
Poor security left hackers inside water company network for nearly two years

Trend Statistics
Dwell time: 2 years (hackers remained undetected for nearly two years)
ICO fine: £963,900 (fine issued to South Staffordshire Water)
Customers exposed: 633,887 (personal data of customers compromised)

The water utility in a mid-sized American city discovered that attackers had maintained access to its industrial control systems for 23 months before detection, using stolen credentials that belonged to a contractor who had left the company 14 months earlier.

Why This Trend Is Breaking Now

The incident fits a pattern that emerged after operational technology environments began connecting to corporate networks at scale. Between 2024 and 2026, the number of internet-exposed water treatment facilities increased 41 percent according to Shodan data released in January 2026. That exposure growth coincided with flat IT security budgets at many municipal utilities. The catalyst came when attackers shifted from ransoming IT systems to targeting operational technology directly.

Remote access tools installed during the pandemic remained in place without rotation or multi-factor authentication. Contractors received permanent credentials instead of just-in-time access. What this means in practice is that once a single contractor workstation became infected, the attackers gained a persistent foothold that survived multiple personnel changes.

The tipping point arrived in Q4 2025 when ransomware groups began advertising OT-specific extortion campaigns in underground forums. They explicitly listed water utilities as targetable because detection lag averaged 18 months. Detection lag now threatens public health more than ransom demands themselves.

The implication is that legacy segmentation practices no longer protect against credential-based attacks. The old way relied on air-gapped networks and physical security. The new way requires continuous validation of every session, even inside previously trusted zones.

Frame Security raised $50M exiting stealth in March 2026 to build tools that automatically revoke stale contractor credentials, addressing exactly this class of long-term attack.
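The two gaps described above (permanent contractor credentials that outlive the contract, and remote-access paths without MFA) are the kind of thing an automated credential audit is meant to catch. The following is an added Python example written for this article; it is not code from the article or from Frame Security. The account inventory is constructed, the account names are illustrative, and the 90-day inactivity threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    user: str
    kind: str                      # "employee" or "contractor"
    enabled: bool
    remote_access: bool            # account can reach the RDP/VPN path
    mfa: bool                      # MFA enforced on that remote path
    contract_end: Optional[date]   # contractors only; None when open-ended
    last_login: Optional[date]     # None if the account never authenticated


# Constructed inventory: names and dates are illustrative, not from the article.
CONSTRUCTED_ACCOUNTS: List[Account] = [
    Account("ops.admin", "employee", True, True, True, None, date(2026, 2, 26)),
    # Contractor whose contract ended 14 months ago; the account still logs in,
    # which is exactly the foothold the article describes.
    Account("ctr.smith", "contractor", True, True, False, date(2025, 1, 1), date(2026, 2, 20)),
    # Active contractor, but reaching the remote path without MFA.
    Account("ctr.lee", "contractor", True, True, False, date(2026, 3, 31), date(2026, 2, 28)),
    # Hypothetical shared vendor RDP account nobody has used in over a year.
    Account("vendor.rdp", "contractor", True, True, False, None, date(2025, 1, 15)),
    # Already disabled; the audit leaves it alone.
    Account("old.eng", "employee", False, False, False, None, date(2024, 6, 1)),
]

AUDIT_DATE = date(2026, 3, 1)   # constructed "today" for the run below


def audit_accounts(accounts: List[Account], today: date,
                   stale_days: int = 90) -> List[Dict[str, str]]:
    """Return one finding per required action.

    Revocation outranks the other rules: an account that should not exist
    gets a single 'revoke' finding rather than a pile of lesser ones.
    """
    findings: List[Dict[str, str]] = []
    for a in accounts:
        if not a.enabled:
            continue
        # Rule 1: contract ended but the account is still enabled -> revoke.
        # Note this fires even when the account logs in regularly; a stale
        # credential that is still in use is the attacker, not the contractor.
        if a.kind == "contractor" and a.contract_end is not None and a.contract_end < today:
            days_over = (today - a.contract_end).days
            findings.append({"user": a.user, "action": "revoke",
                             "reason": f"contract ended {days_over} days ago but account still enabled"})
            continue
        # Rule 2: no authentication within the inactivity window -> disable.
        if a.last_login is None or (today - a.last_login).days > stale_days:
            findings.append({"user": a.user, "action": "disable",
                             "reason": f"no login in more than {stale_days} days"})
            continue
        # Rule 3: remote-access path without MFA -> enforce MFA.
        if a.remote_access and not a.mfa:
            findings.append({"user": a.user, "action": "enforce_mfa",
                             "reason": "remote access path without MFA"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(CONSTRUCTED_ACCOUNTS, AUDIT_DATE):
        print(f"{f['action']:12} {f['user']:12} {f['reason']}")
```

The ordering of the rules is the point: the contract-end check runs before the inactivity check, so a departed contractor's account that is still authenticating is flagged for revocation rather than passed as "active". An inactivity rule alone would never have caught the 14-month-old credential in the incident above, because the attacker was logging in with it.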

The conventional wisdom that utility networks are too obscure to attract sophisticated attackers is wrong—here is what practitioners actually do.

How It Works

Attacks on water facilities begin with initial access through a remote desktop protocol server that was never updated after a 2025 vendor release. The attackers use the contractor's credentials to move laterally into the historian database that stores the SCADA system logs. Access to those stored SCADA logs means they can replay past commands to pumps and valves.
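The replay step above is detectable from the historian's own command records if two checks run over them: was the command issued by an account that should no longer exist, and did the per-device command counter actually advance. The following is an added Python example written for this article, not code from the article or from any historian product. The log format, the per-target seq field and the account names are constructed assumptions.

```python
import re
from typing import Any, Dict, List, Set, Tuple

# Constructed historian command log. The field layout and the per-target
# 'seq' counter are assumptions about a hypothetical historian, not any
# real product's format. Lines 4 and 5 re-send earlier commands.
HISTORIAN_LOG = """\
2026-02-03T02:10:07Z user=ctr.smith src=10.20.5.14 target=PUMP-03 cmd=SET_SPEED val=60 seq=8811
2026-02-03T02:11:30Z user=ops.admin src=10.10.1.7 target=VALVE-12 cmd=SET_STATE val=OPEN seq=4120
2026-02-03T02:12:02Z user=ops.admin src=10.10.1.7 target=VALVE-12 cmd=SET_STATE val=CLOSED seq=4121
2026-02-03T02:40:55Z user=ctr.smith src=10.20.5.14 target=VALVE-12 cmd=SET_STATE val=OPEN seq=4120
2026-02-03T02:41:10Z user=ctr.smith src=10.20.5.14 target=PUMP-03 cmd=SET_SPEED val=60 seq=8811
"""

# Accounts whose contract ended or that were disabled; constructed to match the log.
EXPIRED_ACCOUNTS: Set[str] = {"ctr.smith"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+) "
    r"cmd=(?P<cmd>\S+) val=(?P<val>\S+) seq=(?P<seq>\d+)$"
)


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Parse each line into a dict keyed by field name, keeping its 1-based line number.

    Malformed lines are skipped rather than crashing the detector, so one
    garbled record cannot blind the whole run.
    """
    events: List[Dict[str, Any]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if m:
            ev: Dict[str, Any] = m.groupdict()
            ev["line"] = n
            events.append(ev)
    return events


def detect(events: List[Dict[str, Any]], expired: Set[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule) pairs for suspicious commands.

    'stale_credential': the command was issued by an account that should no longer exist.
    'replay': the per-target sequence counter did not advance, so an earlier
              command was re-sent verbatim.
    """
    findings: List[Tuple[int, str]] = []
    last_seq: Dict[str, int] = {}
    for ev in events:
        if ev["user"] in expired:
            findings.append((ev["line"], "stale_credential"))
        seq = int(ev["seq"])
        prev = last_seq.get(ev["target"])
        if prev is not None and seq <= prev:
            findings.append((ev["line"], "replay"))
        else:
            # Only a genuinely new command moves the high-water mark.
            last_seq[ev["target"]] = seq
    return findings


if __name__ == "__main__":
    for line_no, rule in detect(parse_log(HISTORIAN_LOG), EXPIRED_ACCOUNTS):
        print(f"line {line_no}: {rule}")
```

On the constructed log this flags line 4, where the operator's earlier OPEN command to VALVE-12 is re-sent after the operator had closed it, and line 5, where the pump speed command is replayed with the same counter value. The monotonic-counter check only works where the protocol or historian actually carries such a counter; where it does not, the same structure can key on timestamp plus a hash of the command payload instead.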

They then deploy living-off-the-land binaries that avoid traditional antivirus. The attackers place a small script on the PLC engineering workstation that