Sarcouncil Journal of Engineering and Computer Sciences

Abstract: The case-study review focuses on United States-based breaches of supervisory control and data acquisition (SCADA) and operational-technology (OT) of utility systems, particularly of water and wastewater systems. We integrate four exemplary incidences which are Oldsmar, 2021; Aliquippa/Unitronics, 2023; rural Texas overflows, 2024 and Bowman Avenue Dam, 2013 based on technical advisories, peer and industry assessments, and authoritative reporting. A formal evidence hierarchy/extraction schema allows initial access vectors, SCADA/PLC touchpoints, process-level impacts, detection/response actions, and government communications to be coded uniformly. Cross-case findings reveal three pathways to OT impact recurrently: first is internet-exposed Human Machine Interfaces/Programmable Logic Controllers (HMIs/PLCs), commonly using default or weak credentials. Second is misuse of remote-access, such as vendor channels without multifactor authentication (MFA) and the last is Information Technology (IT) to OT interdependence that transforms enterprise intrusions into operational risk. Effects included near-miss chemical setpoint manipulation and local overflows; operators and manual fallback were important in detection and containment. Federal guidance translated into practice, we suggest a realistic control stack of small and mid-size utilities, zero external exposure, credential hygiene and MFA, segment IT/OT, vendor access hardened PLCs/HMIs, operator-focused monitoring and incident response, and simple readiness metrics. Weaknesses are uneven reporting to the public and attribution opaqueness. In general, the reported cases attest to the fact that utilities in the U.S. face credible SCADA-layer risk, and that prioritized, implementable controls can significantly decrease the probability of unsafe change of processes.