Behind the gate, many private utilities feel isolated from the noise. But these days, there’s no such thing as offline infrastructure. If your facility uses SCADA, telemetry, or cloud-based operations, it’s exposed.
The modern attack surface is a footprint: a facility, a network. And decentralized wastewater facilities often have larger footprints than they think.
At IWS, we work with private utilities that prioritize resilience. That includes operational uptime, environmental compliance, and increasingly, cybersecurity. Because the same system that lets your operator check tank levels from home also creates a potential vector for ransomware, phishing, or brute-force attacks.
A decentralized treatment plant, whether it serves a luxury resort, a residential development, or a large industrial user, faces a very different cyber risk profile than a large city utility. Consider:
What’s worse, because decentralized facilities are often out of sight and out of mind, attackers can remain undetected for days. That’s more than enough time to disrupt operations or exfiltrate data.
Further, private utilities may fall into the trap of overlooking simple cybersecurity best practices that a city council or other government oversight body would otherwise mandate for municipal facilities. Private utilities are, to a greater degree, on their own. But that doesn’t make this topic any less urgent.
When it comes to cybersecurity, there’s often too much emphasis on novelty and not enough on the fundamentals. At IWS, we’ve seen firsthand that what protects a small utility is actually thoughtful architecture and operational discipline.
Below, we break down the core principles that drive resilient system design.
Keep Your Networks Separate and Your Risks Contained
Many smaller facilities fall into the trap of convenience: a single network handles office admin work, operator logins, and real-time control signals. But what’s convenient in the short term creates massive risk down the line.
The reason to isolate SCADA and business networks is simple: attackers don’t usually start in your PLCs. They often start in your inbox. If your SCADA network shares a flat architecture with your email or billing systems, you’re one click away from a disaster.
You don’t always need an air gap, but you do need a clear line in the sand.
That could mean VLANs, segmented switches, dedicated firewalls, or separate wireless infrastructure. Whatever the method, the outcome should be the same: if an attacker gets into one part of your operation, they can’t pivot to the rest.
Remote Access Should Expire on Its Own
Everyone wants to log in remotely, but the moment you create a permanent VPN tunnel, you’ve essentially left a side door propped open. Even if it’s rarely used, that door becomes a liability.
We recommend access that times out by default.
Certificate-based authentication with role-based permissions ensures that people only log in when they truly need to (and only to the systems they’re authorized for). Add logging and session monitoring to that setup, and you’ll catch unauthorized behavior before it escalates. This is table stakes now for any system with remote telemetry or outsourced operations.
Harden Every Device Like It Matters, Because It Does
It’s easy to assume that attacks will target your servers or your VPN. But in reality, the entry point is often something simpler: a telemetry unit with default credentials. A field cabinet with a USB port left open. A firmware version that hasn’t been patched in two years.
Security at the device level is about reducing exposure at every touchpoint. We’re talking about turning off unused services when you can. Changing factory passwords. Locking cabinets and adding tamper switches. These actions might feel like overkill until they aren’t.
In remote facilities, device-level hardening is often the only thing standing between a bad actor and full control of your system.
Don’t Give People Access They Don’t Need
It’s easy to imagine short-staffed plants where any Windows login in the building could control pumps. Not because anyone is necessarily careless, but because no one had time to think through permissions. That can’t happen.
The least-privilege model asks a simple question: what is the minimum access someone needs to do their job well? Field techs may only need read-only views. Managers may only need monitoring dashboards. Restricting write access is an insurance policy.
This kind of access discipline protects you from both internal errors and stolen credentials. If someone’s login is compromised but their account is limited, your system remains intact.
Your SCADA System Can Spot Trouble (If You Let It)
Your control system knows what “normal” looks like. It knows the usual polling patterns, IP addresses, and login times. When something feels off, it often is.
Instead of relying solely on IT software to detect anomalies, we suggest treating SCADA itself as a source of intelligence. Configure your platform to flag off-hours login attempts, unexpected sources of data requests, or strange spikes in polling frequency. These are often the first hints that someone’s poking around who shouldn’t be.
You just need a few basic alert thresholds and someone assigned to pay attention.
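The three signals named above (off-hours logins, unexpected request sources, polling spikes) can be checked with a few thresholds over an exported event log. The following is an added example, not IWS code or any SCADA vendor's API; the log format, addresses, working hours and poll limit are assumptions to replace with your own baseline.

```python
from collections import Counter
from datetime import datetime

# Assumed site baseline (hypothetical values; tune to your own plant).
ALLOWED_SOURCES = {"10.20.0.5", "10.20.0.6"}   # SCADA server and historian
WORK_HOURS = range(6, 19)                      # 06:00-18:59 local time
MAX_POLLS_PER_MIN = 12                         # per source, per target device

# Constructed sample events, one per line: "timestamp kind source target"
SAMPLE_LOG = """\
2024-03-04T09:15:02 LOGIN 10.20.0.5 hmi1
2024-03-04T02:41:10 LOGIN 10.20.0.5 hmi1
2024-03-04T10:00:01 POLL 10.20.0.6 plc1
2024-03-04T10:00:30 POLL 192.168.1.77 plc1
""" + "".join(f"2024-03-04T11:30:{s:02d} POLL 10.20.0.6 plc2\n" for s in range(0, 60, 3))

def detect(log_text):
    """Return (alert_kind, time, source, target) tuples for the three signals."""
    alerts, polls = [], Counter()
    for line in log_text.splitlines():
        try:
            ts, kind, src, target = line.split()
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # malformed line: skip rather than crash the monitor
        if src not in ALLOWED_SOURCES:
            alerts.append(("unexpected_source", ts, src, target))
        if kind == "LOGIN" and when.hour not in WORK_HOURS:
            alerts.append(("off_hours_login", ts, src, target))
        if kind == "POLL":
            # Bucket polls per minute so a burst stands out from steady polling.
            polls[(when.strftime("%Y-%m-%dT%H:%M"), src, target)] += 1
    for (minute, src, target), count in sorted(polls.items()):
        if count > MAX_POLLS_PER_MIN:
            alerts.append(("polling_spike", minute, src, target))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Route the returned alerts to whoever is assigned to watch them; the thresholds only help if someone reviews what they flag.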
Recovery Is a Mindset
The truth is, breaches happen. Someone clicks the wrong link. A vendor’s laptop gets compromised. When that moment comes, your success depends on how well you’ve prepared.
Recovery planning starts with good backups: your control logic, historical data, and configurations should be saved in multiple locations, including at least one offline. But that’s only step one.
You also need a playbook. Who restores the PLCs? Where is the clean copy stored? How long does it take to bring the system back online? We recommend regular tabletop exercises, because no one wants to read their first incident response plan while the system is down.
The next threat to your utility may not come from a broken blower or a tank leak. It may come through a login portal, an open port, or a forgotten credential.
Cybersecurity isn’t an abstract risk. It’s an operational reality. And for private utilities with permit obligations and 24/7 treatment demands, the stakes are high.
You don’t need to be a cybersecurity expert. But you do need to act like your infrastructure is a target. Because it is.
If you’re building a new facility, retrofitting an old one, or looking to integrate SCADA with peace of mind, we’re here to help you design systems that are secure by default and resilient by design.
Here’s a practical 10-point checklist for private utilities to strengthen their cybersecurity posture over the next 90 days. This is designed for operators of decentralized water and wastewater treatment systems, whether you’re running an MBR plant, industrial pretreatment system, or remote telemetry network.
1. Change All Default Passwords
Audit every device, controller, and interface, especially SCADA systems, routers, and HMIs. Change default login credentials, and eliminate shared usernames.
Use strong, unique passwords or passphrases for each login. Better yet, adopt a password manager.
2. Implement Role-Based Access
Give staff and vendors access only to the systems they need. Don’t let a chemical delivery vendor have remote access to your PLC. Don’t let seasonal maintenance techs retain login privileges all year.
Use tiered permission levels: operator, supervisor, integrator, admin.
3. Install a Firewall (and Segment Your Network)
Place your control systems behind a hardware firewall—and separate them from the business/office network. This is foundational.
Flat networks are easy targets. Segmented networks are firebreaks for attackers.
4. Create a Vendor Access Policy
Document how and when third parties can access your system remotely. Require temporary VPN credentials, scheduled access windows, and a central access log. No more “set-it-and-forget-it” vendor VPN tunnels.
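A vendor access policy like this, together with the earlier advice that remote access should expire on its own, can be audited by comparing the central access log against the documented grants. This is an added example, not IWS code; the vendor names, system names, record layout and dates are constructed for illustration.

```python
from datetime import datetime

# Constructed grants: each vendor credential has a scope and a scheduled window.
GRANTS = {
    "integrator-a": {"systems": {"scada-srv"},
                     "start": "2024-03-04T08:00", "end": "2024-03-04T12:00"},
    "chem-vendor":  {"systems": {"dosing-portal"},
                     "start": "2024-03-01T00:00", "end": None},  # never expires
}

# Constructed central access log entries: (vendor, system, login time)
ACCESS_LOG = [
    ("integrator-a", "scada-srv", "2024-03-04T09:30"),
    ("integrator-a", "scada-srv", "2024-03-05T22:10"),
    ("chem-vendor", "plc1", "2024-03-04T10:00"),
    ("old-contractor", "scada-srv", "2024-03-04T11:00"),
]

def audit(grants, access_log):
    """Return (finding, vendor, login_time) tuples for policy violations."""
    findings = []
    # Standing credentials are a finding even if nobody has used them yet.
    for vendor, grant in sorted(grants.items()):
        if grant["end"] is None:
            findings.append(("standing_access", vendor, None))
    for vendor, system, ts in access_log:
        grant = grants.get(vendor)
        if grant is None:
            findings.append(("no_grant", vendor, ts))
            continue
        if system not in grant["systems"]:
            findings.append(("out_of_scope", vendor, ts))
        when = datetime.fromisoformat(ts)
        start = datetime.fromisoformat(grant["start"])
        end = datetime.fromisoformat(grant["end"]) if grant["end"] else None
        if when < start or (end is not None and when > end):
            findings.append(("outside_window", vendor, ts))
    return findings

if __name__ == "__main__":
    for finding in audit(GRANTS, ACCESS_LOG):
        print(finding)
```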
5. Update SCADA and PLC Firmware
Outdated firmware is a known vulnerability. Contact your OEM or system integrator to confirm current versions and apply any security patches.
Schedule this as part of routine preventive maintenance.
6. Back Up Your Configurations—Offline
Back up your PLC programs, SCADA configuration, and site-specific parameters to an external drive stored offsite.
Cloud backups are good. Offline backups are better.
7. Conduct a Tabletop Cyber Drill
Run a one-hour mock scenario with your team: “What happens if our SCADA interface goes dark?” Walk through who gets called, what systems are affected, and what fallback plans exist.
Even simple drills build resilience and highlight blind spots.
8. Lock Down USB Ports
Disable USB ports on HMIs and operator workstations, or require admin permission to use them.
USBs are a leading infection vector in industrial systems.
9. Create a Cyber Incident Response Plan
You don’t need a 40-page policy—but you do need a one-page cheat sheet:
Print it. Post it. Test it.
10. Schedule a SCADA Security Assessment
Bring in a third party (or your system integrator) to evaluate your system architecture, identify vulnerabilities, and prioritize upgrades.
Ask about air-gapping, intrusion detection, and patch management schedules.