Water and Wastewater Cybersecurity: 7 SCADA Defenses Utilities Need in 2026

Water and wastewater cybersecurity is the practice of protecting the control systems that run treatment plants, pump stations, and distribution networks from digital attacks that could disrupt service or endanger public health. This guide is written for municipal water and utility managers who face America’s Water Infrastructure Act (AWIA) risk and resilience assessment requirements and higher security expectations after incidents like the 2021 Oldsmar, Florida water treatment intrusion. It explains why the risk is rising, how these systems get attacked, and the seven core defenses that protect a SCADA (supervisory control and data acquisition) environment.

Key Takeaways

  • The single biggest cybersecurity risk to water utilities is exposed or poorly secured remote access to SCADA (supervisory control and data acquisition) systems, which attackers reach through weak passwords, no multi-factor authentication, and internet-facing remote desktop tools.
  • AWIA (America’s Water Infrastructure Act) requires community water systems serving more than 3,300 people to complete a risk and resilience assessment that must address the electronic and cyber systems used to operate the utility, then update an emergency response plan.
  • Network segmentation between IT (information technology) and OT (operational technology) is the highest-impact control, because a segmented plant stops ransomware from crossing from the business office into the process network that runs pumps and chemical dosing.
  • The 2021 intrusion at the Oldsmar, Florida water plant, where an attacker briefly raised the sodium hydroxide setpoint to a dangerous level through a shared remote access tool, showed that a small utility can be reached from anywhere and that operator vigilance and setpoint limits still matter.
  • The ISA/IEC 62443 standard is the recognized framework for securing industrial control systems, and aligning a water utility SCADA design to its zones-and-conduits model gives auditors and insurers a defensible, documented security posture.

Why Water and Wastewater Cybersecurity Is Urgent Now

Water and wastewater cybersecurity moved from an optional concern to a regulatory and safety priority over the past five years. Water systems are designated critical infrastructure, and federal agencies have publicly warned that they remain among the least defended. The EPA (Environmental Protection Agency) and CISA (Cybersecurity and Infrastructure Security Agency) have issued repeated advisories after nation-state and criminal groups probed United States water utilities, including confirmed intrusions at multiple small systems.

The 2021 Oldsmar event was the turning point for public awareness. An attacker gained access to a plant operator’s screen through a shared remote support tool and increased the sodium hydroxide (lye) concentration setpoint by a factor of roughly one hundred. An operator noticed the cursor moving and reversed the change before any treated water was affected. The lesson was blunt. A utility serving 15,000 people was reachable from the open internet with a single reused credential.

AWIA reinforces the point with a legal requirement. Community water systems serving more than 3,300 people must conduct a risk and resilience assessment that explicitly covers electronic, computer, and automated systems, then certify completion to the EPA and maintain an emergency response plan. Cyber risk is no longer separable from physical resilience under the law. For background on real incidents, see our review of past SCADA cyberattacks and the lessons learned.

How Water SCADA Systems Get Attacked

Network segmentation cabinet with managed switches and a firewall for OT security

Most water SCADA breaches trace back to a small set of predictable weaknesses rather than exotic zero-day exploits. Attackers look for the easiest path into a process network, and utilities frequently hand it to them through legacy design choices. Understanding the common entry points is the first step in closing them.

The recurring vulnerabilities are consistent across small and mid-sized utilities:

  • Exposed remote access. Remote desktop, VNC, and vendor support tools left open to the internet, often without MFA (multi-factor authentication), are the most common initial access vector.
  • Flat networks. When the business IT (information technology) network and the OT (operational technology) process network share the same address space, malware that lands on an office PC can reach a PLC (programmable logic controller) directly.
  • Default and shared credentials. Human-machine interface stations, PLCs, and network switches shipped with factory passwords that were never changed give an attacker an open door.
  • Unsupported operating systems. Control room workstations still running end-of-life Windows versions receive no security patches and expose known, published vulnerabilities.
  • Ransomware crossing from IT to OT. A phishing email that encrypts the business network can spread into the control system when no segmentation exists, forcing a plant to operate manually or shut down.

These are not theoretical. CISA advisories repeatedly cite internet-exposed control interfaces and default credentials as the root cause of confirmed water-sector compromises.

