Cyber-Physical Risk Assessment for U.S. Water Utilities: A Comprehensive Analysis of SCADA and Operational Technology Vulnerabilities
Abstract
The increasing digitization of water infrastructure has transformed traditional operational technology (OT) systems into complex cyber-physical environments, exposing critical water utilities to unprecedented cybersecurity risks. This research presents a comprehensive risk assessment of cyber-physical threats targeting U.S. water utilities, with particular emphasis on Supervisory Control and Data Acquisition (SCADA) systems. The study employed a systematic literature review methodology, analyzing 25 peer-reviewed academic sources published between 2013 and 2025, supplemented by incident analysis and vulnerability assessment frameworks. The research examined multiple dimensions of cyber-physical risks including attack vectors, system vulnerabilities, regulatory compliance challenges, and mitigation strategies across diverse water utility environments. Key findings reveal that water utilities face a complex threat landscape characterized by sophisticated attack methodologies targeting both legacy and modernized infrastructure. The analysis identified critical vulnerabilities in human-machine interfaces, inadequate network segmentation, insufficient authentication protocols, and limited cybersecurity workforce capabilities. Notable incidents, including the Oldsmar water treatment facility attack and various ransomware incidents, demonstrate the real-world implications of these vulnerabilities. The study found that smaller water utilities are disproportionately vulnerable due to resource constraints and limited cybersecurity expertise. Furthermore, the integration of Internet of Things (IoT) devices and cloud-based management systems has expanded the attack surface while creating new interdependencies between IT and OT environments.
The research contributes to the cybersecurity knowledge base by providing a comprehensive taxonomy of cyber-physical risks specific to water utilities and proposing a multi-layered risk assessment framework that addresses both technical and organizational vulnerabilities. Recommendations include enhanced regulatory frameworks, increased federal funding for cybersecurity improvements, mandatory cybersecurity training programs, and the development of sector-specific threat intelligence sharing mechanisms to strengthen the overall resilience of America’s water infrastructure.
Keywords:
Critical Infrastructure, Cybersecurity, Risk Assessment, SCADA, Water Utilities
Article information
Journal: Journal of Environment, Climate, and Ecology
Volume (Issue): 2(1), (2025)
Pages: 77-85
Copyright: (c) 2025 Sabastine Obum Aniebonam, Chisom Paschal Aniebonam (Author)
Open access: This work is licensed under a Creative Commons Attribution 4.0 International License.
References
Ahmed, C. M., Palleti, V. R., & Mathur, A. P. (2017). WADI: A water distribution testbed for research in the design of secure cyber physical systems. In Proceedings of the 3rd International Workshop on Cyber-Physical Systems for Smart Water Networks (pp. 25-28). https://doi.org/10.1145/3055366.3055375
Alsoghier, A., & Mahmood, A. (2022). SCADA vulnerabilities and attacks: A review of the state‐of‐the‐art and open issues. Computers & Security, 123, 102931. https://doi.org/10.1016/j.cose.2022.102931
Amin, S., Litrico, X., Sastry, S., & Bayen, A. M. (2013a). Cyber security of water SCADA systems—Part I: Analysis and experimentation of stealthy deception attacks. IEEE Transactions on Control Systems Technology, 21(5), 1963-1970. https://doi.org/10.1109/TCST.2012.2211873
Amin, S., Litrico, X., Sastry, S. S., & Bayen, A. M. (2013b). Cyber security of water SCADA systems—Part II: Attack detection using enhanced hydrodynamic models. IEEE Transactions on Control Systems Technology, 21(5), 1679-1693. https://doi.org/10.1109/TCST.2012.2211874
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, 56, 1-27. https://doi.org/10.1016/j.cose.2015.09.009
Clark, R. M., Panguluri, S., Nelson, T. D., & Wyman, R. P. (2017). Protecting drinking water utilities from cyberthreats. Journal - American Water Works Association, 109(2), 50-58. https://doi.org/10.5942/jawwa.2017.109.0021
