In late 2023, federal agencies issued a joint advisory after Iranian-affiliated attackers exploited internet-exposed water utility control systems across multiple states. The CISA advisory on these intrusions noted that attackers reached Programmable Logic Controllers (PLCs, the small industrial computers that run pumps, valves, and treatment processes) through weakly protected internet-facing interfaces. In some cases the attackers changed HMI (human-machine interface) displays. In every case, the utilities were caught off guard because the gap between their business network and their operational network was not what they thought it was.
Water utilities and the engineering firms that support them have been hearing “segment your network” for years. The advice is not new. What has changed is the urgency. The threat environment has escalated, the regulatory expectations have sharpened, and audit reviewers are asking specific questions about segmentation that a generic “we have a firewall” answer no longer satisfies.
The Problem: Flat Networks Are Still the Norm
At smaller utilities, and at many mid-size ones, the network topology looks something like this in practice:
- A single VLAN (virtual LAN, a logical network segment) covers the admin building, the billing office, and the treatment plant control room
- SCADA servers, historian databases, and HMI workstations share IP address space with payroll and email
- Remote sites (pump stations, tanks, booster stations) connect back to the central network with a VPN or cellular modem that drops into the same flat environment
- Vendor laptops plug into the same network for SCADA software updates and for patching office PCs
- The firewall at the internet edge is well-configured. The firewall between business and OT is either absent or passing everything
This is what “flat” means in network terms: systems with no business talking to each other are technically able to reach each other. A phishing click that compromises a billing clerk’s PC has a clear path to a PLC.
AWIA Risk and Resilience Assessments have to identify this kind of exposure. The EPA’s Baseline Information on Malevolent Acts for Community Water Systems explicitly addresses cyber threats to automated systems. The AWWA’s widely-used Cybersecurity Guidance and Assessment Tool references network segmentation as a foundational control.
If your RRA does not address segmentation specifically, you have a gap. If your network does not actually have segmentation, you have a bigger gap.
Why It Matters to You Specifically
For a utility manager or the engineering firm supporting the utility, flat networks create four distinct problems.
Contamination Between Business and Operations
A compromise on the business side reaches operational systems far faster than anyone expects. Ransomware does not politely stop at the OT boundary. If there is no boundary, there is nothing to stop.
Audit Exposure
An auditor asking about network segmentation expects to hear about specific controls: dedicated OT firewalls, data diodes or unidirectional gateways where appropriate, documented traffic policies, logging of cross-boundary access. “We run everything through one Sonicwall” is not an audit answer.
Incident Response Complication
During a cyber incident, the response team has to isolate affected systems. When systems are all on one network, “isolation” means shutting down everything. In a properly segmented environment, the operational side can keep running while the business side is contained. This is the difference between an inconvenience and a public health incident.
Insurance and Rating Implications
Cyber insurance underwriters now ask explicit questions about OT network segmentation. So do the financial ratings agencies reviewing municipal bond issuances for utility capital projects. Lack of segmentation shows up in underwriting pricing and in bond rating narratives.
What Good Looks Like
Proper segmentation for a water utility follows the Purdue Enterprise Reference Architecture (as adapted in NIST SP 800-82 for industrial control systems). The full model is detailed, but the practical implementation for a water utility covers several layers.
A Real Boundary Between Business and Operations
Level 3 (operations management) and higher should be separated from Level 4 (corporate IT) by a dedicated firewall with explicit allow rules. Not deny rules. Explicit allow. Anything not specifically permitted is denied by default. Cross-boundary traffic is logged and reviewed.
This is often implemented as a DMZ between the two sides: a small, controlled network where systems that must exchange data (like historian-to-business reporting) live, with firewalls on both sides and no direct business-to-OT traffic at all.
Separate Infrastructure for OT
Switches, wireless access points, and servers that support operations should not be shared with business infrastructure. The domain controller on the operations side should be operations-only. The update server on the operations side should be operations-only. Physical and logical separation reduces the shared risk surface.
Remote Access Through a Controlled Gateway
Vendor access to SCADA systems should happen through a jump host or a zero trust network access platform, not a general VPN that drops the vendor onto the operational network. Session recording and just-in-time credential issuance are realistic and widely available.
Monitoring at Every Boundary
Traffic crossing the IT/OT boundary and traffic between OT zones should be logged and monitored. The CISA Industrial Control Systems joint advisories describe multiple incidents where earlier detection of anomalous cross-boundary traffic would have limited the damage.
Remote Site Connectivity Handled Properly
Pump stations, tanks, and distribution sites connected via cellular modems or radios need dedicated VPN terminations into the OT side, not into general-purpose corporate infrastructure. Cellular gateways at remote sites are a common entry point for attackers. Those devices need hardening and firmware discipline like any other critical asset.
Documented Network Diagrams
An accurate, current network diagram is the first evidence of proper segmentation. If your diagram is two years old or was drawn by someone who left the utility, it is functionally useless. Keeping the diagram current is part of the work.
Practical Takeaways
If you are responsible for a water utility’s IT/OT environment or you are supporting one through an engineering engagement, these are the priority items:
- Validate the current state. Walk the actual network. Traffic captures, switch port reviews, and firewall rule audits often reveal that the segmentation people believe exists does not. Start with ground truth.
- Separate at the control layer first. Even if a full Purdue model is a long-term goal, a hardened boundary between business and OT can be implemented in most utilities in a matter of weeks, not years. This is the highest-impact first step.
- Remote access is often the worst exposure. Review every path into the OT network from outside the utility. Vendor VPNs, remote worker VPNs, cellular backhauls, and older dial-up modems (they still exist at some sites) all need evaluation.
- Document segmentation in the RRA. Whether the utility is just starting segmentation work or has mature controls, the AWIA Risk and Resilience Assessment should describe what segmentation looks like, what traffic crosses boundaries, and what monitoring is in place.
Segmentation is not a one-time project. It is a control that needs maintenance as new systems are added, vendors change, and business requirements evolve. A utility with documented segmentation and a maintenance process has something to show an auditor, an insurer, or a regulator. A utility without those things has questions it cannot answer.
If you want a conversation about assessing or improving segmentation at a water utility or with a utility client, the HVR Cloud team works on exactly this. Get in touch and we can talk through where to start.