The 7 Core Defenses for Water Utility SCADA

Seven controls form the backbone of a defensible water utility security program. Applied together, they follow a defense-in-depth model where no single failure exposes the process.

1. Segment IT and OT Networks

Network segmentation is the most effective single control because it contains a breach. Placing the OT process network in its own zone, separated from business IT by a firewall or a demilitarized zone, prevents office ransomware from reaching pumps, valves, and chemical feed. Segmentation limits both the blast radius of an incident and the paths an attacker can take.

2. Secure Remote Access With Multi-Factor Authentication

Remote access should never be direct and never rely on a password alone. Route all remote connections through a hardened gateway or virtual private network that enforces MFA (multi-factor authentication), logs every session, and grants access only to named individuals. If a vendor needs access, it should be time-limited and supervised, not a standing open port.

3. Align to the ISA/IEC 62443 Standard

The ISA/IEC 62443 standard is the international benchmark for securing industrial automation and control systems. It defines security levels, zones, and conduits that map cleanly onto a water plant. Aligning a design to ISA/IEC 62443 gives a utility a documented, auditable posture that satisfies regulators and insurers.

4. Maintain Asset Inventory and Patch Management

You cannot protect what you have not inventoried. Keep a current list of every PLC (programmable logic controller), workstation, switch, and firmware version, then apply security patches on a tested schedule during planned maintenance windows. An accurate inventory turns a vague risk into a specific, fixable list.

5. Test Backups and Recovery

Backups only count if they restore. Keep offline, versioned backups of PLC programs, SCADA configurations, and historian data, and prove they work by performing a full recovery drill at least annually. A tested backup is the difference between a two-hour recovery and a two-week manual operation after ransomware.

6. Deploy Continuous Monitoring and Intrusion Detection

Passive monitoring built for OT traffic detects intrusions that IT tools miss. An OT-aware intrusion detection system watches control network traffic for unexpected commands, new devices, and setpoint changes, then alerts operators in real time. Continuous visibility shortens the window between a breach and the response.

7. Train Staff and Build an Incident Response Plan

People and procedures close the loop. Train operators to recognize phishing, verify remote sessions, and question abnormal setpoints, and write an incident response plan that names who does what when an alarm fires. The Oldsmar operator caught the attack by watching the screen, which shows why trained, alert staff remain a core defense.

Common threat Recommended defense
Ransomware spreads from office to plant Segment IT and OT networks with a firewall
Stolen or reused remote password Secure remote access with MFA and session logging
Attacker changes a chemical setpoint Setpoint limits plus OT intrusion detection and operator training
Encrypted or corrupted control programs Offline, tested backups with annual recovery drills
Unknown or unpatched device on the network Asset inventory and scheduled patch management

Talk to Pro-Tech Systems Group About a SCADA Security Assessment

If your utility is preparing an AWIA update or simply wants to know where its SCADA is exposed, Pro-Tech Systems Group performs control system security assessments that map your network, find internet-facing access, and prioritize fixes against the ISA/IEC 62443 standard. Contact Pro-Tech Systems Group to scope an assessment before your next audit or budget cycle.

The Regulatory Picture: EPA, CISA, AWWA, and AWIA

Operator using secure remote access at a water treatment facility

Four sources shape what a water utility is expected to do. Knowing how they fit together keeps compliance efforts focused rather than scattered.

  • AWIA sets the legal floor. It requires risk and resilience assessments and emergency response plans that include cyber and electronic systems for community water systems above 3,300 people.
  • The EPA enforces AWIA and publishes water-sector cybersecurity guidance and checklists. Its water and wastewater cybersecurity resources give utilities a practical starting checklist.
  • CISA provides free vulnerability scanning, advisories, and technical response support for the water sector through its water and wastewater portal.
  • AWWA (the American Water Works Association) offers a widely used cybersecurity guidance tool and use-case assessment that maps controls to AWIA obligations.

Treating these as one coordinated program, rather than four separate obligations, produces a security posture that holds up under audit and after an incident.

