Water and wastewater utility support

Water and Wastewater Utility Cybersecurity, Resilience, and Emergency Readiness

Systems Risk Advisory helps water and wastewater utilities protect essential operations, meet planning obligations, strengthen OT/ICS and SCADA security, and prepare for cyber, physical, and operational disruptions.

Schedule a consultation View services

Water utility risk is operational risk.

Water and wastewater utilities operate under conditions that leave little room for vague recommendations. Treatment, pumping, distribution, collection, chemical feed, telemetry, public communication, field work, and emergency response must keep working even when systems are degraded.

Systems Risk Advisory works with utilities to turn risk into clear priorities. We connect cyber, physical, OT/ICS, SCADA, emergency response, and leadership issues so the utility can make practical decisions before an incident forces those decisions under pressure.

Our work is built for real utility environments. We account for limited staffing, legacy systems, shared city IT support, vendor-managed access, field sites, budget constraints, regulatory expectations, and the need to keep water and wastewater services operating.

Questions we help utilities answer

Good security work starts with operationally relevant questions. These questions help utilities move from broad concern to clear decisions.

Who can connect?

Review remote access, VPNs, vendor paths, shared accounts, service accounts, jump hosts, and emergency access procedures.

Where can they move?

Look at network separation, firewall rules, routing paths, engineering workstations, SCADA servers, HMIs, historians, and field communications.

What could they control?

Identify the operational impact of access to pumps, valves, chemical feed, PLCs, telemetry, alarms, reporting, and operator visibility.

How would staff know?

Review alerts, logs, operator indications, abnormal process signals, communications paths, and escalation procedures.

How would the utility operate?

Assess manual operations, backup procedures, spare systems, alternate communications, mutual aid, and recovery sequencing.

How would leaders decide?

Clarify authority, public messaging, reporting, regulatory notification, law enforcement coordination, and board or council communications.

Services for water and wastewater utilities

Systems Risk Advisory supports water and wastewater utilities with connected services that address cyber, physical, OT/ICS, SCADA, emergency response, and resilience needs.

AWIA RRA and ERP Support

Support for Risk and Resilience Assessments and Emergency Response Plan updates that reflect real utility assets, threats, consequences, dependencies, and response actions.

  • Critical asset and dependency review
  • Cyber, physical, and operational risk inputs
  • Consequence-informed prioritization
  • ERP update support
  • Board, council, or leadership briefing support

OT/ICS and SCADA Security

Practical review of control-system architecture, remote access, vendor connections, segmentation, recovery needs, and the operational effects of cyber compromise.

  • SCADA architecture and access review
  • PLC, HMI, engineering workstation, and historian considerations
  • Remote and vendor access review
  • IT/OT separation and segmentation planning
  • Backup, restoration, and safe recovery concerns

Cybersecurity Assessments

Assessment support focused on the highest-value controls for utilities, including identity, access, ransomware readiness, email security, backups, policies, and response preparation.

  • Ransomware exposure review
  • User, administrator, and service account review
  • Policy and procedure review
  • Backup and recovery review
  • Prioritized action roadmap

Physical Security

Review of treatment plants, pump stations, lift stations, tanks, wells, chemical areas, gates, doors, alarms, cameras, lighting, visitor control, and field procedures.

  • Site access and perimeter review
  • Critical area and chemical security review
  • Field asset and remote site considerations
  • Cyber-physical dependency review
  • Practical improvement recommendations

Incident Response Planning

Planning support for cyber, physical, and operational incidents that could affect service continuity, public confidence, safety, reporting, and recovery.

  • Roles and escalation paths
  • Containment and continuity steps
  • Communications and notification support
  • Recovery sequencing
  • Coordination with vendors and public partners

Tabletop and Operational Exercises

Exercises that test decisions, coordination, communications, continuity, and recovery during realistic water and wastewater cyber-physical scenarios.

