How Close Are We to a Cyber-Driven Citywide Water Outage?

Will hackers actually turn off a city’s water, or is that just conference-slide horror fiction? 💧🤔 We put a number on it...

Cool. We have valves.

Strategic Overview

TL;DR

  • Probability of “Yes” by 31 Dec 2026: 10% (log-odds -2.20)
  • Base rate: 3% over a similar 2‑year window, from 0 such events in 15 years of OT‑incident data with physical consequences.
  • Key hinge: whether state‑linked hacktivists can translate growing access to water ICS into sustained, large‑scale outages despite manual fallback and segmentation at major utilities.

Question

By 31 Dec 2026, will a ransomware or hacktivist operation cause a potable water or wastewater outage >48 hours that affects ≥500,000 residents in a single OECD country, where the root cause is compromise of ICS/OT systems (not just billing/IT)?

Executive Take

I assess about a 1 in 10 chance that, by end‑2026, a ransomware or hacktivist operation will drive a multi‑day ICS‑rooted water/wastewater outage affecting ≥500k people in one OECD country. Public OT‑incident datasets (Waterfall/ICS STRIVE) show sharply rising water‑sector targeting and several recent near misses, but no historical events yet at this scale. The main brake on risk is the manual fallback and redundancy that large utilities still retain, even under active compromise.


Forecast Card

  • Question: By 31 Dec 2026, will a ransomware or hacktivist operation cause a potable water or wastewater outage >48 hours that affects ≥500,000 residents in a single OECD country, where the root cause is compromise of ICS/OT systems (not just billing/IT)?

  • Resolution Criteria (tightened):

    YES if, between now and 2026‑12‑31 23:59:59 ET, all of the following are met:

    1. Actor & operation

      • The incident is publicly attributed (by the operator, government, or widely cited security researchers) to a ransomware group or hacktivist group (including state‑aligned hacktivists).
      • Purely criminal data‑theft with no extortion or ideological motive, or purely state espionage, do not qualify.
    2. Target & geography

      • The victim is a potable water utility or wastewater utility (drinking water, sewage collection, or treatment), or an operator of integrated water/wastewater systems.
      • The impacted system is located in an OECD member country at the time of the incident.
      • If a multi‑country utility is affected, the criteria are evaluated per country; there must be ≥500,000 affected residents within a single OECD country.
    3. ICS/OT root cause

      • There is compromise, misuse, or forced shutdown of ICS/OT systems (e.g., PLCs, SCADA, RTUs, plant/field control networks) that directly or credibly drive the operational impact.
      • “Credibly drive” includes cases where operators shut down ICS/OT as a safety response to confirmed compromise or process manipulation attempts.
      • Incidents that only affect IT/billing/web/email, with no operational change in ICS/OT control, do not qualify.
    4. Type and severity of service impact

      • Impact must be loss or severe restriction of potable water delivery or wastewater service for the affected residents, for ≥48 continuous hours.
      • This can be met by:
        • Potable water:
          • Loss of piped water delivery (no water at taps), or
          • Do‑not‑drink or boil‑water advisories where the affected population is instructed not to consume the supplied water (without boiling) because of conditions arising from the cyber/ICS event.
        • Wastewater:
          • Inability to use sewer services (e.g., households instructed not to flush toilets / use drains, or widespread sewage backup) because collection or treatment is offline/compromised due to the cyber/ICS event.
      • Purely environmental non‑compliance (e.g., bypassing treatment and discharging untreated effluent while customer sewer service functions normally) does not qualify unless household service is restricted as above.
    5. Scale of impact

      • ≥500,000 residents in that single OECD country experience this loss or severe restriction simultaneously for ≥48 continuous hours.
      • “Residents affected” is taken from:
        • Utility/customer counts or regulator reports, or
        • Official advisories/press releases (e.g., “City X with 600,000 residents under boil‑water advisory”), or
        • Credible media citing such official numbers.
      • Partial coverage of a metropolitan area does count if best available estimates show ≥500,000 residents under outage/advisory.

    NO otherwise, including if:

    • Duration is <48h, or peak affected population is <500,000 in any single OECD country.
    • The effect is limited to billing, websites, or customer portals, even if reputationally severe.
    • The incident stems exclusively from IT failures, cloud/SaaS outages, or non‑malicious misconfigurations.
    • Water quality or wastewater issues arise purely from natural events (flooding, contamination) without an ICS/OT cyber root cause.
  • Horizon: 31 December 2026

  • Probability (Now): 10% | Log-odds: -2.20

  • Confidence in Inputs: Medium

  • Base Rate: ≈3% over a 2‑year window, derived as follows:

    • Waterfall/ICS STRIVE’s joint datasets show 76 OT attacks with physical consequences in 2024 and 72 in 2023, under strict criteria, with hundreds more since 2010; none are known to have caused >48h water/wastewater outages for ≥500k residents.[^waterfall25][^waterfall24]
    • The same 2025 report notes seven new consequential or near‑miss attacks on water utilities in 2024, five tied to Sandworm/CARR, still all below the ≥500k, >48h threshold.[^waterfall25]
    • Given 0 qualifying events in ~15 years of curated, physically consequential OT incidents, I treat the empirical frequency as 0 out of “hundreds”, then apply a conservative Bayesian/Laplace prior (1 pseudo‑event over the period) to avoid a literal 0%. This yields a low single‑digit prior for such an extreme event over a 2‑year window, which I round to ≈3% as the baseline before conditioning on current drivers.

    Selection & Under‑reporting Biases (short):

    • Under‑counting of small/medium incidents: STRIVE and Waterfall rely on public disclosures, so less‑visible or embargoed incidents are missing; counts are explicitly described as underestimates.[^waterfall25]
    • High‑consequence bias in reporting: A cyber‑driven, multi‑day water outage for ≥500k residents would almost certainly trigger national coverage, regulatory reports, and sector analyses, making it very unlikely to be absent from these datasets or other public reporting.
    • I therefore treat “no observed event” in 2010‑2024 as meaningful evidence that such events are extremely rare, even after adjusting for under‑reporting.
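To make the forecast‑card arithmetic reproducible, here is an added Python example (not from the original post) that converts the headline numbers between probability and log‑odds, computes the log‑odds shift the “current drivers” must add on top of the base rate, and shows a textbook rule‑of‑succession base rate for 0 events in 15 years. The exact smoothing used to arrive at ≈3% is not spelled out above, so the Laplace form in the block is an assumption.

```python
import math


def logit(p: float) -> float:
    """Probability -> log-odds, the scale the forecast card reports."""
    return math.log(p / (1.0 - p))


def inv_logit(x: float) -> float:
    """Log-odds -> probability."""
    return 1.0 / (1.0 + math.exp(-x))


def laplace_window_rate(k_events: int, n_years: float, horizon_years: float) -> float:
    """Rule-of-succession base rate (assumed smoothing form, not the author's
    stated one): add one pseudo-event to the observed period, get a per-year
    probability, then ask how likely at least one event is within the horizon."""
    p_per_year = (k_events + 1) / (n_years + 2)
    return 1.0 - (1.0 - p_per_year) ** horizon_years


def implied_driver_shift(base_p: float, final_p: float) -> float:
    """Log-odds the 'current drivers' must contribute to move base_p to final_p."""
    return logit(final_p) - logit(base_p)


def likelihood_ratio(base_p: float, final_p: float) -> float:
    """Bayes factor equivalent to that log-odds shift (exp of the shift)."""
    return math.exp(implied_driver_shift(base_p, final_p))


if __name__ == "__main__":
    # Headline numbers from the card: 10% final forecast, ~3% base rate.
    print(f"logit(0.10)              = {logit(0.10):.2f}")
    print(f"shift 3% -> 10%          = {implied_driver_shift(0.03, 0.10):+.2f} log-odds")
    print(f"equivalent Bayes factor  = {likelihood_ratio(0.03, 0.10):.1f}")
    # 0 qualifying events in ~15 years of curated OT incidents, 2-year horizon.
    print(f"textbook Laplace, 2y     = {laplace_window_rate(0, 15, 2):.3f}")
```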


Top Drivers, Scenarios, and Signals
