Defending Against Increasing Cybersecurity Threats
Historically, OT security has been a lower priority for water utilities compared to other sectors. However, government intelligence, as reported by the AWWA (American Water Works Association), recently confirmed that water and wastewater sectors have become major targets for foreign government intrusion campaigns, criminal actors, and other threat groups.
To protect drinking water, the US EPA (Environmental Protection Agency) issued an enforcement alert in May 2024, notifying community water systems of cybersecurity vulnerabilities that needed to be addressed. Key concerns included:
- Limited network visibility, making it difficult to detect anomalies in pumps, valves, and chemical treatment processes.
- Weak segmentation between OT and IT environments, increasing the risk of lateral movement by cyber adversaries.
- Unsecured third-party access, which left critical systems vulnerable to threats from compromised external devices.
- The need for cybersecurity solutions that guarantee uninterrupted and safe operations without causing downtime.
Cybersecurity Gaps in Legacy Systems
One of the utility’s biggest challenges was its outdated systems. Legacy OT systems with unpatched vulnerabilities created significant security gaps that malicious actors could exploit. These vulnerabilities not only posed risks of system downtime but could also lead to physical damage in critical systems. The utility recognized that network segmentation and robust access controls were key to mitigating these risks while ensuring continuous operations.
Addressing Insider Threats and Secure Access Controls
Insider threats posed another significant risk through accidental misconfigurations, misuse, or intentional system modifications. Employees and contractors with access to OT environments can unintentionally disrupt operations or, in rare cases, maliciously alter critical systems.
At the same time, secure access must be enforced for both internal personnel and external third-party vendors. Unauthorized access - whether from compromised credentials, excessive admin privileges, or unmanaged remote sessions - can leave critical infrastructure vulnerable.
Documentation and Compliance
Our on-site assessment revealed critical deficiencies in documentation related to installed field equipment, posing significant compliance risks. One of the biggest issues was the lack of an accurate asset inventory and classification, with many organizations still relying on manual, outdated record-keeping methods. Without a structured asset management system, it becomes difficult to track devices, assess cyber risks, and enforce security controls - jeopardizing compliance with NERC CIP, IEC 62443, and NIST 800-82.
Beyond asset management, cyber risk assessments, access control policies, and incident response plans were either incomplete or nonexistent. These gaps left security teams without clear guidelines for managing threats, restricting unauthorized access, or responding to security incidents in a standardized, compliant manner.
Compounding these challenges, inaccuracies in as-built network diagrams hindered the ability to map the current network topology and validate security configurations, increasing the risk of misconfigurations and security lapses.
Securing Water Operations with MetaDefender OT & CPS Platform
When our client experienced a series of cyber incidents targeting their SCADA systems, their CISO knew they needed a more robust approach to securing their water infrastructure.
Every night, I worried about what might happen if someone gained control of our treatment processes. With responsibility for providing safe water to over 2.5 million residents, the stakes couldn't be higher.
Anonymous CISO
After evaluating several industrial cybersecurity solutions, the utility selected OPSWAT's MetaDefender for OT & CPS Protection, including MetaDefender OT Security, MetaDefender Industrial Firewall, MetaDefender OT Access, and MetaDefender Optical Diode, for their ability to meet the specific needs of the water industry.
Detection and Patching
MetaDefender OT Security continuously scanned OT networks to detect unauthorized devices, anomalous activities, and potential threats. Additionally, it assessed patching status across OT assets, identifying outdated firmware and unpatched vulnerabilities that could be exploited, ensuring critical systems remained up to date and resilient against cyber threats.
Prevention
MetaDefender Industrial Firewall enforced strict network segmentation, blocking unauthorized traffic and isolating critical systems to prevent threats. It also delivered protocol filtering specific to key water SCADA protocols like Modbus, DNP3, and IEC 104, ensuring that only valid traffic could access operational systems.
Access Control
MetaDefender OT Access enabled time-limited, policy-enforced remote access and provided a complete audit trail of every access session, enabling comprehensive oversight and quick incident response.
Security Gateway
MetaDefender Optical Diode ensured unidirectional data flow - meaning data can only travel in one direction, from one network to another, without allowing reverse communication. It essentially acted as a "data gatekeeper" between two systems, separating the networks without exposing the more vulnerable OT systems to external threats.