  • Ransomware and loss of visibility scenarios
  • Anomalous PLC or SCADA activity scenarios
  • Chemical feed, telemetry, or alarm disruption scenarios
  • Physical intrusion or field-site incident scenarios
  • After-action report and improvement tracking

Common scenarios we help utilities prepare for

Exercises, assessments, and response plans should reflect the incidents utilities are most likely to face and the decisions leaders will need to make.

  • Compromised remote access into a utility network
  • Vendor account misuse or unmanaged access to SCADA support tools
  • Ransomware affecting business systems, shared city systems, or utility operations
  • Loss of operator visibility into pumps, tanks, lift stations, or alarms
  • Unexplained PLC, HMI, telemetry, or alarm behavior
  • Manual operation during degraded SCADA or communications loss
  • Physical intrusion at a plant, pump station, lift station, well, or tank site
  • Chemical feed anomaly, process concern, or public confidence issue
  • Conflicting decisions between utility operations, city leadership, IT, vendors, and public information staff

Typical deliverables

The goal is usable output. Reports, plans, exercises, and briefings should help leaders make decisions and help staff act.

Deliverable Purpose
Executive risk briefing Clear findings, priority decisions, and leadership-level options.
Assessment report Documented observations, risks, consequences, and recommended improvements.
Prioritized action roadmap A practical sequence of fixes based on risk, effort, cost, and operational value.
Updated plan content Emergency response, incident response, continuity, communication, or recovery plan updates.
Exercise package Scenario, injects, facilitator guide, participant materials, evaluation notes, and after-action findings.
Improvement tracker A working list of actions, owners, due dates, status, and follow-up needs.

Who we support

Water and wastewater readiness requires coordination across leadership, operations, IT, OT, field work, emergency management, vendors, and public communication.

  • General managers and utility directors
  • Public works directors
  • Water and wastewater operators
  • SCADA, instrumentation, and controls personnel
  • IT and shared city technology teams
  • Engineering, maintenance, and field crews
  • Emergency managers and continuity planners
  • Public information officers and communications staff
  • City administrators, boards, councils, and executive leaders

Why Systems Risk Advisory

Utilities need practical guidance from people who understand critical infrastructure, not generic security language detached from operations.

Water-sector focus

We understand the operational realities of water and wastewater utilities, including small and mid-sized systems with limited staff.

Cyber and physical together

We do not treat cybersecurity, physical security, emergency response, and operations as separate problems when they affect the same service.

OT/ICS awareness

We account for SCADA, telemetry, PLCs, HMIs, engineering workstations, field communications, remote access, and safe recovery.

Practical deliverables

We produce materials that leaders can understand and staff can use, including reports, briefings, plans, exercises, and action trackers.

Principal-led support

Engagements are led by experienced senior personnel and supported by qualified specialists when the project requires added depth.

How an engagement works

Each engagement is scaled to the utility’s size, systems, staffing, risk concerns, and desired outcome.

Frame the mission

We clarify the utility’s essential functions, major assets, operating constraints, current plans, and priority concerns.

Review the environment

We examine cyber, physical, OT/ICS, SCADA, staffing, vendor, emergency response, and continuity factors.

Identify practical risk

We connect threats, vulnerabilities, dependencies, consequences, and likely decision points.

Prioritize improvements

We rank findings by service impact, feasibility, cost, urgency, and readiness value.

Support decisions

We prepare clear materials for utility managers, boards, councils, city leaders, and technical teams.

Build readiness

We help update plans, train staff, run exercises, and track corrective actions.

Ready to strengthen water or wastewater utility readiness?

Protect essential operations before an incident forces difficult decisions. Systems Risk Advisory can help your utility assess risk, update plans, strengthen SCADA and OT/ICS security, test response procedures, and train the people who keep service running.

Start a utility risk conversation Review our approach

Related services

Risk and Resilience Assessments Emergency Response Planning OT/ICS and SCADA Security Cybersecurity Assessments Physical Security Incident Response Planning Tabletop and Operational Exercises On-Site Training and Workshops Contact Systems Risk Advisory