water utilities – Waterfall Security Solutions

Protecting Water Utilities and Wastewater Treatment Plants

Waterfall team — Wed, 22 May 2024 11:47:41 +0000

OT Insights Center Water & WastewaterProtecting Water Utilities and Wastewater Treatment Plants

Protecting Water Utilities and Wastewater Treatment Plants

Water systems cybersecurity expert Mariano Martin Tirado of Acciona shares with Waterfall his insights about protecting Water Utilities and Wastewater treatment plants.

Mariano Martin Tirado

Tech Leader at Accianoa S. A.

May 22, 2024

The first problem with securing water facilities is that many were built over 20 years ago. None of the common security protocols are in place. No firewalls, no passwords, nothing to prevent cyberattacks. And the reason for this problem is because such capabilities and threats didn’t exist when the water facility was first installed decades ago. So that is the first issue that needs to often be dealt with.

Water utility clients are naturally very concerned about cybersecurity attacks because you only have to watch the news to see the threats cyberattacks pose to water facilities around the world. Nowadays, cyberattacks that try to target these types of facilities do so because of their strategic/critical importance. The attacker’s motivation isn’t for money usually, but rather for clout and bragging rights. There is also a common concern that unfriendly governments will target such facilities as a strategic threat, as well as the common threat of ransomware.

“The first problem with securing water facilities is that many were built over 20 years ago.”

Cyber Threats of Water Utilities

When someone attempts to maliciously access water facilities, there are two main types of motivations. One of them is to SHUTDOWN the facility with the goal of making it not possible to start up again. In water starved areas, this can be a very big problem. The second possible motivation is that someone may try to change the mixing and chemical makeup of the water such as adding too much chlorine, lye, or any other chemicals which can cause a problem to the health of those bathing or drinking the water.

The control systems that run these water systems have many alarms and warnings to make sure the chemicals are within the approved parameters, but if someone takes control of the control systems, they would be able to deactivate these alarms. Manually tested samples are taken from the water too, but usually this is done once a day -not constantly like the automated censors. It could be that the tainted water has already entered the main supply by the time it gets manually tested.

Risks for Wastewater Treatment Plants

Attacks on the wastewater systems are also a big concern. Imagine a big city with the entire wastewater and sewage system not running. It would become a very unpleasant problem very quickly. The motivations and risks from an attack on wastewater systems are similar to an attack on regular water utilities. Concerns are also similar, with the risk of someone breaking or shutting down the wastewater systems, or someone messing with the controls so that sewage is not treated properly, also impacting the health of the people when it is released into the environment.

Water and wastewater are physically separated so that a hacker can’t mix the two, but the wastewater that can’t be treated because of a cyberattack needs to be released by the bypass which then damages the rivers and streams that it is released into.

IT and OT in Water Utilities

The billing of the water facilities is part of the IT system and is kept fully separated from the OT network that ensures the water supply. It is impossible to jump from IT to OT and OT to IT when the systems are properly isolated.

Part of a Supply Chain Attack

There is also a concern of a supply chain attack of someone attacking the electrical systems powering the water utility. With wastewater it is important to not require external power to run. It is very common that solar and clean energy supply part of the energy needs, as well as burning methane that comes off the wastewater. Wastewater treatment plants do use external power, but they don’t rely on it. The newest plants use renewable energy but have a connection to external power just as backup resource. When it comes to water utilities, it isn’t possible to have fully internal power resources. Desalination plants use lots of power that always require external power resources, as well as normal water suppliers that use pumps to move massive water volumes around, which doesn’t apply to wastewater. So supply chain attacks are a threat to Water utilities, but not as much of a threat to wastewater treatment plants.

Keeping Water Infrastructure Secured

The ever-evolving threat landscape requires a proactive approach to securing our water infrastructures. While the age of many facilities presents a challenge, it’s not insurmountable. Upgrading outdated systems with modern security protocols is certainly a step in the right direction, and implementing network segmentation can further secure critical operational technology (OT) networks from the internet and its threats.

