In recent years, cyberattacks on U.S. wastewater facilities have highlighted just how vulnerable operational technology can be. In early 2024, multiple Texas cities saw their SCADA systems accessed remotely by attackers, even causing a water tank to overflow before staff regained control. A similar incident in Tipton, Indiana forced operators to switch to manual operations after irregular activity was detected on plant systems. These events highlighted the risks of connecting treatment infrastructure to enterprise or internet-facing networks and reinforced why this utility could not compromise on keeping its OT systems air-gapped.
Where Security and Visibility Collide
Understanding Historian Data
An AVEVA Historian is a specialized industrial database designed to capture and store high-volume, time-series data from OT systems such as sensors, controllers, and SCADA platforms. At the facility level, a local Historian records process data (the raw operational information generated by industrial control systems and sensors) for operators, ensuring they can monitor equipment and treatment activity in real time.
A tier 1 enterprise Historian serves a different role: it aggregates Historian feeds from multiple facilities, giving enterprise teams a consolidated view for reporting, analytics, and planning. The challenge arises when data needs to move from these local Historians to the enterprise level without opening a pathway back into critical OT systems.
The Challenge of Secure Data Sharing
At one of its facilities, the utility needed to forward data from a local AVEVA Historian to a tier 1 Historian on its enterprise network. This data was vital for enterprise-level monitoring and reporting, but the enterprise network’s internet connectivity made direct integration unsafe.
Keeping OT systems isolated was essential, since any pathway back into the control environment could provide a vector for attack. At the same time, leaving Historians isolated limited the organization’s ability to share insights across locations and improve efficiency. The challenge was to achieve both objectives: maintain strict separation while enabling real-time visibility.
Firewalls and other software-based tools were not enough. They could not guarantee one-way communication, required ongoing maintenance, and still left critical assets exposed to risk. Thus, the organization needed a solution that would enforce physical isolation while allowing essential data to move outward.
Creating a Secure Path for Real-Time Data
The utility turned to OPSWAT and deployed MetaDefender Optical Diode (Fend) together with the eRIS software platform. eRIS is a data management and reporting tool commonly used in the water sector to translate and deliver Historian data securely, making it a natural fit for this deployment.
MetaDefender Optical Diode (Fend) is a hardware-enforced cybersecurity device that uses optical isolation to guarantee one-way communication. By design, it physically blocks any inbound traffic to prevent remote access or malware infiltration, and its built-in protections against denial of service, tampering, and power fluctuations help ensure that Historian data continues flowing reliably even under stress.
Here is how the deployment worked:
- eRIS installation: eRIS software was installed as a Windows service on the existing OT AVEVA server, translating Historian data into a unidirectional format.
- Optical isolation: Data then traveled securely through the MetaDefender Optical Diode (Fend), which enforced one-way transfer with hardware-level optical isolation.
- Protocol support: The device natively supports both standard IT protocols such as FTP, SFTP, TCP, and UDP, as well as industrial protocols like Modbus and BACnet, making it well suited for Historian data transfers.
- Enterprise conversion: On the enterprise side, the eRIS Hub converted the information back into AVEVA format and prepared it for ingestion into the tier 1 Historian.
From Manual Delays to Instant Insight
With the new architecture in place, the utility no longer had to choose between visibility and security. Operators at the treatment facility could watch data appear on the enterprise Historian almost instantly, while knowing that nothing could ever flow back into the control environment. What once required careful workarounds (manual collection, delayed reporting) now happened automatically, giving both operations and enterprise teams confidence in the information they used every day.
Key Benefits
Time saved in daily operations: Instead of waiting for data to be manually collected and shared, staff could rely on a steady stream of information ready for analysis.
Peace of mind for security teams: The hardware enforced one-way transfer meant that even if the enterprise network was compromised, OT systems remained untouched.
Better visibility across the organization: Enterprise teams gained the visibility they needed without disrupting or burdening facility staff.
Easy to replicate across facilities: With a simple, low maintenance deployment, the utility could replicate the same model across other facilities whenever needed.
For the first time, the organization could see the full picture of its operations in real time while knowing its most critical systems were still protected by a true air gap.
Building a Future of Secure Water Operations
With secure Historian data transfers now in place, the utility is positioned to expand the same model to other parts of its operations. Additional treatment facilities, pumping stations, and monitoring systems can be integrated into the enterprise network without exposing OT environments to external threats.
The deployment also sets a foundation for adopting new analytics and compliance practices. Enterprise teams can build on reliable, real-time data streams to improve reporting, support predictive maintenance, and respond more quickly to operational changes. At the same time, OT systems remain shielded by hardware-enforced isolation, protecting essential services from the kinds of cyberattacks that have disrupted water and wastewater facilities across the United States.
By combining real-time visibility with uncompromising security, the utility has created an approach that not only meets today’s needs but is also ready for future demands in critical infrastructure protection.
Learn more about how MetaDefender Optical Diode (Fend) can protect your facility while keeping essential systems securely isolated.
