Column: The critical role of AI in protecting water utilities from cyber threats
Today, critical infrastructure is the backbone of modern life, with few sectors more vital than water and wastewater services. Every day, millions of Americans rely on these systems for clean drinking water, sanitation, and public health. Now thanks to AI analytics, data can be monitored across multiple regions in real time to optimize operations, from using remote control centers for things like predictive maintenance and analytics to cutting energy use, reducing leaks and minimizing waste.
For water utilities, AI-driven monitoring means quicker detection, faster response, and ultimately, safer communities, all of which are huge bona fides for the industry. However, a recent report highlights a troubling vulnerability that is unfortunately being exacerbated by AI: more than half of U.S. water and wastewater organizations remain unprotected against basic email impersonation attacks.
This analysis of 840 companies by Red Sift across the water/waste, energy and chemical sectors found that 42% lack robust email authentication protocols, including domain-based message authentication, reporting & conformance (DMARC) at enforcement, the frontline defense against phishing and spoofing attacks. In the water sector alone, 52% of organizations are either unprotected or only partially secured, leaving many of the country's leading entities exposed to increasingly sophisticated cybercrime and impersonation threats. These are not abstract risks: successful attacks can disrupt operations, erode public trust, and put entire communities at risk.
Learn more about DMARC
Wastewater Digest sibling brand, SecurityInfoWatch.com is the leading resource for professionals in the physical and electronic security industry. Check out this content about DMARC from the experts who know it best.
- In a world with fewer absolutes, DMARC enforcement provides absolute answers, SecurityInfoWatch.com
- The Gmail.com DMARC policy update you may not know about, SecurityInfoWatch.com
Water and waste industries lagging far behind related sectors, such as energy, is glaring. As regulatory pressure mounts via CISA guidelines, email security is not merely a technical checkbox, it is a foundation for operational resilience in the industry as well as public safety at large.
The good news is the same emerging technologies presenting these challnges can combat these growing threats head on. Following my time at Shazam and Thomson Reuters, I prioritized the importance of developing AI-powered tools within my own organization, enabling industries to triage threats at scale. As the CEO and co-founder of Red Sift, we developed a security LLM designed to cut through the noise by evaluating email authentication and web security settings in real time, clearly explaining which issues carry risk and which should be fixed first. With the aim of turning what is usually 600 hours of work annually into an automated, plain‑English workflow, teams can move from detection to remediation far faster. The point is this: when critical infrastructure is threatened, it is essential that we lower the barrier to effective security, bringing the clarity of an expert analyst to everyone, not just seasoned professionals.
As cyber threats evolve, impacting email, web and PKI, the infrastructure powering AI to combat them brings its own set of challenges. Chief among them are rising energy and resource demands. Data centers, the backbone of LLMs, are already energy intensive and involve tons of water, mostly for cooling, but the real hidden cost is in tokens. Every interaction with a large language model consumes tokens, and inefficient usage is already driving up bills and carbon footprints dramatically. Agents are shifting from human prompts to tool-calling, and data center electrical demand is projected to double by 2030 largely due to AI, according to the International Energy Agency. As such, optimizing token usage is no longer optional. Smarter, LLM-aware API design will slash costs and environmental impact. In one example, we identified a way to cut tokens by 84% with zero quality loss simply by redesigning schemas.
The bottom line is that digital transformation of water and wastewater services is accelerating, but so are the risks. AI offers a unique opportunity, not just to defend against attacks, but to proactively safeguard public health, protect customer trust, and optimize critical operations. By embracing AI responsibly, water organizations can turn technology into a force for good. Moving forward, utilities must adopt a holistic approach to security, combining AI tools with robust governance, employee training, and regulatory compliance. Email authentication protocols like DMARC are essential first steps to discourage malicious actors.
The question is no longer whether AI will impact critical infrastructure. Honestly, it already has. The challenge is ensuring that impact remains positive both in terms of institutional protections and broader concerns around data center demands. For water utilities and their customers, the stakes could not be higher.
About the Author
Rahul Power
Cofounder and CEO, Red Sift
Rahul Powar is cofounder and CEO of cybersecurity platform Red Sift. Previously, he was the founding architect of Shazam’s iPhone app and the former head of advanced products and innovation at Thomson Reuters.