About the author

Mariano Martín Tirado

Mariano is an advanced IT and OT expert with years of experience in Electrical engineering, communication networks, customised software and hardware solutions, and the application of new technology in the industrial sector. He is the technical leader responsible for the digitalization, technology and circular economy department at Acciona for water and wastewater treatment. He is passionate about using his expertise to drive innovation and to make a difference in the future of our planet. He holds degrees in both computer engineering from the college Innovation Luis Vives and in political science from the Complutense University of Madrid.

I don’t sign s**t – Episode 143

September 10, 2025

Secure Industrial Remote Access Solutions

August 28, 2025

Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation

August 28, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Protecting Water Utilities and Wastewater Treatment Plants appeared first on Waterfall Security Solutions.

Webinar: Engineering Cybersecurity Mitigations for Municipal Water Systems

Waterfall team — Sun, 19 May 2024 08:57:53 +0000

OT Insights Center Water & WastewaterWebinar: Engineering Cybersecurity Mitigations for Municipal Water Systems

Webinar: Engineering Cybersecurity Mitigations for Municipal Water Systems

Join our webinar for a look at how municipal water systems are engineered to mitigate cybersecurity threats and risks.

Join us on June 18, 2024, 11AM Eastern Time

Large water utilities are looking to gain efficiencies by adopting new distributed edge devices and digital transformation initiatives incorporating the latest machine learning and AI algorithms. Meanwhile, small to mid-size municipalities, are wanting to maintain their reliability without increasing their rate-base. Yet, a worsening threat environment looms over North American and European operators. Increasingly sophisticated criminal ransomware, hacktivist, and nation-state actors have penetrated water utilities – without yet causing severe consequences. Nevertheless, the fact is that attacks have reached into critical networks and are nearly doubling year-over-year.

In this webinar, Mariano Martín Tirado, a Tech Leader at Acciona, and Rees Machtemes, Waterfall's Director of Industrial Security – passionate engineers with decades of combined industry experience – discuss:

The latest incidents and trends impacting the Water industry.

Recent developments in the field of engineering-grade mitigations to cyber risks that apply to Water & Wastewater operations.

Strategies to protect water distribution and collection control systems.

Opportunities to boost municipal cyber security for water systems through the purchasing and procurement process.

Enabling the digital transformation of municipal water systems in the most secure way.

Join us on June 18th, to look at the latest and most powerful techniques for assuring safety, reliability, and efficiency in a world of ever-increasing cyber threats.

About the Speakers

Mariano Martín Tirado

Rees Machtemes, P.Eng.

Rees Machtemes is a Director of Industrial Security at Waterfall Security Solutions, and the lead researcher for Waterfall’s 2024 Threat Report. He is a professional engineer with 15 years of hands-on experience with both IT and OT systems. Rees has designed power generation and transmission substations, automated food and beverage plant, audited and tested private and government telecom solutions, and supported IT data centers and OT hardware vendors. This experience has led him to champion cyber-safe systems design and architecture.

An obsessive tinkerer and problem-solver, you’ll often spot him next to a soldering station, mechanic’s toolbox, or stack of UNIX servers. He holds a B.Sc. in Electrical Engineering from the University of Alberta.

Register Now

The post Webinar: Engineering Cybersecurity Mitigations for Municipal Water Systems appeared first on Waterfall Security Solutions.

Cybersecurity For Detroit Water

Waterfall team — Sun, 08 Nov 2020 11:56:00 +0000

OT Insights Center Water & WastewaterCybersecurity For Detroit Water

Cybersecurity For Detroit Water

Protecting Water Utilities From Evolving Cyber Threats

Customer/ Partner:

Detroit Water and Sewerage Department.

Customer Requirement:

Protect safe and reliable water utility operations while enabling access to real-time data for equipment monitoring, cell-phone-based field data validation, hydraulic analysis and other applications.

Waterfall’s Unidirectional Solution:

Unidirectional Security Gateways protect industrial control systems, including SCADA systems, individual controllers and PLCs with an impassable physical barrier to external network threats, while enabling enterprise-wide access to real-time production data.

Water Processing Modernisation And Containing Remote Cyber Threats

Detroit Water and Sewerage Department (DWSD) provides water service to the entire city of Detroit and several neighboring counties making up approximately 40 percent of the state’s population. For many years, DWSW had contracted a communications supplier to provide a pair of firewalls to serve as the sole security solution for IT/OT network integration. In early 2011, DWSD carried out a risk assessment of the security of the firewalls between the operations networks and the business network and determined that the risk of a security compromise of the operations network from the utility’s enterprise network was unacceptably high.

