Virtual Routes highlights Europe’s water systems under siege from cyber attacks, provides policy recommendations


A new report from Virtual Routes highlights that many critical infrastructure entities across Europe remain ill-prepared to defend against cyber threats. Despite their essential role in society, these organizations often lack the funding, skilled personnel, and technical capabilities needed to meet growing regulatory demands. The report spotlights the drinking water and wastewater sectors, documenting a sharp rise in cyber incidents targeting these installations across Europe and beyond. These include ransomware attacks, credential breaches, and attempts to sabotage treatment processes, with risks compounded by weak remote access controls, outdated systems, and poor asset visibility.

The report, titled ‘Under Pressure: Securing Europe’s Resource-Constrained Critical Infrastructure,’ identifies which segments of Europe’s infrastructure are most vulnerable and outlines the forms of support that would have the greatest impact. It places particular emphasis on the drinking water and wastewater sectors, which are increasingly targeted by cyberattacks yet remain chronically underfunded and show low cybersecurity maturity.

While EU policies like the NIS2 Directive and the Cyber Resilience Act have strengthened the cybersecurity framework, their success hinges on whether under-resourced entities can actually comply. 

Sponsored by Microsoft, the Virtual Routes report, authored by Max Smeets, Gijs van Loon, James Shires, and Apolline Rolland, offers a focused analysis of cybersecurity risks in the drinking water and wastewater sectors. Over the past five years, the water and wastewater sector across the world has experienced a concerning rise in cyber incidents, ranging from nation-state sabotage attempts to financially motivated ransomware attacks.

Although often grouped together, the two sectors face distinct operational and security challenges. Drinking water services are typically small-scale and decentralized, while wastewater systems are more interconnected and environmentally sensitive. Both sectors share common weaknesses such as poor cyber hygiene, limited staffing, aging infrastructure, and weak coordination on threat intelligence.

To address these risks, the report proposes a layered approach to cybersecurity: strengthen basic hygiene practices, improve asset visibility, implement sector-specific protections, and develop robust crisis response plans. It also calls for greater cross-border collaboration and support to help these vital sectors keep pace with escalating threats.

Earlier this year, the European Commission unveiled a sector-specific action plan to bolster cybersecurity in the healthcare sector and protect hospitals and providers from cyberattacks. The action plan integrates the NIS2 directive, Cyber Resilience Act, Cyber Solidarity Act, and the Cyber Diplomacy Toolbox, to prevent, detect, respond to, and deter cyberattacks against the frequently targeted sector.

Taken together, the EU’s regulatory frameworks and operational response mechanisms represent an increasingly comprehensive approach to protecting critical infrastructure from cyber threats. Yet, challenges remain. Not least, the diversity of critical infrastructure across member states, coupled with varying levels of cybersecurity maturity and funding mechanisms, creates gaps in resilience. Certain entities, particularly those classified as ‘resource poor but target rich,’ cannot defend themselves. 

Virtual Routes assessed that without tailored support mechanisms, there is a risk that existing regulations will benefit only those organisations already equipped to comply, while leaving the most vulnerable critical infrastructure exposed. The report aims to close these gaps by pinpointing the most at-risk entities and outlining the specific types of support they need most.

It noted that despite the range of actors, many cyber attacks on water and wastewater systems have exploited a common set of TTPs. A recurring theme is attackers taking advantage of remote access into operational networks. “If the IT and OT environments are interconnected or not properly segregated, the attacker can even pivot to industrial control systems from gaining initial access in the business environment through a phishing email or other access. Credential compromise is another cross-cutting technique.” 

Virtual Routes said that the Cl0p ransomware group claimed responsibility for the cyberattack on South Staffordshire Water, asserting they had access to critical systems that control water treatment processes. They released screenshots displaying compromised credentials, highlighting the exploitation of weak or reused passwords. Similarly, when Cyber Avengers claimed responsibility for targeting Israeli-made Unitronics programmable logic controllers (PLCs) in October 2023, they likely exploited the fact that these PLCs were internet-facing, used default or no passwords, and operated on default ports.

The Virtual Routes report concludes with four policy recommendations for the European Union.

First, it calls for the launch of an EU Water-Cyber Hygiene Accelerator Program. This would be a grant-based initiative to improve cyber hygiene in drinking water and wastewater utilities, with a focus on implementing multi-factor authentication, securing remote access, and maintaining regular patching. The program would blend sector-specific guidance from ENISA with financial support, modeled after key initiatives in the EU and the U.S.

Second, the report recommends establishing a European Water Sector Information Sharing and Analysis Center (ISAC). This entity would enable trusted information sharing, threat intelligence, and coordinated incident response among water utilities, regulators, and member-state CSIRTs. The goal is to enhance cross-border cyber resilience in the water sector.

Third, the report advises integrating cybersecurity into the environmental and public health governance of Europe’s water systems. This means ensuring that cyber threats are addressed in environmental regulations, water safety plans, and emergency preparedness strategies to protect water quality and public health.

Lastly, it urges more active use of political tools to deter malicious activity targeting water infrastructure. The EU should more frequently deploy the Cyber Diplomacy Toolbox in response to such attacks. While this tool has been used for major incidents like NotPetya and WannaCry, it remains underutilized in the water sector. The report encourages the EU to use coordinated sanctions, public attributions, and diplomatic pressure to signal that cyberattacks on water systems will have real consequences.
