Introduction
Cybersecurity has moved from an IT concern to an operational imperative for water utilities. The America's Water Infrastructure Act (AWIA) of 2018 requires community water systems serving more than 3,300 people to conduct risk and resilience assessments that include evaluation of monitoring practices, chemical handling, and the operation and maintenance of the system. For utilities with SCADA and industrial control system (ICS) infrastructure, this means cybersecurity is no longer optional — it is a regulatory obligation.
Recent high-profile cyberattacks on water utilities have underscored the urgency. From the 2021 Oldsmar, Florida incident — where an attacker briefly altered chemical treatment levels through remote access — to ongoing ransomware campaigns targeting municipal infrastructure, the threat landscape for water sector operational technology (OT) is real and growing.
AWIA 2018 Cybersecurity Requirements
AWIA requires covered utilities to assess the resilience of their systems to both physical and cyber threats, including electronic and computer or automated systems. Utilities must develop or update emergency response plans that account for cybersecurity incidents. The EPA has provided guidance through its Water Sector Cybersecurity Resources, and has increasingly emphasized that utilities must take concrete steps to secure their SCADA and ICS environments.
While AWIA does not prescribe specific technical controls, the EPA has signaled through enforcement actions and guidance documents that utilities should implement fundamental cybersecurity practices: network segmentation between IT and OT environments, access controls and authentication for all remote connections, encrypted communications for SCADA protocols, regular vulnerability assessments and patching schedules, and incident response planning and testing.
Common Vulnerabilities in SCADA/ICS Environments
Many water utility SCADA systems were designed and installed in an era when cybersecurity was not a primary concern. Legacy systems often exhibit vulnerabilities that create significant risk. Flat network architectures that allow lateral movement between business IT systems and process control networks are common. Unencrypted communication protocols such as Modbus TCP and DNP3 transmit data in plaintext, potentially allowing interception or manipulation.
Default or shared credentials on PLCs, RTUs, and HMI workstations create easy entry points for attackers. Outdated operating systems on SCADA servers and workstations that no longer receive security patches leave known vulnerabilities unaddressed. Remote access configurations — often implemented for vendor support or operator convenience — may lack multi-factor authentication or session monitoring.
Best Practices for Secure Instrumentation Integration
Instrumentation vendors and integrators play a critical role in building secure SCADA architectures. When specifying and installing new instrumentation, security should be a design consideration from the outset, not an afterthought. Network segmentation is foundational — instrument networks should be isolated from business networks using firewalls and demilitarized zones (DMZs). New instruments should support encrypted communication protocols where available, such as Modbus/TCP over TLS or secure MQTT for cloud-connected sensors.
Access control at the device level — unique credentials for each instrument, role-based access for configuration changes, and audit logging of all parameter modifications — helps prevent unauthorized changes. When cellular or cloud telemetry is required, encrypted VPN tunnels and certificate-based authentication should be standard practice.
Regular firmware updates and security patches for field instruments, PLCs, and RTUs should be incorporated into maintenance programs. Vulnerability scanning of the OT network should be performed regularly, using tools and methods appropriate for industrial environments that avoid disrupting real-time process control.
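The segmentation and encrypted-protocol practices above can be checked passively from exported firewall or NetFlow records, without sending any traffic to OT devices. The following is an added example, not Emergent Energy's code: the zone subnets, the allowed zone pairs, and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Assumed zone layout: hypothetical subnets, replace with the utility's own.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
    "instrument": ipaddress.ip_network("10.40.0.0/24"),
}
OT_ZONES = {"control", "instrument"}
# Zone pairs permitted to talk directly; enterprise reaches OT only through the DMZ.
ALLOWED = {frozenset(p) for p in [("enterprise", "dmz"), ("dmz", "control"),
                                  ("control", "instrument")]}
# Registered ports: Modbus TCP 502 and DNP3 20000 are plaintext; Modbus/TCP Security (TLS) uses 802.
PLAINTEXT_ICS = {502: "Modbus TCP", 20000: "DNP3"}

def zone_of(addr):
    """Map an IP address to its zone name, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

def audit_flow(src, dst, dport):
    """Return the findings for one flow record (empty list if it is clean)."""
    sz, dz = zone_of(src), zone_of(dst)
    findings = []
    crosses = sz != dz
    if crosses and frozenset((sz, dz)) not in ALLOWED and {sz, dz} & OT_ZONES:
        findings.append(f"segmentation: {sz} -> {dz} reaches OT without the permitted path")
    if crosses and dport in PLAINTEXT_ICS:
        findings.append(f"plaintext: {PLAINTEXT_ICS[dport]} crosses {sz} -> {dz} unencrypted")
    return findings

def audit(flows):
    """Return (flow, findings) pairs for every flow with at least one finding."""
    return [(f, r) for f in flows if (r := audit_flow(*f))]

# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.40.0.17", 502),     # business PC straight to an instrument
    ("10.20.0.5", "10.30.0.10", 443),      # DMZ historian to control server
    ("10.30.0.10", "10.40.0.17", 802),     # control to instrument over Modbus/TLS
    ("203.0.113.9", "10.30.0.10", 20000),  # internet host to control network, DNP3
    ("10.30.0.10", "10.40.0.18", 502),     # control to instrument, plaintext Modbus
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        for finding in findings:
            print(flow, finding)
```

Traffic that stays inside a single zone is not flagged here; the check targets flows that cross a zone boundary, which is where the firewall and DMZ rules are supposed to apply.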
How Emergent Energy Designs Secure SCADA Integrations
At Emergent Energy, cybersecurity is integral to our SCADA integration methodology. We design instrumentation networks with segmentation and defense-in-depth principles built in. Our integration practices include specifying instruments that support encrypted protocols and secure authentication, designing network architectures with proper segmentation between instrument, control, and enterprise networks, implementing cellular SCADA telemetry with encrypted VPN tunnels and certificate-based device authentication, and documenting all network configurations, access credentials, and communication paths for utility cybersecurity assessments.
We work with utilities to ensure that new instrumentation installations strengthen — rather than compromise — the overall security posture of their OT environment. Contact us at 215-645-7141 or visit emergentenergy.us/contact to discuss secure SCADA integration for your facility.
