
Water Utility Cybersecurity: Treatment Plant Protection

Water and wastewater treatment depend on SCADA-controlled chemical dosing and pumping where a cyber fault can affect public health. This guide explains how to protect treatment plants using the Purdue model, IEC 62443 and NIST SP 800-82.

Published 26 June 2026 | 11 min read | Codesecure OT Security Practice | Critical Infrastructure

Key Takeaways

  • Water and wastewater plants run on SCADA, PLCs and RTUs controlling pumps, valves and especially chemical dosing that affects water safety.
  • A manipulated dosing setpoint is a public-health threat, as real intrusions at water facilities have demonstrated.
  • Many water utilities are under-resourced with legacy systems, internet-exposed HMIs and remote access secured by weak or shared credentials.
  • The Purdue model, IEC 62443 and NIST SP 800-82 provide the framework to segment plants, harden controllers and secure remote operations.
  • Priorities: remove internet-exposed control interfaces, segment IT from OT, enforce strong remote access, and monitor dosing and pumping for unauthorised changes.

Why Water Treatment Is a Public-Health Cyber Risk

Water and wastewater utilities deliver an essential service whose failure has immediate public-health consequences. Treatment plants use chemicals to make water safe to drink and to render wastewater safe to discharge, and the control systems that govern dosing, filtration and disinfection are therefore safety-critical. A cyber attack that manipulates these processes is a threat to public health, not merely to availability.

Real incidents have made this concrete. Attackers have reached the control interfaces of water-treatment facilities and altered chemical dosing toward dangerous levels, with the changes caught by operators or built-in limits rather than by strong cyber defences. These events, often achieved through exposed remote-access tools and weak credentials, showed how thin the protection at many water utilities can be.

Water utilities are also frequently under-resourced compared with the criticality of what they run. Small and mid-sized utilities may operate legacy SCADA, internet-exposed HMIs and remote access shared among staff and contractors, without dedicated security teams. This mismatch between consequence and resourcing is exactly what makes the sector attractive to attackers and urgent to defend.

How Treatment Plant Control Works

A treatment plant is supervised by a SCADA system: operator HMIs and a SCADA server in a control room, connected to PLCs and RTUs in the field that operate the physical process. These controllers operate the intake pumps, screens and filters, the chemical dosing skids that add coagulants, disinfectants and pH adjusters, and the distribution pumps that move treated water into the network.

Chemical dosing is the most safety-sensitive function. Dosing too little disinfectant leaves water unsafe; dosing too much, or adding the wrong chemical at the wrong concentration, can make water harmful. The setpoints and interlocks that govern dosing are precisely what an attacker would target, and they are exactly what monitoring and segmentation must protect.

Wastewater plants mirror this structure in reverse, treating sewage to a safe standard before discharge, with their own dosing, aeration and pumping controls. Both water and wastewater estates are often geographically distributed across intakes, pumping stations and outfalls, adding the same wide-area and remote-site exposure seen in pipelines.


Purdue Model and IEC 62443 for Water Plants

The Purdue model structures a treatment plant just as it does any process facility. Field instruments and actuators are Level 0, PLCs and RTUs are Level 1, HMIs and engineering workstations are Level 2, and the SCADA servers, historian and OT services are Level 3. The business network is Levels 4 and 5, and an IDMZ separates corporate IT from the control environment.

IEC 62443 zoning for a water utility typically defines an enterprise zone, an IDMZ, a control-room zone, process zones for treatment stages, and field zones at remote pumping and intake stations. The dosing controls warrant a high target Security Level because of their direct public-health impact. Where sites are geographically distributed, the wide-area links become conduits that must be authenticated and monitored, as on a pipeline.

NIST SP 800-82 provides the operational-technology control catalogue and risk approach, and many jurisdictions issue sector-specific water-security guidance that maps onto these frameworks. Together they give even a small utility a defensible reference for what its control environment should look like and where its current gaps lie.

Closing the Most Common Water Utility Gaps

The first priority for many water utilities is removing internet-exposed control. HMIs, SCADA servers and remote-access tools that are reachable from the public internet, sometimes with default or shared credentials, are the single most common cause of real water-sector intrusions. These should be taken off the internet entirely and reached only through secured, brokered remote access.

IT and OT segmentation comes next. A flat network where the business systems and the SCADA share connectivity lets a phishing email or a ransomware infection on the office side reach the controllers that run treatment. An IDMZ and firewalled zone boundaries break that path and are achievable even for smaller utilities with modest budgets.

Legacy systems are a reality in this sector and cannot always be replaced quickly. Where controllers cannot be patched or hardened, compensating controls (tighter segmentation, protocol restrictions, close monitoring and limits on who can reach them) reduce the risk until modernisation is possible. The goal is to make the most dangerous functions, especially dosing, the hardest to reach.

Secure Remote Access for Distributed Sites

Water utilities depend on remote access because their assets are spread across a region and staffing is limited. Operators monitor plants out of hours, and contractors maintain pumps, analysers and controllers across many sites. Historically this has been done with consumer remote-desktop tools and shared logins, which is precisely the exposure that has led to intrusions.

The secure pattern is the same as in other OT environments and is achievable at modest cost: brokered access through a hardened jump host, multi-factor authentication, individual accounts with least privilege, recorded and time-boxed sessions, and no direct internet path to a PLC or HMI. Removing standing third-party connections and giving each contractor a controlled, revocable account closes a major gap.

For distributed field sites such as remote pumping stations, physical security and authenticated, encrypted communications matter, because an attacker with access to an unmanned cabinet could otherwise reach the local control network. Restricting each field site to communicating only with the control room contains that risk.
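The zoning and conduit rules described in the sections above can be checked against observed traffic. The following is an added example, not Codesecure's tooling: the address plan, zone names, conduit list and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed address plan and conduit list: assumptions for illustration.
ZONES = {
    "enterprise": "10.0.0.0/16", "idmz": "10.50.0.0/24",
    "control_room": "10.100.0.0/24", "process": "10.110.0.0/24",
    "field_ps1": "10.120.1.0/24",  # one remote pumping station
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}
# Permitted conduits as (source zone, destination zone, destination TCP port).
CONDUITS = {
    ("enterprise", "idmz", 443),           # remote-access portal in the IDMZ
    ("idmz", "control_room", 3389),        # brokered session from the jump host
    ("control_room", "process", 502),      # SCADA polling PLCs over Modbus/TCP
    ("control_room", "field_ps1", 20000),  # SCADA polling the RTU over DNP3
    ("field_ps1", "control_room", 20000),  # RTU-initiated reporting (assumed)
}

def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in NETS.items() if addr in net), "external")

def audit(flows):
    """Return (src_zone, dst_zone, port, reason) for each flow that breaks the zoning."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if (sz == dz or (sz, dz, port) in CONDUITS
                or {sz, dz} <= {"enterprise", "external"}):  # office-only traffic
            continue
        if "external" in (sz, dz):
            reason = "direct path between a plant zone and an outside address"
        elif "enterprise" in (sz, dz) and "idmz" not in (sz, dz):
            reason = "IT and OT communicating without passing through the IDMZ"
        elif sz.startswith("field_"):
            reason = "field site talking to something other than the control room"
        else:
            reason = "no conduit defined for this flow"
        findings.append((sz, dz, port, reason))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.3.15", "10.50.0.10", 443), ("10.50.0.10", "10.100.0.5", 3389),
    ("10.100.0.5", "10.110.0.21", 502), ("10.0.3.15", "10.110.0.21", 502),
    ("203.0.113.7", "10.100.0.8", 5900), ("10.120.1.4", "10.110.0.21", 502),
    ("10.120.1.4", "10.100.0.5", 20000),
]
```

Running `audit(SAMPLE_FLOWS)` reports three findings: the office host polling a PLC directly, the outside address reaching the control room, and the pumping station talking to the process zone.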


Monitoring Dosing and Responding to Incidents

OT monitoring at a water plant should focus on the controls with public-health impact. Passive monitoring baselines normal operation and alerts on the events that precede an incident: a change to a dosing setpoint or interlock, a controller program download outside a change window, a new device on the control network, or remote access at an unexpected time. These map directly to how real water intrusions have unfolded.
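The four alert conditions listed above can be written as detection rules over normalised events. This is an added example, not code from Codesecure or any monitoring product: the event fields, tag prefixes, device baseline, change window and working hours are constructed assumptions. It goes one step beyond the list by escalating a dosing write that follows off-hours remote access.

```python
from datetime import datetime, time, timedelta

# Constructed baseline values: assumptions for illustration, not plant data.
KNOWN_DEVICES = {"10.100.0.5", "10.100.0.6", "10.50.0.10"}
DOSING_PREFIXES = ("DOSE_", "ILK_DOSE_")   # dosing setpoint and interlock tags
CHANGE_WINDOWS = [(datetime(2026, 6, 20, 9, 0), datetime(2026, 6, 20, 12, 0))]
REMOTE_HOURS = (time(7, 0), time(19, 0))   # when remote sessions are expected


def evaluate(event):
    """Return the alert names raised by one normalised OT event."""
    ts = datetime.fromisoformat(event["ts"])
    alerts = []
    if event["src"] not in KNOWN_DEVICES:
        alerts.append("new_device")
    if event["type"] == "tag_write" and event["tag"].startswith(DOSING_PREFIXES):
        alerts.append("dosing_change")
    elif event["type"] == "program_download":
        if not any(start <= ts <= end for start, end in CHANGE_WINDOWS):
            alerts.append("download_outside_change_window")
    elif event["type"] == "remote_session":
        if not REMOTE_HOURS[0] <= ts.time() <= REMOTE_HOURS[1]:
            alerts.append("remote_access_off_hours")
    return alerts


def run(events, correlate=timedelta(minutes=30)):
    """Return (timestamp, alert) pairs; escalate dosing writes after off-hours access."""
    out, last_off_hours = [], None
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        for alert in evaluate(e):
            if alert == "remote_access_off_hours":
                last_off_hours = ts
            if alert == "dosing_change" and last_off_hours and ts - last_off_hours <= correlate:
                alert = "dosing_change_after_off_hours_access"
            out.append((e["ts"], alert))
    return out


# Constructed events, as a passive sensor or log collector might normalise them.
SAMPLE_EVENTS = [
    {"ts": "2026-06-20T10:15:00", "src": "10.100.0.6", "type": "program_download", "target": "PLC-DOSE-1"},
    {"ts": "2026-06-21T02:40:00", "src": "10.50.0.10", "type": "remote_session", "user": "contractor7"},
    {"ts": "2026-06-21T02:44:00", "src": "10.100.0.5", "type": "tag_write", "tag": "DOSE_NAOCL_SP", "old": 2.0, "new": 20.0},
    {"ts": "2026-06-21T02:46:00", "src": "10.100.0.5", "type": "tag_write", "tag": "PUMP3_SPEED_SP", "old": 60, "new": 65},
    {"ts": "2026-06-21T02:50:00", "src": "10.100.0.77", "type": "program_download", "target": "PLC-DOSE-1"},
]
```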

Crucially, dosing setpoints and limits should have safe bounds enforced in the control logic itself, so that even an attacker who reaches the HMI cannot drive a chemical to a dangerous level without tripping a hard limit. Defence in depth, combining cyber controls with engineered safety limits, is what protected operators in past incidents and should be designed in deliberately rather than left to luck.
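The controller-side enforcement described above, modelled in Python for readability as an added example (not code from the original article or from any PLC vendor). In a plant this logic belongs in the controller program rather than the HMI. The class name, limits and values are hypothetical placeholders, not dosing guidance.

```python
from dataclasses import dataclass


@dataclass
class DosingGuard:
    """Python model of limits that would live in the PLC program, not the HMI."""
    sp_min: float      # engineered lower bound for the setpoint
    sp_max: float      # engineered upper bound for the setpoint
    max_step: float    # largest change accepted in a single write
    trip_high: float   # measured value at which the dosing pump is tripped
    setpoint: float
    tripped: bool = False

    def request_setpoint(self, value):
        """Accept or reject a write from any source; rejected writes change nothing."""
        if not self.sp_min <= value <= self.sp_max:
            return "rejected: outside engineered bounds"
        if abs(value - self.setpoint) > self.max_step:
            return "rejected: step too large"
        self.setpoint = value
        return "accepted"

    def scan(self, measured):
        """One controller scan: latch a trip on a high measurement, return pump demand."""
        if measured >= self.trip_high:
            self.tripped = True    # stays latched until a local manual reset
        return 0.0 if self.tripped else self.setpoint

    def local_reset(self, measured):
        """Honour a reset only once the measurement is back below the trip level."""
        if measured < self.trip_high:
            self.tripped = False
        return not self.tripped


def demo():
    """Constructed sequence: three write requests, three scans, then a local reset."""
    g = DosingGuard(sp_min=0.5, sp_max=4.0, max_step=0.5, trip_high=5.0, setpoint=2.0)
    results = [g.request_setpoint(20.0), g.request_setpoint(3.5), g.request_setpoint(2.4)]
    outputs = [g.scan(2.1), g.scan(5.3), g.scan(2.0)]
    return results, outputs, g.local_reset(2.0), g.setpoint
```

The out-of-range and oversized writes are refused whatever their source, and the high measurement latches the pump off until someone resets it locally.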

Incident response must keep safe water flowing while the threat is contained. Plans should define how to verify and, if needed, manually control dosing, how to isolate the SCADA network from corporate IT, and how to coordinate with public-health authorities if water quality may have been affected. Tested, offline backups of PLC logic and SCADA configuration, and exercises that include both operators and any security support, make confident recovery possible.


Frequently Asked Questions

Why is water treatment a cybersecurity priority?

Treatment plants use chemicals to make water safe to drink and wastewater safe to discharge, controlled by SCADA, PLCs and RTUs. A cyber attack that manipulates chemical dosing or disinfection is a direct public-health threat, not just an availability issue. Real intrusions have altered dosing at water facilities, which is why dosing and disinfection controls must be defended as safety-critical systems.

Have water utilities actually been hacked?

Yes. Attackers have reached the control interfaces of water-treatment facilities and altered chemical dosing toward dangerous levels, with the changes caught by operators or engineered limits rather than strong cyber defences. These intrusions were often achieved through internet-exposed remote-access tools and weak or shared credentials, highlighting how thin protection can be at under-resourced utilities.

What are the two most important fixes for a water utility?

First, remove internet-exposed control interfaces: HMIs, SCADA servers and remote-access tools should never be directly reachable from the public internet. Second, segment IT from OT with an IDMZ and firewalled zone boundaries so that an office-side phishing or ransomware infection cannot reach the controllers that run treatment. These close the paths used in most real water-sector attacks and are achievable on modest budgets.

How can dosing be protected even if the HMI is compromised?

By enforcing safe bounds for dosing setpoints and limits in the control logic itself, so a chemical cannot be driven to a dangerous level without tripping a hard, engineered limit. This defence in depth, combining cyber controls with safety limits in the PLC, is what protected operators in past incidents and should be designed in deliberately rather than left to chance.

How do small water utilities secure remote access affordably?

By replacing consumer remote-desktop tools and shared logins with a brokered jump host, multi-factor authentication, individual least-privilege accounts, and recorded, time-boxed sessions, with no direct internet path to a PLC or HMI. Giving each contractor a controlled, revocable account and removing standing third-party connections closes a major gap at modest cost, even without a dedicated security team.

How does Codesecure assess a water or wastewater treatment plant?

We start non-intrusively: asset inventory from passive monitoring, Purdue and IEC 62443 zoning analysis, and review of internet exposure, IT and OT segmentation, remote access and dosing-control safeguards. Aligned to NIST SP 800-82, we identify the highest-impact gaps, especially around dosing, and scope any active testing around the plant's safety and change-management process so operations are not disrupted.


Codesecure OT Security Practice

OSCP / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs OT and ICS security engagements for utilities, energy operators, transport authorities and industrial enterprises across India, Singapore, the UAE and Malaysia. Our consultants hold OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials and deliver IEC 62443 and NIST SP 800-82 aligned assessments with named leads and fixed-price proposals.
