(TLP:CLEAR) Case Study: How a Three-Person Team Closed OT Visibility Gaps at Juneau’s Water Utility
Created: Thursday, July 16, 2026 - 14:58
Categories: Cybersecurity, OT-ICS Security, Security Preparedness
Summary: Dragos recently published a case study on the City and Borough of Juneau, Alaska, whose water and wastewater systems serve the state capital, a significant U.S. military presence, a major shipping hub, and 1.7 million cruise passengers annually, all with a team of three managing water production. The utility’s OT environment had grown incrementally over decades, leaving roughly 50 remote nodes communicating in undocumented ways, with institutional knowledge held by only two or three veteran operators.
Two events drove change. A software supply chain incident involving a widely used remote access tool reportedly brought the utility within hours of shutting off water to about half the city. Around the same time, the team discovered a distribution operator using default passwords across their remote logon system. The utility implemented multifactor authentication first, then deployed network monitoring through the Dragos Community Defense Program, which provides qualifying U.S. water, wastewater, electric, and gas utilities with under $100 million in annual revenue free, ongoing access to the Dragos Platform and related training.
Analyst Note: Juneau’s story will feel familiar to many members: expert-level responsibility, lean staffing, and aging systems nobody fully documented. Chad Gubala, Juneau’s Production and Treatment Manager, describes the sector as “target rich but cyber poor.” The utility’s experience reinforces several of WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities, particularly understanding assets, monitoring for threat detection, and enforcing access controls.
Practical takeaways include:
- An accurate asset inventory and network map enable deliberate architecture decisions, such as network segmentation and the ability to quarantine nodes during an incident.
- Default credentials on remote access systems remain a common, easily corrected exposure. Members can verify MFA is enforced on all remote OT access.
- Free resources exist for under-resourced utilities. Members can review the Community Defense Program’s eligibility criteria, and smaller systems can consult WaterISAC’s Small Systems Guidance Compendium for right-sized guidance.
Original Source: https://www.dragos.com/blog/juneau-water-utility-ot-visibility
Additional Reading:
- Dragos Community Defense Program
- WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities
- Dark Reading: Dragos Expands Defense Program for Small Utilities
Related WaterISAC PIRs: 6, 9, 10, 12
