On December 23, 2015, a Russian intelligence unit logged into a Ukrainian power company's control system and switched off 30 substations. 225,000 people lost electricity in the middle of winter. The lights came back on in six hours — but Russian hackers had already learned something important: critical infrastructure runs on the same software as any other organization, is often connected to the internet, and is operated by humans who can be deceived.
On February 5, 2021, a hacker accessed the water treatment system of Oldsmar, Florida — a city of 15,000 people — and raised the level of sodium hydroxide from 100 parts per million to 11,100 parts per million. The attack was caught by an alert operator who was watching his screen. An attacker targeting a system with no one watching would have had 24 to 36 hours before anyone noticed the water had been poisoned. For Oldsmar, the number of people at risk was 15,000. For New York City, using the same type of attack against the same type of system, the number is 9 million.
Defining Assessment: This is not a hypothetical. The attack method has been demonstrated. The infrastructure is documented and publicly described. The regulatory gap is real and confirmed. What has not happened yet is a sophisticated nation-state actor targeting a major US water system with the intent to cause mass casualties. What is unclear is whether that is because the capability does not exist, or because no one has decided to use it yet.
Ukraine is the most documented case study in critical infrastructure attack. Beginning in 2015, Russian intelligence services used it as a live testing environment. The attacks were real, the effects were documented by US government investigators, and the techniques were published — because what works in Ukraine almost always translates elsewhere.
In the months before the attack, Russian hackers gained access to Ukrainian power company networks through spear-phishing emails containing malicious Microsoft Word attachments — the same technique used in countless corporate intrusions. They moved quietly through corporate networks until they reached the Industrial Control Systems. Then, on December 23, 2015, they acted.
A year later, Russian hackers returned with Industroyer — a new malware built specifically for industrial control systems. The 2016 Kyiv attack cut one-fifth of the capital's power consumption. But investigators noted something more alarming than the outage itself: the attack was designed not just to turn the power off, but to physically destroy the equipment used to turn it back on. When operators attempted to restore power, the malware was configured to trigger conditions that would damage the station hardware — making the attack potentially weeks-long rather than hours-long. An operator caught the error in time.
The escalation pattern matters: 2015 was disruption — turn off the lights, restore them, send a message. 2016 was designed for permanent damage — destroy the hardware, make restoration impossible. A nation-state actor targeting US water infrastructure would not necessarily be interested in a short disruption. The intent could be to make restoration take weeks.
Manual backup controls were still installed — operators could restore power physically when digital controls were destroyed.
Infrastructure was old Soviet equipment that Russian hackers knew intimately — but the age also meant analog fallbacks existed.
Western cybersecurity firms (ESET, Microsoft) helped Ukraine respond to the 2022 follow-on attacks before they succeeded.
Power came back within hours to days. No confirmed casualties directly attributed to the outages.
Many US utilities have replaced analog backup controls with digital systems — in some cases, manual restoration is no longer possible without the control software.
Water contamination cannot be "switched back on" — once chemical levels are altered and the water reaches distribution, reversal requires flushing the entire network.
No mandatory cybersecurity standards for water utilities. Compliance is voluntary. The EPA cannot compel improvements.
An attack on NYC water at Oldsmar scale would not resolve in 6 hours. It would affect 9 million people over days.
In February 2021, an unknown attacker accessed the water treatment control system of Oldsmar, Florida using remote desktop software that was already installed and authorized on the system. The access did not trigger any alerts because the tool was a legitimate one. The operator whose computer was accessed noticed the intrusion because he was watching his screen at the moment a cursor began moving on its own.
Over three to five minutes, the attacker navigated the control interface — learned it in real time — and located the sodium hydroxide dosing controls. They changed the setting from 100 parts per million to 11,100 parts per million: 111 times the normal level. Sodium hydroxide is the primary ingredient in drain cleaner. At those concentrations, the water would cause chemical burns to the mouth, throat, esophagus, and stomach of anyone who drank it. The operator reversed the change immediately. But if he had not been watching — if this had happened at 3am, or if the operator had stepped away — the window before anyone noticed would have been 24 to 36 hours. By then, the water would already be in the distribution network.
Note on the Oldsmar investigation: Subsequent reporting raised questions about whether the intrusion was an external attack or an internal error. The FBI investigation was inconclusive, and a former city manager later described it as a possible employee mistake. What is not disputed: the control system was remotely accessible, the chemical change happened, and the only thing that caught it was an operator watching at the right moment. The vulnerability demonstrated is real regardless of the source.
New York City's water supply delivers 1.1 billion gallons of drinking water per day to 8.5 million city residents and approximately 1 million people in surrounding counties — a total of over 9 million people. This represents nearly half the population of all of New York State.
The source is the Catskill and Delaware watershed system — 19 reservoirs and three controlled lakes spanning 2,000 square miles of upstate New York, connected to the city by gravity-fed aqueducts running up to 125 miles. The Catskill/Delaware system alone provides 88–90% of the city's daily water. And here is the detail that matters for a threat scenario: 90% of that water is not filtered. It is treated only with chlorine and ultraviolet disinfection. The system received a federal waiver from filtration requirements based on the quality of its protected watershed. That waiver has been in place since 1997.
Most cities filter their drinking water through physical filtration systems that remove pathogens, chemicals, and contaminants that survive disinfection. New York City received a federal waiver allowing it to skip this step because its watershed is unusually well-protected — largely forested, with strict development restrictions and extensive monitoring. The city invested approximately $1 billion in watershed protection programs to maintain this exemption.
What this means for a threat scenario: the Catskill/Delaware water passes through ultraviolet disinfection and chlorination, then travels directly into the distribution network. A chemical intervention at the treatment stage — increasing a dosing chemical to dangerous levels, as demonstrated in Florida — would not be caught by a filtration barrier because no filtration barrier exists for 90% of the supply. Detection depends on water quality sensors and human monitoring.
The monitoring reality: NYC DEP tests water at 50 monitoring stations daily. But daily testing means the interval between checks can be up to 24 hours — precisely the same window an attacker would have to work in. Real-time chemical sensors exist at treatment facilities, but a sophisticated attacker with SCADA access could potentially manipulate sensor readings alongside dosing controls — as Russia demonstrated in Ukraine's power systems.
This is not speculation. Every step of the following scenario is drawn from documented events: the Oldsmar attack method, the Sandworm reconnaissance model from Ukraine, and the confirmed characteristics of the NYC water system. What follows is what a plausible attack looks like if a sophisticated nation-state actor decided to execute it.
In Oldsmar, the attack was caught because an operator was watching his screen at the exact moment it happened. That is the only control that worked. In a sophisticated attack with credential access, sensor manipulation, and nighttime execution, that control does not exist. The 24–36 hour window before water reaches taps is not a safety margin — it is the attack window. By the time the contamination is confirmed and traceable, the distribution is already complete.
A water supply disruption is not just a water problem. Modern cities run on safe water in ways that are invisible until it is gone. A multi-day water security incident in New York City would not stay in the water system — it would cascade into every dependent system simultaneously.
The Ukraine lesson applied: When Russia cut power to Kyiv for one hour in 2016, the attack was contained and the city recovered quickly. But Dragos Security confirmed the malware was designed to cause permanent physical damage — it was only an operator error in the attack code that prevented it. A water attack with the same intent — not disruption, but permanent damage — would not be over when the water is flushed. It would mean destroying the treatment infrastructure itself, making restoration take weeks, not hours.
In 2024, the EPA inspected water utilities across the United States and found that 70% failed to meet basic cybersecurity standards — including facilities using default passwords on internet-connected systems. This is not a secret finding. It has been reported publicly. Congress has heard testimony about it. And the EPA still cannot legally require water utilities to fix it.
The fundamental problem is statutory authority. Unlike power grids, aviation, financial systems, and now healthcare — which have mandatory federal cybersecurity requirements — water utilities operate under frameworks where cybersecurity guidance is voluntary. The EPA can publish best practices. It can offer grants. It cannot compel compliance.
NIST published the Cybersecurity Framework. CISA maintains sector-specific guidance for water and wastewater systems. Both are excellent resources. Both are completely voluntary. A water utility that reads every document, attends every webinar, and implements zero recommendations faces no legal consequence. There is no audit, no penalty, no enforcement mechanism.
The 70% figure in context: The EPA found that 70% of inspected water utilities had cybersecurity deficiencies serious enough to merit concern — including default passwords on internet-facing control systems. Default passwords. On systems controlling the chemical treatment of water for millions of people. This is not a sophisticated advanced persistent threat problem. This is a patch-your-router problem that was never addressed because nobody was required to address it.
The controls that would prevent or limit a water infrastructure attack are not exotic. They are the same foundational security practices required everywhere else. The gap is not capability — it is mandate and funding. For utilities that want to get ahead of eventual requirements, or for security professionals advising them, this is where the effort should be concentrated.
A trained operator watching his screen at the exact right moment. That was the entire defense. Water utility security cannot depend on that. The controls above — network segmentation, hardware interlocks, continuous monitoring, credential hygiene — are what make a sophisticated nation-state attack difficult rather than trivial. None of them require exotic technology. Most of them are already mandatory for power utilities, pipelines, and aviation. For water, they remain voluntary suggestions.
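As an added illustration of the interlock and continuous-monitoring controls named above (example code written for this article, not any utility's or vendor's software), the block below applies two checks to dosing setpoint changes of the kind made at Oldsmar: an engineering envelope with a rate-of-change limit that holds the last good value, and a consistency check between the dose actually applied and the reading the HMI displays, which is the gap an attacker who edits sensor values alongside setpoints leaves behind. The chemical limits, tolerances and HMI events are constructed for the example; the sodium hydroxide baseline of 100 ppm is the Oldsmar figure from the text.

```python
from dataclasses import dataclass

# Engineering envelope per dosing chemical, in ppm. These numbers are
# constructed for the example; a real plant takes them from its process
# engineers, and the interlock belongs in the PLC, not only in software.
LIMITS_PPM = {
    "sodium_hydroxide": (50.0, 200.0),  # 100 ppm was the Oldsmar normal dose
    "chlorine": (0.5, 4.0),             # hypothetical value, not NYC DEP's
}
MAX_STEP_RATIO = 1.5       # one change may move a setpoint by at most 50%
SENSOR_TOLERANCE = 0.25    # displayed dose may differ from applied dose by 25%

@dataclass
class Decision:
    accepted: bool
    applied_ppm: float
    reason: str

def guard_setpoint(chemical, current_ppm, requested_ppm):
    """Interlock-style check on an HMI setpoint change: hold the current
    value and report why whenever the request leaves the envelope or jumps."""
    low, high = LIMITS_PPM[chemical]
    if not low <= requested_ppm <= high:
        return Decision(False, current_ppm,
                        f"{chemical}: {requested_ppm} ppm outside {low}-{high} ppm")
    lo, hi = sorted((requested_ppm, current_ppm))
    step = hi / lo if lo > 0 else float("inf")
    if step > MAX_STEP_RATIO:
        return Decision(False, current_ppm,
                        f"{chemical}: {current_ppm}->{requested_ppm} ppm is a {step:.1f}x jump")
    return Decision(True, requested_ppm, "within envelope")

def sensor_disagrees(applied_ppm, sensor_ppm):
    """Flag a feed-line reading inconsistent with the dose actually applied."""
    return abs(sensor_ppm - applied_ppm) > SENSOR_TOLERANCE * applied_ppm

def replay(events):
    """Run constructed HMI events through both checks and collect alerts."""
    alerts, state = [], {"sodium_hydroxide": 100.0, "chlorine": 2.0}
    for chem, requested, sensor in events:
        d = guard_setpoint(chem, state[chem], requested)
        state[chem] = d.applied_ppm          # rejected requests keep the old dose
        if not d.accepted:
            alerts.append(d.reason)
        if sensor_disagrees(state[chem], sensor):
            alerts.append(f"{chem}: sensor {sensor} ppm vs applied {state[chem]} ppm")
    return alerts

# Constructed events: (chemical, requested setpoint, reading the HMI shows)
EVENTS = [("sodium_hydroxide", 110.0, 112.0),    # routine adjustment
          ("sodium_hydroxide", 11100.0, 110.0),  # the Oldsmar-style change
          ("chlorine", 1.5, 3.9)]                # dose accepted, display drifts
```

replay(EVENTS) returns two alert strings: one for the rejected 11,100 ppm request, which never reaches the dosing pump, and one for the chlorine display that no longer matches the applied dose.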
Russia demonstrated in Ukraine that critical infrastructure control systems can be accessed, studied, and manipulated by nation-state actors who are patient, skilled, and have years to prepare. They demonstrated it with power grids in 2015 and 2016. An unknown attacker demonstrated it with a water treatment plant in Florida in 2021. The only reason the Florida attack did not cause harm was an operator watching his screen. The only reason a Ukraine-scale attack has not happened to US water infrastructure is — as far as anyone can publicly confirm — that no nation-state actor has decided to execute one yet.
The Catskill/Delaware system serves 9 million people with 1.1 billion gallons per day of water that is disinfected but not filtered. It is the largest unfiltered water supply in the United States. The EPA cannot legally require the utilities in this system — or any water utility — to implement mandatory cybersecurity controls. 70% of utilities inspected in 2024 had basic deficiencies. Some were still using default passwords on internet-connected systems controlling the water that nearly half of New York State drinks every morning.
This is not a failure of technology. The tools that would harden these systems exist and are deployed in other sectors. It is a failure of regulatory priority. Water has been left off the mandatory compliance list while power, pipelines, and aviation were addressed. The argument for continuing to leave it off that list is difficult to make when the precedent — a working proof of concept against a US water treatment plant in 2021 — is already documented and publicly acknowledged by federal law enforcement.
The number that should end the policy debate: 9 million people. Nearly half the population of New York State. Served by a single gravity-fed system that reaches their taps with no filtration barrier. The only thing standing between a sophisticated attacker and mass chemical exposure to 9 million people is a set of voluntary guidelines that 70% of water utilities are not following — and no law that requires them to.
All findings in this report are based on publicly available information including CISA ICS-CERT advisories, Congressional Research Service reports, the National Academies Review of the NYC Watershed Protection Program (2020), Wikipedia documentation of the 2015 and 2016 Ukraine power grid attacks attributed to GRU/Sandworm, CNN, NPR, and CyberScoop reporting on the Oldsmar Florida incident, and EPA inspection reporting. Ukraine power grid casualty figures reflect the known disruption scope; no confirmed direct deaths from the grid attacks were established in public reporting. This represents the author's independent analysis and does not reflect the views of any employer or client organization.
Yana Ivanov is a security analyst and CMMC compliance consultant based in Connecticut, specializing in cybersecurity risk assessment for defense contractors in the Connecticut defense industrial base. With 15 years of enterprise technology experience and an MS in Information Systems, she brings a practitioner perspective to threat intelligence analysis. She is currently pursuing CompTIA Security+ and CMMC Registered Practitioner certification, with a focus on helping defense supply chain companies achieve genuine — not checkbox — security compliance. This analysis was produced independently as a contribution to the security community's understanding of active threats against US defense infrastructure.