Threats to critical infrastructure have become more complex and unpredictable. While many utilities have complied with the requirements of the America’s Water Infrastructure Act (AWIA), these risk assessments and emergency response plans cannot remain static. Utilities must continuously reevaluate and enhance their strategies to protect essential services.

The AWIA requires water utilities to periodically update their risk and resilience assessments and emergency response plans. Compliance alone may not be enough as threats grow in sophistication and scale, threatening critical infrastructure such as water and power. Physical security has taken on renewed importance, particularly in water utility operations.

Unpacking Misconceptions and Hidden Vulnerabilities

Water utilities may believe that they are too remote or insignificant to attract attention from malicious actors. In reality, their infrastructure is increasingly viewed as a strategic, vulnerable and soft target. The threat environment places water utilities in the crosshairs of both global and domestic adversaries. Today, utilities face risks from well-organized groups, including ideologically motivated extremists and actors supported by nation-states. These entities have access to highly advanced tools and technologies, including unmanned aerial systems and a host of cyber-physical attack methods.

A common error that utilities make is separating physical security from cybersecurity. In practice, these two disciplines are deeply interconnected. Networked security devices like cameras, card readers, intercoms and controls infrastructure run on the internal network. If those devices are not properly managed, they become weak points that can be exploited. For example, if devices are left on manufacturer-default passwords, attackers can gain access to facility surveillance feeds simply by using those default credentials.

Another vulnerable system that could be targeted is supervisory control and data acquisition (SCADA). These systems are essential for managing water treatment and distribution and are typically housed in physically obscure and secure environments. Access to these rooms is controlled through badge readers and monitored by surveillance systems. If unauthorized individuals can bypass perimeter protections, they may gain the ability to interfere with sensitive systems.

Oversights like these turn security systems into potential access points for intrusion. Proactive maintenance, monitoring and risk assessments are essential because poorly managed tools can create more risk than they resolve. Effective physical security supports, and in many cases enables, effective cybersecurity.

Developing an Organizational Risk Tolerance and Physical Security Assessment

To build an effective security strategy, utilities must define their organizational risk tolerance — the degree of risk they are willing to accept in different domains, including operational, financial and reputational. Very few organizations take the time to formally establish their risk tolerance. Decisions are often made based on short-term financial considerations.

Additionally, the absence of a shared understanding of risk across departments can result in gaps in planning and inconsistent responses to emerging threats. Granted, not every site requires the same level of security investment, but every location does need a plan that reflects its specific risks. Plans are usually tailored to crime data, political or social unrest, and history of threats. This approach helps utilities make informed and justifiable decisions about where and how to invest.

A physical security assessment should begin by identifying the utility’s critical assets. What infrastructure is vital to operations? Where is it located? Who might attempt to compromise it and why?

Among the assessments a physical security team will make:
  • Identifying likely internal, external or ideological threat actors.
  • Reviewing existing proactive measures.
  • Testing the effectiveness of response protocols.
  • Comparing assumptions about system performance to actual capabilities.

Many utilities assume their systems will perform reliably in a crisis, but they rarely test that assumption. Periodic assessments and scenario-based exercises can reveal important potential mishaps or discrepancies.

Moving from Compliance to Engagement for Long-Term Protection

Physical security plans must be dynamic, reviewed regularly and informed by partnerships with law enforcement and intelligence agencies. Emergency response plans should be current and reflect the latest information about threat trends and known vulnerabilities. They should not be viewed as a one-time compliance exercise, but as a key component of utility operations, helping safeguard public trust and protect life-critical systems. Strong physical security directly supports the effectiveness of cybersecurity and resilience measures.

A few action items utility leaders can take as new AWIA deadlines approach:

  • Reexamine long-standing beliefs and practices that may no longer be valid in today’s threat landscape. 
  • Establish an organizational understanding of risk tolerance.
  • Conduct regular and comprehensive security assessments.
  • Stay connected with government agencies and threat intelligence sources.

Threats will continue to evolve, making the stakes even higher. Social media platforms are now being used for targeted attacks, and drones are more affordable and accessible than ever. Utilities must adapt to these new strategies. Staying ahead of physical security challenges should no longer be viewed as optional but rather as essential for protecting one of nature’s most precious resources and the communities that depend on it.

 

The next compliance deadline is not the goal — it’s a checkpoint. Now is the time to take a fresh look at your physical security systems and validate whether you still meet operational needs and threat expectations.

Christopher Martini has over 30 years of experience developing, implementing and leading enterprise security, safety and emergency management programs for large, complex and global organizations. He specializes in security program development, security governance, technology integration, security operations center (SOC) operations, executive protection and supply chain risk management. His consulting experience includes helping clients enhance operational efficiency by consolidating security services into centralized SOCs, streamlining incident response, integrating advanced security technologies, and optimizing resource allocation to improve situational awareness and risk mitigation.