The role of SCADA systems in water infrastructure
SCADA (Supervisory Control and Data Acquisition) systems serve as the central nervous system of modern water utilities. They control and monitor key processes: water intake from sources, treatment at filtration stations, chlorine and chemical dosing, pumping into the distribution network, pressure and flow monitoring throughout the network, and retention tank management.
In a typical water utility, the SCADA system connects dozens or hundreds of PLCs (Programmable Logic Controllers) distributed across pumping stations, treatment plants, zone booster stations, and measurement points. HMI (Human-Machine Interface) panels enable operators to visualize processes and manually intervene. Historian servers collect the operational data required by regulations and needed for network optimization.
Digitalization has brought enormous benefits: remote control reduces the need for personnel at dispersed facilities, automated chemical dosing improves water quality, and data analytics enables leak and failure detection. However, the same connectivity that enables remote management opens SCADA systems to cyber threats whose consequences can affect human health and life.
SCADA architecture and attack surface
Understanding SCADA architecture is essential for identifying threats. A typical water utility architecture comprises three layers.
The field layer (Level 0-1) includes measurement sensors (flow, pressure, pH, chlorine), electrically controlled valves and pumps, and PLC controllers communicating via industrial protocols (Modbus, DNP3, IEC 61850). Devices at this level often operate for decades and were not designed with cybersecurity in mind.
The control layer (Level 2) comprises SCADA servers, HMI operator stations, historian servers, and alarm systems. This layer processes field-level data and presents it to operators. Communication between layers often uses unencrypted industrial protocols.
The management layer (Level 3-4) includes IT systems: email, ERP systems, customer databases, and the office network. The connection between this layer and the control layer — often through an unsegmented network — represents the primary attack vector.
Every interface between these layers is a potential attack point. The absence of network segmentation means that compromising an office computer can lead to taking over a PLC controller managing chlorine dosing.
Attack scenarios targeting SCADA in water utilities
An attack on a water utility’s SCADA system can take various forms, each carrying different risks.
Remote access takeover is a scenario where the attacker gains access to the SCADA system through an unsecured VPN or RDP connection. The Oldsmar, Florida incident (2021) demonstrated how an intruder with TeamViewer remote access could change the sodium hydroxide dosing setpoint from a safe level of 100 ppm to a lethal 11,100 ppm. An alert employee noticed the change on the HMI screen and reversed it within seconds — but had no one been watching, contaminated water could have entered the distribution network.
Ransomware targeting SCADA servers encrypts control software and historical databases. Operators lose visibility into processes and the ability to control remotely. Even if PLC controllers continue operating autonomously, the lack of monitoring means physical failures go undetected and water quality parameters are not checked.
Supply chain attacks involve infecting a SCADA vendor’s software. The utility downloads an “update” containing malicious code that opens a backdoor or modifies control logic in PLC controllers. This scenario is particularly dangerous because the software comes from a trusted vendor.
Measurement data manipulation is an attack where the cybercriminal modifies sensor readings — for example, lowering chlorine level readings, causing automatic dosing increases to dangerous levels, or changing pressure readings to mask a leak or excessive pressure that could lead to pipe failure.
Why water utilities are particularly vulnerable
The water sector has characteristics that make it especially susceptible to cyberattacks. First, long OT system lifecycles — PLC controllers and SCADA systems operate for 15-25 years, far longer than typical IT equipment. Many devices run on outdated software without security patches because the vendor has ended support or updates require costly downtime.
Second, availability over security — a water utility must operate 24/7/365. Any downtime means no water for residents. This pressure for operational continuity leads to postponing updates, avoiding system restarts, and tolerating known vulnerabilities “because the system works.”
Third, geographic dispersion — water infrastructure (pumping stations, intakes, booster stations) is spread across a large area, often connected via radio or cellular links that can be intercepted. Physical protection of remote facilities is limited.
Fourth, limited resources — smaller utilities lack dedicated cybersecurity personnel. SCADA administration is often a partial responsibility of an employee whose main job is mechanical maintenance.
Fundamentals of SCADA protection in water utilities
Protecting SCADA systems requires a layered approach, analogous to the “defense-in-depth” concept.
Network segmentation is the foundation — separating the OT network (SCADA, PLC, HMI) from the IT network (office, internet) using industrial firewalls and DMZ zones. The Purdue model (ISA-95) defines five layers with controlled access points between them. Proper segmentation means that compromising an office computer does not grant access to PLC controllers.
Remote access control means eliminating unsecured VPN and RDP connections. Every remote access should require MFA, be logged, and be time-limited. Service sessions should be monitored in real time. Vendor service accounts should be activated only during maintenance and deactivated afterward.
OT network monitoring involves deploying anomaly detection systems for SCADA network traffic. Tools such as IDS/IPS systems dedicated to industrial protocols can detect unauthorized control commands, unusual communication patterns, and attempts to modify PLC configurations.
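The two detections this paragraph and the Oldsmar scenario call for, as an added example (not code from the original article or from nFlo): a minimal Modbus/TCP request inspector that flags write function codes from hosts outside an allow-list and register writes outside a plausible setpoint range. The IP addresses, register address and ppm bounds are assumed placeholders for one dosing-pump PLC, and the frames are constructed sample input rather than captured traffic.

```python
import struct

# Modbus function codes that change PLC state; reads (0x01-0x04) are deliberately absent.
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

# Assumed policy for one dosing-pump PLC (placeholder values): the only host
# allowed to issue writes, and the plausible ppm range of the setpoint in register 0.
POLICY = {"allowed_writers": {"10.10.20.5"}, "register_limits": {0: (0, 200)}}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP request into its MBAP header fields and PDU data."""
    tid, pid, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or len(frame) != 6 + length:  # protocol id is always 0; length covers unit id + PDU
        raise ValueError("malformed Modbus/TCP frame")
    return {"tid": tid, "unit": unit, "func": func, "data": frame[8:]}

def register_writes(func: int, data: bytes) -> list:
    """Return (address, value) pairs carried by the register-write function codes."""
    if func == 0x06:
        return [struct.unpack(">HH", data[:4])]
    if func == 0x10:
        start, qty, count = struct.unpack(">HHB", data[:5])
        values = struct.unpack(f">{qty}H", data[5:5 + count])
        return list(zip(range(start, start + qty), values))
    return []

def inspect(src_ip: str, frame: bytes, policy: dict = POLICY) -> list:
    """Return alert strings for one request frame; an empty list means it passed."""
    req = parse_modbus_tcp(frame)
    alerts = []
    if req["func"] in WRITE_FUNCS:
        if src_ip not in policy["allowed_writers"]:
            alerts.append(f"{WRITE_FUNCS[req['func']]} from unauthorized host {src_ip}")
        for addr, value in register_writes(req["func"], req["data"]):
            limits = policy["register_limits"].get(addr)
            if limits and not limits[0] <= value <= limits[1]:
                alerts.append(f"register {addr} set to {value}, outside safe range {limits}")
    return alerts

def write_single(addr: int, value: int, unit: int = 1) -> bytes:
    """Build a constructed Write Single Register request (sample input, not captured traffic)."""
    return struct.pack(">HHHBBHH", 1, 0, 6, unit, 0x06, addr, value)

if __name__ == "__main__":
    print(inspect("10.10.20.5", write_single(0, 100)))      # -> []  (authorized host, sane value)
    print(inspect("10.10.20.5", write_single(0, 11100)))    # authorized host, but setpoint out of range
    print(inspect("192.168.1.77", write_single(0, 100)))    # write from a host outside the allow-list
```

A real deployment would feed this from a network tap or span port and alert on any non-empty result; the read-only function codes pass untouched, so normal HMI polling generates no noise.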
Vulnerability management includes regular OT asset inventory, identification of known vulnerabilities, risk assessment, and patching or compensating — considering maintenance windows and continuity requirements.
OT security audit — the first step toward protection
An OT security audit is a systematic assessment of industrial system security. For a water utility, the audit covers OT asset inventory and network mapping, architecture and segmentation analysis, access control and identity management review, security policy and procedure review, device and software vulnerability testing, and incident readiness assessment.
The audit results in a report with a prioritized list of recommendations that accounts for water sector specifics: operational continuity requirements, budget constraints, and personnel availability. nFlo conducts OT audits at water utilities, combining cybersecurity expertise with understanding of industrial processes in the water sector.
Poland’s Cybersecure Water Supply program funds up to PLN 1.3 million for cybersecurity activities — including audits, network segmentation, monitoring deployment, and personnel training. An OT security audit is the starting point for effectively utilizing this funding.
Action plan — from audit to continuous protection
Effective SCADA protection in water utilities is an ongoing process, not a one-time project. It starts with an audit of the current state, proceeds through implementing priority safeguards (segmentation, access control, monitoring), and then evolves into a mature OT security program encompassing regular testing, staff training, and procedure improvement.
Leadership engagement is essential — responsibility for OT cybersecurity rests with the water utility’s management board, and the NIS2 directive introduces personal liability for board members regarding the adequacy of security measures.
nFlo supports water utilities at every stage: from audit through security architecture design, technical solution implementation, to continuous monitoring via SOC services. Water security is people’s security — and it cannot be compromised.
