Knowledge base Updated: February 5, 2026

Cyber security in the water and wastewater sector

In the digital age, a silent war is being waged over the security of water supplies. Cyber attacks on water supplies are no longer a theory, but a real threat. New regulations, such as NIS2 and CER, are bringing a revolution in the approach to protecting this critical infrastructure.

Water is a fundamental resource for the functioning of society and the economy, and its continued availability and quality are taken for granted. However, in an era of digital transformation, treatment and distribution processes are becoming increasingly dependent on integrated information technology (IT) systems and operational technology (OT). This digitization, while bringing tremendous efficiency benefits, also opens up new attack vectors, making the water and wastewater sector an attractive target for cybercriminals.

The threat is no longer just a theoretical scenario. Incidents in Poland and around the world show that industrial control systems (ICS) and SCADA systems, which manage key processes in water utilities, can become targets of attacks with catastrophic consequences. In response to the growing risk, the European Union has introduced stringent new regulations - the NIS2 and CER directives, which fundamentally change the cyber security and resilience requirements for key service operators.


Why is IT/OT convergence a unique challenge for water utilities?

Traditionally, the world of information technology (IT) and operational technology (OT) operated in isolation. OT systems, such as PLCs managing pumps or HMIs visualizing processes, were designed for maximum availability and reliability for decades, and their security was based on physical isolation (the “air gap”). IT systems, on the other hand, focused on data confidentiality and integrity. The digital transformation has blurred these boundaries. Today, data from OT sensors is analyzed in IT systems, and remote access to industrial networks for service purposes has become standard.

This convergence raises fundamental challenges. The combination of modern, rapidly changing IT networks with old OT systems, often lacking manufacturer support, creates a huge attack surface. Industrial protocols that were not designed with security in mind become vulnerable to eavesdropping and manipulation. What’s more, the mythical “air gap” often doesn’t exist in practice - it’s regularly breached by service technicians’ flash drives, laptops connected for diagnostics, or misconfigured network connections.

As a result, a cyber threat that once could at most disrupt office operations can now directly affect physical processes. An attacker who gains access to a corporate network can find a way into the control systems, posing a direct threat to continuity of supply and water quality. This transfer of risk from the virtual to the physical world is the biggest challenge facing the water and wastewater sector.


What are the most common scenarios for cyber attacks on water and wastewater infrastructure?

Analysis of incidents reported by national response teams, such as NASK’s CSIRT and CERT Polska, makes it possible to identify recurring attack scenarios. These are no longer simple viruses, but targeted operations that exploit the specifics of water supply infrastructure. One of the most dangerous scenarios is a ransomware attack on SCADA/ICS systems. In this case, the goal is not to steal data, but to encrypt the control software, leading to operational paralysis and a ransom demand before the utility can regain control of its own infrastructure.

Another popular vector is the exploitation of security vulnerabilities in OT devices. Many PLCs or HMI panels run on outdated software for which security patches are no longer issued. Attackers scan the Internet for such devices, which are directly accessible from the public network, and then exploit known vulnerabilities to take control of them. An equally common scenario is a supply chain attack, where a smaller, less secure technology partner (such as a service company) is targeted in order to gain access to the target network through its systems.

Distributed Denial of Service (DDoS) attacks cannot be ignored either: while they do not take control of systems, they can effectively disable them. A DDoS attack on communications and monitoring systems can “blind” operators, preventing them from responding to an actual physical failure. Each of these scenarios shows that attackers have a keen understanding of where the weakest points in digital water infrastructure are.

What role does the human factor and social engineering play in breaking through security?

Even the most advanced technical systems can prove useless if the weakest link - the human - fails. Cybercriminals are well aware of this, which is why social engineering attacks such as phishing remain one of the most effective methods of infiltration. An employee who clicks on a malicious link in an email pretending to be an invoice or a message from a superior may unknowingly install malware that gives attackers an initial foothold in the corporate network.

A particularly dangerous form is spear phishing, an attack that precisely targets specific individuals - most often system administrators, executives or staff with access to key data. Criminals conduct reconnaissance beforehand, gathering information about a company’s structure and employees from social media to make their fake messages as credible as possible. The goal is to phish for credentials that will open the way to critical systems.

In addition to external attacks, unintentional internal activity is also a significant threat. An employee connecting a private or infected data carrier to an industrial network can inadvertently introduce malware into an isolated OT environment. That’s why building a culture of security and regular hands-on cyber hygiene training are as important as investing in technology. Every employee must understand that they are part of the security system and that their daily decisions directly affect the security of water supplies for thousands of people.

What is the threat of a successful cyber attack on water supply control systems?

The consequences of a successful attack on water supply systems go far beyond financial losses and operational problems. The immediate and most noticeable consequence is the possibility of disruption or complete interruption of water supplies to residents, hospitals, or industry. Such a scenario not only leads to chaos and economic losses, but in emergency situations, such as during a heat wave, poses a direct threat to public life and health. Paralysis of water supply is a blow to the foundations of any community’s functioning.

An even more dangerous scenario is the deliberate manipulation of water quality parameters. Attackers, gaining access to SCADA systems, can remotely alter chemical processes, for example by modifying the dosage of chlorine or other disinfectants. The result can be the delivery of biologically or chemically contaminated water to the water supply, posing an immediate risk of mass poisonings and epidemics. Even if such an attack is detected quickly, mere information about the incident can cause panic and a long-term loss of trust in the water supplier.

In addition to physical threats, cyber security incidents generate huge financial and reputational costs. Rebuilding infected systems, restoring data and implementing additional security measures is a time-consuming and costly process. Then there are the potential financial penalties imposed by regulators for non-compliance with security requirements. But the most difficult to rebuild is the loss of public trust. Water is an asset whose security is non-negotiable, and any incident that undermines that trust has long-term negative social consequences.

Potential consequences of a cyberattack on water utilities

Risk category | Specific threat                                                    | Impact on society
Operational   | Disruption or interruption of water supply.                        | Paralysis of daily life, economic losses.
Health        | Manipulation of the treatment process (e.g., chlorine dosage).     | Risk of poisoning, disease, epidemics.
Financial     | Systems restoration costs, regulatory penalties, ransoms.          | Increase in operating costs, strain on public budgets.
Image         | Loss of public confidence in the provider and state institutions.  | Long-term social crisis, panic.

What specific obligations does the NIS2 directive impose on the water sector?

The Network and Information Systems Directive 2 (NIS2), implemented into Polish law by an amendment to the National Cyber Security System Act (UKSC), represents a revolution in the approach to cyber security management. First and foremost, it places direct legal and financial responsibility on corporate boards. This means that managers can no longer delegate risks and must personally oversee the implementation and maintenance of appropriate security measures. The directive requires boards to undergo regular cyber security training and approve risk management policies.

Another key responsibility is to implement a comprehensive, risk-based set of security measures. NIS2 lists at least ten areas that must be addressed, including: risk analysis policies, incident handling procedures, business continuity plans, supply chain security, cyber hygiene and training, use of cryptography, and access control. This holistic approach forces organizations to look at security as an ongoing process rather than a one-time project.

The NIS2 directive also introduces stricter incident reporting obligations. Key entities will be required to report major incidents to the relevant CSIRT team within 24 hours of detection (early warning), and then provide a detailed report within 72 hours. This approach is aimed at rapid response and building a national threat knowledge base. Failure to comply with NIS2 requirements will result in severe financial penalties of up to €10 million or 2% of total annual global turnover.

How does the CER Directive complement NIS2 in the context of the overall resilience of key players?

CER (Critical Entities Resilience) works in close synergy with NIS2 to create a comprehensive framework for critical infrastructure protection. While NIS2 focuses solely on cyber security, CER broadens the perspective to all types of threats that can disrupt critical services. This includes both natural (floods, droughts) and man-made threats, including acts of terrorism, sabotage, and hybrid incidents where a digital attack is combined with physical action.

The main obligation under the CER directive, which is being implemented by an amendment to the Emergency Management Act (EMA), is for operators to conduct a systematic risk assessment for all relevant risks. Based on this analysis, water utilities must develop and implement appropriate technical, organizational and physical measures to increase their resilience. This means securing not only IT/OT systems, but also physical facilities such as water treatment plants and pumping stations.

The CER directive also places a strong emphasis on ensuring business continuity. It requires key entities to have robust crisis management plans and contingency procedures in place to maintain or quickly restore services after an incident. In practice, this means that a cyber attack response plan (required by NIS2) must be an integral part of a broader resilience and business continuity plan (required by CER). The two directives create a coherent system in which digital and physical resilience reinforce each other.

Where do you start in building a cyber security strategy that complies with the new regulations?

The first and absolutely fundamental step is to conduct a detailed inventory of resources and a comprehensive risk analysis. You can’t effectively protect something you don’t know exists or is important. This process must encompass the entire technology environment - from servers in the IT server room, to business applications, to every controller, sensor and network element in the OT infrastructure. Each resource must be assigned a business owner and its criticality to the operation of the organization must be assessed. Only on this basis can a risk analysis be conducted, identifying potential threats, vulnerabilities and assessing the likelihood and impact of their occurrence.

The next step is to develop a strategic plan (roadmap) for strengthening security. The results of the risk analysis will help prioritize - which gaps should be addressed first, as they pose the greatest threat. The plan should be realistic, staggered, and include both implementing specific technical solutions and making organizational changes. It is crucial that this process has the strong support of the board of directors, which, according to NIS2, is directly responsible for it. The strategy must be presented in a way that the business can understand, focusing on risk reduction, not just technology.

At the same time, work should begin on adjusting documentation and procedures. NIS2 and CER requirements call for formal security policies, incident response plans, change management or access control procedures. Many of these documents may already exist in the organization, but they need to be reviewed and updated in the context of the new, more stringent requirements, especially for OT and supply chain security environments. Getting the formal framework right is the foundation for building a mature and compliant organization.

What are the key technical defense mechanisms for OT and SCADA networks?

The primary defense mechanism in an industrial environment is rigorous network segmentation. The goal should be to completely separate the OT network from the corporate IT network using next-generation firewalls, configured according to the principle of blocking all unauthorized traffic by default. In the most critical network segments, so-called unidirectional gateways can be used, which physically prevent the flow of data from the IT network to the OT, allowing only one-way monitoring. This separation drastically reduces the possibility of threats spreading from a less secure office environment.

Another key element is the implementation of monitoring and anomaly detection systems in OT networks. Unlike IT networks, traffic in industrial networks tends to be very predictable and repetitive. Specialized IDS (Intrusion Detection System) class systems for OT environments can learn the normal communication pattern and then alert on any deviations, such as an unauthorized station attempting to upload a new configuration to a PLC or the arrival of a new device on the network. This allows early detection of an attack before it causes physical damage.
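The baseline-and-deviation logic described above, as an added illustration that is not the article’s or nFlo’s code: the detector learns which (source, destination, protocol, operation) tuples are normal, then flags a new device on the network and a station issuing a state-changing write to a PLC that it was never seen writing to. All device names, protocols and operation names are constructed sample data.

```python
"""Baseline-driven anomaly detection for OT network traffic (added example)."""
from collections import defaultdict

# Constructed learning-phase traffic: a normal day on the plant network.
# Each record: (src, dst, protocol, operation)
BASELINE_TRAFFIC = [
    ("hmi-01", "plc-pump-1", "modbus", "read_holding_registers"),
    ("hmi-01", "plc-pump-2", "modbus", "read_holding_registers"),
    ("historian", "plc-pump-1", "modbus", "read_holding_registers"),
    ("historian", "plc-pump-2", "modbus", "read_holding_registers"),
    ("eng-ws-01", "plc-pump-1", "s7comm", "read_var"),
    ("hmi-01", "plc-pump-1", "modbus", "write_single_register"),  # operator setpoint change
]

# Operations that change controller state or logic and therefore get tighter scrutiny.
STATE_CHANGING_OPS = {"write_single_register", "write_multiple_registers",
                      "download_program", "write_var"}


class OtBaselineDetector:
    """Learns the repetitive OT communication pattern, then reports deviations."""

    def __init__(self):
        self.known_devices = set()
        self.allowed_flows = set()
        self.allowed_writers = defaultdict(set)  # dst -> stations seen writing to it

    def learn(self, flows):
        """Learning phase: every observed tuple becomes part of the baseline."""
        for src, dst, proto, op in flows:
            self.known_devices.update((src, dst))
            self.allowed_flows.add((src, dst, proto, op))
            if op in STATE_CHANGING_OPS:
                self.allowed_writers[dst].add(src)

    def inspect(self, flow):
        """Monitoring phase: return [(severity, message), ...]; empty list means normal."""
        src, dst, proto, op = flow
        alerts = []
        for dev in (src, dst):
            if dev not in self.known_devices:
                alerts.append(("warning", f"new device on network: {dev}"))
        if op in STATE_CHANGING_OPS and src not in self.allowed_writers[dst]:
            # A write/download from a station that never wrote to this PLC in the baseline.
            alerts.append(("critical",
                           f"unauthorized station {src} attempting {op} on {dst}"))
        elif (src, dst, proto, op) not in self.allowed_flows:
            alerts.append(("warning", f"unseen flow: {src} -> {dst} {proto}/{op}"))
        return alerts


if __name__ == "__main__":
    detector = OtBaselineDetector()
    detector.learn(BASELINE_TRAFFIC)
    # Constructed monitoring-phase traffic: one normal read, one unknown laptop,
    # one historian suddenly writing registers, one unexpected program download.
    for flow in [("hmi-01", "plc-pump-1", "modbus", "read_holding_registers"),
                 ("laptop-x", "plc-pump-1", "modbus", "read_holding_registers"),
                 ("historian", "plc-pump-2", "modbus", "write_multiple_registers"),
                 ("eng-ws-01", "plc-pump-1", "s7comm", "download_program")]:
        print(flow, "->", detector.inspect(flow) or "normal")
```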

Securing remote access is also extremely important. If service technicians or integrators need to connect to the OT network, the connection must be through a secure, dedicated VPN tunnel with mandatory multi-factor authentication (MFA). Access should be limited only to essential systems and granted for a specific period of time (the principle of least privilege and “just-in-time access”). Abandoning shared passwords and implementing granular control over remote sessions is an absolute must in a modern approach to OT security.
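The remote-access rules above, as an added example that is not the article’s or nFlo’s code: a session is allowed only if it comes in over the dedicated VPN, MFA was completed, no shared account is used, and a just-in-time grant names exactly that user and target system and is active at the current time. The VPN address pool, the maximum grant length and every user and system name are constructed assumptions.

```python
"""Just-in-time, least-privilege authorization for remote OT sessions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

VPN_NET = ip_network("10.200.0.0/24")  # constructed: dedicated remote-access VPN pool
MAX_GRANT = timedelta(hours=8)          # assumption: no access window longer than one shift


@dataclass(frozen=True)
class Grant:
    user: str
    target: str          # exactly one system; a grant never covers "all PLCs"
    starts: datetime
    ends: datetime
    approved_by: str


@dataclass(frozen=True)
class SessionRequest:
    user: str
    target: str
    source_ip: str
    mfa_passed: bool
    shared_account: bool


def authorize(req: SessionRequest, grants, now: datetime):
    """Return (allowed, reason); the reason names the first control that failed."""
    if req.shared_account:
        return False, "shared accounts are not permitted for remote OT access"
    if ip_address(req.source_ip) not in VPN_NET:
        return False, "session did not arrive over the dedicated VPN"
    if not req.mfa_passed:
        return False, "multi-factor authentication not completed"
    # Least privilege: only grants for this user AND this exact target count.
    matching = [g for g in grants if g.user == req.user and g.target == req.target]
    if not matching:
        return False, f"no grant for {req.user} on {req.target}"
    for g in matching:
        if g.ends - g.starts > MAX_GRANT:
            continue  # standing access is ignored rather than honoured
        if g.starts <= now < g.ends:
            return True, f"JIT grant approved by {g.approved_by}, expires {g.ends.isoformat()}"
    return False, "no grant is active at this time (window expired or not yet open)"


if __name__ == "__main__":
    t0 = datetime(2026, 2, 5, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    grant = Grant("svc.integrator", "plc-pump-1", t0, t0 + timedelta(hours=2), "ot.manager")
    req = SessionRequest("svc.integrator", "plc-pump-1", "10.200.0.15", True, False)
    print(authorize(req, [grant], t0 + timedelta(minutes=30)))   # allowed
    print(authorize(req, [grant], t0 + timedelta(hours=3)))      # denied: window expired
```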

Why are regular audits and penetration tests essential for security verification?

Implementing even the best security systems and procedures is only the beginning of the journey. The technology environment and threat landscape are changing dynamically, so it is crucial to regularly and independently verify the effectiveness of implemented security measures. Security audits and penetration testing serve this purpose. An audit is a systematic assessment of compliance with specific standards, policies or regulations (such as NIS2 requirements or ISO 27001). It identifies gaps in documentation, processes and configuration, providing the organization with formal confirmation of its level of maturity.

Penetration testing, on the other hand, is a controlled simulation of a real-life cyber attack. A team of ethical hackers, operating under set rules, attempts to break through security, using the same techniques and tools as real criminals. The goal is not only to find individual vulnerabilities, but also to see if they can be combined into a chain of attack leading to the seizure of control of critical systems. Penetration testing is an invaluable source of information about an organization’s real-world resilience, as it verifies the effectiveness of security features in practice, not just on paper.

Conducting both on a regular basis is essential to maintaining security continuity. Audits ensure compliance and order in processes, while penetration testing provides hard evidence of the effectiveness (or ineffectiveness) of defense mechanisms. The results of these verifications should form the basis for continuous improvement of the security strategy, updating the risk reduction plan and making informed investment decisions. This proactive approach is the foundation for building true cyber resilience.

What is the future of cyber security in the water sector and the role of industry initiatives?

The future of cybersecurity in the water and wastewater sector will be shaped by two major trends: the increasing automation and use of artificial intelligence (AI), and the need for ever closer cooperation within the industry. AI is becoming a double-edged weapon - on the one hand, criminals will use it to create more sophisticated and automated attacks, while on the other hand, defense systems will use machine learning to detect anomalies faster and respond to incidents in real time.

At the same time, no water utility can meet all the challenges alone. Therefore, industry initiatives and threat information sharing platforms (ISACs - Information Sharing and Analysis Centers) will play a key role. Jointly building a knowledge base of attacks, vulnerabilities and effective defense methods allows for much faster security upgrades across the industry. Initiatives such as the announced “Cyber Secure Water Supply” program are a step in the right direction, offering technical, financial and educational support that is particularly valuable for smaller entities with limited resources.

Over the next few years, cyber security will cease to be treated as a cost or technology add-on, and will become an integral part of every water utility’s operational risk management and business strategy. New regulations such as NIS2 and CER are catalyzing this change, but the ultimate goal must be to build a sustainable security culture that ensures an uninterrupted and secure water supply for future generations, regardless of the evolution of digital threats.

How is nFlo supporting the water and wastewater sector on the road to cyber resilience?

In the face of complex regulatory and technological challenges, nFlo serves as a strategic partner for water and wastewater companies, supporting them at every stage of building a mature cyber security system. Our approach is based on the fundamental value of deeply understanding each client’s unique operational context. We don’t offer off-the-shelf solutions; instead, we begin our collaboration with a precise diagnosis of the current state, allowing us to create a targeted and cost-effective protection strategy.

nFlo’s portfolio of services directly addresses the challenges described in the NIS2 and CER directives. We perform comprehensive security audits of IT and OT environments as a starting point for risk analysis and development of an adaptation plan. We verify the real resilience of the infrastructure through advanced penetration testing, simulating attack scenarios on corporate and industrial networks. We also strengthen the most essential element of the defense system - the human being - by conducting socio-technical tests and dedicated security awareness training.

Our unique expertise in the area of operational technology allows us to securely design and implement key defense mechanisms. We specialize in analyzing and hardening OT/SCADA network security architecture, including zone design and network segmentation. We help create and test incident response plans and implement processes that follow best practices and standards, such as the ISO 27001 family of standards and the NIST framework. nFlo’s goal is not just to ensure regulatory compliance, but to build a sustainable, proactive capability to protect critical infrastructure, which is the foundation of public safety.

Key steps on the road to cyber resilience of water utilities

