Why cybersecurity has become a strategic priority in the Sanitation sector

Driven by digital transformation, basic sanitation companies in Brazil are increasingly incorporating smart technologies – from remote sensors and telemetry systems to integrated automation platforms – to optimize their operations and reduce losses. The problem is that this advancement amplifies the cyber attack surface, and a sector that has been increasingly targeted by criminals may become exposed to hacker incursions.

The result is that cybersecurity is no longer viewed merely as a technical IT issue, but rather as a strategic priority in water and sewage companies. Water concessionaires now deal with sophisticated cyber threats, often aimed at bringing down or manipulating pumping, treatment, or quality control systems.  

Critical infrastructure in the crosshairs: cyberattacks on the rise

The statistics confirm a global escalation of cyberattacks against essential services companies, including sanitation companies. According to research by Check Point, in 2025 alone, the energy and utilities sectors suffered an average of 1,872 attack attempts per week per organization worldwide, an increase of 53% compared to the same period of the previous year.  

In Brazil, the utilities sector recorded approximately 3,059 weekly attack attempts per organization between September 2024 and February 2025. One of the reasons is the strategic appeal of this type of infrastructure: criminals prefer targets that can cause massive disruption and losses because they know that society will demand quick solutions – which often translates into ransom payments to restore services.

Many water utilities, especially those serving small or medium-sized populations, operate with legacy control systems that were never designed to face today's cyber threat landscape. SCADA networks, programmable logic controllers (PLCs), and remote access gateways often lack basic security controls, such as encrypted communication or robust authentication mechanisms.  

Security updates and fixes are infrequent or unfeasible due to the need to keep systems running and compatibility issues. Given this reality, sector-specific risk assessments and system audits become essential for understanding and mitigating vulnerabilities.

Real impacts: disruption of services, contamination, and damage to reputation

Far from being theoretical risks, cyberattacks on sanitation systems have already caused concrete effects. A landmark case occurred in February 2021 in the city of Oldsmar, Florida (USA), when an intruder gained remote access to the water treatment system and attempted to increase the dosage of sodium hydroxide (caustic soda) in the drinking water drastically – from 100 parts per million to 11,000 ppm.  

If not promptly detected by the team, this change would have poisoned the distributed water, causing severe irritations, lung damage, and even a risk of blindness in the population. Fortunately, the authorities noticed the change in time and reversed the adjustment before the contaminated water reached the taps.  

Cyberattacks can also completely disrupt water service or hinder its operation, even without causing contamination. In the United Kingdom, in August 2022, the South Staffordshire Water company, which supplies a network with over 1.6 million people, suffered a ransomware attack that affected its IT systems. The criminals claimed to have also accessed the OT network, including water chemical level monitoring systems.

Even if the attack did not cause immediate water shortages, the response time consumed and the uncertainty generated were extremely damaging. Situations like this incur extra operational expenses, mobilization of emergency teams, and shake consumer confidence. The public perception that "hackers invaded the water" can tarnish a utility's reputation for years.

Defense Strategies

To protect their operations, companies have been adopting advanced cybersecurity strategies. One of the most effective approaches is the Zero Trust architecture, which is based on the principle that no access—whether from users, devices, or applications—should be trusted by default, even if it is already within the network.

Another pillar is the segmentation between IT (information technology) and OT (operational technology) networks. Separating industrial environments from the rest of the corporate structure significantly hinders the spread of attacks.  

In many cases, however, companies need to conduct a more in-depth analysis of the infrastructure, which includes inventory and classification of assets and a review of the network architecture. Based on this, it is possible, in addition to opting for more advanced technologies, to perform a threat modeling for OT environments, and the development of incident response plans. External experts with specific experience in industrial systems can offer these services without compromising operational continuity.

The water and sewage sector plays a unique role in the national infrastructure: it is essential to public health, highly decentralized, and operates with a technological ecosystem that is as diverse as it is complex. In the face of constantly evolving cyber threats, it is imperative that this sector also matures its approach to digital security. Independent technical expertise, once seen as supplementary support, is now solidifying as an indispensable element to ensure the continuity of services, preserve public trust, and sustain operational resilience in the face of increasingly sophisticated risks.

By Eduardo Gomes, Cybersecurity Manager at TÜV Rheinland