Cyber Security for Water Utilities

Cybersecurity is the protection of computer systems and networks, and of the services they provide, from disruption, manipulation, theft, or damage. Cybersecurity as a Service is outsourced data and network protection that lowers security costs and reduces risk by drawing on external expertise.

Why is cybersecurity important to water?

  • Cybercrime is predicted to cost the world $8 trillion USD / 7.5T € in 2023, and reach $10.5T USD / 9.8T € by 2025, up from $3T USD / 2.8T € in 2015.
  • 150 Vulnerable Products used in water and wastewater systems
  • 3rd Most Targeted Sector when compared to other critical infrastructure
  • Number of Threat Actors Increasing: 7 threat actors shown to specifically target water and wastewater infrastructure globally
  • 20,000 Utility Employees say cyber threats are what they fear could have the biggest impact on operations
  • $18.2 Million USD / 17.5 Million € in costs incurred due to a 2019 ransomware attack against a water utility in Maryland, US

Please see the Cybersecurity Assessment Services flyer for sources.


Water Utility Cybersecurity Assessment


Xylem’s Cybersecurity Assessments provide the confidence for secure digital transformation. We offer multiple types of affordable expert analyses of Operational Technology systems, with actionable remediation recommendations.

Download the Cybersecurity Assessment Services flyer.


Water Utility Architecture Review


Xylem's Architecture Review maps the existing system's data flows, evaluates them against typical threat susceptibilities, and confirms that adequate defense-in-depth controls and comprehensive safeguards are in place. The process is engaging and educational for the system owner/operator and results in actionable outcomes.

Download the Architecture Review flyer.

Dragos Incident Response

The Incident Response (IR) Service from our partner Dragos helps organizations in the water sector prepare for, respond to, and recover from cyber incidents in industrial environments. IR engagements are based on prepaid retainer hours with specific response-time service level agreement (SLA) commitments.


Questions to Ask Potential Vendors

How do you choose the right digital vendor and partner? How can you be sure that your vendors are trustworthy and reliable? Asking how a provider delivers, not just what they deliver, gives you better insight.

Xylem partners with MITRE and others in developing the System of Trust Framework, which provides a taxonomy of ways to build trust in suppliers, their supplies, and their services. The following questions are examples from the System of Trust that align with what Xylem asks its own suppliers.


Water Utility Cybersecurity Assessment FAQs

What are common vulnerabilities in the Water Sector?

Many water utilities and water-related businesses do not have cybersecurity expertise on staff, so a practical starting point for the Water Sector is a focus on incident response. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency (EPA) in the U.S. recently published an Incident Response Guide for the Water and Wastewater Sector. The guide offers many free and helpful tips and resources and describes the entire incident response cycle: Prepare; Detect/Analyze; Contain/Eradicate/Recover; Post-incident analysis.

What are cybersecurity assessment services and what value can they provide to my utility / business?

Digital technologies can be used to solve major water challenges and help you to improve on your operations. As digital technologies are adopted, there is also a growing need to ensure cybersecurity protections are included.

Xylem’s cybersecurity assessment services and Dragos’s Incident Response can help to strengthen your cybersecurity defenses and ease concerns about using digital technologies. Xylem currently offers four cybersecurity assessment services: Architecture Review, Vulnerability Review, Maturity Assessment, and a Health Check. We have also partnered with Dragos to offer their Incident Response Retainer as a fifth service. An added benefit of Dragos’s Incident Response is that any prepaid retainer hours not used to remediate a cybersecurity incident can be applied to any Dragos professional service offering, including training, threat hunting, and assessment services.

How many cybersecurity assessment service options are there?

Five services are currently offered. You can purchase just one or any combination of the services. For help with determining which cybersecurity assessment service(s) may be most beneficial for your team, please contact us at

How can Xylem help my team to prepare for and respond to cybersecurity incidents?

Contact us to determine whether a Maturity Assessment is right for you. If so, we will work together to review your team’s skills and identify opportunities to reduce the impact of cyber threats and incidents.

What deliverables will I typically receive after each cybersecurity assessment service is completed, and how will this help my organization improve?

We will work with your team via virtual workshops to ensure they understand why each remediation has been suggested and how to close the gaps. After each assessment service is completed, your team will receive a prioritized, detailed roadmap of gap remediations.

Which digital technologies are in scope for the cybersecurity assessment services?

Our services can help you to protect digital technologies delivered by Xylem or other providers. At Xylem, our vision is to solve water challenges. This includes helping you to keep water safe and secure no matter what technology you decide to use.

What are my options if I decide to purchase Dragos’s Incident Response Retainer (IRR) and the hours aren’t used on a cybersecurity incident?

Prepaid retainer hours are flexible and can be applied to any Dragos professional service offerings, including training, threat hunting, and assessment services. 

How is Dragos’s Incident Response Retainer sold?

It is sold in bundles of 80-400 hours depending on your utility’s / environment’s complexity. Dragos agrees to specific response time service level agreement (SLA) commitments for their incident response customers. 

How can I get more information about Xylem's cybersecurity assessment services?

Please contact us at and someone from the cybersecurity team will reach out to you shortly.