Securing the Flow: Building Cyber Resilience into Water’s Digital Future

Building resilience from day one

In the same way that facility design needs to embed cyber requirements, resilience must be built into the fabric of digital water infrastructure - but technology alone does not deliver resilience. It's achieved by integrating cybersecurity thinking into how systems are engineered, operated and governed, aligning human, physical and digital systems to anticipate risk and disruption.

Best practice in delivering resilience from design through delivery centers on a collaborative approach, such as Jacobs' partnership with PA Consulting, that blends deep operational technology knowledge with advanced cybersecurity, digital strategy and innovation capabilities.

An embedded approach to cyber defense

Among the risks facing water utilities are operating systems that are connected without formal inventories or visibility, and legacy components operating without modern safeguards.

Jacobs' assessment of 35+ utilities identified other fundamental gaps such as a lack of operational technology (OT) incident response and business continuity plans, which increases the risk of prolonged disruptions. The study also shows a lack of asset visibility as problematic, and without a full inventory, utilities can struggle to apply security controls, detect anomalies or manage patches effectively.

The assessment also found silos between IT and OT, with unclear responsibilities and governance hindering monitoring, response and risk management. Flat networks - where most systems are connected without internal separation - underused firewalls and absent intrusion detection systems further exacerbated the risk, exposing critical infrastructure to lateral movement by malicious actors. The study shows that for many utilities, a shift towards a strategic and proactive cybersecurity approach is overdue.

Bringing IT and OT teams together

Many operators don't have a clear view of what's running, what's connected or what's critical. If a risk isn't visible, it remains abstract until a breach makes it real. The convergence of IT and OT presents a considerable opportunity for progress - helping utilities move from reactive defenses to integrated, operational resilience. Security should align with utility priorities: resilience, regulation and customer trust.