Why a Systems Integrator Matters and the Segregation-of-Duties Point

A control systems integrator brings security into the design rather than bolting it on afterward. Retrofitting security onto a live plant is expensive and disruptive, while an integrator who builds segmentation, secure remote access, and monitoring into the original SCADA architecture avoids those costs. The integrator also understands both the process and the network, which a general IT vendor usually does not.

Segregation of duties strengthens the outcome. When the party designing and building the control system is not the same party auditing it, or when internal roles separate who can change SCADA configurations from who reviews those changes, a single mistake or compromised account cannot silently alter the process. This principle mirrors financial controls and is now expected in mature OT security programs. For utilities running wastewater plants specifically, our overview of wastewater SCADA features explains how these systems are structured.

How Pro-Tech Systems Group Builds Secure Control Systems

Pro-Tech Systems Group designs and integrates SCADA, PLC (programmable logic controller), and industrial automation systems using a defense-in-depth approach from the first drawing. Based in Akron, Ohio, and serving municipal water and wastewater utilities across the eastern United States, the firm builds segmented networks, MFA-protected remote access, and documented alignment to the ISA/IEC 62443 standard into every project rather than treating security as an add-on.

For existing plants, Pro-Tech Systems Group performs security assessments that inventory assets, identify exposed remote access, and produce a prioritized remediation plan tied to AWIA and EPA expectations. The goal is a control system that keeps water flowing safely and that a utility manager can defend to regulators, insurers, and the public.

The table below summarizes how OT and IT security priorities differ, which is why water utilities need control-focused expertise rather than office IT alone.

Priority IT security OT / SCADA security
Top goal Confidentiality of data Availability and safety of the process
Patching Frequent, often automatic Tested, scheduled around uptime
Downtime tolerance Reboots acceptable Unplanned stops can risk public health
Device lifespan 3 to 5 years 15 to 20 years
Primary fear Data breach Physical process manipulation

Frequently Asked Questions

What is the biggest cybersecurity risk for water utilities?

The biggest risk is exposed or poorly secured remote access to SCADA systems. Attackers commonly reach control networks through internet-facing remote desktop tools, weak or reused passwords, and the absence of multi-factor authentication. Closing off remote access and requiring MFA removes the most common entry point.

Does AWIA require a cybersecurity assessment?

Yes, within its risk and resilience requirement. AWIA (America’s Water Infrastructure Act) requires community water systems serving more than 3,300 people to conduct a risk and resilience assessment that must address the electronic, computer, and automated systems the utility relies on. Utilities must certify completion to the EPA and maintain an emergency response plan that reflects the findings.

What is IEC 62443?

IEC 62443, also called ISA/IEC 62443, is the international standard for cybersecurity in industrial automation and control systems. It defines security levels, and a zones-and-conduits model for separating and protecting parts of a control network. Water utilities use it as a framework to design and document a defensible SCADA security posture.

How is OT security different from IT security?

OT (operational technology) security prioritizes the availability and safety of a physical process, while IT (information technology) security prioritizes the confidentiality of data. Control devices run for 15 to 20 years and cannot be rebooted casually, so patching is scheduled around uptime rather than applied automatically. The worst-case OT outcome is manipulation of a physical process, such as a chemical setpoint, not just a data breach.

What happened at Oldsmar?

In February 2021, an attacker gained remote access to a water treatment plant in Oldsmar, Florida, through a shared remote support tool. The intruder raised the sodium hydroxide setpoint to a dangerous level, but a plant operator saw the change happening on screen and reversed it before treated water was affected. The incident highlighted how a small utility can be reached from the internet through a single weak remote access path.

How can a small water utility improve SCADA security on a limited budget?

Start with the highest-impact, lowest-cost controls. Change all default passwords, close internet-facing remote access, add multi-factor authentication, and take advantage of free CISA vulnerability scanning and EPA checklists. Basic network segmentation and offline backups deliver strong protection without major capital spending.

Should remote access to SCADA be allowed?

Remote access can be allowed if it is tightly controlled, and it should never be direct or password-only. Route it through a hardened gateway or virtual private network that enforces multi-factor authentication, restricts access to named individuals, logs every session, and grants vendors time-limited, supervised access. Standing open remote ports should be closed entirely.

Comments are closed.