner guidance

  • Eliminate standing default access on OT endpoints Inventory every water-sector control device, remove default passwords, and replace shared credentials with unique, documented access paths.
  • Map and enforce allowed IT-to-OT communication paths Define which business systems, engineering workstations, and remote access channels may talk to which OT assets, then block everything else.
  • Tie asset discovery to identity context Correlate discovered devices with directory entries, security agents, and management systems so that every endpoint has an identity, an owner, or an escalation path.

What's in the full article

Elisity's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how the EPA's emergency response materials map to utility operating procedures and control room decision-making.
  • Vendor-led implementation detail on microsegmentation deployment in mixed IT/OT environments, including how policy enforcement is applied without hardware replacement.
  • Practical guidance on using tabletop exercises, incident checklists, and continuity planning together for water-sector response readiness.
  • Case examples showing how utilities can translate federal guidance into segmentation and recovery actions across plants, pump stations, and remote sites.

👉 Read Elisity's analysis of EPA cybersecurity planning tools for water utilities →

Water utility lateral movement risks are forcing new segmentation models?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Identity-aware segmentation is now a water-sector resilience control, not a network luxury. The article shows that the real risk is not just internet exposure, but the ability of a compromised identity or device to move laterally into OT assets. In that sense, water security is converging with IAM and NHI governance because access paths, not only packet paths, determine blast radius. Practitioners should treat segmentation as a governance mechanism that enforces least privilege across systems and identities.

A question worth separating out:

Q: Who is accountable when cyberattacks disrupt water operations?

A: Accountability usually spans utility leadership, operations, security, and regulated compliance functions because disruption affects service continuity, public safety, and reporting obligations. The practical answer is to assign clear decision authority before an incident, then rehearse it through tabletop exercises. If no one owns containment, recovery becomes slower and riskier.

👉 Read our full editorial: Water utility cyber resilience gaps are forcing new segmentation models



   
ReplyQuote
Share: