Water SCADA & Cybersecurity — OT Protection & EPA AWIA Compliance AI Monitoring

By Grace on June 20, 2026


The water utility operations director manages a paradox the boardroom does not see: the same SCADA network that enables real-time treatment control, remote pump station operation, and pressure zone management is also the single largest cybersecurity exposure in the enterprise. Every HMI connected to the OT network, every PLC with a remote access path, every historian that bridges IT and OT — each is a potential entry point for adversaries who have demonstrated both the intent and the capability to manipulate water chemistry setpoints, disable pressure control, and disrupt distribution system operations. In 2024 alone, cyber attacks on North American water and wastewater utilities increased in both significance and number, with seven documented consequential incidents including state-sponsored intrusions that gained direct access to operational HMIs. The EPA's 2024 enforcement alert found that over 70% of inspected water systems were out of compliance with basic SDWA Section 1433 risk and resilience assessment requirements — and the agency has since taken over 100 enforcement actions. The 2025-2026 AWIA recertification cycle is not a paperwork deadline. It is the moment operations directors must demonstrate that cybersecurity is integrated into operational risk management, not treated as an IT compliance exercise conducted separately from plant operations.

70%: Percentage of EPA-inspected water systems found non-compliant with SDWA Section 1433 risk and resilience assessment requirements since September 2023 — driving increased enforcement activity across all system sizes
81%: Percentage of OT cybersecurity assessments that identified poor or missing IT/OT network segmentation — the single most common architectural vulnerability enabling lateral movement from corporate networks to plant floor control systems
51%: Increase in hacktivist ICS/OT attack activity documented in 2025, with water utilities representing the largest single targeted sector — HMI and web-based SCADA interfaces being the most frequently exploited systems
100+: SDWA enforcement actions taken by EPA against community water systems for Section 1433 violations since 2020 — with the agency publicly stating it will increase cybersecurity-focused inspections under its National Enforcement and Compliance Initiative

The Operations Director's Core Problem: SCADA and OT Were Designed for Reliability, Not Security — and the Compliance Clock Is Ticking

Water utility operational technology was engineered over decades with one primary design objective: continuous, reliable process control. PLCs were built to execute ladder logic without interruption. HMIs were designed to display real-time process values to operators. SCADA networks were architected to move data between remote sites and control centres with minimal latency. Cybersecurity was never a design requirement, and retrofitting security onto these systems without disrupting operations is the defining challenge the operations director now faces. The EPA's enforcement posture has shifted from guidance to inspection to action. The AWIA 2025-2026 recertification deadlines — with RRA and ERP submissions due across all system size categories — create a compliance timeline that cannot be met with manual documentation exercises. Adversaries, meanwhile, operate without regulatory calendars. Iranian APT actors exploit internet-exposed PLCs using default credentials. Pro-Russia hacktivists target HMIs with AI-generated propaganda and operational disruption. The operations director needs a cybersecurity approach that is continuous, not periodic — and that generates audit-ready compliance evidence as a byproduct of operational monitoring, not as a separate documentation process.

Four Critical Gaps in Water Utility OT Cybersecurity — and How AI Monitoring Closes Each One
Gap 01: IT/OT Segmentation Is Missing or Incomplete
Eighty-one percent of OT cybersecurity assessments identify poor IT/OT segmentation as a primary vulnerability. In most water utilities, the corporate network and the SCADA control network share connectivity at some layer — a historian that bridges both environments, a remote access VPN used by vendors and engineers, a wireless bridge between a treatment plant and an administration building. Once an adversary gains a foothold in the IT environment through a phishing email or a compromised vendor credential, the absence of OT network segmentation removes the last barrier between the corporate breach and the plant floor. In 73% of all-time incident response cases handled by Dragos, compromised VPN or jump host credentials were the entry point into OT environments.
AI fix: Continuous OT network traffic monitoring detects anomalous east-west movement and lateral scanning — flagging segmentation violations before they become breaches.
Gap 02: Legacy OT Assets Cannot Be Patched on IT Timelines
Water treatment PLCs, pump station RTUs, and distribution system controllers have operational lifetimes measured in decades, not years. A PLC installed in 2005 may still be running the original firmware because a firmware update requires a production shutdown, and the utility cannot interrupt treatment to patch a controller that has no observable symptoms of compromise. This creates a persistent vulnerability window that adversaries actively exploit — the April 2026 joint CISA-EPA advisory documented Iranian APT actors specifically targeting internet-exposed PLCs running unpatched firmware across U.S. critical infrastructure. Dragos reported that 25% of OT vulnerability advisories in 2025 had no patch or mitigation available at time of disclosure, and 52% required alternative mitigations that most utilities did not have deployed.
AI fix: Anomaly-based detection identifies ICS protocol manipulation and unauthorised command sequences without requiring patches — compensating controls for unpatchable assets.
Gap 03: Operational Anomalies and Cyber Incidents Are Indistinguishable
When a pressure setpoint changes unexpectedly, the operations team cannot immediately determine whether the cause is a sensor fault, a control logic error, a configuration drift, or an active adversary manipulating the HMI. Dragos reported that 30% of incident response cases began with unexplained operational issues that asset owners could not diagnose — and 82% of organisations lack clear criteria for when operational anomalies should trigger cyber investigations. In the 2024 Arkansas City water facility incident, operators detected anomalous behaviour but could not determine whether the cause was mechanical or malicious without external forensic support. The absence of integrated OT monitoring that correlates process anomalies with network-level indicators means every anomalous event must be treated as potentially malicious — or worse, dismissed as mechanical when it is not.
AI fix: ML models correlate process data (setpoint changes, flow deviations) with OT network telemetry to distinguish mechanical faults from cyber events automatically.
Gap 04: AWIA Compliance Documentation Is Disconnected From Operational Reality
Most utilities approach AWIA RRA and ERP certification as a documentation exercise conducted every five years — a consultant interviews operators, reviews network diagrams, and produces a binder that sits on a shelf until the next recertification cycle. This approach does not satisfy the EPA's enforcement expectation of continuous cybersecurity risk management. The 2024 enforcement alert explicitly states that EPA inspectors found inadequate RRAs and ERPs because systems failed to include assessments of electronic and automated system security, or failed to demonstrate that cybersecurity strategies were operationally implemented. When an inspector asks to see the evidence that OT monitoring is active, that segmentation controls are verified, and that incident response procedures have been exercised, the binder from 2021 does not answer the question.
AI fix: Continuous compliance monitoring generates AWIA-aligned audit evidence automatically — network segmentation verification, anomaly detection logs, and incident response exercise records — without manual documentation.
OT Network Segmentation · Anomaly Detection · AWIA Compliance Evidence · Unpatchable Asset Protection
Over 70% of EPA-Inspected Water Systems Are Non-Compliant. The 2025-2026 AWIA Recertification Cycle Is Not a Paperwork Deadline — It Is an Operational Mandate.
iFactory's AI-powered OT monitoring platform gives operations directors continuous visibility into SCADA network security, process anomaly correlation, and AWIA compliance evidence — without disrupting real-time control operations or requiring additional headcount.

The iFactory OT Cybersecurity Monitoring Architecture for Water Utilities

iFactory's OT cybersecurity monitoring platform operates as a three-layer defence architecture — network visibility at the asset level, anomaly correlation at the operational level, and compliance documentation at the regulatory level. Each layer addresses a specific failure mode in water utility OT security, and all three run continuously without disrupting SCADA or control network operations.

Layer 01: OT Network Visibility and Asset Discovery
Passive monitoring discovers every connected device without scanning or disrupting OT operations

The visibility layer deploys passive OT network monitoring sensors that connect to SPAN ports or network taps — read-only connections that cannot send traffic to the OT network. These sensors discover every PLC, RTU, HMI, historian, engineering workstation, and network device on the OT network without active scanning that could disrupt sensitive controllers. Each asset is identified by MAC address, IP address, vendor, firmware version, and protocol profile. The platform maintains a live inventory that updates automatically as devices are added, removed, or reconfigured — giving the operations director a complete, current OT asset register that most utilities discover they have never had. The inventory is the foundation for every other security capability: without knowing what is on the network, segmentation cannot be verified, anomalies cannot be attributed, and incident response cannot be executed.

Passive asset discovery · Live OT device inventory · Read-only SPAN/tap connectivity
Layer 02: AI Anomaly Detection and Process Correlation
ML models distinguish cyber events from mechanical faults in real time

The detection layer uses machine learning models trained on the utility's own OT network baseline and process historian data. Models learn normal traffic patterns — which PLCs communicate with which HMIs, what Modbus function codes are typical, what time of day engineering workstations connect, what pressure and flow ranges constitute normal operations. When the models detect deviation — an HMI communicating with a PLC it has never addressed, a Modbus write command to a coil that is never written during standard operations, a pressure setpoint change originating from an unrecognised IP address — the platform generates an alert that includes both the network-level indicator and the process-level context. This correlation is what distinguishes the platform from traditional IT security tools that cannot interpret whether a command is operationally significant. The operations director sees alerts that answer the question: is this a cyber event or a mechanical issue?

OT traffic baselining · ICS protocol anomaly detection · Process-context alert correlation
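The baselining the detection layer describes, written out as an added example (this is not iFactory's code): it learns, from a constructed 24-hour training window, which client talks to which PLC, which Modbus function codes each pair uses, which registers each client writes and at what hours, then scores new flows against that baseline. Hosts, addresses and the training window are constructed; the function codes are the standard Modbus ones.

```python
from collections import defaultdict
from datetime import datetime

# Modbus function codes that change controller state (coil/register writes).
WRITE_FCS = {5, 6, 15, 16}


class ModbusBaseline:
    """Learns, per (client, server) pair, which function codes are used, which
    registers are written, and at which hours each client issues writes."""

    def __init__(self):
        self.fcs = defaultdict(set)          # (client, server) -> {function code}
        self.write_addrs = defaultdict(set)  # (client, server) -> {written address}
        self.write_hours = defaultdict(set)  # client -> {hour of day with writes}

    def learn(self, flows):
        """flows: iterable of (iso_timestamp, client_ip, server_ip, fc, address)."""
        for ts, client, server, fc, addr in flows:
            pair = (client, server)
            self.fcs[pair].add(fc)
            if fc in WRITE_FCS:
                self.write_addrs[pair].add(addr)
                self.write_hours[client].add(datetime.fromisoformat(ts).hour)

    def score(self, flow):
        """Return the deviations one flow shows against the learned baseline."""
        ts, client, server, fc, addr = flow
        pair = (client, server)
        findings = []
        if pair not in self.fcs:
            findings.append("new_peer")            # this client never talked to this PLC
        elif fc not in self.fcs[pair]:
            findings.append("new_function_code")   # known pair, unseen function code
        if fc in WRITE_FCS:
            if addr not in self.write_addrs.get(pair, set()):
                findings.append("write_to_unseen_address")
            hour = datetime.fromisoformat(ts).hour
            # Only judge timing for clients with write history; a new peer has none.
            if client in self.write_hours and hour not in self.write_hours[client]:
                findings.append("off_hours_write")
        return findings


def severity(findings):
    """Map deviations to an alert level; writes from unknown peers rank highest."""
    if "new_peer" in findings and "write_to_unseen_address" in findings:
        return "critical"
    if "write_to_unseen_address" in findings or "off_hours_write" in findings:
        return "high"
    if findings:
        return "medium"
    return "none"


def constructed_baseline():
    """Constructed training window for one PLC (not real utility traffic): the
    control-room HMI polls hourly (FC3) and adjusts one setpoint register during
    day shift (FC6); an engineering workstation writes a register block (FC16)
    during a morning maintenance window."""
    hmi, eng, plc = "10.10.1.20", "10.10.1.50", "10.10.2.5"
    flows = [(f"2026-03-02T{h:02d}:00:00", hmi, plc, 3, 0) for h in range(24)]
    flows += [(f"2026-03-02T{h:02d}:30:00", hmi, plc, 6, 40001) for h in range(6, 19)]
    flows += [(f"2026-03-03T{h:02d}:15:00", eng, plc, 16, 40100) for h in (9, 10)]
    return flows


if __name__ == "__main__":
    baseline = ModbusBaseline()
    baseline.learn(constructed_baseline())
    for flow in [
        ("2026-03-10T14:05:00", "10.10.1.20", "10.10.2.5", 6, 40001),    # routine setpoint
        ("2026-03-10T23:40:00", "10.10.1.50", "10.10.2.5", 16, 40001),   # eng ws, setpoint, night
        ("2026-03-10T23:41:00", "192.168.50.9", "10.10.2.5", 16, 40001), # client never seen
    ]:
        f = baseline.score(flow)
        print(flow[1], "->", flow[2], f, severity(f))
```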
Layer 03: AWIA Compliance Evidence Automation
Continuous compliance records replace periodic manual documentation

Every detection event, every anomaly investigation, every network topology change, and every incident response exercise is logged automatically with timestamps, asset attribution, and operator response records — creating a continuous compliance evidence chain that maps directly to AWIA Section 2013 RRA and ERP requirements. For the RRA, the platform generates evidence of electronic and automated system security monitoring, network segmentation verification reports, and asset inventory completeness. For the ERP, the platform logs incident detection and response exercises, documents corrective actions taken, and maintains a searchable record of every cybersecurity event that required operational intervention. When EPA inspectors request evidence of continuous cybersecurity risk management, the operations director exports a compliance package that demonstrates active monitoring, not a binder of static documentation from the last recertification cycle.

AWIA RRA evidence export · Incident response audit trail · Continuous compliance logging
Passive Monitoring · ML Anomaly Detection · AWIA RRA/ERP Evidence · Incident Response Records
Eighty-One Percent of OT Networks Have No Segmentation Visibility. iFactory's Read-Only Monitoring Provides the Baseline Most Utilities Discover They Have Never Had.
iFactory deploys passively via SPAN ports or network taps — no active scanning, no modification to PLC firmware, no disruption to treatment or distribution operations. The platform begins generating asset inventory, anomaly baselines, and compliance evidence from the moment the sensor connects.

What the OT Security Dashboard Shows the Operations Director

The operations director's dashboard is designed to answer the questions that matter most for OT cybersecurity: What assets are on my OT network right now? Which of them are communicating with unknown or unexpected destinations? What anomalies have been detected in the last 24 hours and which require investigation? And what is my current AWIA compliance evidence status?

Security View 01: OT Asset Inventory — Live Device Register With Risk Classification
A complete, current register of every PLC, RTU, HMI, historian, engineering workstation, and network device discovered on the OT network — with vendor, model, firmware version, last-seen timestamp, and communication profile. Devices are classified by risk level based on factors including known vulnerabilities in the firmware version, exposure to potentially compromised communication paths, and deviation from established baseline behaviour. The inventory updates automatically as devices appear or change, and the operations director can verify segmentation compliance by confirming that no unauthorised device is communicating across the IT-OT boundary.
Director action: Verify all discovered devices match authorised asset register. Flag unknown devices for immediate investigation.
Security View 02: Anomaly Timeline — Network and Process Events Correlated
A unified timeline that correlates OT network events — unexpected connections, protocol violations, unauthorised write commands — with process data — setpoint changes, flow deviations, pressure anomalies — so the operations director can distinguish cyber events from mechanical faults without switching between the SCADA HMI and the security console. Each event includes a severity score, the affected assets, the detected deviation type, and the recommended investigation path. The timeline is searchable by asset, protocol, time range, or severity, making incident reconstruction possible without external forensic tools.
Director action: Review daily anomaly summary. Escalate events where network and process anomalies coincide for immediate incident response.
Security View 03: Segmentation Verification — IT-OT Boundary Monitoring
A continuous verification view that shows all traffic crossing the IT-OT boundary — which devices are communicating across segments, what protocols are in use, and whether any traffic violates configured segmentation policies. The platform baseline maps normal cross-boundary communication patterns — historian data collection, vendor remote access sessions, engineer workstation connections — and alerts when unexpected traffic appears. The segmentation verification report is exportable for AWIA RRA documentation, providing auditors with evidence that OT network isolation is actively monitored and not assumed.
Director action: Review segmentation compliance report weekly. Investigate any cross-boundary traffic that does not match the authorised baseline.
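The boundary check this view performs, as an added example (not iFactory's code): zone-classify each flow seen at the boundary sensor, ignore same-zone traffic, and report every cross-boundary flow that is not on the authorised baseline. The zone plan, allow-list and sample flows are constructed; the last sample reproduces the unauthorised pump-station modem case from the testimonial below, as OT-to-external traffic.

```python
import ipaddress

# Constructed zone plan (not a real utility's addressing): corporate IT, an
# industrial DMZ holding the historian and the vendor jump host, and the OT
# control network. Anything outside these ranges is treated as external.
ZONES = {
    "it": ipaddress.ip_network("192.168.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.5.0/24"),
    "ot": ipaddress.ip_network("10.10.0.0/16"),
}

# Authorised cross-boundary baseline: (src network, dst network, dst port).
# Everything else that crosses a zone boundary is a segmentation violation.
ALLOWED = [
    ("172.16.5.10/32", "10.10.0.0/16", 502),     # DMZ historian polls OT PLCs (Modbus/TCP)
    ("172.16.5.20/32", "10.10.1.50/32", 3389),   # vendor jump host -> engineering workstation
    ("192.168.0.0/16", "172.16.5.10/32", 1433),  # corporate reporting reads the DMZ historian DB
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def allowed(src, dst, dport):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) and dport == p
               for a, b, p in ALLOWED)


def check_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns violations as
    (src, dst, port, reason); same-zone traffic is not a boundary crossing."""
    violations = []
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or allowed(src, dst, dport):
            continue
        if "external" in (sz, dz):
            reason = f"{sz}->{dz}: OT asset exchanging traffic with a host outside the utility"
        elif {sz, dz} == {"it", "ot"}:
            reason = f"{sz}->{dz}: direct corporate-to-control traffic bypassing the DMZ"
        else:
            reason = f"{sz}->{dz}: cross-boundary flow not in the authorised baseline"
        violations.append((src, dst, dport, reason))
    return violations


# Constructed sample of one polling interval at the boundary sensor.
SAMPLE_FLOWS = [
    ("172.16.5.10", "10.10.2.5", 502),      # historian polling a PLC: authorised
    ("10.10.1.20", "10.10.2.5", 502),       # HMI to PLC inside OT: not a crossing
    ("192.168.20.40", "10.10.1.20", 3389),  # IT workstation RDP straight to the HMI
    ("172.16.5.20", "10.10.1.50", 3389),    # vendor session via the jump host: authorised
    ("10.10.3.7", "203.0.113.9", 443),      # pump-station PLC reaching the internet
    ("192.168.10.5", "172.16.5.10", 1433),  # reporting server to DMZ historian: authorised
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(v)
```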
Security View 04: Vulnerability Prioritisation — Risk-Scored by OT Impact
Not all vulnerabilities are operationally relevant in an OT context. The vulnerability view ranks known CVEs by their potential impact on water treatment and distribution processes — a remote code execution vulnerability in a PLC model used for chlorine dosing is scored higher than the same severity CVE in a non-critical asset. The platform integrates vulnerability data from the live asset inventory and cross-references it with exploit intelligence, providing the operations director with a prioritised remediation list that reflects operational risk rather than IT severity scores alone.
Director action: Address critical-risk vulnerabilities within the maintenance window. Apply compensating controls where patching is not immediately possible.
Security View 05: Incident Response Playbook Integration
When an anomaly event crosses the configurable severity threshold, the platform triggers an incident response workflow that includes the affected assets, the detected indicators, the process context, and a recommended response playbook aligned with the utility's ERP. The response is logged automatically with timestamps and operator actions, creating the audit trail that AWIA ERP documentation requires. Tabletop exercises can be run against the platform using historical event data to validate that response procedures are effective without requiring a live incident.
Director action: Run quarterly tabletop exercises using platform-recorded events. Document exercise outcomes as ERP evidence.
Security View 06: AWIA Compliance Dashboard — RRA and ERP Evidence on Demand
A dedicated compliance view that maps every platform capability to specific AWIA Section 2013 RRA and ERP requirements — electronic and automated system security monitoring, incident detection and response evidence, network segmentation verification, asset inventory completeness, and cybersecurity exercise documentation. Each compliance requirement shows the current evidence status, the last verification date, and the exportable evidence package. The operations director prepares for EPA inspections by generating the compliance dashboard for any date range — no manual data compilation, no binder updates, no last-minute document collection.
Director action: Export compliance dashboard quarterly. Address evidence gaps before the next EPA inspection window.

Before iFactory, our OT cybersecurity posture was based on the assumption that our IT firewall was sufficient to protect the SCADA network. We had never done a passive discovery of what was actually connected to the OT network. The first scan revealed 14 devices that were not in our asset register — including a cellular modem that a maintenance contractor had installed without authorisation on a pump station PLC. The segmentation verification showed that our historian was passing unsolicited traffic from the IT network to the control room HMI. Within the first 90 days, we had a complete asset inventory, a verified segmentation baseline, and an AWIA compliance evidence package that our previous RRA consultant had spent three months assembling manually. The correlation between network anomalies and process events has already flagged two unauthorised configuration changes that our SCADA alarms did not detect.

— Operations Director, Regional Water Utility — 120,000 Service Connections, 18 Treatment Plants, 45 Pump Stations

Conclusion

Water utility OT cybersecurity is not an IT compliance problem that can be solved with periodic risk assessments and static network diagrams. It is an operational risk management problem that requires continuous visibility into what is connected to the OT network, what those devices are communicating, which communications represent legitimate operations, and which indicate developing cyber events. When 81% of OT networks lack verified segmentation, when 70% of EPA-inspected systems fail basic cybersecurity compliance requirements, and when adversaries have demonstrated the capability to manipulate HMI interfaces and PLC controllers remotely, the traditional approach of five-year assessment cycles and passive documentation is structurally inadequate to protect water operations.

AI-powered OT monitoring addresses this structural gap across three dimensions simultaneously: passive network discovery that builds and maintains a complete OT asset register without disrupting operations, ML-based anomaly detection that correlates network-level indicators with process-level context to distinguish cyber events from mechanical faults, and continuous compliance evidence generation that transforms monitoring data into AWIA RRA and ERP documentation without manual compilation. The platform deploys on existing OT infrastructure via passive SPAN port or network tap connections — read-only, non-intrusive, and immediately operational from the moment the sensor connects.

iFactory's OT cybersecurity monitoring platform is purpose-built for water utility operations directors who need to protect SCADA and control networks from escalating cyber threats, demonstrate continuous compliance with AWIA Section 2013 requirements, and generate audit-ready evidence without disrupting real-time treatment and distribution operations. Book a Demo to see the platform configured for your OT network topology, or talk to an expert about a free OT network visibility assessment and AWIA compliance gap analysis for your utility.

Frequently Asked Questions

No. The iFactory OT monitoring platform deploys using passive sensors that connect to SPAN ports on OT network switches or to passive network taps — read-only connections that physically cannot transmit traffic to the OT network. No PLC firmware changes are required. No SCADA system modifications are necessary. No additional software is installed on any OT asset. The platform discovers devices and monitors traffic by listening to the existing network communication — it does not query, scan, or interact with any controller or HMI. Deployment typically takes one to two days per facility for sensor installation and baseline configuration. Talk to an expert about deployment architecture for your specific OT network topology and switch infrastructure.

The platform maps every monitoring capability to specific AWIA Section 2013 RRA and ERP requirements. For the RRA, it generates evidence of electronic and automated system security monitoring — including the complete OT asset inventory, network segmentation verification reports, anomaly detection coverage, and vulnerability assessment by device class. For the ERP, it provides incident detection and response records, tabletop exercise documentation, corrective action logs, and communication procedure verification. All evidence is timestamped, attributed to specific OT assets, and exportable in structured format suitable for direct inclusion in RRA and ERP documentation submitted to EPA. The compliance dashboard shows current evidence status for each requirement, so the operations director can identify gaps before the recertification deadline. Book a Demo to see sample compliance exports mapped to your utility's population size category and deadline schedule.

Yes. This correlation capability is the primary distinction between iFactory's OT monitoring platform and IT security tools deployed in OT environments. The platform simultaneously ingests OT network telemetry — Modbus, DNP3, OPC-UA, and other ICS protocol traffic — and process data from SCADA historians or control system APIs. When a setpoint change or flow deviation is detected, the platform checks whether the network-level indicators are consistent with normal operations or with a cyber event. For example, a pressure setpoint change originating from the authorised HMI at a normal operator workstation during a scheduled shift is likely a legitimate operational adjustment. The same setpoint change originating from an unrecognised IP address using an engineering protocol outside normal hours generates an immediate cyber alert with process context. This correlation reduces false positives from mechanical events while ensuring that cyber events hidden within operational anomalies are not dismissed as mechanical faults. Talk to an expert about configuring process data integration from your existing SCADA historian.
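The correlation rule described in this answer, as an added example (not iFactory's code): each setpoint change taken from the historian is matched to the most recent write command to the same PLC inside a short window, and the pair is labelled operational, cyber alert, review, or mechanical (no command at all, pointing at logic, sensor or configuration issues). The authorised hosts, shift hours, window length, process events and network writes are all constructed.

```python
from datetime import datetime, timedelta

# Constructed site context (not a real utility): hosts allowed to issue
# setpoint writes, staffed control-room hours, and how close in time a
# network write must be to a process change to count as its cause.
AUTHORISED_HMIS = {"10.10.1.20", "10.10.1.21"}
ENGINEERING_WS = {"10.10.1.50"}
ENGINEERING_PROTOCOLS = {"s7comm"}     # programming/engineering protocol seen in the capture
SHIFT_HOURS = range(6, 22)             # 06:00 to 21:59 local
CORRELATION_WINDOW = timedelta(seconds=30)


def classify(process_event, network_writes):
    """Return (label, matched_write) for one process-tag change.

    process_event:  (iso_ts, plc_ip, tag, old_value, new_value) from the historian
    network_writes: list of (iso_ts, client_ip, plc_ip, protocol) from the OT sensor
    labels: 'operational' authorised HMI, plant protocol, during shift
            'cyber_alert' unrecognised client, or engineering protocol off-shift
            'review'      known host but off-shift or unusual protocol
            'mechanical'  no write command preceded the change
    """
    ts, plc, _tag, _old, _new = process_event
    t_event = datetime.fromisoformat(ts)
    candidates = [w for w in network_writes
                  if w[2] == plc
                  and timedelta(0) <= t_event - datetime.fromisoformat(w[0]) <= CORRELATION_WINDOW]
    if not candidates:
        return "mechanical", None
    write = max(candidates, key=lambda w: w[0])   # latest write before the change
    _, client, _, proto = write
    in_shift = t_event.hour in SHIFT_HOURS
    if client in AUTHORISED_HMIS and proto == "modbus" and in_shift:
        return "operational", write
    if client not in AUTHORISED_HMIS | ENGINEERING_WS:
        return "cyber_alert", write
    if proto in ENGINEERING_PROTOCOLS and not in_shift:
        return "cyber_alert", write
    return "review", write


def classify_all(events, writes):
    return [classify(e, writes) for e in events]


# Constructed historian events: pressure setpoint for zone 3 and a chlorine dose setpoint.
PROCESS_EVENTS = [
    ("2026-04-07T10:02:15", "10.10.2.5", "PSP_ZONE3", 60.0, 58.0),    # day-shift adjustment
    ("2026-04-07T02:14:40", "10.10.2.5", "PSP_ZONE3", 58.0, 95.0),    # 02:14, unknown client
    ("2026-04-07T15:30:00", "10.10.3.7", "CL2_DOSE_SP", 1.2, 1.9),    # no command preceded it
    ("2026-04-07T03:05:10", "10.10.2.5", "PSP_ZONE3", 95.0, 60.0),    # eng ws, s7comm, at night
    ("2026-04-07T23:10:05", "10.10.2.5", "PSP_ZONE3", 60.0, 62.0),    # HMI, but off-shift
]
# Constructed OT sensor records of write commands.
NETWORK_WRITES = [
    ("2026-04-07T10:02:12", "10.10.1.20", "10.10.2.5", "modbus"),
    ("2026-04-07T02:14:37", "10.10.9.77", "10.10.2.5", "modbus"),
    ("2026-04-07T03:05:08", "10.10.1.50", "10.10.2.5", "s7comm"),
    ("2026-04-07T23:10:02", "10.10.1.20", "10.10.2.5", "modbus"),
]

if __name__ == "__main__":
    for event, (label, write) in zip(PROCESS_EVENTS, classify_all(PROCESS_EVENTS, NETWORK_WRITES)):
        print(event[2], event[3], "->", event[4], label, write and write[1])
```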

When the platform detects an anomaly that crosses the configurable severity threshold, it automatically opens an incident record that includes the affected OT assets, the detected network indicators, the correlated process context, and a timestamped event timeline. The incident is assigned based on configured escalation rules — to the on-call OT security engineer during off-hours, to the operations director for high-severity events involving critical assets. The platform includes a recommended response playbook aligned with the utility's ERP, specifying containment actions, communication procedures, and evidence preservation steps. Every action taken by the response team is logged with timestamps and operator attribution, creating the audit trail that AWIA ERP documentation requires and that post-incident forensic analysis depends on. The incident record is searchable and exportable, supporting both internal lessons-learned reviews and regulatory reporting requirements. Book a Demo to see the incident response workflow configured for a water treatment plant scenario.

Over 70% of EPA-Inspected Water Systems Fail Basic Cybersecurity Compliance. The AWIA 2025-2026 Recertification Deadlines Are Not Optional. Get a Free OT Visibility Assessment and AWIA Compliance Gap Analysis.
iFactory's AI-powered OT cybersecurity monitoring platform for water utility operations directors — passive network asset discovery, ML-based anomaly detection with process correlation, incident response workflow integration, and AWIA Section 2013 compliance evidence generated continuously from your existing SCADA and OT network infrastructure.