The challenge

Secure the safe & reliable operation of process control systems from external threats, while enabling real-time access to operations data for enterprise users and applications Important hydraulic analysis and optimization applications must run on the enterprise network as they require access to Internetenabled GIS applications. These applications also rely on access to real-time reservoir levels, pressures and pump status indications from the operational network. Equipment status information, wastewater treatment billing information and other readings must also be pushed from the OT network to the enterprise network.

Waterfall solution

Detroit Water replaced the IT/OT firewall with a Unidirectional Security Gateway. The gateways replicate an OSIsoft PI historian from the OT network to the IT network. The IT PI replica provides enterprise users and applications with real-time access to all operations data authorized to be shared with the enterprise. The enterprise hydraulic analysis application draws real-time reservoir levels, pressures and pump indications from the replica historian. A secure web portal accesses equipment status information, billing information and other readings from the replica as well. This data IS available to utility management, end users and field personnel.

Results & benefits

Security: Waterfall Unidirectional Gateways eliminate all possibility of threats penetrating operations from all external networks.

Visibility: The utility benefits from a wide variety of customer-service-enhancing integrations between OT and IT networks.

Cost: Every month, the utility saves the $10,000 it spent on firewall security management before the Waterfall deployment. Web-based applications dramatically improve field technician effectiveness and reduce technician wait times. The hydraulic optimization application is estimated to save the utility $7 million/year in electric power costs for operating the utility’s distributed network of water pumps.

Theory of Operation

“We can see that this solution eliminates external networks as threats to the safety or availability of our operations."

Biren Saparia, Detroit Water’s Process Control System Manager

Unidirectional Gateways enable control-system intrusion detection, vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. Unidirectional Gateways replicate servers, emulate industrial devices and translate industrial data to cloud formats. Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that accompany firewall deployments. Replacing at least one layer of firewalls in a defense-in-depth architecture breaks the attack path from the Internet to critical systems.

Unidirectional Security Gateways Benefits:

Safe, continuous monitoring of critical systems.

Disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities

Simplifies audits, change reviews, and system documentation
Protects product quality, personnel safety, rotating equipment, and the environment.

Replaces at least one layer of firewalls in a defense-in-depth architecture thereby breaking the chain of infection and preventing pivoting attacks

NIS2 and the Cyber Resilience Act (CRA) – Episode 142

August 18, 2025

SCADA Security Fundamentals

August 14, 2025

What is OT Network Monitoring?

August 14, 2025

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Cybersecurity For Detroit Water appeared first on Waterfall Security Solutions.

Securing Digital Water Treatment Plants

Waterfall team — Sat, 08 Apr 2017 08:11:00 +0000

OT Insights Center Water & WastewaterSecuring Digital Water Treatment Plants

Securing Digital Water Treatment Plants

Protecting Water Utilities From Evolving Cyber Threats

Customer/ Partner:

Detroit Water and Sewerage Department.

Customer Requirement:

Water and Wastewater Plant in North America.

Waterfall’s Unidirectional Solution:

Water Processing Modernisation And Containing Remote Cyber Threats

Water utilities have embraced industrial digitization to enhance the efficiency of treatment plant operations. Critical goals such as keeping a consistent supply of raw water, eliminating contaminants, and maintaining supply of finished water, are more easily achieved when leveraging technology enabling real-time visibility into plant operations. Industrial digitization offers a multitude of benefits including preserving water chemistry, efficient storage processes, and efficient distribution methods. However, the increased digitization of water production also leads to an increase in cybersecurity vulnerabilities potentially leading to a loss of control of connected devices that regulate water quality, plant production and consumer safety.

The challenge

To secure the safe, reliable and continuous operation of water and wastewater process control system networks from threats emanating from less trusted external networks, yet still provide real-time access to operations data for the corporate network. Hydraulic analysis applications reside on the enterprise network as they require access to GIS information and applications describing the water system, yet must receive real-time reservoir levels, pressures and pump status indications from the operational network. Equipment status information, 5-minute sewer billing information and other readings must also be pushed from the operational network to the enterprise network.