Dutta, V., Choras, M., Pawlicki, M., & Kozik, R. (2020). Assessing and augmenting SCADA cyber security: A survey of techniques. Computers & Security, 70, 436-454. https://doi.org/10.1016/j.cose.2017.06.010
Geeta, Y., & Paul, K. (2019). Assessment of SCADA system vulnerabilities. In 2019 24th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA) (pp. 1-8). IEEE. https://doi.org/10.1109/ETFA.2019.8869541
Hassanzadeh, A., Rasekh, A., Galelli, S., Aghashahi, M., Taormina, R., Ostfeld, A., & Banks, M. K. (2020). A review of cybersecurity incidents in the water sector. Journal of Environmental Engineering, 146(5), 03120003. https://doi.org/10.1061/(ASCE)EE.1943-7870.0001686
Housh, M., & Ohar, Z. (2019). Decision support system for cyber attack diagnosis in Smart Water Networks. IFAC-PapersOnLine, 52(3), 298-303. https://doi.org/10.1016/j.ifacol.2019.02.058
Humayed, A., Lin, J., Li, F., & Luo, B. (2020). Model-based risk assessment for cyber physical systems security. Computers & Security, 96, 101720. https://doi.org/10.1016/j.cose.2020.101720
Kartakis, S., Abraham, E., & McCann, J. A. (2015). WaterBox: A testbed for monitoring and controlling smart water networks. In Proceedings of the 1st ACM International Workshop on Cyber-Physical Systems for Smart Water Networks (pp. 1-6). https://doi.org/10.1145/2738935.2738939
Kure, H. I., Islam, S., & Ghazanfar, M. A. (2023). Impact, vulnerabilities, and mitigation strategies for cyber-secure critical infrastructure. Sensors, 23(8), 4060. https://doi.org/10.3390/s23084060
Lin, K.-S. (2019). A new evaluation model for information security risk management of SCADA systems. In 2019 International Conference on Platform Technology and Service (PlatCon) (pp. 1-6). IEEE. https://doi.org/10.1109/ICPHYS.2019.8780280
Mathur, A. P., & Tippenhauer, N. O. (2016). SWaT: A water treatment testbed for research and training on ICS security. In 2016 International Workshop on Cyber-physical Systems for Smart Water Networks (pp. 31-36). IEEE.
Moraitis, G., Sakki, G.-K., Karavokiros, G., Nikolopoulos, D., Tsoukalas, I., Kossieris, P., & Makropoulos, C. (2023). Exploring the cyber-physical threat landscape of water systems: A socio-technical modelling approach. Water, 15(9), 1687. https://doi.org/10.3390/w15091687
Neshenko, N., Bou-Harb, E., Crichigno, J., Kaddoum, G., & Ghani, N. (2024). Machine learning and user interface for cyber risk management of water infrastructure. Risk Analysis, 44(6), 1372-1391. https://doi.org/10.1111/risa.14209
Nikolopoulos, D., Moraitis, G., Bouziotas, D., Lykou, A., Karavokiros, G., & Makropoulos, C. (2020). Cyber-physical stress-testing platform for water distribution networks. Journal of Environmental Engineering, 146(7), 04020061. https://doi.org/10.1061/(ASCE)EE.1943-7870.0001722
Rodriguez-Mier, P., Pedrinaci, C., Lama, M., & Mucientes, M. (2023). Evolution of cyber-physical-human water systems: Challenges and gaps. Technological Forecasting and Social Change, 191, 122511. https://doi.org/10.1016/j.techfore.2023.122511
Taormina, R., Galelli, S., Tippenhauer, N. O., Salomons, E., & Ostfeld, A. (2022). Modelling cyber resilience in a water treatment and distribution system. Reliability Engineering & System Safety, 226, 108653. https://doi.org/10.1016/j.ress.2022.108653
Taormina, R., Galelli, S., Tippenhauer, N. O., Salomons, E., Ostfeld, A., Eliades, D. G., ... & Sundararajan, R. (2018). Battle of the attack detection algorithms: Disclosing cyber attacks on water distribution networks. Journal of Water Resources Planning and Management, 144(8), 04018048. https://doi.org/10.1061/(ASCE)WR.1943-5452.0000969
Tariq, N., Asim, M., & Khan, F. A. (2019). Securing SCADA-based critical infrastructures: Challenges and open issues. Procedia Computer Science, 155, 612-617. https://doi.org/10.1016/j.procs.2019.08.086
Tuptuk, N., Hazell, P., Watson, J., & Hailes, S. (2021). A systematic review of the state of cyber-security in water systems. Water, 13(1), 81. https://doi.org/10.3390/w13010081
Yadav, G., & Paul, K. (2021). Architecture and security of SCADA systems: A review. International Journal of Critical Infrastructure Protection, 34, 100433. https://doi.org/10.1016/j.ijcip.2021.100433
You, J. (2022). Strengthening cybersecurity of water infrastructure through legislative actions. JAWRA Journal of the American Water Resources Association, 58(2), 282-288.