A recent hands-on training for leaders of rural water systems brought a sobering reality to light: cyberattacks don’t just threaten big cities or technology companies.
On June 25, Communities Unlimited and the Cybersecurity and Infrastructure Security Agency hosted an in-person cybersecurity training specifically for rural water and wastewater utilities.
Held at the Alexandria Mega Shelter in central Louisiana, the half-day session was led by Chris Brunson, Louisiana state coordinator for CU, and his organization's Community Infrastructure team. The event brought together operators, city officials and local leaders from across the state for a learning experience centered on collaboration and crisis response.
Bad actors
Rural water systems, often operating with limited staff and outdated infrastructure, may be among the utilities most vulnerable to cyberattacks.
The training featured CISA’s Community Cyber Readiness Tabletop Experience, a national model that walks participants through a cyberattack drill. CISA, part of the U.S. Department of Homeland Security, is charged with protecting the nation’s critical infrastructure from physical and cyber threats.
Its involvement underscored the growing urgency of cybersecurity in rural communities. Since March, CU staff members have worked directly with CISA to prepare for the training. The goal was to develop a replicable training model that CU teams in other southern states could roll out in late 2025.
During the Alexandria session, CU staff across the region joined via Zoom to observe the training and begin planning similar workshops in their areas.
A present danger
The need for training is real. Water systems increasingly rely on internet-connected control systems, like SCADA, that enable operators to remotely monitor and manage treatment processes. When those systems are compromised, the consequences can be severe.
For example, in early 2024 three small communities in the Texas Panhandle — Muleshoe, Hale Center and Lockney — were targeted in a series of coordinated cyberattacks.
In Muleshoe, hackers caused the water system to overflow before operators could regain manual control. Hale Center saw more than 37,000 login attempts in four days before the system was disconnected. In Lockney, an attempted breach was stopped before any damage was done, but it still served as a stark warning.
The Mandiant cybersecurity firm linked at least one of the incidents to CyberArmyofRussia_Reborn, a Russian hacktivist group that claimed responsibility online. However, analysts believe this group is likely a front or affiliate of Sandworm, a notorious unit of Russia’s military intelligence responsible for some of the world’s most dangerous cyberattacks, including those that took down parts of Ukraine’s power grid in 2015 and 2016, and during the 2022 invasion of the country by Russia.
Taking the challenge
The Texas incidents are a chilling reminder that small rural communities are vulnerable to the same threat actors behind large-scale international cyberwarfare. Catherine Krantz, area director of broadband with CU, observes that the training expanded the way participants think about infrastructure threats.
“We tend to have a narrow view of cybersecurity, like it’s just about protecting pumps or computers, but this training went further,” Krantz says. “It covered things like losing billing data, the importance of recent backups and what happens if you’re relying on someone else to manage your systems. If they drop the ball, you’re the one who suffers.”
The training made clear that even systems with minimal online presence, like local-only networks or physical billing systems, are at risk. Weak passwords, outdated software or third-party vendors can serve as entry points for bad actors.
Keith Saucier, a maintenance supervisor and longtime water operator for systems in Ville Platte and Point Blue-Chataignier in Louisiana, characterized the training as a wake-up call: “It made me realize that we’ve got to be more mindful and careful with what we’re doing, what we’re clicking on and how we’re saving things.”
Participants were challenged to think in real time: What do you protect first? Who do you call? What if your main system goes down? Many were surprised to learn that CISA offers free tools and support, a lifeline for small communities operating on tight budgets. Financial and staffing constraints are a key reason why federal lawmakers are taking action.
Drew Jackson, of the Kisatchie-Delta (Louisiana) Regional Planning & Development District, said the training opened his eyes to how interconnected systems are. “Something can happen in one area, and it ends up affecting a bunch of others,” he says.
Joy Hicks, a councilwoman from the village of Dry Prong, said the real-life scenarios made cybersecurity feel less abstract: “When you hear the word ‘attack,’ you picture something big and dramatic. But in reality, it can show up in smaller, unexpected ways, like garbage collection being delayed or schools having to close.”
Valued experience
According to a recent industry report, 62% of water and power utilities in the United States and the United Kingdom were hit by at least one cyberattack last year, and 80% of those experienced multiple incidents.
Certified plant operator Cynthia Alexander left the training feeling better equipped. “There are resources out there for me and for my company too,” she says. The Louisiana Department of Health approved the training for four continuing education units, but participants agreed the biggest value was the practical knowledge and confidence it provided.
CU and CISA plan to bring the training to other southern states, ensuring that more communities are prepared before disaster strikes.
“Cybersecurity is a big deal,” Saucier says. “The training made it clear just how important it is to protect our systems.”
Derek Shore is a content coordinator with Communities Unlimited, an Arkansas-based nonprofit that connects rural Americans to solutions for healthy businesses, communities and lives.




















