
Aug 04 2025
Security

How Municipalities Secure Their Public Utilities

Cities step up protection of their public utilities in an increasingly connected world.

Gerrit VanVoorhees, IT director for the 35,000-resident city of Petersburg, Va., noticed a glaring gap in the city’s cybersecurity strategy several years ago as his team worked to secure remote work connections. The city’s water pumps were connected via an open LTE network, leaving critical infrastructure “wide open” to potential attacks.

“We were looking at a lot of remote systems, and other things started to surface,” VanVoorhees recalls. “We said, ‘We’re securing all of these people at home for remote work. What else can we do along the same lines?’ It was fortuitous. I noticed that we had all of these devices that were unprotected, and it turned out to be our SCADA system.”

It is common for organizations to pay less attention to operational technology (OT) than to IT assets as they devise and execute their cybersecurity strategies. But this oversight can put the critical infrastructure maintained by utilities at risk of attack by hackers seeking a financial windfall or by nation-states looking to cause service disruptions.


According to an April 2025 report from Semperis, 62% of utility operators in the United States and the United Kingdom were targeted by cyberattacks in the past year, and more than half of those suffered permanent corruption or destruction of data and systems.

“We’re all in the midst of an invisible war, whether we realize it or not,” says Cory Simpson, CEO of the Institute for Critical Infrastructure Technology, adding that nation-states are targeting utility infrastructure as part of a strategy to weaken the U.S. as a whole: “The front lines of this battle have always been with our state and local communities. Even though they don’t have the resources of the federal government, I think we’re going to have to see state and local governments doing more to protect this infrastructure.”

Simpson says that the rarity of major attacks against utility infrastructure has created a false sense of security in the industry. He notes that even basic cybersecurity measures would represent a major improvement for many systems. “Multifactor authentication would kill 80% of cyberattacks, but people still don’t use it,” he says.


New Devices Lead to a Shifting Mindset

In Petersburg, the city replaced its existing infrastructure with Ericsson Cradlepoint IBR900 series devices. The new devices create secure virtual connections via Internet Protocol Security (IPsec) tunnels, which encrypt and authenticate data packets, ensuring secure transmission over an otherwise insecure network, such as an open LTE connection.

The Sophos cybersecurity tools that protect the rest of the city’s IT environment would be overkill for the scant data volumes transmitted by the city’s water infrastructure. “This is basically ASCII data that’s coming across at kilobyte levels,” VanVoorhees says. “Those connections don’t have to be very robust in the sense of throughput.”

Although the fix was simple, it was also critical. The city doesn’t treat its own water, but VanVoorhees notes that a motivated attacker could still have compromised public safety by manipulating pressure in the water system.

“Anytime you shift pressure in a water system, you can end up with contaminants in the water,” he explains. “If you start changing pressure and flows, you tend to stir up things that aren’t normally stirred up.”

Historically, VanVoorhees says, IT leaders have not given much thought to physical infrastructure, but that is beginning to change.

“The SCADA network and our utility system wasn’t something that immediately jumped to the top of my brain,” he says. “When I thought about cybersecurity, I thought about our HR department, our finance department or our police. Today, you have to think about utilities too.”

Identifying Vulnerability Across Networks

Several years ago, Schaumburg, Ill., a village of around 75,000 people located about 30 miles outside of Chicago, moved its water infrastructure from radio-based controls to IP connectivity. William Sadlick, network administrator for Schaumburg, immediately recognized the importance of adding new cybersecurity controls to keep attackers out of the critical systems.

Around that same time, Schaumburg’s firewalls and network infrastructure were coming due for a refresh, and the previous vendor had increased the cost and complexity of its licensing, forcing Sadlick’s team to look for alternatives. They found Fortinet solutions impressive, with their microsegmentation capabilities, integrated security features and significantly lower cost.

“We needed a boundary between every Layer 3 network,” Sadlick says. “Our existing product did not do that well, especially with the way we were architected. We took that opportunity to go out shopping, and that’s when we found the Fortinet firewalls, which would do what we were looking for at a much lower price point.”


The village implemented a comprehensive security and switching environment that includes FortiGate next-generation firewalls, FortiSwitch secure enterprise switches, FortiAnalyzer for monitoring, FortiEDR for endpoint protection and FortiSRA for secure remote access.

“Our SCADA network was pretty straightforward to protect in the Fortinet environment,” Sadlick says. “When you think about microsegmentation, it’s very simple: The SCADA network can’t get traffic from anything except for very specific machines. The network wasn’t very difficult to roll into our security scheme.”

Sadlick notes that utilities are just one potential OT attack surface. In addition to targeting SCADA systems specifically, he says, attackers may use other connected physical assets as an intrusion point into the IT network.

“Look at building management systems and connected HVAC controls,” he says. “You need to be aware of protecting those assets for their own sake, but you also want to make sure attackers can’t use them as jump points to infect something else.”

“SCADA is the No. 1 technology that I need to protect,” Sadlick adds. “It’s easy to imagine a bad actor who wants to create havoc and stops pumping water, and that scenario looms large in my mind. If your constituents can’t get fresh water, that’s a problem. We want to protect that infrastructure as well as we can.”

Photography by Eli Meir Kaplan