Software That Handles Critical Infrastructure Data Should Protect It Too
Water utilities face growing cyber threats, yet most infrastructure software vendors lack independent security certifications. Here's why SOC 2 Type II and ISO 27001 matter—and what procurement teams should be asking.

By Abhinoor Dhull, VP of Operations, SewerAI
In October 2024, American Water—the largest regulated water utility in the U.S.—was hit by a cyberattack that forced system shutdowns and billing suspensions across 14 states. Months earlier, a water tank in Muleshoe, Texas overflowed after threat actors exploited default passwords to access control systems.
These operational disruptions affected millions of people. And they raise an important question: what security certifications does the software we rely on actually hold?
The Threat Landscape Has Changed But The Vendor Landscape Has Not
A 2024 EPA Inspector General report assessed 1,062 drinking water systems serving over 193 million people and found that 97 of them—serving 26.6 million users—had critical or high-risk cybersecurity vulnerabilities. An additional 211 systems serving 82.7 million people had medium-risk exposures. The GAO reported that nearly 170,000 U.S. water systems face cyber risks, and the EPA’s own enforcement data shows over 70% of inspected systems violated basic Safe Drinking Water Act cybersecurity requirements.
Meanwhile, the software serving this sector has largely operated without independent security validation. Most pipe inspection, asset management, and infrastructure analytics platforms, tools that ingest sensitive utility data daily, do not hold a SOC 2 report or ISO 27001 certification. Many utilities try to do the right thing and ask vendors to complete IT security questionnaires. But a questionnaire is self-attested: the vendor answers its own questions, and nothing in the process requires a third party to test whether those answers are true.
What SOC 2 and ISO 27001 Actually Mean
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA. An independent CPA firm examines how a service organization manages customer data against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the common criteria) is always in scope; the other four are included only if the vendor chooses them, so the scope section of the report matters. A SOC 2 Type I report describes whether controls are suitably designed at a point in time. A SOC 2 Type II report goes further: it tests whether those controls operated effectively over a sustained period, typically six to twelve months, and records any exceptions the auditor found. Strictly speaking, SOC 2 produces a report rather than a certification, which is why the right question is whether a vendor can hand you a current Type II report, not whether it calls itself "SOC 2 certified." It is the de facto U.S. standard for verifying that a SaaS platform handles customer data responsibly.
ISO/IEC 27001 is the international standard for information security management systems. Where SOC 2 reports on specific controls, ISO 27001 certifies that an organization has built a comprehensive, continuously improving security program covering risk assessment, access management, incident response, and supplier oversight. A certificate is issued by an accredited certification body, runs on a three-year cycle with annual surveillance audits, and carries a scope statement that says which parts of the business and which systems it covers. It is recognized globally and increasingly expected in regulated industries. A vendor that holds both a current SOC 2 Type II report and an ISO 27001 certificate has had its entire security posture independently audited on a recurring basis: not self-assessed, not self-reported.
Why This Matters For Infrastructure
In enterprise SaaS (finance, healthcare, HR tech) a SOC 2 report is table stakes. In infrastructure, that expectation has been slow to follow.
Water and wastewater utilities operate critical infrastructure that directly impacts public health. The data flowing through their software platforms (pipe condition assessments, defect classifications, rehabilitation priorities, GIS coordinates, consent decree compliance records) is operationally sensitive. A breach can expose data, compromise inspection integrity (a tampered defect classification or condition score can steer rehabilitation dollars to the wrong pipe), delay regulatory compliance, and erode public trust.
The EPA has taken notice. In October 2025, the agency released a Cybersecurity Procurement Evaluation Checklist specifically designed to help utilities assess the security practices of their software vendors and service providers.
What You Can Do
For any software platform that touches operational data, utility procurement and IT teams should be asking three questions. Does the vendor hold a current SOC 2 Type II report, and does its scope cover the system you are buying? Ask for the report itself rather than a badge on a website, read the auditor's opinion and the exceptions section, and if the audit period ended more than a few months ago, ask for a bridge letter covering the gap. Does the vendor maintain ISO 27001 certification, issued by an accredited body, with a scope statement that names the relevant product and operations? And how does the vendor handle incident response and access controls, including how quickly it commits to notifying you of a breach, and when were those practices independently audited?
Better yet, build these requirements into your RFP from the start. Security requirements that surface as the last step of procurement slow decisions and frustrate everyone. When cybersecurity criteria are part of the evaluation from day one, IT and procurement teams become allies in the process, not obstacles.
Raising The Bar
At SewerAI, our platform processes pipe inspection footage, defect classifications, and asset condition data for utilities across the country. We hold a SOC 2 Type II report and ISO 27001 certification because your data demands it. We believe that infrastructure data deserves the same security rigor as healthcare and HR. So we built our security posture to give you the confidence to manage critical infrastructure for the next hundred years with peace of mind.