Cybersecurity in Water Treatment: Cyber Assessment of WWTPs and Strengthening Their OT Resilience

November 21st, 2025 | Cyber | 7 minutes

A local authority in Savoie operating around twenty wastewater treatment plants (WWTPs) tasked our DATIVE experts with an industrial cybersecurity assessment. Objective: identify OT vulnerabilities, secure the infrastructure, and build a robust action plan to reinforce resilience against cyber threats.

Context and cybersecurity challenges in wastewater treatment

Wastewater treatment plants (WWTPs) are a critical link in the chain of drinking water management and wastewater treatment. Their mission goes far beyond technical operations: they safeguard public health, protect the environment and ensure the continuity of an essential service for local communities.

A compromise of these facilities can have major consequences: environmental pollution, microbiological contamination, service interruption, or even direct endangerment of the population.

These operational risks are compounded by increasing regulatory pressure:

  • The NIS2 directive, which expands cybersecurity obligations to operators of critical infrastructures, now requires strengthened governance, proactive risk management and regular audits.
  • The IEC 62443 standard, the international reference for industrial system security, provides a precise methodological framework for protecting OT environments: SCADA systems, PLCs, field devices and control networks.

In IT environments, data confidentiality is usually the top priority. In contrast, OT (Operational Technology) environments prioritize the availability and integrity of industrial processes. An unplanned shutdown or falsified sensor data can cause immediate disruptions with potentially irreversible consequences for both the environment and the public.

In this demanding context, a local authority in Savoie commissioned DATIVE to conduct a comprehensive cybersecurity assessment of its wastewater treatment infrastructures, with the objective of identifying vulnerabilities, measuring OT maturity and strengthening the resilience of its critical installations.

Leverage DATIVE’s field expertise to strengthen the resilience of your water treatment systems.

Our assessment methodology: a 360° approach based on NIST

At DATIVE, we have developed a proven methodology tailored to the most critical industrial environments. It relies on three key pillars: the NIST Cybersecurity Framework, ANSSI’s recommendations for industrial system security and the international IEC 62443 standard.

[Image: STEP (WWTP) cybersecurity]

This approach enables us to structure our assessments around the five core cybersecurity functions:

  • Identify: we inventory all OT assets, map the network architecture and assess process criticality. We deliver a complete map and inventory of OT equipment. These deliverables are immediately usable, both for cybersecurity experts and for process operators, who are the first line of industrial security.
  • Protect: we analyse current protection measures and propose concrete actions for hardening, segmentation and securing critical systems.
  • Detect: we evaluate the organisation’s ability to identify abnormal activity by reviewing log supervision and real-time incident detection.
  • Respond: we analyse incident response procedures and recommend clear operating modes to limit the impact of cyber events.
  • Recover: we assess infrastructure resilience and the ability of teams to restore operations after an incident, ensuring a rapid return to a nominal state.

Our approach is resolutely operational. We prioritise field immersion: we go into technical rooms, SCADA areas and industrial networks to work directly with operations teams. This proximity enables us to deliver concrete findings, far from purely theoretical approaches.

Rely on DATIVE’s field expertise to assess your OT environments according to NIS2, ANSSI and IEC 62443 standards.

Our four OT cybersecurity assessment pillars

We structured our audit around four complementary themes providing a 360° view of the station’s cybersecurity posture:

Industrial infrastructure analysis

We conduct an in-depth analysis of OT systems and equipment: operator station and HMI configuration, hardening of industrial Windows and Linux environments, remote maintenance access management, account and password usage, and patch/obsolescence levels of equipment.

This phase reveals structural vulnerabilities that directly weaken production continuity.

Industrial network mapping

We produce a complete flow map between zones and conduits and verify the relevance of IT/OT segmentation. We review firewall rules, industrial protocol management, network supervision and incident detection. We also test resilience to threats: scans, exploitation attempts, or use of unsecured services. The objective is to measure the actual level of segmentation and control over OT exchanges.

Human factor risk assessment

We evaluate organisational maturity and the role given to cybersecurity in daily operations: operator and subcontractor awareness, onboarding/offboarding processes, separation of personal and professional use, presence of IT charters or an identified OT security officer.

We also analyse the organisation’s capability to integrate cybersecurity in project phases: specifications, contractor audits, periodic testing. This component is critical, as human behaviour remains one of the primary vectors of compromise in industrial environments.

[Image: human factor in STEP (WWTP) cybersecurity]

Physical access security assessment

We verify the security of access to critical systems: cabinets, IT racks, switches, SCADA servers and operator stations. We assess the presence (or absence) of access controls, anti-theft devices, clean desk policies or USB port blocking.

Often underestimated, this physical dimension remains an essential pillar of OT security, as direct access to equipment can bypass the most advanced software protections in seconds.

Key findings from our field assessment for this local authority

Our evaluation highlighted several recurring vulnerabilities in water treatment environments. These findings reflect common weaknesses we regularly observe in OT systems.

Physical weaknesses leading to intrusion risks

Some WWTPs lacked adequate access control mechanisms. PLCs could be reached directly, without badges or video surveillance, exposing the environment to malicious or accidental manipulations that cannot be traced.

Vulnerable industrial network

The OT network had insufficient segmentation between IT and OT environments. The administrative IT system was directly interconnected with the industrial network and had direct Internet access. We identified misconfigured VLANs and unfiltered flows, directly exposing PLCs and SCADA servers to threats originating from the office network.
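
The flow-map verification described under industrial network mapping, applied to the kind of IT/OT interconnection reported in this finding, can be expressed as a check of observed flows against a declared zones-and-conduits model. The script below is an added example written for this article, not DATIVE's tooling: the zones, permitted conduits, addresses (private and RFC 5737 documentation ranges) and flow records are all constructed for illustration. It flags flows that cross zones without a permitted conduit, OT assets talking to undeclared (external) networks, and cleartext services terminating on OT equipment.

```python
"""Zone/conduit check of observed flows against an IEC 62443-style flow map.

Added example, not DATIVE's tooling. Zones, conduits and flow records are
constructed for illustration; addresses use private and RFC 5737 ranges.
"""
from dataclasses import dataclass
import ipaddress

# Hypothetical zone model: each zone is a network range (constructed).
ZONES = {
    "IT_OFFICE": ipaddress.ip_network("10.10.0.0/16"),          # administrative IT
    "OT_SUPERVISION": ipaddress.ip_network("192.168.10.0/24"),  # SCADA servers, HMIs
    "OT_CONTROL": ipaddress.ip_network("192.168.20.0/24"),      # PLCs, field network
}
EXTERNAL = "EXTERNAL"  # anything not in a declared zone (Internet, unknown segment)

# Conduits: the only permitted (proto, dst_port) pairs between two zones.
CONDUITS = {
    ("OT_SUPERVISION", "OT_CONTROL"): {("tcp", 502)},  # SCADA polls PLCs over Modbus/TCP
    ("IT_OFFICE", "OT_SUPERVISION"): {("tcp", 443)},   # reporting access to a historian front-end
}

# Cleartext services flagged when they terminate on OT equipment.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; undeclared ranges are treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return EXTERNAL


def check_flow(flow: Flow) -> list:
    """Return the findings for one observed flow (empty list = compliant)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    findings = []
    if src_zone != dst_zone:
        allowed = CONDUITS.get((src_zone, dst_zone), set())
        if (flow.proto, flow.dport) not in allowed:
            findings.append(f"no conduit {src_zone}->{dst_zone} for {flow.proto}/{flow.dport}")
    if src_zone.startswith("OT_") and dst_zone == EXTERNAL:
        findings.append("OT asset with direct external/Internet egress")
    if dst_zone.startswith("OT_") and flow.dport in CLEARTEXT_PORTS:
        findings.append(f"cleartext {CLEARTEXT_PORTS[flow.dport]} to OT asset")
    return findings


def audit(flows: list) -> list:
    """Keep only the flows that produced at least one finding."""
    result = []
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            result.append((flow, findings))
    return result


# Constructed flow records, as exported from a switch mirror or firewall log.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "192.168.20.11", "tcp", 502),   # SCADA -> PLC: permitted conduit
    Flow("10.10.4.23", "192.168.20.11", "tcp", 502),     # office PC -> PLC: no conduit
    Flow("10.10.4.23", "192.168.20.12", "tcp", 80),      # office PC -> PLC web UI, cleartext
    Flow("192.168.20.11", "203.0.113.10", "udp", 53),    # PLC -> external DNS
    Flow("192.168.10.5", "192.168.20.12", "tcp", 21),    # SCADA -> PLC over FTP
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
        for finding in findings:
            print("   -", finding)
```

Treating every undeclared range as external is deliberate: an address that matches no zone in the model is either an inventory gap or an untrusted network, and both deserve a finding before the flow is accepted into the map.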

Non-hardened supervision workstations

Several operator stations were still running Windows XP and Windows 7, systems no longer supported by their vendor. We observed daily use of administrator accounts and weak or shared passwords. These practices create ideal entry points for attackers.

Obsolete OT equipment and unsecured services

Some PLCs and network equipment used unencrypted services (FTP, HTTP) or still held default credentials. These weaknesses significantly increase the likelihood of exploitation, whether by internal or external actors.

Poorly managed backups and removable media

Personal USB drives circulated in the supervision environment, directly exposing systems to malware introduction. In addition, backups were neither centralised nor regularly tested, significantly increasing the potential impact of an intrusion, particularly by lengthening recovery timelines in case of an incident.

Leverage our field experience to anticipate and remediate vulnerabilities in your industrial environments.

Based on these findings, we built a pragmatic and progressive action plan for the local authority, structured across three timelines. The objective: quickly address critical vulnerabilities while embedding cybersecurity into a long-term resilience strategy.

Short term: securing the fundamentals for this WWTP

We proposed immediate, low-cost, high-impact actions to rapidly reduce the attack surface:

  • Hardening of supervision workstations: removal of administrator rights, implementation of strong password policies, deployment of OT-compatible antivirus solutions.
  • IT/OT segmentation: deployment of industrial firewalls with rules adapted to OT protocols and usage.
  • Access management: introduction of nominative accounts and multi-factor authentication for remote maintenance connections.

Medium term: strengthening operational resilience

Once the foundations were secured, we defined a consolidation plan for the OT environments:

  • Network segmentation: strict separation of OT zones, creation of function-specific VLANs and advanced flow filtering.
  • Firmware updates: remediation of known vulnerabilities on PLCs and network devices, or implementation of compensating measures (segmentation, restricted access, sealing) for non-patchable equipment.
  • USB whitelisting station: systematic control of removable media to limit malware introduction.
  • Operating system migration: gradual transition to supported and secured Windows versions.

[Image: WWTP USB whitelisting station]

Long term: towards continuous OT network monitoring

To embed cybersecurity sustainably, we defined an ambitious trajectory:

  • Passive OT detection (IDS): deployment of sensors adapted to industrial protocols for continuous anomaly detection.
  • Log centralisation: integration of an OT SIEM to obtain a unified and contextualised view of events.
  • Equipment standardisation: adoption of a unified technical baseline, simplifying maintenance, updates and overall security.
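
The first two items of this long-term trajectory, passive detection on industrial protocols and log centralisation in an OT SIEM, fit together as one pipeline: a sensor learns which hosts talk to which PLCs and with which function codes during a learning window, then emits a normalised event for every deviation. The code below is an added example, not DATIVE's tooling or any vendor's IDS; the records, addresses, timestamps, sensor name and event field names are constructed or assumed, while the Modbus function codes are the standard ones.

```python
"""Passive baseline-and-deviation detection over constructed Modbus/TCP records,
producing SIEM-ready JSON events.

Added example, not DATIVE's tooling or any vendor's IDS. Records, addresses,
timestamps and field names are constructed/assumed; function codes are standard Modbus.
"""
import json
from collections import defaultdict

# Standard Modbus function codes that modify PLC state:
# 5/6 Write Single Coil/Register, 15/16 Write Multiple Coils/Registers.
WRITE_CODES = {5, 6, 15, 16}

# Record format a passive sensor might export: (timestamp, src_ip, dst_ip, function_code).
# Learning window (constructed): the SCADA server reads registers from two PLCs.
BASELINE_RECORDS = [
    ("2025-11-03T08:00:00Z", "192.168.10.5", "192.168.20.11", 3),
    ("2025-11-03T08:00:01Z", "192.168.10.5", "192.168.20.12", 3),
    ("2025-11-03T08:00:02Z", "192.168.10.5", "192.168.20.11", 4),
    ("2025-11-03T08:00:03Z", "192.168.10.5", "192.168.20.12", 4),
]

# Live window (constructed): normal polling plus three deviations.
LIVE_RECORDS = [
    ("2025-11-04T09:15:00Z", "192.168.10.5", "192.168.20.11", 3),   # normal poll
    ("2025-11-04T09:15:07Z", "10.10.4.23", "192.168.20.11", 16),    # office host writes to a PLC
    ("2025-11-04T09:15:09Z", "192.168.10.5", "192.168.20.12", 16),  # SCADA issues a write never seen before
    ("2025-11-04T09:15:12Z", "192.168.10.5", "192.168.20.11", 1),   # new read code from a known talker
]


def learn_baseline(records):
    """Build (src, dst) -> set of function codes observed during the learning window."""
    baseline = defaultdict(set)
    for _ts, src, dst, fc in records:
        baseline[(src, dst)].add(fc)
    return dict(baseline)


def make_event(ts, src, dst, fc, kind, severity):
    """Normalised event record for the OT SIEM (field names are assumptions)."""
    return {
        "timestamp": ts,
        "source": "ot-passive-sensor",   # hypothetical sensor name
        "protocol": "modbus/tcp",
        "src_ip": src,
        "dst_ip": dst,
        "function_code": fc,
        "is_write": fc in WRITE_CODES,
        "detection": kind,
        "severity": severity,
    }


def detect(records, baseline):
    """Compare live records with the baseline; return one event per deviation."""
    events = []
    for ts, src, dst, fc in records:
        known = baseline.get((src, dst))
        if known is None:
            # A pair that never communicated during learning is the strongest signal.
            events.append(make_event(ts, src, dst, fc, "new_talker", "high"))
        elif fc not in known:
            # Known pair, unseen operation: writes matter more than new reads.
            severity = "high" if fc in WRITE_CODES else "medium"
            events.append(make_event(ts, src, dst, fc, "new_function_code", severity))
    return events


def to_siem_lines(events):
    """One JSON object per line, the usual input format for log collectors."""
    return [json.dumps(e, sort_keys=True) for e in events]


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_RECORDS)
    for line in to_siem_lines(detect(LIVE_RECORDS, baseline)):
        print(line)
```

The baseline is learned, not configured, which is what makes the approach passive and cheap to roll out across twenty sites; the cost is that the learning window must be reviewed by operators so that an already-present anomaly is not enshrined as normal.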

OT cybersecurity governance: embedding security over time

Beyond technical measures, we insisted on the need for lasting governance. Cybersecurity must be integrated into the operational culture of this Savoie authority through:

  • Regular awareness training for teams and contractors,
  • Clear procedures for all OT activities,
  • Appointment of an OT cybersecurity lead ensuring long-term consistency and follow-up of actions.

A deployed cybersecurity strategy: immediate benefits for the community

Implementing this plan produced immediate and visible results:

  • Reduced attack surface thanks to workstation hardening and IT/OT segmentation,
  • Improved service continuity: operators now have clear procedures and better visibility over the OT network state,
  • Regulatory alignment: the authority has begun compliance with NIS2 and IEC 62443 best practices,
  • Increased operator confidence: teams, often wary of cybersecurity constraints, quickly realised the implemented measures did not hinder production but instead secured their daily operations.

[Image: secured WWTP]

Conclusion

Industrial cybersecurity in wastewater treatment plants is no longer optional: it is a strategic imperative supporting the continuity of essential services and regulatory compliance.

Through an in-depth assessment and a pragmatic action plan, this Savoie authority established the foundations of long-term OT resilience. This example illustrates how combining a structured methodology (NIST, IEC 62443) with a field-driven approach is essential to securing sensitive industrial environments.

Do you operate a WWTP or another critical infrastructure and want to strengthen your OT cybersecurity? Contact DATIVE’s experts for a tailored assessment.
