
OT Cybersecurity for the Water and Wastewater Sector: A Practical Guide

November 6, 2025 · 9 min read · By Beacon Security Team

Water Infrastructure and the Consequences of Failure

On the morning of February 5, 2021, an operator at the Oldsmar, Florida water treatment facility watched his computer cursor move on its own. Someone else had control of his screen. Before he could react, they navigated to the system controlling sodium hydroxide (lye) and cranked the dosage from 111 parts per million to 11,100. One hundred and eleven times the normal level. Enough, if it had gone unnoticed, to poison the drinking water supply for about 15,000 residents.

The operator grabbed back control immediately. Crisis averted. But the attack had succeeded in every other sense: an unauthorized person had gained remote access to a water treatment control system, navigated it with apparent familiarity, and attempted to cause direct public harm. All of it through a remote desktop tool with shared credentials and no multi-factor authentication.

The Oldsmar incident was not sophisticated. It exploited basic security failures that are present in hundreds of water utilities across the country. That is what makes it a warning rather than an anomaly. It was a preview of what happens when the sector's security reality meets a motivated attacker.

The Unique Challenge of the Water Sector

Water and wastewater utilities face a combination of constraints that distinguishes them from most other critical infrastructure operators, and that shapes every security decision they need to make.

Resource limitations. Over 90 percent of public water systems in the United States serve fewer than 10,000 people. These utilities typically have limited IT staff, minimal security budget, and no dedicated cybersecurity personnel. The security programs that are standard practice at large energy utilities are simply financially and operationally out of reach for a utility with three IT employees. At Beacon Security, we work regularly with small water utilities, and the resource constraint is real; good security here has to fit the organization that actually exists, not a larger one that doesn't.

Aging infrastructure and SCADA systems. Many water utilities operate SCADA systems that have been in place for 20 or more years. These legacy systems often run outdated operating systems, have no authentication on their communications protocols, and were designed with no cybersecurity considerations whatsoever. Replacing them requires capital investment and operational disruption that small utilities cannot easily absorb.

Essential service obligations. A water utility cannot simply take systems offline while investigating a security incident. Continuous provision of safe drinking water is a public health obligation. Every security decision, including emergency isolations, must account for the operational consequences.

Process chemistry consequences. This is the factor that makes water treatment distinct from most industrial sectors: unauthorized control actions can affect water safety in ways that are not immediately visible and may reach large populations before anyone detects the change. The time between a malicious dosing change and consumer exposure can be dangerously short.

The Regulatory Framework: AWIA and EPA Requirements

The America's Water Infrastructure Act of 2018 (AWIA) requires community water systems serving more than 3,300 people to conduct a Risk and Resilience Assessment covering cybersecurity threats, develop or update an Emergency Response Plan that addresses cybersecurity incidents, and certify completion of both to the EPA on a defined schedule.

The AWIA requirements are a starting point, not a finish line. A risk and resilience assessment that documents vulnerabilities without a remediation program creates liability without protection. In 2024 and 2025, the EPA pursued additional cybersecurity requirements for the water sector, driven by documented increases in nation-state probing of water infrastructure. The direction is clear: federal oversight of water sector cybersecurity is increasing, and utilities that have not built baseline security programs face growing scrutiny.

Priority Security Controls for Water Utilities

Given resource constraints, prioritization is essential. Here is where to start.

1. Eliminate Remote Access Vulnerabilities

The Oldsmar incident was enabled by remote access failures that are entirely preventable. For water utilities, hardening remote access should be the highest-priority security action.

Remove legacy remote access software: TeamViewer, AnyDesk, and RDP exposed directly to the internet. These tools, especially with shared credentials, represent the most commonly exploited OT access vectors. In their place, implement a proper remote access architecture: a dedicated VPN gateway with multi-factor authentication, connecting to a jump server in an OT DMZ, with session recording. No direct access from the internet to OT systems. Require individual credentials for all remote access; shared accounts provide no accountability and no ability to revoke access for a specific person or vendor.

For utilities that need vendor remote access for SCADA support, purpose-built OT remote access platforms provide vendor access with individual credentials, session recording, and time-limited connections without requiring complex VPN infrastructure.

2. Network Segmentation Between IT and OT

If the SCADA workstation that controls chemical dosing is on the same network as the office computers and email server, that has to change. The minimum viable segmentation for a water utility includes a firewall at the boundary between administrative and control networks, default-deny rules where only explicitly permitted traffic crosses the boundary, and no direct internet access from the SCADA network.

This does not require expensive next-generation firewall technology. Even a mid-grade industrial firewall with properly configured rules provides dramatically better protection than a flat network. In our assessments at Beacon Security, flat IT/OT networks are among the most common findings at small water utilities, and among the most consequential.

3. Secure the SCADA Workstation and HMI

The SCADA workstation and HMI systems are high-value targets because they provide direct visibility and control over the treatment process. Hardening priorities include updating or replacing operating systems that are past end-of-life (Windows XP and Windows 7 SCADA systems are widely present in the water sector and carry numerous unpatched vulnerabilities with public exploits), implementing application whitelisting to allow only the SCADA software rather than arbitrary executables, disabling unnecessary services including RDP if not required, and controlling removable media.

4. Change Management and Baseline Documentation

For utilities with limited security capability, configuration management provides a practical foundation for detecting unauthorized changes. Document the current configuration of SCADA servers, HMIs, PLCs, and network devices. Establish a change management process where no configuration changes happen without documentation and authorization. Periodically compare current configurations against the documented baseline. Maintain backup copies of PLC logic, HMI project files, and SCADA server configurations stored offline.

If an attacker modifies a chemical dosing setpoint or PLC logic, this is how you find out before someone gets hurt.
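The periodic comparison described above, as an added example that is not code from the original post or from Beacon Security. It assumes a baseline kept as SHA-256 digests of exported PLC logic and HMI project files plus plain-text attributes, and a change-management log keyed by (device, attribute); all device names, file contents and ticket ids are constructed.

```python
import hashlib

# Constructed sample artifacts standing in for an exported PLC program and an
# HMI project file; in practice these come from the offline backup copies.
PLC_LOGIC_BASELINE = b"RUNG 1: NaOH_PUMP_SP := 111\nRUNG 2: CL2_DOSE_SP := 2.0\n"
PLC_LOGIC_CURRENT = b"RUNG 1: NaOH_PUMP_SP := 11100\nRUNG 2: CL2_DOSE_SP := 2.0\n"
HMI_PROJECT = b"<project name='treatment_hmi' version='7'/>"


def fingerprint(data: bytes) -> str:
    """SHA-256 of an exported artifact; the baseline records only the digest."""
    return hashlib.sha256(data).hexdigest()


# Documented baseline: device -> {attribute: expected value}. Digests for opaque
# files, plain values for things an operator can read off the device directly.
BASELINE = {
    "plc-01": {"logic_sha256": fingerprint(PLC_LOGIC_BASELINE), "firmware": "2.14"},
    "hmi-01": {"project_sha256": fingerprint(HMI_PROJECT), "os": "Windows 10 LTSC"},
    "fw-otdmz": {"ruleset_version": "17"},
}

# Entries from the change-management log (constructed): (device, attribute) -> ticket.
AUTHORIZED = {("fw-otdmz", "ruleset_version"): "CHG-0042"}


def diff_against_baseline(baseline, current, authorized):
    """Return (device, attribute, detail) for every difference not covered by a ticket."""
    findings = []
    for device in sorted(set(baseline) | set(current)):
        if device not in current:
            findings.append((device, "*", "missing from current snapshot"))
        elif device not in baseline:
            findings.append((device, "*", "not in baseline: undocumented device"))
        else:
            for attr, expected in baseline[device].items():
                actual = current[device].get(attr)
                if actual != expected and (device, attr) not in authorized:
                    findings.append((device, attr, f"changed without authorization: {expected} -> {actual}"))
    return findings


def run_periodic_check():
    """Constructed 'current' snapshot, as a collection job would produce it."""
    current = {
        "plc-01": {"logic_sha256": fingerprint(PLC_LOGIC_CURRENT), "firmware": "2.14"},
        "hmi-01": {"project_sha256": fingerprint(HMI_PROJECT), "os": "Windows 10 LTSC"},
        "fw-otdmz": {"ruleset_version": "18"},  # authorized under CHG-0042, not flagged
        "vendor-laptop": {"os": "Windows 11"},  # never documented, flagged
    }
    return diff_against_baseline(BASELINE, current, AUTHORIZED)
```

The PLC logic change (the dosing setpoint rung) surfaces as a digest mismatch with no ticket, while the firewall ruleset change is covered by its ticket and stays quiet.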

5. Chemical Dosing Alarm and Setpoint Monitoring

Water treatment process engineers typically configure alarm setpoints for chemical dosing: high and low thresholds that trigger alerts when dosing rates fall outside expected ranges. From a security perspective, these process alarms serve as a detection layer that costs nothing extra to configure correctly.

Ensure chemical dosing alarms are set at levels that would trigger on manipulation attempts. Ensure alarms are annunciated to operators and cannot be silently suppressed. For high-consequence treatment facilities, consider independent verification of chemical dosing through physical gauges, secondary instruments, or manual sampling: a layer of assurance that does not depend on the SCADA system's integrity.
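Alarm logic of the kind this section describes, as an added example that is not from the original post or any SCADA product. It evaluates a historian extract of the sodium hydroxide setpoint against absolute high/low limits and adds a rate-of-change check, so an abrupt change that stays inside the process limits still alarms; the limits and readings are constructed assumptions, not the plant's real values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DosingLimits:
    low: float       # ppm; below this the process is under-dosed
    high: float      # ppm; above this the water must not be delivered
    max_step: float  # largest credible change to the setpoint in one scan, ppm


# Constructed limits for a sodium hydroxide feed. The real values come from the
# plant's process engineer; these are assumptions for the example only.
NAOH = DosingLimits(low=80.0, high=150.0, max_step=20.0)


def evaluate_setpoints(readings, limits):
    """
    readings: [(timestamp, setpoint_ppm), ...] as exported from the SCADA historian.
    Returns [(timestamp, code, detail), ...]. Two independent checks run on every
    sample: absolute limits (HIGH/LOW) and rate of change (STEP). A setpoint edit
    that lands inside the limits but moves too far in one scan still raises STEP.
    """
    alarms = []
    previous = None
    for ts, sp in readings:
        if sp > limits.high:
            alarms.append((ts, "HIGH", f"{sp} ppm exceeds high limit {limits.high}"))
        elif sp < limits.low:
            alarms.append((ts, "LOW", f"{sp} ppm below low limit {limits.low}"))
        if previous is not None and abs(sp - previous) > limits.max_step:
            alarms.append((ts, "STEP", f"setpoint moved {previous} -> {sp} ppm in one scan"))
        previous = sp
    return alarms


# Constructed historian extract: steady dosing, an in-range but abrupt change,
# then a jump on the scale of the Oldsmar incident, then a revert to normal.
SAMPLE = [
    ("08:00", 111.0), ("08:05", 111.0), ("08:10", 140.0),
    ("08:15", 11100.0), ("08:20", 111.0),
]
```

Note that the revert at 08:20 also raises STEP: an attacker restoring the original value after a short excursion does not erase the evidence.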

Sector-Specific Resources for Water Utilities

Water sector utilities have access to resources that most other industries do not.

WaterISAC provides threat intelligence, security advisories, and incident response support specifically for water utilities. Membership starts at a cost appropriate for small utilities, and they published specific guidance following the Oldsmar incident.

CISA Free Services for Water Sector provides no-cost cybersecurity assessments through its Critical Infrastructure Cybersecurity Services program, including Cyber Resilience Review assessments and vulnerability scanning.

EPA Cybersecurity Resources include sector-specific guidance documents and tools tailored to water system cybersecurity.

These resources make meaningful security improvement accessible even for utilities with very limited budgets. Not knowing they exist is itself a risk.

The Staffing Reality

Most small water utilities will never have a dedicated cybersecurity professional on staff. The security program has to be designed for the people who are actually available: a water treatment operator, a plant engineer, a shared IT resource. This shapes everything.

It means prioritizing controls that are understandable and maintainable by generalists over complex systems that require specialized expertise. It means detailed operating procedures for security-relevant activities (responding to alarms, authorizing remote access, changing credentials) so that non-security staff can perform them correctly. It means using managed service providers who specialize in water sector OT security to provide specialist capability without requiring in-house expertise.

Beacon Security has helped small water utilities build security programs that are genuinely within their means: not a scaled-down version of a large utility's program, but something designed from the ground up to work with real resource constraints. The result is not perfect security, but it is security that actually gets implemented and actually holds.

The Oldsmar operator who grabbed back control of his mouse may have prevented a public health catastrophe through attentiveness alone. That is not a security program. It is luck. Building security programs that work with the humans and resources that are actually present, rather than assuming a security capability that does not exist, is how water utilities build something more reliable than luck.


Beacon Security provides OT cybersecurity assessments, AWIA compliance support, and security program development for water and wastewater utilities of all sizes. Contact us to discuss the right approach for your utility's resources and risk profile.
