Why Cybersecurity is Infrastructure Resilience 

By Joel Cox, GICSP, GPEN, GRID, CCNA, Cybersecurity expert at West Yost

This article contains and answers the following:

At West Yost, our Operations Technology, Cybersecurity, and Resilience (OTCR) Team is helping utilities across the U.S. take a proactive stance. By applying Cyber-informed Engineering (CIE) and performing Consequence-driven, Cyber-informed Engineering (CCE) assessments, often in partnership with leaders like Idaho National Laboratory and the American Water Works Association, we support utilities in strengthening resilience where it matters most. 

Water utilities have long been at the center of community health, safety, and economic vitality. As critical infrastructure providers, utilities manage systems that the public rarely sees but always relies on. While much of resilience planning has historically focused on physical risks, earthquakes, droughts, aging pipelines, today’s reality demands equal attention to digital vulnerabilities. Cybersecurity is not a back-office issue; it is a frontline component of infrastructure resilience. 

The Rising Threat Landscape 

Nation-state actors, criminal organizations, and opportunistic hackers increasingly view the water sector as a high-value target. In recent years, we’ve seen high-profile ransomware attacks that shut down operations, disrupted billing systems, and threatened water quality monitoring. Unlike other industries, where downtime may only mean lost revenue, for utilities it could mean contaminated drinking water, flooding, or untreated wastewater reaching the environment. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has designated water and wastewater systems as part of the nation’s 16 “critical infrastructure sectors.” This designation reflects their essential role, and the heightened risks they face. 

“Cyber threats evolve daily, but resilience is built over time.”

Moving from Reactive to Proactive 

Traditionally, utilities have responded to cyber threats after an incident has already occurred. However, building cyber resilience requires a proactive approach. There are several resources available to help utilities get started.

The American Water Works Association (AWWA) Cybersecurity Risk Management Tool provides a phased approach and Phase 1 provides guidance on getting started with cybersecurity fundamentals. The fundamentals include controls to address risks such as, internet facing ICS/OT devices, remote access, use of default passwords, and others.

The SANS Institute has published the top 5 Critical Controls for ICS/OT environments. This framework was based on a comprehensive analysis of all known ICS cyber-attacks. 

• Critical Control #1 – ICS Incident Response Plan: Develop a comprehensive incident response plan specifically designed for ICS environments. This plan should encompass procedures for the detection, reaction, and recovery from cybersecurity incidents.
• Critical Control #2 – Defensible Architecture: Construct a network architecture that effectively segments and isolates critical systems. The goal is to minimize the attack surface and reduce the potential impact of cyber incidents.
• Critical Control #3 – ICS Network Visibility and Monitoring: Achieve continuous monitoring of ICS networks to promptly detect anomalies and potential threats.
• Critical Control #4 – Secure Remote Access: Implement secure, controlled remote access solutions to manage and monitor access to ICS environments effectively.
• Critical Control #5 – Risk-based ICS Vulnerability Management: Conduct systematic vulnerability assessments and prioritize remediation based on the potential impact on critical systems.

Funding and Regulatory Momentum 

The federal government has begun to support cyber resilience through initiatives such as the Bipartisan Infrastructure Law and the EPA’s push for enhanced cybersecurity evaluations. These programs provide funding and guidance, but utilities often face challenges in translating requirements into implementable strategies. Partnering with engineering and cybersecurity experts can help bridge this gap, ensuring that resilience is both regulatory-compliant and operationally feasible. 

“Unlike other industries, where downtime may only mean lost revenue, for utilities, it could mean contaminated drinking water, flooding, or untreated wastewater reaching the environment.”

A Holistic View of Resilience 

Infrastructure resilience is not just about concrete, steel, and pumps; it is about the invisible systems that monitor, control, and protect them. Cybersecurity investments safeguard community trust, protect water quality, and maintain compliance with environmental and public health standards. 

West Yost’s Role in Building Cyber Resilience 

Our team delivers practical solutions, from SCADA master planning and resilient network architecture to cybersecurity assessments, design, and implementation. With over 100 utilities supported through risk and resilience assessments, West Yost brings national expertise with local impact. 

Cyber threats evolve daily, but resilience is built over time. Rob M. Lee during his recent congressional testimony on securing America’s critical infrastructure highlighted that defense is doable. Partnering with a trusted advisor helps prepare your utility for whatever comes next. West Yost’s OTCR team is here to help you turn cybersecurity into infrastructure strength.