Water Utilities

Water and wastewater utilities are among the most critical — and most exposed — sectors in operational technology. Treatment plants, pump stations, and distribution networks rely on PLCs and SCADA systems to manage processes that directly affect public health: chemical dosing, pressure regulation, flow control, and disinfection. A misconfigured setpoint or an unauthorised change to a dosing controller is not just a cybersecurity event — it is a public safety concern.

Yet many water utilities operate with limited cybersecurity resources. Control systems were installed decades ago, often by integrators who prioritised reliability over security. Networks are flat, remote access is widespread, and visibility into what is actually happening on the OT network is minimal. Engineering changes are made by multiple parties — internal operators, system integrators, and equipment vendors — with little formal tracking of who changed what, and when.

Why First Watch for Water

First Watch gives water utilities continuous, automated protection without requiring a dedicated cybersecurity team on site.

Protocol-level visibility means the platform understands what is happening inside industrial communications — not just that a PLC is talking to a SCADA server, but which registers are being read or written, which function codes are in use, and whether an engineering change is taking place. For water utilities, this translates directly into awareness of process-critical operations like setpoint modifications, logic changes, and firmware updates.

Engineering change management is a natural outcome of the platform's monitoring capabilities. Every configuration download, program modification, and firmware change is detected, time-stamped, and attributed. Plant managers can see at a glance whether a change was made by an authorised operator during a planned maintenance window — or by an unknown party at an unexpected time.

Active protection through PLC Guard can enforce policies that prevent unauthorised programming operations from reaching controllers. In monitoring mode, the platform observes and alarms. In enforcement mode, it blocks operations that violate the defined security policy — such as an unapproved logic download to a dosing controller.

ControlGuard endpoint protection secures the Windows-based HMI workstations and SCADA servers that operators depend on daily. Application whitelisting prevents malware execution on machines that often run older operating systems and cannot be patched without vendor involvement.

What We Protect

  • Treatment plants — chemical dosing controllers, filtration systems, UV disinfection, chlorination
  • Pump stations — VFD-controlled pumps, level sensors, pressure regulation
  • Distribution networks — reservoir controllers, pressure zone management, flow metering
  • SCADA infrastructure — historian servers, HMI workstations, engineering stations
  • Remote access — system integrator connections, vendor maintenance, telemetry links

This section contains detailed case studies and deployment examples from the water utilities sector.