Driven by digital transformation, basic sanitation companies in Brazil increasingly incorporate smart technologies—from remote sensors and telemetry systems to integrated automation platforms—to optimize their operations and reduce losses. The problem is that this advancement amplifies the cyber attack surface, and a sector that has been increasingly targeted by criminals may be exposed to hacker incursions.
The result is that cybersecurity has come to be seen no longer as a merely technical IT issue, but as a strategic priority in water and sewage companies. Water utilities now deal with sophisticated cyber threats, often aimed at bringing down or manipulating pumping, treatment, or quality control systems.
Critical infrastructure in the crosshairs: cyber attacks on the rise
Statistics confirm a global escalation of cyber attacks against essential service companies, including sanitation. According to a Check Point survey, in 2025 alone, the energy and utilities sectors experienced an average of 1,872 attempted attacks per week per organization worldwide, an increase of 53% compared to the same period the previous year.
In Brazil, the utilities sector recorded approximately 3,059 weekly attack attempts per organization between September 2024 and February 2025. One of the reasons is the strategic appeal of this type of infrastructure: criminals prefer targets that can cause massive disruption and damage because they know that society will demand quick solutions – which often translates into paying ransom to restore services.
Many water utilities, especially those serving small or medium-sized populations, operate with outdated control systems that were never designed to face the current landscape of cyber threats. SCADA networks, programmable logic controllers (PLCs), and remote access gateways often lack basic security controls, such as encrypted communication or robust authentication mechanisms.
Security updates and patches are infrequent or unfeasible due to the need to keep systems running and for compatibility reasons. Given this reality, industry-specific risk assessments and system audits become essential to understand and mitigate vulnerabilities.
Real impacts: service interruption, contamination, and reputational damage
Far from being theoretical risks, cyberattacks against sanitation systems have already caused concrete effects. An emblematic case occurred in February 2021 in the city of Oldsmar, Florida (USA), when an intruder gained remote access to the water treatment system and attempted to drastically increase the dosage of sodium hydroxide (caustic soda) in the drinking water – from 100 parts per million to 11,000 ppm.
If it had not been promptly detected by the team, this change would have poisoned the distributed water, causing severe irritations, lung damage, and even the risk of blindness in the population. Fortunately, the authorities noticed the change in time and reversed the adjustment before the contaminated water reached the taps.
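A control-side check that would flag a jump like the one described above, run over a constructed command log. This is an added example, not code from the article or from any utility; the tag names, limits and log format are assumptions for illustration.

```python
"""Setpoint guard for a dosing loop: range limit + step limit, run over a log."""

# Assumed limits for illustration; real values come from process engineering.
LIMITS = {"NAOH_PPM": {"lo": 0.0, "hi": 150.0, "max_step": 25.0}}

# Constructed sample log: timestamp, tag, requested value, origin of the command.
SAMPLE_LOG = """\
2000-01-01T08:00:00 NAOH_PPM 100 local_hmi
2000-01-01T09:10:00 NAOH_PPM 110 local_hmi
2000-01-01T13:30:00 NAOH_PPM 11000 remote_session
2000-01-01T13:31:00 NAOH_PPM 140 remote_session
2000-01-01T13:40:00 NAOH_PPM 105 local_hmi
2000-01-01T13:45:00 CL2_PPM 2 local_hmi
"""

def audit(log_text, limits=LIMITS):
    """Return (last accepted setpoint per tag, list of (line_no, alert))."""
    accepted = {}   # tag -> last value that passed every check
    alerts = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            alerts.append((n, "malformed"))
            continue
        _ts, tag, raw, origin = parts
        try:
            value = float(raw)
        except ValueError:
            alerts.append((n, "malformed"))
            continue
        lim = limits.get(tag)
        if lim is None:
            alerts.append((n, "unknown_tag"))   # fail closed on unlisted tags
            continue
        reasons = []
        if not lim["lo"] <= value <= lim["hi"]:  # NaN also fails this test
            reasons.append("out_of_range")
        prev = accepted.get(tag)
        if prev is not None and abs(value - prev) > lim["max_step"]:
            reasons.append("step_too_large")
        if reasons:
            # A rejected command never becomes the baseline for the next check.
            alerts.append((n, "+".join(reasons) + ":" + origin))
        else:
            accepted[tag] = value
    return accepted, alerts
```

Because the baseline only moves on accepted commands, the in-range follow-up request on line 4 of the sample is still flagged against the last good value rather than against the rejected 11,000 ppm.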
Cyberattacks can also completely disrupt water service or hinder its operation, even without causing contamination. In the United Kingdom, in August 2022, the company South Staffordshire Water, which supplies a network of over 1.6 million people, suffered a ransomware attack that affected its IT systems. The criminals claimed to have also accessed the OT network, including water chemical level monitoring systems.
Even though the attack did not cause an immediate water shortage, the response time consumed and the uncertainty generated were extremely damaging. Situations like this entail extra operational costs, mobilization of emergency teams, and a blow to consumer confidence. The public perception that "hackers invaded the water" can tarnish the reputation of a utility company for years.
Defense Strategies
To protect their operations, companies have been adopting advanced cybersecurity strategies. One of the most effective approaches is Zero Trust architecture, which operates on the principle that no access—whether from users, devices, or applications—should be trusted by default, even if it is already within the network.
Another pillar is the segmentation between IT (information technology) and OT (operational technology) networks. Separating industrial environments from the rest of the corporate structure significantly hinders the spread of attacks.
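One way to check that the IT/OT separation and the default-deny principle described above actually hold is to audit observed network flows against an allowlist of conduits. This is an added example, not from the article; the zone address ranges, the allowed conduits and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed zone layout for illustration (not from the article).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}
# Default deny: only these (src_zone, dst_zone, dst_port) conduits are permitted.
ALLOWED = {
    ("IT", "DMZ", 443),    # IT users read the historian replica
    ("OT", "DMZ", 443),    # OT pushes data out to the replica
    ("DMZ", "OT", 4840),   # jump host to the OPC UA server
}

# Constructed flow records: src_ip, dst_ip, dst_port.
SAMPLE_FLOWS = [
    ("10.10.4.20", "10.20.0.5", 443),
    ("10.30.1.10", "10.20.0.5", 443),
    ("10.10.4.20", "10.30.1.10", 502),   # IT workstation straight to a PLC (Modbus)
    ("10.30.1.10", "10.30.1.11", 502),   # traffic inside the OT zone
    ("10.30.1.10", "203.0.113.7", 53),   # OT host reaching an outside address
]

def zone_of(ip):
    """Map an address to its zone name; anything unlisted is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def violations(flows):
    """Return every inter-zone flow that has no matching allowed conduit."""
    out = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "EXTERNAL":
            continue  # intra-zone traffic is out of scope for this audit
        if (sz, dz, port) not in ALLOWED:
            out.append((src, dst, port, f"{sz}->{dz}"))
    return out
```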
In many cases, however, companies need a more in-depth analysis of the infrastructure, including an inventory and classification of assets and a review of the network architecture. With that in hand, they can go beyond adopting more advanced technologies and also perform threat modeling for OT environments and develop incident response plans. External experts with specific experience in industrial systems can offer these services without compromising operational continuity.
The water and sewage sector plays a unique role in national infrastructure: it is essential to public health, highly decentralized, and operates with a technological ecosystem that is as diverse as it is complex. In the face of constantly evolving cyber threats, it is imperative that this sector also matures its approach to digital security. Independent technical expertise, once seen as complementary support, is now consolidated as an indispensable element to ensure the continuity of services, preserve public trust, and sustain operational resilience in the face of increasingly sophisticated risks.
By Eduardo Gomes, Cybersecurity Manager at TÜV Rheinland