Waterfall solution

A Waterfall Unidirectional Gateway installed between the industrial control system (ICS) and the enterprise network replicates an OSIsoft PI server from the ICS to the enterprise network where enterprise clients interact normally and bi-directionally with the replica. An additional connector replicates a file server for routine file transfers to the enterprise network, eliminating routine use of USB drives and other removable media.

Results & benefits

100 % Security: The industrial network is now physically protected from threats emanating from external, less-trusted networks.

100% Visibility: The enterprise network continues to operate as if nothing has changed. Instead of accessing servers on the critical operational network, users on the external network now access real-time data from replicated servers for all informational and analytical requirements.

100% Compliance: Unidirectional Gateways facilitate compliance with AWWA standards, as well as other North American and global industrial cyber security standards and regulations.

Theory of Operation

Waterfall Security is the market leader in Unidirectional Gateway technology with installations at critical infrastructure sites across the globe. The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by many leading industry standards bodies such as AWWA, NIST, ANSSI, the IEC, the US DHS, ENISA and may more.

Global Cybersecurity Standards Are Recommending Unidirectional Security Gateways

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to control systems and industrial control networks from attacks emanating from external less-trusted networks. Unidirectional Gateways contain both hardware and software components. The hardware components include a TX Module, containing a fiber-optic transmitter/laser, and an RX Module, containing an optical receiver, but no laser. The gateway hardware can transmit information from an industrial network to an external network, but is physically incapable of propagating any virus, DOS attack, human error or any cyber attack at all back into the protected industrial network. The Gateways enable vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. Unidirectional Gateways replicate servers, emulate industrial devices and translate industrial data to cloud formats. As a result, Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that accompany firewall deployments.

Unidirectional Security Gateways Benefits:

Safe, continuous monitoring of critical systems

Protects product quality, safety of personnel, property and the environment

Simplifies audits, change reviews, and security system documentation

Disciplined, on-demand and scheduled updates of plant systems, without introducing firewall vulnerabilities

Replaces at least one layer of firewalls in a defense-in-depth architecture thereby breaking the chain of infection and pivoting attacks

Stay up to date

Subscribe to our blog and receive insights straight to your inbox

The post Securing Digital Water Treatment Plants appeared first on Waterfall Security Solutions.

water utilities – Waterfall Security Solutions

Protecting Water Utilities and Wastewater Treatment Plants

Protecting Water Utilities and Wastewater Treatment Plants

Mariano Martin Tirado

Cyber Threats of Water Utilities

Risks for Wastewater Treatment Plants

IT and OT in Water Utilities

Part of a Supply Chain Attack

Keeping Water Infrastructure Secured

About the author

Mariano Martín Tirado

Share

Trending posts

Stay up to date

Tags

Webinar: Engineering Cybersecurity Mitigations for Municipal Water Systems

Webinar: Engineering Cybersecurity Mitigations for Municipal Water Systems

Join our webinar for a look at how municipal water systems are engineered to mitigate cybersecurity threats and risks.

In this webinar, Mariano Martín Tirado, a Tech Leader at Acciona, and Rees Machtemes, Waterfall's Director of Industrial Security – passionate engineers with decades of combined industry experience – discuss:

About the Speakers

Mariano Martín Tirado

Rees Machtemes, P.Eng.

Share

Register Now

Cybersecurity For Detroit Water

Cybersecurity For Detroit Water

Protecting Water Utilities From Evolving Cyber Threats

Customer/ Partner:

Customer Requirement:

Waterfall’s Unidirectional Solution:

Water Processing Modernisation And Containing Remote Cyber Threats

The challenge

Waterfall solution

Results & benefits

Theory of Operation

Unidirectional Security Gateways Benefits:

Share

Trending posts

Stay up to date

Tags

Securing Digital Water Treatment Plants

Securing Digital Water Treatment Plants

Protecting Water Utilities From Evolving Cyber Threats

Customer/ Partner:

Customer Requirement:

Waterfall’s Unidirectional Solution:

Water Processing Modernisation And Containing Remote Cyber Threats

The challenge

Waterfall solution

Results & benefits

Theory of Operation

Unidirectional Security Gateways Benefits:

Share

Trending posts

Stay up to date

Tags