OT Security in Water Utilities: SCADA Protection
Group COO & CISO at Opsio
Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments.

Water utilities operate some of the most critically important and least well-protected OT environments in any sector. A 2025 cybersecurity assessment by CISA found over 400 water and wastewater SCADA interfaces directly exposed to the internet. With 60% of organizations across all sectors experiencing OT incidents in 2025 (Dragos, 2025), and water utilities chronically underfunded for cybersecurity, the sector remains one of the most attractive targets for both hacktivists and criminal actors.
Key Takeaways
- 400+ water utility SCADA interfaces were found directly exposed to the internet in 2025 (CISA).
- The 2021 Oldsmar attack changed sodium hydroxide setpoints via remote access in minutes.
- Water utilities face chronic underfunding for cybersecurity compared to energy and manufacturing.
- SCADA systems controlling chemical dosing are the highest-consequence OT assets in water treatment.
- EPA and CISA have issued mandatory assessment requirements for US water utilities since 2023.
Why Are Water Utilities So Vulnerable to Cyber Attacks?
Water utilities combine critical public health responsibility with limited cybersecurity resources. Most water and wastewater systems serve communities of fewer than 50,000 people and operate with IT staff that may number fewer than five people. These organizations cannot attract or retain specialized OT security expertise. A 2025 CISA assessment found over 400 water and wastewater SCADA interfaces exposed directly to the internet, many protected only by default or weak credentials. This exposure is not deliberate; it reflects the operational reality of small utilities that enabled remote access for operational convenience without security hardening.
The consequences of a successful water utility attack are uniquely serious. Chemical dosing systems control the concentration of disinfectants and pH-adjustment chemicals in treated water. Unauthorized changes to chemical setpoints can produce water that is harmful to public health. Unlike a manufacturing stoppage or a power outage, a water quality incident may not be detectable until people become ill. The public health consequence profile of water utility attacks is what makes them particularly attractive to actors seeking to cause harm.
[IMAGE: Water treatment plant control room with SCADA workstations]
What Happened at Oldsmar and What Did It Teach Us?
In February 2021, an attacker remotely accessed the SCADA system of the Oldsmar, Florida water treatment facility and changed the sodium hydroxide concentration setpoint from 111 parts per million to 11,100 parts per million, a 100-fold increase to a level that would cause significant health harm if it had reached consumers. An operator saw the cursor moving on his screen, recognized it as unauthorized, and manually reversed the change within minutes. The chemical had not yet reached the distribution system. The attack was successful in modifying the setpoint but was caught by human observation before causing harm.
Oldsmar taught several lessons that are directly applicable to water utility OT security. First, remote access to SCADA systems without multi-factor authentication is unacceptable. The attacker accessed Oldsmar's system through TeamViewer, a remote desktop tool, apparently without encountering any authentication beyond a password. Second, operator vigilance can provide a last-resort detection layer but cannot be relied upon as a primary control. Third, chemical control systems must have independent safety interlocks that prevent setpoints from being changed to dangerous levels, even if a SCADA command is successfully transmitted.
Following Oldsmar, multiple state and federal agencies issued guidance on water utility SCADA security. The EPA's 2023 sanitary survey rule, subsequently challenged in court, attempted to mandate cybersecurity assessments for all community water systems. While the regulatory landscape continues to evolve, the Oldsmar incident permanently elevated water utility cybersecurity as a regulatory and public policy priority.
[CHART: Timeline of major water utility cyber incidents 2016-2025 with attack type and outcome (source: EPA/CISA Water Sector Cybersecurity Report 2025)]
What Are the Critical SCADA Assets in Water Treatment?
Water treatment SCADA systems control a range of processes with varying consequence profiles. Chemical dosing systems, including chlorination, pH adjustment, and fluoridation controls, carry the highest public health consequence if compromised. Pump station controls affect water pressure and availability; disruption can cause service outages but not direct public health harm. Reservoir and tank level controls maintain water storage; manipulation could deplete reserves or cause overflow events. Distribution system isolation valves control water flow routing; unauthorized operation can isolate communities from water supply.
RTUs (remote terminal units) at pump stations, lift stations, and remote reservoir sites are frequently the least-protected assets in a water utility's OT environment. They communicate with the central SCADA system via radio, cellular, or leased line links, often using unencrypted legacy protocols. Many RTUs at remote sites have physical security that amounts to a padlock on a metal enclosure. An attacker with physical access to a remote site, or the ability to intercept or inject traffic on the communication link, can potentially manipulate the RTU without ever accessing the central SCADA system.
How Should Water Utilities Prioritize OT Security Improvements?
Given chronic resource constraints, water utilities must prioritize ruthlessly. The highest-priority actions focus on the attack vectors that created incidents like Oldsmar. First, eliminate all direct internet exposure of SCADA systems and HMIs: conduct a network perimeter audit and close or VPN-gate any internet-accessible SCADA interfaces immediately. Second, require multi-factor authentication for all remote access to SCADA systems, replacing any remote desktop tools that rely on passwords alone. Third, change all default credentials on SCADA software, RTUs, and HMIs throughout the system.
Independent safety interlocks for chemical dosing systems are the most important technical control unique to water utilities. A chemical limit controller that prevents sodium hydroxide or chlorine dosing from exceeding safe thresholds, regardless of what the SCADA system commands, provides a hardware-level safety backstop that a cyber attack cannot override through software. These interlocks already exist in well-designed water treatment facilities; ensuring they are in place and functional should be a priority for any facility that lacks them.
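To make the interlock behaviour concrete, here is a software model of a limit controller, added as an illustration for this article; it is not code from the article, from any plant, or from any vendor, and in a real facility the function lives in a separate hardware controller. The 50 to 200 ppm permitted band, the latch-on-violation and the local-only reset are assumptions chosen for the example; the 111 ppm and 11,100 ppm values are the Oldsmar figures quoted above.

```python
"""Software model of an independent chemical-dosing limit controller.

Added illustration, not code from the article or from any plant or vendor.
In a real plant this function lives in a separate hardware limit controller;
the 50-200 ppm band is a constructed example, not an engineering value.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class DosingInterlock:
    """Accepts or rejects setpoints from SCADA, independently of the HMI.

    A setpoint outside [hard_min, hard_max] is never forwarded to the pump.
    The violation latches the interlock: the pump keeps the last safe value
    until an operator clears the latch at the panel (assumed behaviour).
    """
    chemical: str
    hard_min: float                 # lowest permitted setpoint (ppm)
    hard_max: float                 # highest permitted setpoint (ppm)
    current: float                  # setpoint currently applied at the pump
    latched: bool = False
    events: List[str] = field(default_factory=list)

    def request(self, setpoint: float, source: str) -> float:
        """Apply `setpoint` if safe; otherwise hold the last safe value.

        Returns the setpoint actually in force after the request.
        """
        if self.latched:
            self.events.append(
                f"REJECTED {setpoint} ppm from {source}: interlock latched")
            return self.current
        if not self.hard_min <= setpoint <= self.hard_max:
            self.latched = True
            self.events.append(
                f"LATCHED: {source} requested {setpoint} ppm {self.chemical}, "
                f"outside [{self.hard_min}, {self.hard_max}] ppm; "
                f"holding {self.current} ppm")
            return self.current
        self.current = setpoint
        self.events.append(f"APPLIED {setpoint} ppm from {source}")
        return self.current

    def local_reset(self) -> None:
        """Clear the latch. Reachable only from the local panel, never from SCADA."""
        self.latched = False
        self.events.append("RESET by local operator")


def oldsmar_scenario() -> dict:
    """Replay an Oldsmar-style setpoint command against the interlock.

    The 111 ppm starting value and the 11,100 ppm request are the figures
    reported for the 2021 incident; the band limits are constructed.
    """
    naoh = DosingInterlock("sodium hydroxide", hard_min=50.0, hard_max=200.0,
                           current=111.0)
    after_attack = naoh.request(11100.0, source="scada-hmi")   # 100-fold jump
    while_latched = naoh.request(115.0, source="scada-hmi")    # blocked: latched
    naoh.local_reset()                                         # operator at panel
    after_reset = naoh.request(115.0, source="scada-hmi")      # normal adjust
    return {
        "after_attack": after_attack,
        "while_latched": while_latched,
        "after_reset": after_reset,
        "events": naoh.events,
    }


if __name__ == "__main__":
    for line in oldsmar_scenario()["events"]:
        print(line)
```

The design point is that the interlock has no path by which SCADA can raise its limits or clear its latch: the SCADA command is honoured only inside the band, and after a violation nobody at a remote console can quietly try again.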
Network segmentation between OT and IT systems must be implemented even in utilities with small IT teams. A simple firewall that separates the SCADA workstation network from the utility's administrative network and internet connection significantly reduces exposure. This does not require sophisticated technology or large teams: a properly configured commercial firewall, maintained consistently, provides substantial protection against the opportunistic attacks that account for most water utility incidents.
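As an added example of the perimeter audit and segmentation checks this section describes (not from the article or from any firewall vendor), the following script reads a constructed firewall rule export and reports rules that expose SCADA services or OT addresses to untrusted sources, and rules that let the administrative network into the OT network on every port. The CSV rule format, the address ranges (10.0.0.0/8 as the utility's internal space, 10.10.0.0/16 as the OT subnet) and the sample rules are assumptions; the port table uses the well-known ports of each service.

```python
"""Audit a firewall rule export for direct SCADA exposure and weak segmentation.

Added example, not the article's or any vendor's tool. The CSV rule format,
the address ranges and the sample rules are constructed; adapt `parse_rule`
to the export format of the firewall actually in use.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known ports for services that must never be reachable from the internet.
SCADA_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    3389: "RDP",
    5900: "VNC",
    5938: "TeamViewer",
}

INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed utility address space
OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]       # assumed SCADA/OT subnet


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]              # None means any port


def parse_rule(line: str) -> Rule:
    """Parse one 'name,action,src,dst,port' line (constructed export format)."""
    name, action, src, dst, port = [f.strip() for f in line.split(",")]
    return Rule(name, action.lower(), ipaddress.ip_network(src),
                ipaddress.ip_network(dst), None if port == "any" else int(port))


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def is_internal(net: ipaddress.IPv4Network) -> bool:
    """True only if the whole source range lies inside the utility's own space."""
    return any(net.subnet_of(internal) for internal in INTERNAL_NETWORKS)


def touches_ot(net: ipaddress.IPv4Network) -> bool:
    return any(net.overlaps(ot) for ot in OT_NETWORKS)


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per allow rule that exposes OT or bypasses segmentation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        service = SCADA_PORTS.get(r.port, f"tcp/{r.port}" if r.port else "any port")
        # Finding 1: an untrusted source can reach an OT address or a SCADA service.
        if not is_internal(r.src) and (touches_ot(r.dst) or r.port in SCADA_PORTS):
            findings.append(
                f"{r.name}: {service} on {r.dst} reachable from untrusted {r.src}")
        # Finding 2: the admin/IT network can reach OT on every port (no segmentation).
        elif (is_internal(r.src) and not touches_ot(r.src)
              and touches_ot(r.dst) and r.port is None):
            findings.append(f"{r.name}: unrestricted IT->OT path {r.src} -> {r.dst}")
    return findings


# Constructed rule export. Only the VPN concentrator should face the internet.
SAMPLE_RULES = """\
allow-vpn-in,allow,0.0.0.0/0,10.0.1.5/32,443
allow-hmi-vnc,allow,0.0.0.0/0,10.10.1.20/32,5900
allow-dnp3-any,allow,0.0.0.0/0,10.10.2.0/24,20000
allow-it-to-ot,allow,10.20.0.0/16,10.10.0.0/16,any
allow-historian,allow,10.20.0.50/32,10.10.1.10/32,1433
deny-all,deny,0.0.0.0/0,0.0.0.0/0,any
"""


def run_audit() -> List[str]:
    return audit(load_rules(SAMPLE_RULES))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the sample rules the audit accepts the VPN gateway (the only sanctioned internet-facing path) and the port-restricted historian link, and reports the three rules that the section says must not exist: an HMI's VNC port and an RTU subnet's DNP3 port open to the internet, and an any-port IT-to-OT allow.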
What Federal Requirements Apply to Water Utility OT Security?
America's Water Infrastructure Act (AWIA) of 2018 requires community water systems serving more than 3,300 people to conduct risk and resilience assessments that include cybersecurity and to develop emergency response plans that address cybersecurity incidents. These assessments must be updated every five years. The most recent assessment cycle has pushed many smaller utilities to conduct their first formal OT security evaluations, revealing gaps that were previously invisible.
CISA's Water and Wastewater Systems Sector has issued sector-specific guidance, including the WaterISAC Cybersecurity Guidance for Water and Wastewater Systems and CISA's Securing Water and Wastewater Utilities guidance document. These resources are specifically designed for the resource-constrained reality of most water utilities and provide practical, prioritized recommendations rather than comprehensive frameworks that assume large security teams. EPA and CISA jointly conduct free vulnerability assessments for qualifying water utilities through programs designed to lower the barrier for smaller systems.
[IMAGE: Aerial view of a water treatment facility with treatment basins and distribution infrastructure]
How Do You Implement OT Monitoring in a Water Utility?
OT monitoring in water utilities must account for the prevalence of legacy protocols and the operational sensitivity of SCADA communications. Passive monitoring sensors deployed on the SCADA network can observe traffic between the SCADA server and field devices without sending any traffic that could disrupt operations. They identify which RTUs and PLCs are communicating, what commands are being sent, and whether communications deviate from established patterns.
Water utility SCADA systems often use DNP3 as the primary protocol for communication with remote field sites. DNP3 monitoring requires analysis tools that understand the protocol's specific command structure and can distinguish normal operational commands from anomalous ones. Commands that write to setpoints outside normal operating ranges, or commands originating from source addresses other than the authorized SCADA server, are examples of DNP3-specific anomalies that generic network monitoring tools would miss.
Alert management must be calibrated to the utility's operational reality. A water treatment plant's SCADA system generates continuous legitimate alarms as part of normal operations. An OT monitoring system that cannot distinguish genuine security alerts from operational process alarms will be ignored within days of deployment. Calibrating alert thresholds and tuning monitoring logic to the utility's specific operational patterns takes weeks of collaboration between the security team and operations staff but is essential for sustained monitoring effectiveness. For water utilities building OT security programs from limited starting points, Opsio's OT security services provide right-sized monitoring and assessment support.
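The following added example (not part of the article and not a product) runs the two DNP3-specific checks described above over a constructed, already-parsed trace of the kind a passive sensor would produce: control commands from a source address other than the authorized SCADA server, and setpoint writes outside a tuned per-point operating band. The silence on reads, responses and in-band writes is the alert calibration the section describes. The link-layer addresses, point names and envelopes are assumptions; the DNP3 function codes are the standard application-layer codes.

```python
"""DNP3 command anomaly checks over a passively captured, pre-parsed trace.

Added example, not from the article or any monitoring product. The records,
link-layer addresses, point names and envelopes are constructed; the DNP3
function codes are the standard application-layer codes.
"""
from typing import Dict, List, Optional, Tuple

# Standard DNP3 application-layer function codes relevant here.
FUNCTION_NAMES = {
    0x01: "READ",
    0x02: "WRITE",
    0x03: "SELECT",
    0x04: "OPERATE",
    0x05: "DIRECT_OPERATE",
    0x06: "DIRECT_OPERATE_NR",
    0x81: "RESPONSE",
    0x82: "UNSOLICITED_RESPONSE",
}
CONTROL_FUNCTIONS = {0x02, 0x03, 0x04, 0x05, 0x06}   # codes that change state

# Baseline learned during the tuning period (assumed values).
AUTHORIZED_MASTERS = {1}                 # DNP3 link-layer address of the SCADA server
SETPOINT_ENVELOPES: Dict[str, Tuple[float, float]] = {
    "naoh_setpoint_ppm": (90.0, 130.0),  # normal band around the 111 ppm setpoint
    "cl2_setpoint_ppm": (0.5, 4.0),
}

# (timestamp, src addr, dst addr, function code, point, value): constructed capture
Record = Tuple[str, int, int, int, Optional[str], Optional[float]]
SAMPLE_TRACE: List[Record] = [
    ("08:00:01", 1, 10, 0x01, None, None),                    # master polls outstation 10
    ("08:00:01", 10, 1, 0x81, None, None),                    # outstation responds
    ("08:00:30", 1, 10, 0x05, "naoh_setpoint_ppm", 112.0),    # routine adjust, in band
    ("08:01:00", 1, 10, 0x05, "naoh_setpoint_ppm", 11100.0),  # out of band
    ("08:01:05", 7, 10, 0x05, "pump1_run", 1.0),              # not the SCADA server
    ("08:01:09", 1, 11, 0x02, "cl2_setpoint_ppm", 2.1),       # routine write, in band
]

Alert = Tuple[str, str, str]   # (timestamp, severity, reason)


def analyze(records: List[Record]) -> List[Alert]:
    """Flag control commands from unauthorized sources and out-of-band setpoints.

    Reads, responses and in-band writes produce nothing: that silence is the
    tuning the section describes, so operators see only security-relevant events.
    """
    alerts: List[Alert] = []
    for ts, src, dst, fc, point, value in records:
        if fc not in CONTROL_FUNCTIONS:
            continue                        # polling and responses are operational noise
        name = FUNCTION_NAMES.get(fc, hex(fc))
        if src not in AUTHORIZED_MASTERS:
            alerts.append((ts, "high",
                           f"{name} to outstation {dst} from unauthorized address {src}"))
            continue
        envelope = SETPOINT_ENVELOPES.get(point)
        if envelope and value is not None and not envelope[0] <= value <= envelope[1]:
            alerts.append((ts, "critical",
                           f"{name} set {point} on outstation {dst} to {value}, "
                           f"outside tuned band {envelope}"))
    return alerts


def run_detection() -> List[Alert]:
    return analyze(SAMPLE_TRACE)


if __name__ == "__main__":
    for ts, sev, reason in run_detection():
        print(f"{ts} [{sev}] {reason}")
```

Six records produce two alerts: the 11,100 ppm write lands as critical, and the DIRECT_OPERATE from address 7 lands as high regardless of its value, because the source check runs before the envelope check. The envelopes themselves are the artefact of the tuning weeks the section mentions; a band set too narrow would turn routine operator adjustments into alerts and get the sensor ignored.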
Frequently Asked Questions
What is the WaterISAC and should our utility join?
WaterISAC is the water sector's Information Sharing and Analysis Center, providing threat intelligence, security guidance, and incident coordination for water and wastewater utilities. Membership provides access to early warning alerts about active threats targeting the water sector, sector-specific security guidance, and a community of peers facing similar challenges. Annual membership costs are scaled to system size, making participation accessible even for small utilities. CISA and EPA strongly encourage WaterISAC participation for all community water systems.
How do we secure remote RTU sites with no IT staff on-site?
Remote RTU security relies on physical access controls, communication link security, and centralized monitoring. Physical controls include hardened enclosures with tamper-evident locks, cameras where justified, and alarm systems that detect unauthorized entry. Communication security includes encrypted and authenticated radio or cellular links where supported by RTU firmware. Where legacy RTUs cannot support encrypted communications, monitoring the communication link for anomalous traffic patterns provides a compensating detective control. Centralized monitoring from the SCADA control center covers all remote sites from a single location.
What should we do immediately if we suspect a water utility cyber attack?
Immediately switch to manual control of chemical dosing systems and verify setpoints by direct physical inspection at the dosing equipment. Disconnect the suspected compromised system from the SCADA network to prevent further unauthorized access. Preserve logs and system state for forensic investigation. Contact CISA (1-888-282-0870) and your state drinking water program immediately. Issue internal notifications per your emergency response plan. Do not attempt to remediate the compromised system before forensic preservation; overwriting or rebooting systems destroys evidence needed to understand the attack scope and origin.
Is multi-factor authentication feasible for small water utilities?
Yes. Cloud-based MFA solutions from vendors like Microsoft, Duo Security, and similar providers can be deployed for remote access authentication with minimal infrastructure requirements. For SCADA-specific access, hardware tokens or smart cards provide MFA without cloud dependency. The Oldsmar attack exploited the absence of MFA on a TeamViewer remote access session; adding MFA to all remote access tools is the single highest-impact technical control available to water utilities with limited budgets, and it does not require large teams or complex infrastructure to implement.
Conclusion
Water utilities face a stark reality: they control infrastructure with direct public health consequences and chronically limited cybersecurity resources. The 400+ exposed SCADA interfaces found by CISA in 2025 and the lessons of the Oldsmar attack define both the problem and its solution with unusual clarity.
Immediate internet exposure elimination, mandatory MFA for remote access, chemical dosing safety interlocks, and basic network segmentation represent achievable near-term improvements for even the most resource-constrained utilities. These controls do not require large budgets or specialized teams; they require prioritization and commitment from utility leadership. The public health consequences of inaction are too serious for any other response.
Author: Opsio Security Practice | Published: April 2026 | Last updated: April 2026
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.