H2OSecCon 2026

Alone we can do so little, together we can do so much – Helen Keller

Over time, critical infrastructure has become increasingly connected, and as a result, the threat landscape has evolved. These threats can lead to consequential disruptions, especially when critical lifelines such as water, health, energy, and financial systems are at stake. Today, threat actors target critical infrastructure for a range of motivations, including financial gain through cybercrime, hybrid warfare, intellectual property theft, information gathering, and pre-positioning for future disruption. As disruption becomes inevitable, the questions remain: how do we mitigate these threats, how do we build resilience, and what role does each of us play in securing the systems society depends on?

The answer is community, because security is strongest not in isolation, but through collaboration.

In this keynote, Denise Anderson, President and CEO of Health-ISAC and Chair of the National Council of ISACs, explores how strong, trusted communities have been built within both the Financial Services and Health ISACs. She emphasizes that these communities are grounded in voluntary engagement, including voluntary incident reporting and information sharing, rather than regulatory mandate. This shared responsibility places the onus on participants to actively contribute to collective defense, not simply comply with requirements.

Denise highlights how connection, coordination, and collaboration enable organizations to share situational awareness, insights, and best practices before, during, and after incidents, strengthening resilience across sectors. She underscores the importance of working together under the ISAC model to meet today’s challenges and inspire collective action in support of security, economic prosperity, and the health of society.

Many water utilities find themselves in a cycle of cybersecurity gridlock. Security teams feel unheard, operational technology (OT) operators feel misunderstood as they strive to “keep drinking water flowing and wastewater treated 24x7x365”, and leadership is often puzzled by the team’s dysfunction or too removed from the problem. This misalignment fuels reactive “duct tape” fixes, blame-shifting, or outright inaction, leaving critical infrastructure vulnerable. This scenario threatens cyber-operational resilience and economic viability across the nation.
This session, presented by Dennis O’Neill of Claroty, provides a playbook to break this cycle by focusing on organizational alignment and execution. It moves beyond technical fixes to address the core “precursor problem” of organizational-level alignment. Attendees will explore the distinct perspectives, pressures, and “empathy lenses” of Security, OT Operators, and Leadership to understand the root causes of indecision.
This discussion also frames these practices within the context of water system responsibilities, including alignment with AWIA/SDWA for drinking water systems and the Clean Water Act for POTWs. The session will conclude with the understanding that progress in OT security depends on “trust, teamwork, alignment, and accountability” to build enduring cyber-operational resilience.

The pace of emerging risks is accelerating. Two decades ago, as NERC developed mandatory security controls for the electric sector, most water utilities were just beginning to recognize how increasing digitalization was creating new vulnerabilities. A decade ago, physical climate impacts intensified in frequency and severity, embedding “resilience” into the lexicon of AWWA, WEF, and the ACEC. Then in late 2022, GenAI entered mainstream consciousness with ChatGPT 3.5, introducing transformative capabilities alongside unprecedented risks and uncertainties.
For risk professionals, the convergence of cyber, AI, and climate threats can feel overwhelming. This session presents a practical solution: risk management frameworks that cut through complexity by prioritizing what matters most: high consequence events weighted more than statistical likelihood. Attendees will learn actionable approaches developed by West Yost, AWWA, and leading national laboratories to systematically assess, manage, and mitigate both digital and physical risks facing water utilities.

As cyber threats against operational technology (OT) and industrial control systems (ICS) continue to evolve, the water and wastewater sector faces increasing pressure to defend the physical processes that directly protect public health, environmental safety, and service continuity.

In this session, Dean Parsons—Principal Instructor with the SANS Institute and CEO of ICS Defense Force—shares hard-won, real-world lessons from incident response in industrial environments. The focus is on building resilient OT incident response capabilities through engineering-aligned practices, shared operational experience, and sector collaboration. Because in critical infrastructure, no facility defends alone—strong defenses are built by learning from incidents, sharing what works, and strengthening the community that operates and protects essential water systems.

Drinking water contamination can occur from natural, accidental, and intentional causes. It can result from other emergencies (e.g., wildfires), from specific contamination scenarios (e.g., backflow), or from an intentional malevolent act (e.g., tampering). Responding to a contamination incident requires drinking water utilities and local/state agencies to take measured, yet appropriate action to ensure the issue is addressed without wasting resources and causing undue alarm to the community. In this session, EPA will provide an overview of the investigation of, response to, and remediation of a contamination incident, highlighting new planning and response resources available to assist the water sector. It will also include a discussion of current contamination issues that the EPA is exploring such as the use of AI for contamination response, saltwater contamination, and source water contamination threats.

Most cybersecurity failures in water utilities don’t start with code—they start with people. Operators under pressure to keep water flowing, engineers juggling reliability and compliance, and IT staff battling alert fatigue all make small decisions that shape security outcomes.
This session dives into how cyberpsychology—the study of how people think and behave in digital environments—helps explain why improving cybersecurity culture in operational technology (OT) settings is so difficult. We’ll unpack the everyday human barriers that stand in the way of secure behavior, such as:
• Complacency bias (“it won’t happen here”),
• Automation trust that dulls vigilance,
• Change fatigue from constant updates and new rules, and
• The clash between safety and security priorities during operations.

