
How to Protect Water Infrastructure from Cyberattacks

A practical guide to protecting water infrastructure from cyberattacks. Network segmentation, OT monitoring, remote access control, and incident response planning for the water sector.

Water infrastructure as a cyberattack target

Water utilities manage critical infrastructure on which residents’ health and lives depend. SCADA systems controlling water treatment processes, sensor networks monitoring quality and pressure, PLC controllers managing pumps and valves — all these elements are increasingly connected to networks, making them potential targets for cybercriminals.

Attacks on the water sector are no longer theoretical. In the Oldsmar, Florida incident (2021), someone used a remote-access session to a treatment plant's HMI to raise the sodium hydroxide (lye) dosing setpoint far above its normal value; an operator who happened to be watching the screen reverted the change before it reached the water supply. Ransomware attacks on water utilities in Europe and the US have paralyzed monitoring and billing systems. State-sponsored APT groups conduct reconnaissance of critical infrastructure, positioning themselves for potential conflicts.

Protecting water infrastructure requires a systematic approach combining technology, procedures, and people. This guide presents practical steps that any water utility — regardless of size — can implement to significantly raise its security posture.

Step 1: Asset inventory and mapping

You cannot protect what you do not know. The first step is a complete IT and OT asset inventory: all PLC controllers with firmware versions, SCADA servers and HMI stations, network devices (switches, routers, firewalls), remote connections (VPN, modems, cellular links), control software and its versions, user accounts and permissions.

The inventory should also cover connections between systems — which controllers communicate with which servers, what ports and protocols are used, and where the boundaries between IT and OT networks lie. A network map is the foundation on which the entire security strategy rests.

Many water utilities lack current OT infrastructure documentation. Controllers added over the years, configuration changes made by different technicians, temporary connections that became permanent — an audit reveals the actual state, which often diverges from the design documentation.

Step 2: IT/OT network segmentation

Network segmentation is the single most effective measure for protecting water infrastructure. It involves physically or logically separating the office network (IT) from the industrial control network (OT) using firewalls and DMZ zones.

The Purdue reference model (the basis of ISA-95 and the zone-and-conduit thinking in ISA/IEC 62443) arranges a plant into levels 0 to 5: the physical process and basic control at the bottom, supervisory and site operations above them, and the business and enterprise networks at the top, with an industrial DMZ between the site control levels and the business levels. In practice, for water utilities this collapses into three zones: a corporate zone (email, ERP, internet), a DMZ zone (data exchange servers, historian, jump servers), and an OT zone (SCADA, PLC, HMI).

Traffic between zones should be strictly controlled: only necessary protocols, only in defined directions, with everything else denied by default. For example, historical data can flow from OT to IT (sensor readings for reports), but it should do so through the historian in the DMZ, which OT systems write to and IT systems read from, so that no IT host ever opens a connection into OT. Interactive access from IT to OT should only be possible through dedicated jump servers with multi-factor authentication, and the firewall should permit that access from the jump server's address alone, not from the DMZ as a whole.

Proper segmentation means that even if an office worker clicks a phishing link and infects their computer, the attacker will not have direct access to PLC controllers managing water treatment processes.
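The zone model above can be checked against what the network actually does. The following script is an added example, not code from the original page or from nFlo: it takes flow records of the kind the connection inventory in Step 1 produces (here a constructed key=value log format, as exported from a firewall or NetFlow collector), assigns each endpoint to the corporate, DMZ or OT zone, and reports every flow that no documented conduit permits. The address ranges, the jump server address, the historian port and the sample flows are all assumptions made for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the three zones described above (assumed, not from the page).
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":       ipaddress.ip_network("10.10.0.0/24"),
    "ot":        ipaddress.ip_network("10.20.0.0/16"),
}
JUMP_SERVER = "10.10.0.5"   # assumed DMZ jump host; MFA is enforced on it, not modelled here


@dataclass(frozen=True)
class Rule:
    src: str    # zone name, or one host address when only that host may initiate
    dst: str    # zone name
    proto: str
    port: int
    note: str


# Conduit allowlist. A flow that matches no rule is a segmentation violation:
# either an undocumented firewall rule that must be reviewed, or a breach.
CONDUITS = [
    Rule("ot", "dmz", "tcp", 5450, "historian replication OT -> DMZ (port assumed)"),
    Rule("corporate", "dmz", "tcp", 443, "reports from the DMZ historian; MFA gateway on the jump server"),
    Rule(JUMP_SERVER, "ot", "tcp", 3389, "RDP to HMIs, from the jump server only"),
    Rule(JUMP_SERVER, "ot", "tcp", 22, "SSH to OT servers, from the jump server only"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def permitted(src: str, dst: str, proto: str, port: int) -> Rule | None:
    """Return the conduit rule that allows this flow, or None if nothing does."""
    for rule in CONDUITS:
        src_ok = rule.src == src or rule.src == zone_of(src)
        if src_ok and rule.dst == zone_of(dst) and rule.proto == proto and rule.port == port:
            return rule
    return None


def parse_flow(line: str) -> dict:
    """Parse one key=value flow record (constructed log format)."""
    kv = dict(item.split("=", 1) for item in line.split())
    return {"src": kv["src"], "dst": kv["dst"],
            "proto": kv["proto"].lower(), "port": int(kv["dport"])}


def audit(lines: list[str]) -> list[str]:
    """Return one description per flow that no conduit rule permits."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        if permitted(**f) is None:
            violations.append(f"{zone_of(f['src'])}->{zone_of(f['dst'])}: "
                              f"{f['src']} -> {f['dst']} {f['proto']}/{f['port']}")
    return violations


# Constructed flow records; the first three are legitimate, the rest are violations.
SAMPLE_FLOWS = [
    "src=10.20.1.10 dst=10.10.0.20 proto=tcp dport=5450",   # OT historian -> DMZ historian
    "src=10.0.3.44 dst=10.10.0.5 proto=tcp dport=443",      # office user -> jump server gateway
    "src=10.10.0.5 dst=10.20.1.50 proto=tcp dport=3389",    # jump server -> HMI
    "src=10.0.3.44 dst=10.20.1.50 proto=tcp dport=3389",    # office user straight to the HMI
    "src=10.0.3.44 dst=10.20.1.10 proto=tcp dport=502",     # office user straight to a PLC
    "src=10.20.1.50 dst=8.8.8.8 proto=tcp dport=443",       # HMI reaching the internet
    "src=10.10.0.20 dst=10.20.1.10 proto=tcp dport=502",    # DMZ historian polling the PLC (wrong direction)
]


def run_audit() -> list[str]:
    return audit(SAMPLE_FLOWS)


if __name__ == "__main__":
    for v in run_audit():
        print("VIOLATION", v)
```

Run against a day's flow export, every reported line is a decision to make: document it as a new conduit with an owner and a reason, or close it. The last sample flow is the subtle one: the DMZ historian polling a PLC directly works, but it is the reverse of the intended direction, and a compromised historian would then hold a path into the control network.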

Step 3: Remote access control

Remote access to SCADA systems — for service technicians, vendors, and on-call personnel — is one of the most frequently exploited attack vectors. Every remote connection is a potential gateway that an attacker can exploit.

Secure remote access principles: every connection requires MFA, a password plus a hardware token or authenticator app. Vendor service accounts should be enabled only for the duration of a scheduled maintenance window and disabled afterward, never left active "just in case". Remote sessions should be recorded and monitored in real time. Access should be limited to specific systems: a pump technician does not need access to the chlorine dosing system. VPN connections should terminate on a dedicated server in the DMZ zone, not lead directly into the OT network.

Eliminating uncontrolled remote access tools (TeamViewer, AnyDesk, Remote Desktop exposed without MFA) is critical. The Oldsmar incident was possible precisely because of a TeamViewer installation on the plant's HMI with a password shared among staff and no second factor.

Step 4: OT network security monitoring

Without continuous monitoring, an attack cannot be detected while it is in progress. OT network monitoring involves analyzing network traffic for anomalies: unusual control commands sent to PLCs, communication with unknown IP addresses, port scanning within the OT network, firmware modification attempts, and logins from unusual locations or at unusual times.

IDS/IPS systems that understand industrial protocols (Modbus, DNP3, IEC 61850) can detect attacks that traditional IT tools would miss, such as a write command to a setpoint register from a host that has never written before. In the OT zone itself, prefer passive detection fed from a switch SPAN port or a network TAP: an inline IPS that misclassifies a legitimate control message can stop a pump or a dosing loop as surely as an attacker can, so blocking belongs at the zone boundaries rather than inside the control network. Correlating events from IT and OT systems in a central SIEM enables early detection of multi-stage attacks, where the phishing email in the office and the unusual PLC write a week later are the same campaign.
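What "unusual control commands sent to PLCs" looks like at the packet level is easiest to see with Modbus/TCP, which has no authentication of its own: any host that can reach port 502 can write to a register. The following detector is an added example, not code from the original page or from any IDS product. It decodes the MBAP header and the common read and write PDUs, then applies two rules from an inventory-derived policy: writes may only come from the listed HMI, and guarded holding registers must stay within their process limits. The PLC and host addresses, the register number, the setpoint range and the sample frames are all constructed for the example; the out-of-range write mirrors the kind of setpoint change described in the Oldsmar incident above.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# Modbus function codes that change PLC state (coils or holding registers).
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}

# Constructed per-PLC policy (assumed for the example): which hosts may write,
# and the acceptable range for guarded holding registers.
POLICY = {
    "10.20.1.10": {                              # dosing PLC
        "writers": {"10.20.1.50"},               # the HMI station
        "register_limits": {0: (0, 200)},        # register 0: caustic soda setpoint, ppm
    },
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int = 0
    values: list[int] = field(default_factory=list)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the fields of the common read/write PDUs."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:       # length covers unit id + PDU
        raise ValueError("bad MBAP header")
    fc, pdu = frame[7], frame[8:]
    req = ModbusRequest(tid, unit, fc)
    if fc in (1, 2, 3, 4):                            # reads: start address, quantity
        req.address = struct.unpack(">H", pdu[:2])[0]
    elif fc in (5, 6):                                # single writes: address, value
        req.address, value = struct.unpack(">HH", pdu[:4])
        req.values = [value]
    elif fc in (15, 16):                              # multiple writes: address, qty, byte count, data
        req.address, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        data = pdu[5:5 + nbytes]
        if len(data) != nbytes or (fc == 16 and nbytes != 2 * qty):
            raise ValueError("truncated multi-write payload")
        req.values = list(struct.unpack(f">{qty}H", data)) if fc == 16 else list(data)
    return req


def inspect(src: str, dst: str, frame: bytes) -> list[str]:
    """Alerts for one Modbus/TCP request sent from src to the PLC at dst."""
    try:
        req = parse_modbus_tcp(frame)
    except (ValueError, struct.error) as exc:
        return [f"{src}->{dst}: malformed Modbus frame ({exc})"]
    policy = POLICY.get(dst)
    if policy is None:
        return [f"{src}->{dst}: Modbus request to a device missing from the inventory"]
    alerts = []
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if src not in policy["writers"]:
            alerts.append(f"{src}->{dst}: {name} from a host not authorised to write")
        if req.function in (6, 16):                   # register writes: check guarded values
            for offset, value in enumerate(req.values):
                reg = req.address + offset
                limits = policy["register_limits"].get(reg)
                if limits and not limits[0] <= value <= limits[1]:
                    alerts.append(f"{src}->{dst}: register {reg} set to {value}, outside {limits}")
    return alerts


def mbap(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Prepend an MBAP header; used only to build the constructed sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source, destination, frame).
SAMPLE_TRAFFIC = [
    ("10.20.1.50", "10.20.1.10", mbap(1, struct.pack(">BHH", 3, 0, 10))),     # HMI polls 10 registers
    ("10.20.1.50", "10.20.1.10", mbap(1, struct.pack(">BHH", 6, 0, 100))),    # HMI sets setpoint to 100
    ("10.0.3.44",  "10.20.1.10", mbap(1, struct.pack(">BHH", 6, 0, 11100))),  # office host sets 11100
    ("10.20.1.50", "10.20.1.99", mbap(1, struct.pack(">BHH", 3, 0, 2))),      # poll of an unknown device
]


def run_sample() -> list[str]:
    alerts = []
    for src, dst, frame in SAMPLE_TRAFFIC:
        alerts.extend(inspect(src, dst, frame))
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print("ALERT", a)
```

The third frame produces two alerts at once (unauthorised writer and out-of-range value), which is the signal a SOC analyst wants to see escalated immediately; the fourth shows why the Step 1 inventory feeds detection, since a device nobody documented cannot be policed. In a real deployment the policy table is generated from the inventory and the limits from the process engineers, and the frames come from a SPAN port rather than a list.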

For water utilities that cannot maintain their own security team, an external SOC (Security Operations Center) provides continuous, professional 24/7 monitoring by qualified analysts.

Step 5: Vulnerability and patch management

Vulnerability management in an OT environment differs fundamentally from the IT approach. PLC controllers cannot be updated at any time — this requires a maintenance window and often the presence of a vendor specialist. Some devices no longer have vendor support and will not receive security patches.

The OT vulnerability approach should include: regular vulnerability inventory based on passive discovery and vendor advisories (no active scans, which can crash or reset a PLC); risk-based prioritization that asks what the consequence of exploiting a given vulnerability would be in the water process context rather than relying on the CVSS score alone; updates planned for maintenance windows with tested rollback procedures and a configuration backup taken beforehand; and compensating network controls (segmentation, monitoring, restricted access) where patching is not possible.

Penetration testing of OT systems should be conducted by an experienced team that understands the specifics of industrial systems and will not disrupt production processes.

Step 6: Staff training

Technology is only effective when people know how to use it and how to recognize threats. Training at a water utility should cover three groups.

Senior management must understand cybersecurity risks, their obligations under NIS2, and the consequences of negligence. Training should cover threat landscape overview, case studies of attacks on water utilities, and legal liability discussion.

Operational staff (SCADA operators, technicians) must be able to recognize anomalies in system behavior, know how to respond to security alarms, and be familiar with procedures for switching to manual control in case of SCADA compromise.

Office employees must recognize phishing, follow cyber hygiene principles, and know whom to report a suspicious email or unusual computer behavior to.

Step 7: Incident response plan

An OT incident response plan for a water utility must account for industrial process specifics. A standard IT plan is not sufficient; scenarios are needed covering loss of SCADA control (switching to manual operation), suspected manipulation of water quality parameters (immediate sampling and laboratory analysis), ransomware on SCADA servers (rebuilding the servers from offline, tested backups and reloading PLC logic from project backups rather than paying), and remote access compromise (connection isolation, credential changes, review of session recordings).

The plan should define roles and responsibilities, escalation procedures, CSIRT and emergency services contact information, decision-making criteria (when to halt water distribution, when to notify residents), and crisis communication procedures.

Regular tabletop exercises allow testing the plan in safe conditions and identifying gaps before a real incident occurs.

Summary — seven steps to a secure water utility

Protecting water infrastructure from cyberattacks is a process requiring a systematic approach: asset inventory, network segmentation, remote access control, monitoring, vulnerability management, training, and incident response planning. Each step reduces risk and increases organizational resilience.

You do not need to implement everything at once. Start with an audit that identifies the weakest points and focus on actions with the greatest impact. The Cybersecure Water Supply program and the NIS2 directive provide both regulatory motivation and financial resources to carry out these activities.

nFlo has experience protecting critical infrastructure in the water sector — from OT security audits to continuous SOC monitoring. Water security is people’s security.
