
Securing water utilities: network segmentation and security

Imagine waking up one morning and finding that the water in your home has stopped working not because of a broken pipe, but because a cybercriminal on the other side of the world sent a harmful email to your local water company. One click on that email could allow hackers to disrupt critical systems, affecting services that thousands of people rely on every day. That's how connected and vulnerable our modern infrastructure can be. While this might sound like science fiction, it's becoming an increasingly real threat for water utilities worldwide.


As water treatment plants and distribution systems become more connected to the internet and corporate networks, they face growing water utility cybersecurity risks that could disrupt the clean water we depend on every day.

Network segmentation has emerged as one of the most effective ways to protect water infrastructure from cyberattacks. Think of it as creating secure "neighborhoods" within a utility's computer network - if criminals break into one area, they can't easily move to other critical systems. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) recognizes network segmentation as an essential security control that helps utilities maintain reliable water service while meeting increasingly strict regulatory requirements for water cybersecurity.

What is network segmentation?

At its core, network segmentation divides a flat network into multiple, security-defined zones - often using VLANs, firewalls, or software-defined micro-segmentation. Each zone contains systems with similar trust and performance needs: critical PLCs in one zone, lab systems in another, and business email servers in a third.

To keep it simple, network segmentation is like organizing a hospital into specialized wings with security checkpoints between them. Instead of allowing anyone who enters the building to freely roam from the cafeteria to the operating rooms to the pharmacy, each area has its own access controls and security measures. For water utilities, this means separating everyday office computers (where employees check email and browse the internet) from the specialized industrial systems that actually control pumps, monitor water quality, and manage treatment processes.

This separation is crucial because water utilities operate two very different types of technology systems. Information Technology (IT) systems handle typical business functions like payroll, customer billing, and email - much like what you'd find in any office. Operational Technology (OT) systems are the specialized industrial computers that control the physical processes of water treatment and delivery.

Without proper segmentation, a cyberattack that starts with something as simple as an employee clicking a malicious link could potentially spread to the systems that control your community's water supply, highlighting the critical importance of cybersecurity risk & responsibility in the water sector.

Key elements of network segmentation security

Principle of least privilege

This principle is like giving each employee only the keys they need for their specific job. 

A customer service representative might have access to billing systems but not to the controls that manage chemical dosing in water treatment. By limiting what each person can access, utilities reduce the risk of both accidental mistakes and intentional misuse. This approach aligns with NIST identity and access management principles and is fundamental to effective water utility cybersecurity.

Network zoning

Network zoning divides a utility's systems into distinct security areas based on how critical they are and what they do. 

Following the widely used Purdue Model for industrial systems, water utilities typically organize their networks into zones: Level 0 contains physical equipment like sensors and pumps, Level 1 includes control devices like programmable logic controllers, Level 2 houses monitoring systems like SCADA software, Level 3 manages site-wide operations, and Level 4 handles business systems. This zoning approach follows NIST CSF 2.0 guideline PR.IR-01, creating multiple layers of defense that make it much harder for threats to spread throughout the infrastructure.

Monitoring and risk assessment

Continuous monitoring is like having security cameras throughout your facility that can spot unusual activity before it becomes a major problem. 

Modern monitoring tools can detect strange patterns that might indicate a cyberattack in progress, such as unauthorized attempts to access restricted areas or unusual data transfers between systems. Regular risk assessments help utilities stay ahead of emerging threats and vulnerabilities. This ongoing vigilance aligns with NIST CSF detection and monitoring standards and is essential for comprehensive water and wastewater cybersecurity.

Deny overly permissive rules

This means setting up network access with a "closed by default" approach - only allowing specific, necessary connections rather than leaving doors open "just in case." 

Many utilities discover over time that their networks have accumulated overly broad permissions that create unintended pathways for attackers. By implementing strict "need-to-know" access controls, utilities can significantly strengthen their security according to NIST CSF 2.0 guideline PR.IR-01. 
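The Purdue-style zoning above and the "closed by default" rule review can be expressed as a small policy model. The following is an added example, not Xylem's code or any vendor's tool: the zone names, the allowlist, the port numbers and the sample flow records are all constructed, and the "skips a level" heuristic is one simple interpretation of the adjacent-level traffic pattern the Purdue Model implies.

```python
# Added example: a toy model of Purdue zoning with a default-deny allowlist.
# It flags overly permissive candidate rules and checks observed flows
# (constructed sample records) against the allowlist.
from dataclasses import dataclass

# Purdue levels as described above; higher number = business side.
LEVELS = {"field": 0, "control": 1, "scada": 2, "site_ops": 3, "business": 4}


@dataclass(frozen=True)
class Rule:
    src: str   # zone name, or "any" (wildcard)
    dst: str
    port: str  # e.g. "502" (Modbus/TCP), "443", or "any"


# Explicit allowlist: anything not listed here is denied (closed by default).
ALLOW = [
    Rule("scada", "control", "502"),
    Rule("site_ops", "scada", "443"),
    Rule("business", "site_ops", "443"),
]


def is_allowed(src, dst, port, rules=ALLOW):
    """Default deny: a flow passes only if some rule matches it (exactly or via 'any')."""
    return any(
        r.src in ("any", src) and r.dst in ("any", dst) and r.port in ("any", port)
        for r in rules
    )


def overly_permissive(rule):
    """Reasons a candidate rule is too broad for the zoning model (empty list = fine)."""
    reasons = []
    if "any" in (rule.src, rule.dst):
        reasons.append("wildcard zone")
    if rule.port == "any":
        reasons.append("wildcard port")
    if rule.src in LEVELS and rule.dst in LEVELS:
        gap = abs(LEVELS[rule.src] - LEVELS[rule.dst])
        if gap > 1:  # traffic should pass through adjacent levels, not jump over them
            reasons.append(f"skips {gap - 1} Purdue level(s)")
    return reasons


def audit(rules):
    """Map each problematic rule to its reasons; an empty dict means the ruleset is clean."""
    return {r: overly_permissive(r) for r in rules if overly_permissive(r)}


# Constructed flow log: (src_zone, dst_zone, port) as a monitoring tool might export it.
SAMPLE_FLOWS = [
    ("scada", "control", "502"),
    ("business", "control", "502"),   # office host talking directly to a PLC
    ("business", "site_ops", "443"),
]


def denied_flows(flows, rules=ALLOW):
    """Flows that no rule permits; these are the ones worth alerting on."""
    return [f for f in flows if not is_allowed(*f, rules=rules)]
```

Running `audit` over a proposed ruleset before it is deployed, and `denied_flows` over exported flow records, gives a repeatable check for the "accumulated overly broad permissions" the text warns about.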

Incident response planning

When a cybersecurity incident occurs, effective response planning focuses on quickly isolating the affected areas while keeping essential services running in unaffected zones. This is like having a plan to shut off water to one neighborhood if there's a pipe break, while maintaining service to the rest of the community. 

Good incident response plans include predetermined procedures for disconnecting compromised network segments and switching to backup systems when necessary, following NIST CSF incident response standards. Xylem recommends segmentation and strong backups as the backbone of effective incident response.

Dynamic segmentation

Dynamic segmentation allows utilities to adjust their network security in real-time based on changing threats or operational needs. 

Think of an old hotel: there's one master key shape and a lot of trust. Once you're past the front desk, the building is fairly open. That's static. A modern hotel gives you a keycard instead, and the same physical doors behave completely differently depending on the card:

  • Your card opens your room and no one else's.
  • It opens the gym, but only between 6am and 10pm.
  • It opens the executive lounge only if you booked a suite.
  • The instant you check out, the card opens nothing — without anyone changing a single lock, supporting NIST CSF 2.0 guideline PR.IR-03.
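The keycard behaviour above maps directly onto a per-request policy decision. The following is an added example, not Xylem's code: a toy policy engine in which access to a network zone is decided from the requester's attributes, the hour of the day and revocation state, so the same zones answer differently to each card and "checkout" closes every door without editing a single policy. The roles, attributes, zone names and time window are constructed.

```python
# Added example: dynamic (attribute- and time-based) zone access with default deny.
from dataclasses import dataclass, field


@dataclass
class Card:
    holder: str
    role: str                      # e.g. "operator", "vendor", "billing"
    active: bool = True            # flipped to False at "checkout" (offboarding)
    attrs: set = field(default_factory=set)


def _scada_rule(card, hour):
    # Operators always; a vendor only with an open maintenance ticket, 6am-10pm.
    return card.role == "operator" or (
        "maintenance_ticket" in card.attrs and 6 <= hour < 22
    )


# zone -> predicate(card, hour); zones not listed here are never reachable.
POLICY = {
    "billing": lambda card, hour: card.role in ("billing", "operator"),
    "scada": _scada_rule,
    "control": lambda card, hour: card.role == "operator" and "plc_trained" in card.attrs,
}


def may_access(card, zone, hour):
    """Default deny: a revoked card or an unknown zone is always refused."""
    if not card.active or zone not in POLICY:
        return False
    return POLICY[zone](card, hour)


def open_zones(card, hour):
    """Which 'doors' this card opens right now."""
    return sorted(z for z in POLICY if may_access(card, z, hour))


def revoke(card):
    """Checkout: one state change closes every zone; no policy is touched."""
    card.active = False
    return card
```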

Implementing network segmentation practices

Successful segmentation depends as much on governance as on technology.

The foundation of any segmentation strategy lies in strong password management, careful user access controls, and robust authentication systems that work together across both everyday business systems and specialized industrial equipment. Start with a risk assessment to discover assets, data flows, and compliance requirements. Then make sure to create policies for:

Changing default passwords

Most industrial equipment comes from the factory with standard usernames and passwords that are the same across thousands of devices worldwide - and these default credentials are often published online where attackers can easily find them. 

It's like every house in a neighborhood having the same key hidden under the welcome mat. 

Water utilities must immediately change these default passwords on all new equipment before connecting it to their networks. This simple but critical step, aligned with NIST CSF guideline PR.AA-01 and industry standards like NIST SP 800-53 IA-5, can prevent attackers from easily accessing critical systems.

Minimum password strength

Strong passwords act as the first line of defense against brute-force attacks, where criminals use computer programs to rapidly guess millions of password combinations. 

For critical water infrastructure, utilities should require passwords of at least 12-14 characters that include a mix of letters, numbers, and special characters. While this might seem inconvenient, modern password managers can help staff handle complex passwords securely. This approach helps ensure that even if attackers target password-protected systems, they'll face a computationally difficult challenge.

Unique credentials

Every person should have their own individual username and password - never shared accounts. 

Shared passwords are like having multiple people use the same car keys; if something goes wrong, you can't tell who was driving. Individual credentials enable utilities to track who did what and when, which is essential for both security monitoring and incident investigation. Utilities should implement identity management systems that provide unique access credentials for each employee across all systems.

Revoking credentials for departing employees

Even a segmented network is vulnerable if ex-employees still have access. 

When employees leave, their access to all systems must be removed immediately - not just their email account. This includes access to shared systems, service accounts, and any physical access cards or keys. The departure process should be coordinated between human resources, IT, and operational technology departments to ensure no access points are overlooked. Utilities should have automated systems that can quickly disable accounts across multiple platforms while maintaining detailed records for security auditing.

Separating user and privileged accounts

Regular employees should have standard accounts for their daily work, while system administrators use separate, more powerful accounts only when performing administrative tasks. No one should browse the internet or check email using an administrator account, as this creates unnecessary security risks. Modern identity management systems can provide temporary elevated access when needed, then automatically remove it afterward.

Phishing-resistant multifactor authentication (MFA)

Traditional multifactor authentication that relies on text messages or mobile apps can be compromised by sophisticated attackers through phishing or SIM-swapping attacks. 

Phishing-resistant MFA methods, like hardware security keys, smart cards, or biometric authentication, provide stronger protection because they use cryptographic methods that can't be easily intercepted or faked. 

For water utilities, this enhanced security is particularly important for privileged accounts that can access critical operational systems. Utilities should prioritize implementing phishing-resistant MFA for their most sensitive systems, then gradually expand coverage as technology and operational procedures allow. This comprehensive approach to authentication strengthens overall water cybersecurity posture.

By implementing these practices according to NIST CSF standards, utilities not only enhance their cybersecurity stance but also demonstrate to regulators, customers, and stakeholders that they're taking proactive steps to protect one of society's most essential services.

The bottom line

Network segmentation represents a fundamental shift from the old approach of relying solely on perimeter security - like having just one fence around an entire facility. Modern cyber threats require a more sophisticated "defense in depth" strategy that creates multiple security barriers throughout the infrastructure. 

For water utilities, effective network segmentation combined with strong credential management, continuous monitoring, and robust access controls creates a comprehensive security framework that protects both business operations and the critical infrastructure that communities depend on. Understanding cybersecurity risk & responsibility in the water sector is essential for maintaining public trust and regulatory compliance. 

Learn more by exploring the NCCoE practice guide and Xylem’s latest cyber-readiness resources.