Drawing on relatable examples from U.S. water and wastewater utilities, this talk focuses on practical, low-cost strategies to shift habits, mindsets, and team culture—turning cybersecurity from a checklist into a shared value.
Attendees will walk away understanding that real security starts not with new tools, but with human behavior, communication, and trust across IT, OT, and operations.

This session will provide an overview of the threats drones, or unmanned aircraft systems (UAS), pose to critical infrastructure, especially water and wastewater utilities. Attendees will gain foundational knowledge of drone technology and its evolving role as tools used both by threat actors in their malicious activities and critical infrastructure organization in support of their operations, which provides benefits but also risks. The session will highlight potential opportunities to mitigate drone threats and the legal challenges that impede these efforts. It will also cover current trends and emerging tactics, techniques, and procedures (TTPs) regarding this technology.

In Control is a control systems integrator for water municipalities of small and medium-sized
cities and rural water systems. Located in Minnesota, our customers are in the upper Midwest region of the United States.
In August of 2025, we received an emergency call from an operator at a municipal utility who
said that all three of their high service pumps were running in manual mode at full capacity. Usually they are set to “auto” and run only when called to fill the tower. If the pumps had remained running at full capacity, they would have caused immense damage to the system, overfilling the water tower and burning out the pumps. On the Human Machine Interface (HMI) screen in the control panel near for the pumps nearby, the operator observed a mouse clicking on the icons on the HMI and undoing every action the operator made to correct the condition. After logging onto their firewall to investigate, we found a remote connection that originated from Moscow, Russia. Immediately, we told the operator to disconnect the firewall from the internet. This disconnected the attacker from the system and allowed the HMI to be operable again. This action also removed remote access for that operator, a necessary feature for normal operation.
We then assisted the municipality with reporting the incident to CISA, Minnesota’s state IT agency, and the municipality’s cybersecurity insurance agency. We sent an engineer on-site to determine the scope of the attack and implement tighter security for the OT system to help prevent future attacks.
After the initial response, with help from federal, state, and private partners, we spent the next six weeks determining the damage to the system, returning it back to full operation, and restoring remote access. With the cost of our assistance and insurance fees, the incident cost the municipality tens of thousands of dollars.

This session explores innovative strategies to embed security awareness into the fabric of water sector organizations. Attendees will learn how creative training methods and active engagement can transform compliance into culture, empowering employees and security teams to internalize best practices. From interactive learning experiences to practical outreach initiatives, we’ll showcase approaches that make security concepts accessible, memorable, and actionable—ultimately strengthening resilience across the sector.

Cybersecurity is not just an IT problem—it’s a resilience problem. In June 2023, the King County Office of Emergency Management recognized a unique opportunity, multiple grants and partners were converging around one urgent need: foundational cybersecurity training for water utilities and emergency managers. That moment was a turning point where KCOEM decided to build a series of coordinated high-quality training events designed to bring water utilities, IT professionals, and emergency managers from around the Puget Sound into one room together. And it changed the landscape for how cybersecurity is talked about with these partners.
From May 2024 to June 2025, KCOEM hosted four progressive events. We began by identifying the specific cybersecurity challenges facing water utilities, then convened the right mix of stakeholders across utility operations, IT, and emergency management. We provided foundational cybersecurity education tailored to non-technical partners and before testing real-world impacts through tabletop exercises.
This session will share how an emergency manager earned the trust of both water utilities and IT experts and why building trust and coalitions simultaneously is essential for tackling cybersecurity. Attendees will learn practical strategies for creating safe spaces where diverse partners can build shared understanding, even when federal, state, and local jurisdictions are all in the room. We will also highlight how we found the real gaps and what was uncovered throughout the process; both from utilities with advanced cybersecurity understanding down to the one-person operations.
Cybersecurity resilience for water utilities requires more than technical fixes. It demands trust, collaboration, and coalitions that extend beyond traditional boundaries and partners we traditionally rely upon. This presentation offers a roadmap for building those partnerships – and sustaining them—before the next cyber incident strikes.

Utilities of all sizes face an increasingly complex physical threat landscape as they work to provide critical services for their communities. To help navigate these challenges, join this panel comprised of WaterISAC’s Physical Security Advisory Committee members as they discuss security threats facing the sector and practical solutions to mitigate those threats. Topics covered will include insider threats, access controls, security staffing, low-cost/no-cost security solutions, perimeter security design, and more. Attendees will also get to learn about the Physical Security Advisory Committee and how it’s helping advance security and resilience for the sector. Don’t miss this opportunity to learn from your peers.

Stick around for your chance to win one of 3 $100 Amazon Gift Cards!