Our frontline OT solutions provided comprehensive protocol support, including DNP3 (Distributed Network Protocol 3), ensuring seamless protection of treatment and distribution systems. The utility also gained full visibility across all pumping stations and field devices, such as treatment plants, enabling precise segmentation into zones and conduits for granular communication control. Additionally, OPSWAT delivered secure pathways for vendor access, allowing maintenance activities to be performed without exposing critical infrastructure to unauthorized access or potential cyber threats. Our implementation team worked closely with plant operators to deploy the solution without disrupting critical operations, creating a security architecture that protected both legacy systems and newer digital infrastructure. This phased approach allowed the utility to strengthen its defenses while maintaining uninterrupted water service to its communities.
Remote access was our biggest security gap. With MetaDefender for OT & CPS Protection, we gained secure, policy-based control over all remote connections—closing a major attack vector and strengthening our overall cybersecurity posture.
Anonymous CISO
Beyond Security: Operational Benefits and Energy Savings
While cybersecurity was the primary motivation, the utility discovered additional operational benefits. The comprehensive visibility into their control systems helped identify inefficiencies in their pumping operations, leading to energy savings of approximately 14% across their distribution network.
We implemented MetaDefender to protect our water systems, but the operational insights it provided helped us optimize our processes as well. Now we can see exactly how our systems are performing and make adjustments that improve both security and efficiency.
Anonymous CISO
Meeting Regulatory Requirements
As federal and state regulations for water security continue to evolve, the MetaDefender implementation positioned the county’s water utility for compliance with minimal additional effort.
Thanks to MetaDefender for OT & CPS Protection, we readily met the new EPA cybersecurity guidelines for water systems. Its comprehensive documentation and visibility simplified our compliance reporting.
Anonymous CISO
Results: Enhanced Security and Operational Continuity
By adopting OPSWAT’s solutions, the utility achieved several key results:
Cost-Effective Protection with Scalable Pricing
Unlike traditional point solutions that require costly individual pricing for each security need, OPSWAT’s platform offers enterprise-grade protection with scalable pricing.
Broad Protocol Support for Seamless Integration
Many cybersecurity solutions offer limited compatibility with industrial protocols, forcing utilities to rely on third-party integrations. In contrast, MetaDefender for OT & CPS Protection supports all major OT protocols, including Modbus, DNP3, and IEC 104, ensuring seamless security implementation across the utility’s diverse infrastructure.
User-Friendly, OT-Focused Design
Traditional IT security tools often lack usability in OT environments, making them difficult for operational teams to manage effectively. MetaDefender OT solutions are specifically designed for OT users, featuring intuitive controls and automation that empower engineers, plant operators, and cybersecurity teams to easily monitor and secure their critical infrastructure.
Stronger Security, Zero Operational Disruptions
Complete OT Asset Visibility
Security teams gained full real-time insights into all connected devices and network activity.
Proactive Threat Detection
An attempted contractor laptop intrusion was flagged and prevented, averting potential service disruptions.
Automated Security Management
Advanced reporting and monitoring reduced manual effort while enhancing regulatory compliance.
Future-Proof Cybersecurity
The utility is now equipped to combat evolving cyber threats while maintaining continuous, secure water operations.
The ability to achieve network segmentation, secure data transfer, real-time visibility, and secure remote access without relying on third-party integrations has been invaluable. It's a complete OT security suite, and it's given us the protection and continuity we needed without any headaches.
Anonymous CISO
Conclusion
The implementation of OPSWAT’s MetaDefender OT & CPS Protection Solutions has allowed this water utility to close critical security gaps, ensuring the protection of essential OT systems, while maintaining uninterrupted services for millions of residents. With real-time visibility, granular network segmentation, and secured remote access, the utility has significantly strengthened its defenses against both internal and external cyberthreats—without relying on third-party integrations.
Unlike other solutions that require piecemeal security tools from multiple vendors, OPSWAT offers the most extensive suite of OT security solutions available today, covering every layer of industrial cybersecurity. Designed for seamless deployment, OPSWAT solutions work in unison to fortify critical infrastructure, providing unmatched protection, compliance, and operational continuity.
To learn more about how MetaDefender for OT & CPS Protection can protect your critical infrastructure, reach out to an OPSWAT expert today.