
Securing a Water and Wastewater Utility: A Cybersecurity Guide

In February 2021, an operator at the water treatment plant in Oldsmar, Florida watched the cursor move on its own and the sodium hydroxide (lye) setpoint jump from 100 to 11,100 parts per million. The operator reverted the change within minutes, and the plant had further checks before treated water reached customers, but the path in was a shared, internet-exposed remote-access tool on the plant's computers, protected by a single password reused across them and no second factor. Later reporting has questioned whether an outside attacker was responsible at all; the exposure itself was not disputed, and it is why Oldsmar remains the clearest illustration of why water and wastewater utilities, often resource-constrained yet safety-critical, need disciplined OT security. This guide sets out how to provide it.

At Oldsmar in 2021, the lye setpoint was raised from 100 ppm to 11,100 ppm, more than 100 times the normal dose, through an internet-exposed remote-access tool.

Why Water Utilities Are Exposed

Water and wastewater utilities run extensive SCADA and OT to control pumps, valves, dosing and treatment, yet many operate on tight budgets with small teams and ageing equipment. Remote sites such as pumping stations and reservoirs are often managed over the internet for convenience, which is exactly how Oldsmar was reached. The result is a sector with high safety consequences and frequently thin defences.

  • SCADA controls dosing, pumping and treatment processes
  • Geographically dispersed sites encourage internet-based remote access
  • Tight budgets leave legacy equipment in service for decades
  • Safety consequences include the integrity of drinking water

The Oldsmar Lesson: Remote Access First

Oldsmar was not a sophisticated attack; it was a failure of access hygiene: a remote-access tool exposed to the internet, a credential shared across the plant's machines and reused elsewhere, and no multi-factor authentication. The single most valuable thing a water utility can do is therefore eliminate direct internet exposure of control systems and route every connection through MFA-protected, monitored jump hosts. Publicly reported water-sector intrusions have overwhelmingly begun with an internet-reachable remote-access tool, HMI or PLC behind a weak or default credential, so getting this one control right removes the entry point used most often. Verify it from the outside: scan the utility's public address space for remote-access and SCADA ports (TeamViewer, VNC, RDP, Modbus, DNP3) and treat any hit as an incident, not a ticket.

  • Remove direct internet exposure of SCADA and HMIs
  • Enforce MFA on every remote-access path
  • Replace shared accounts with named, least-privilege access
  • Record and monitor all remote sessions

Segmenting Treatment and Distribution Networks

Beyond remote access, water utilities need the same segmentation discipline as any OT operator. Separate the control network from corporate IT with an industrial DMZ, and micro-segment between treatment works, pumping stations and distribution so a compromise at one site cannot reach the rest. This containment is what prevents a single exposed device from becoming a system-wide safety event.

  • Establish an industrial DMZ between OT and corporate IT
  • Micro-segment between treatment works and remote sites
  • Apply default-deny rules between control zones
  • Use data diodes for one-way monitoring where appropriate
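The remote-access and segmentation controls above can be checked mechanically against a firewall policy. The following is an added example, not code from the page or from Kyanite Blue: it models a small utility's zones and rules (zone names, port numbers and the two policies are constructed for illustration) and audits them for exactly the failures the two sections describe, namely control zones reachable from the internet, remote-access ports that bypass the jump hosts, corporate IT wired straight into OT, flat any-any traffic between control zones, and a policy with no closing deny-all. A weak, Oldsmar-style policy is shown beside the corrected one.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed zone model for a small utility; names and ports are assumptions
# for this example, not taken from any real network or from the page.
OT_ZONES = {"scada", "treatment_works", "pump_station_a", "pump_station_b"}
JUMP_ZONE = "jump_hosts"                        # MFA-protected jump hosts in the industrial DMZ
REMOTE_ACCESS_PORTS = {22, 3389, 5900, 5938}    # SSH, RDP, VNC, TeamViewer
ANY_ZONE = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    ports: frozenset[int] | None    # None means any port
    action: str                     # "allow" or "deny"

def audit(policy: list[Rule]) -> list[str]:
    """Return one finding per rule that breaks the guide's controls.

    Checks: direct internet exposure of a control zone; a remote-access port
    open into a control zone from anything but the jump hosts; corporate IT
    reaching OT without traversing the DMZ; unrestricted traffic between two
    control zones; and a policy that does not end in an explicit deny-all.
    """
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src == "internet" and (r.dst in OT_ZONES or r.dst == ANY_ZONE):
            findings.append(f"{r.name}: control zone '{r.dst}' is reachable directly from the internet")
        if (r.dst in OT_ZONES and r.src != JUMP_ZONE
                and r.ports is not None and r.ports & REMOTE_ACCESS_PORTS):
            findings.append(f"{r.name}: remote-access port into '{r.dst}' from '{r.src}' bypasses the jump hosts")
        if r.src == "corporate" and r.dst in OT_ZONES:
            findings.append(f"{r.name}: corporate IT reaches '{r.dst}' without traversing the industrial DMZ")
        if r.src in OT_ZONES and r.dst in OT_ZONES and r.src != r.dst and r.ports is None:
            findings.append(f"{r.name}: unrestricted traffic between control zones '{r.src}' and '{r.dst}'")
    last = policy[-1] if policy else None
    if not (last and last.action == "deny" and last.src == ANY_ZONE and last.dst == ANY_ZONE):
        findings.append("policy does not end with an explicit deny-all rule")
    return findings

# The Oldsmar-style starting point: remote-support tools exposed to the internet,
# corporate IT wired straight into SCADA, and a flat control network.
WEAK_POLICY = [
    Rule("tv-remote-support", "internet", "scada", frozenset({5938}), "allow"),
    Rule("vnc-pump-station", "internet", "pump_station_a", frozenset({5900}), "allow"),
    Rule("it-to-ot", "corporate", "scada", None, "allow"),
    Rule("ot-flat", "scada", "pump_station_a", None, "allow"),
]

# The corrected policy: an MFA VPN gateway in the DMZ is the only thing the
# internet can reach, only the jump hosts may open interactive sessions into
# OT, corporate reads a historian replica in the DMZ, and control zones only
# exchange the polling traffic they need.
HARDENED_POLICY = [
    Rule("vpn-gateway", "internet", "dmz", frozenset({443}), "allow"),
    Rule("vpn-to-jump", "dmz", JUMP_ZONE, frozenset({3389}), "allow"),
    Rule("jump-to-hmi", JUMP_ZONE, "scada", frozenset({3389}), "allow"),
    Rule("jump-to-pump-rtu", JUMP_ZONE, "pump_station_a", frozenset({22}), "allow"),
    Rule("scada-polls-pump", "scada", "pump_station_a", frozenset({502}), "allow"),
    Rule("historian-push", "scada", "dmz", frozenset({5432}), "allow"),
    Rule("corp-reads-historian", "corporate", "dmz", frozenset({443}), "allow"),
    Rule("default-deny", ANY_ZONE, ANY_ZONE, None, "deny"),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        result = audit(policy)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak policy the audit reports seven findings; against the hardened one it reports none. In practice the rules would be parsed from the firewall's own export rather than typed in, and the zone sets extended to every treatment works and remote site the utility operates.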

Monitoring Dosing and Process Integrity

Because the worst-case scenario is a quiet manipulation of a process setpoint, monitoring matters as much as prevention. Protocol-aware OT monitoring can flag anomalous commands, such as a write to a dosing setpoint from a host that never writes, and process integrity checks can alert when a setpoint moves outside safe bounds. The bounds themselves belong in the PLC logic or a safety interlock, independent of the HMI, so a changed screen value cannot drive a dosing pump past them. Paired with alarms that reach an operator quickly, this turns a setpoint manipulation into an alarm within seconds rather than something a human has to happen to notice, as at Oldsmar.

  • Deploy protocol-aware monitoring of control commands
  • Set hard safety bounds and alarms on critical setpoints
  • Route alerts to staff who can act around the clock
  • Keep tested, offline backups of control configurations
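What "protocol-aware monitoring of control commands" with "hard safety bounds" looks like in practice, as an added example that is not code from the page or from Kyanite Blue: a Modbus/TCP inspector that parses the MBAP header, extracts register writes (function codes 6 and 16), and raises an alert when a write targets a dosing setpoint register from an unauthorised source or with a value outside the configured safe range. The register addresses, bounds, host addresses and sample frames are constructed for illustration; a real plant's PLC tag map and scaling will differ.

```python
import struct
from dataclasses import dataclass

# Constructed tag map: which holding registers carry safety-relevant setpoints
# and what range is acceptable. Register addresses, units and bounds are
# assumptions for this example; a real plant's PLC tag list and scaling differ.
SETPOINT_REGISTERS = {
    40: ("naoh_dose_ppm", 0, 200),        # sodium hydroxide dosing setpoint
    41: ("hypochlorite_dose_ppm", 0, 5),  # chlorine dosing setpoint
}
# Only the engineering HMI may write setpoints (assumed address).
AUTHORISED_WRITERS = {"10.20.1.10"}

WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

@dataclass
class Alert:
    severity: str
    src: str
    register: int
    name: str
    value: int
    reason: str

def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP ADU into (unit_id, function_code, pdu_data); None if malformed.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2, bytes
    that follow it, unit id included), unit id (1); then the PDU.
    """
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7], frame[8:]

def register_writes(fc: int, data: bytes):
    """Yield (address, value) for the two register-write function codes; reads yield nothing."""
    if fc == WRITE_SINGLE_REGISTER and len(data) == 4:
        yield struct.unpack(">HH", data)
    elif fc == WRITE_MULTIPLE_REGISTERS and len(data) >= 5:
        start, qty, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count == 2 * qty and len(data) == 5 + byte_count:
            for i, (value,) in enumerate(struct.iter_unpack(">H", data[5:])):
                yield start + i, value

def inspect(src: str, frame: bytes) -> list[Alert]:
    """Alert on setpoint writes from unauthorised sources or with values outside safety bounds."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return []
    _unit, fc, data = parsed
    alerts = []
    for addr, value in register_writes(fc, data):
        if addr not in SETPOINT_REGISTERS:
            continue
        name, lo, hi = SETPOINT_REGISTERS[addr]
        if src not in AUTHORISED_WRITERS:
            alerts.append(Alert("high", src, addr, name, value, "setpoint write from unauthorised source"))
        if not lo <= value <= hi:
            alerts.append(Alert("critical", src, addr, name, value, f"value outside safety bounds {lo}..{hi}"))
    return alerts

def modbus_tcp(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (used here only to build the constructed sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic as (source IP, frame): a routine write, an
# Oldsmar-style jump to 11,100, a write from a host outside the plant, and a read.
SAMPLE_TRAFFIC = [
    ("10.20.1.10", modbus_tcp(1, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 40, 100))),
    ("10.20.1.10", modbus_tcp(1, struct.pack(">BHH", WRITE_SINGLE_REGISTER, 40, 11100))),
    ("203.0.113.7", modbus_tcp(1, struct.pack(">BHHB", WRITE_MULTIPLE_REGISTERS, 40, 2, 4)
                                  + struct.pack(">HH", 150, 2))),
    ("10.20.1.10", modbus_tcp(1, struct.pack(">BHH", 0x03, 40, 2))),   # read holding registers
]

def run_monitor(traffic=SAMPLE_TRAFFIC) -> list[Alert]:
    return [a for src, frame in traffic for a in inspect(src, frame)]

if __name__ == "__main__":
    for a in run_monitor():
        print(f"[{a.severity}] {a.src} wrote {a.name} (register {a.register}) = {a.value}: {a.reason}")
```

On the sample traffic the routine write and the read produce nothing, the 11,100 write from the authorised HMI raises a critical out-of-bounds alert, and the in-range write from the outside host raises a high alert for each register it touched. Fed from a SPAN port or tap on the control network, the same logic is the detection half of the control; the enforcement half is the bound in the PLC that refuses the value regardless of what the HMI sends.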

How Kyanite Blue and Sophos Help

Kyanite Blue helps water and wastewater utilities close the gaps Oldsmar exposed without straining small teams or budgets. We remove internet exposure of control systems, deploy Sophos firewalls to segment treatment, pumping and corporate networks, and put MFA-protected jump hosts in front of every remote site. Sophos detection on the firewalls and endpoints, together with our managed monitoring of OT traffic, then watches for the anomalous commands that signal an attack, with alerts reaching staff fast enough to matter.

Frequently Asked Questions

What was the main failure in the Oldsmar water attack?

A shared remote-access tool was exposed to the internet, protected by a weak, reused password and no multi-factor authentication. Eliminating internet exposure and enforcing MFA on remote access would have prevented the intrusion.

How can a small water utility afford OT security?

Focus first on the highest-value, lowest-cost controls: removing internet exposure of control systems, enforcing MFA on remote access and basic segmentation. A managed security partner spreads the cost of monitoring and expertise that a small in-house team cannot sustain alone.

Does water sector cybersecurity fall under UK NIS Regulations?

Yes. Drinking water supply and distribution is an essential service under the UK Network and Information Systems Regulations 2018, and operators are assessed against the NCSC Cyber Assessment Framework by their competent authority, the Drinking Water Inspectorate in England and Wales. Disciplined OT security is therefore both a safety and a compliance requirement.
