Water utilities are classified as essential entities under NIS2 Annex I sectors 6 and 7. SCADA networks running on Modbus, DNP3 and IEC 60870-5-104 carry decades-old protocols with limited native security. Inline isolation, microsegmentation, and identity-based remote access for OT engineers form the practical SASE-aligned architecture. The Aliquippa and American Water Works incidents show the cost of inaction.
Water utility cybersecurity in 2026 is an operational problem before it is a compliance one. A typical Belgian or Benelux operator runs dozens of treatment plants and hundreds of unmanned pumping stations, most of them talking over protocols designed before the internet existed. System integrators dial in from outside to maintain PLCs. Smart meters report over cellular networks. And the regulator now expects all of it to be documented and defensible.
This guide is for the IT or OT lead at a European water utility, drinking water or wastewater, trying to turn NIS2 essential entity obligations into an architecture they can actually deploy. The reference point most people reach for is the Aliquippa Municipal Water Authority breach of November 2023. It was crude, it was avoidable, and it is the clearest illustration yet of what an internet-exposed controller costs.
Why water utilities are essential entities under NIS2
NIS2 (Directive (EU) 2022/2555) lists drinking water under Annex I sector 6 and wastewater under sector 7, both as sectors of high criticality. That classification triggers the Article 21 risk management obligations and the Article 23 incident reporting timelines. The CER Directive (Directive (EU) 2022/2557) adds a parallel layer of physical and operational resilience duties on top.
The directive splits covered entities into essential and important, based on size. An essential entity has 250 or more staff, or turnover above €50 million. An important entity sits in the 50 to 249 band. The supervisory regime differs sharply: essential entities face proactive audits and on-site inspections, while important entities are supervised reactively, only once authorities have reason to look.
Size is not the whole story. Article 2(2) lets member states pull smaller utilities into scope regardless of headcount. A municipality’s sole drinking water provider, or any operator whose disruption would carry systemic public health risk, can be designated essential even with fewer than 50 employees. In the water sector, that exception is the rule rather than the edge case.
Belgium transposed NIS2 through the law of 26 April 2024, in force since 18 October 2024, with the Centre for Cybersecurity Belgium (CCB) as the national authority. Most Belgian water utilities will land at the CyFun Essential level, the highest of the four CyberFundamentals tiers, with roughly 200 controls covering segmentation, cryptography, continuous monitoring and third-party risk. The CER transposition followed later, entering application on 19 January 2026, and automatically treats designated critical water operators as essential entities under the NIS2 law. For the full control set, our NIS2 compliance checklist walks through what auditors expect, and our CCB conformity assessment expectations guide covers the audit itself.
There is one more layer. Article 8 of the EU Drinking Water Directive (Directive (EU) 2020/2184) already requires a risk-based approach across abstraction, treatment and distribution. Because automated water safety depends on digital feedback loops, where chemical sensors drive physical dosing pumps, a SCADA compromise is a water quality event. Securing the OT network is therefore part of DWD Article 8 compliance, not just NIS2 Article 21.
The OT reality of European water utilities in 2026
Water utility OT is unlike a factory floor. Instead of one secured site, you get a sprawling, geographically distributed estate: treatment plants, pumping stations, reservoirs, distribution monitoring, all running legacy SCADA. The protocols underneath, Modbus, DNP3 and IEC 60870-5-104, were standardised when network isolation was assumed and cryptography was optional. Vendor remote access from system integrators completes the picture.
A mid-size European utility serving around 750,000 citizens typically operates roughly 25 treatment and wastewater facilities, around 300 remote pumping and chlorination stations, and a fleet of more than 500 PLCs and RTUs reporting back to a cluster of perhaps 15 SCADA and historian servers. Add elevated reservoirs, groundwater wells, and a growing population of smart residential meters communicating over NB-IoT or LoRaWAN.
The control layer is recognisable across the sector. SCADA platforms such as AVEVA Wonderware InTouch, Siemens WinCC and GE iFIX sit at the supervisory level. Programmable Logic Controllers (PLCs) like the Siemens SIMATIC S7 series, Allen-Bradley ControlLogix and Schneider Modicon run the local automation. Remote Terminal Units (RTUs) handle telemetry from sites too remote for fixed lines, over radio, cellular or satellite.
Those protocols are the weak point. Modbus/TCP has no native authentication or encryption, so every command travels in plaintext and any device on the segment can issue instructions to any controller. DNP3 is the telemetry workhorse for the sector. IEC 60870-5-104 dominates European telecontrol. OPC UA is the more modern, security-capable option increasingly bridging PLCs to upper-level databases, though in practice its security features are often misconfigured or left off.
Secure variants exist. Modbus/TCP Security adds TLS, DNP3 Secure Authentication (SAv5/SAv6) adds challenge-response identity checks, and IEC 62351 defines cryptographic protections across utility protocols. The problem is retrofitting them. Most legacy controllers lack the processing headroom for TLS handshakes, and wholesale replacement means capital expenditure and downtime no operator wants. That economic reality is precisely why network-level segmentation and inline isolation become the compensating controls. Many of these sites are also physically unmanned, which means an exposed RJ45 port or serial connection on a remote PLC is a real attack surface, not a theoretical one. The same IT-OT convergence patterns seen in manufacturing apply here, just spread across a far wider geography.
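As an added illustration (not code from this article or from any vendor), the parser below walks a Modbus/TCP request field by field to show that nothing in the frame identifies the sender, then flags write commands coming from sources that are not expected to issue them. The IP addresses, the authorised-writer set and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Standard Modbus function codes, split by whether they change controller state.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    function_name: str
    is_write: bool
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0, so this is not Modbus")
    if length != len(frame) - 6:  # length counts the unit id byte plus the PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    name = READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc) or f"function {fc}"
    # The header and function code carry no credential, signature or session
    # token; the remaining bytes are function-specific data only.
    return ModbusRequest(tid, unit, fc, name, fc in WRITE_FUNCTIONS, frame[8:])


def unexpected_writes(observed, authorised_writers):
    """Return (source_ip, request) for each write from a non-authorised source."""
    hits = []
    for src, frame in observed:
        req = parse_modbus_tcp(frame)
        if req.is_write and src not in authorised_writers:
            hits.append((src, req))
    return hits


# Constructed sample traffic (not captured from any real system).
SAMPLE_READ = bytes.fromhex("00010000000601030000000a")   # read 10 holding registers
SAMPLE_WRITE = bytes.fromhex("0002000000060106001001f4")  # write one register
AUTHORISED_WRITERS = {"10.20.0.5"}                        # hypothetical SCADA server
OBSERVED = [("10.20.0.5", SAMPLE_READ),
            ("10.20.0.5", SAMPLE_WRITE),
            ("10.20.0.77", SAMPLE_WRITE)]                 # unknown host on the segment

if __name__ == "__main__":
    for src, req in unexpected_writes(OBSERVED, AUTHORISED_WRITERS):
        print(f"ALERT {src} -> unit {req.unit_id}: {req.function_name}")
```

The only sender identity available to the check is the source address seen on the network, which is why the compensating control has to sit at the network layer in front of the controller.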
Documented water sector cyberattacks 2023 to 2026
Water sector incidents follow a clear pattern: exposed remote access, default credentials, and lateral movement from corporate IT into control systems. Aliquippa Municipal Water Authority (November 2023) saw the Iran-linked Cyber Av3ngers exploit internet-facing Unitronics PLCs. Veolia North America and American Water Works (2024) were ransomware hits on business systems. South Staffordshire Water (UK, August 2022) was an earlier warning.
The Aliquippa case is worth dwelling on because it was so basic. The Cyber Av3ngers reached Unitronics Vision PLCs that were exposed to the internet over TCP ports 1111 and 20256, protected only by default passwords. They shut down a pressure-boosting pump, and operators reverted to manual control. CISA documented the vulnerability class in advisory ICSA-23-355-01 in December 2023. No sophisticated exploit was required, only an exposed device and an unchanged password.
The Texas incidents of January 2024, affecting Muleshoe, Hale Center, Lockney and Abernathy, came from the Cyber Army of Russia Reborn brute-forcing unencrypted remote access portals. In Muleshoe, manipulated settings caused a water tank to overflow for around 45 minutes. The pattern repeats: symbolic, visible disruption achieved through weak perimeter controls rather than deep technical capability.
The ransomware incidents tell a different story. Veolia North America (January 2024) and American Water Works (October 2024) were hit on billing and corporate systems, not directly on control networks. In both cases the utilities proactively isolated OT to prevent lateral spread. That isolation is the point: when corporate IT and SCADA share flat connectivity, an IT ransomware event forces a precautionary OT shutdown even when the control systems themselves were never touched.
The most strategically concerning actor is not a ransomware crew. The US authorities have attributed to Volt Typhoon a campaign of stealthy, long-term pre-positioning inside critical infrastructure, including water. Rather than disrupt for profit or propaganda, the goal is persistent access that could be activated during a future geopolitical conflict. For European operators, the lesson from the Dragos OT year-in-review reporting is that the threat is no longer purely opportunistic.
Why traditional IT defences miss the water sector OT problem
Corporate security tools were built for a different problem. Firewalls inspect IP and port traffic but do not understand industrial protocols. Antivirus and endpoint agents cannot run on a PLC or RTU. And the air-gap that once justified minimal OT controls no longer exists, broken by remote telemetry, smart metering, cloud analytics and vendor maintenance access.
The air-gap belief is actively harmful, because it tends to leave the internal network flat. Once an attacker crosses from the corporate side, whether through a phishing email, an unpatched VPN, or a public-facing billing portal, there is nothing between them and the SCADA control plane. Internet-wide scanning research has repeatedly shown exposed industrial controllers reachable from the public internet, water sector devices among them, often discoverable through services like Shodan.
The Purdue Reference Model gives the standard way to think about where controls belong. It layers the environment from Level 0 (physical process: pumps, valves, sensors) up through Level 1 (PLCs), Level 2 (local HMIs), Level 3 (site SCADA and historians), to Level 4 (corporate IT) and Level 5 (cloud). The rule is that no direct path should run between Level 4 and Level 3. All traffic terminates in an Industrial DMZ at Level 3.5, where it is validated and translated.
Traditional controls land at the IT layers and at the IDMZ boundary. The gap is everything below: the legacy controllers that cannot authenticate, cannot encrypt, and cannot host an agent. Detection-only OT monitoring platforms see that traffic but do not block it. Closing the gap requires enforcement at the network layer, in front of the device.
The architecture water utilities need under NIS2
Three architectural elements map directly onto NIS2 expectations for the water sector. Inline isolation for unagented OT devices. Microsegmentation between treatment plants and pumping stations. And identity-based remote access for OT engineers, replacing flat VPN connectivity. Together they cover containment, least privilege and auditability, the controls a CyFun Essential assessment looks for.
Microsegmentation does the heavy lifting on blast radius. In a completely flat network, an attacker who compromises one node can reach every other node. Segment that network into isolated zones and any single compromise is confined to its zone, with cross-zone traffic forced through controlled gateways. For a utility, that means a tapped pumping station cannot become a route back to the central treatment plant’s control plane. Our microsegmentation approaches guide covers the implementation patterns.
Remote access is the other recurring failure point. Legacy VPNs, once authenticated, drop the engineer onto the whole OT subnet. A Zero Trust model inverts this: continuous authentication with MFA against the utility’s identity provider, device posture validation of the engineer’s workstation, and granular per-application access that exposes only the specific HMI or service needed. The rest of the network stays invisible.
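The access decision described above can be sketched as a small policy function. This is an added example, not code from this article or from any product; the posture check names, user, host names and maintenance window are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Hypothetical posture checks; a real deployment takes these from its
# endpoint management or posture agent.
REQUIRED_POSTURE = ("disk_encrypted", "os_patched", "edr_running")


@dataclass(frozen=True)
class Grant:
    """Scoped, time-bound permission: one engineer, one target, one port."""
    user: str
    target: str
    port: int
    not_before: datetime
    not_after: datetime


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    posture: dict
    target: str
    port: int
    at: datetime


def decide(req, grants):
    """Return (allowed, reason). Default is deny; every check must pass."""
    if not req.mfa_verified:
        return False, "mfa-missing"
    failed = [c for c in REQUIRED_POSTURE if not req.posture.get(c, False)]
    if failed:
        return False, "posture-failed:" + ",".join(failed)
    in_scope = [g for g in grants
                if (g.user, g.target, g.port) == (req.user, req.target, req.port)]
    if not in_scope:
        return False, "no-grant-for-target"  # everything ungranted stays invisible
    if any(g.not_before <= req.at <= g.not_after for g in in_scope):
        return True, "granted"
    return False, "outside-maintenance-window"


def sample_decisions():
    """Run constructed requests against a constructed grant table."""
    def t(hour):
        return datetime(2026, 3, 10, hour, 0, tzinfo=timezone.utc)
    good = {"disk_encrypted": True, "os_patched": True, "edr_running": True}
    grants = [Grant("integrator.alice", "hmi-plant-03", 443, t(8), t(12))]
    base = AccessRequest("integrator.alice", True, good, "hmi-plant-03", 443, t(9))
    cases = {
        "in-window": base,
        "other-host": replace(base, target="scada-historian"),
        "after-window": replace(base, at=t(14)),
        "unpatched": replace(base, posture={**good, "os_patched": False}),
        "no-mfa": replace(base, mfa_verified=False),
    }
    return {name: decide(req, grants) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:13} {verdict}")
```

Writing each returned reason to the central log gives every allowed and denied session an audit record.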
The table below maps each element to the NIS2 article it supports and its water-specific application.
| Architecture element | NIS2 article addressed | Water-specific application | Operational consideration |
|---|---|---|---|
| Inline isolation for agentless devices | Article 21 (risk management, access control) | PLCs and RTUs at treatment plants and pumping stations protected without agents | Default-deny gateway; microsecond latency, tested in monitor mode first |
| Microsegmentation between sites | Article 21 (containment of incidents) | A compromised remote station cannot reach the central SCADA control plane | No flat connectivity between plants; cross-zone traffic through controlled paths |
| Identity-based remote access | Article 21 (access governance) | System integrators reach one HMI, not the whole OT subnet | Time-bound, recorded sessions replacing persistent VPN tunnels |
| Centralised logging | Article 23 (incident reporting) | Single audit trail across distributed sites for 24/72-hour reporting | Correlated events feed early-warning and final-report timelines |
| Continuous device posture | Article 21 (risk management) | Engineer workstations checked before any OT session | Blocks non-compliant devices automatically, with logged evidence |
| Secure vendor remote access | Article 21 (supply chain security) | Siemens or Schneider engineers granted scoped, audited access | No standing credentials; access provisioned per maintenance window |
You can also secure the protocols more directly. For the specifics of protecting Modbus and OPC UA traffic, see our guide on industrial protocol security with inline isolation.
How Jimber NIAC fits water utility SCADA environments
Jimber NIAC (Network Isolation Access Client) deploys inline at the network entry to a SCADA segment. PLCs, RTUs, HMIs and smart meters cannot run security agents, so enforcement happens at the network layer. The protected device sees the zone behind it as a normal network. The zone never sees the device directly. Every flow is default-deny unless an explicit allow rule permits it.
For a single treatment plant with multiple PLCs, the NIAC sits between the controllers and the plant network, encrypting transit traffic and enforcing a tight allow-list of permitted flows. A Modicon controller might be permitted to talk only to its historian on a specific port, and nothing else. Anything outside that list, including a scan from a compromised workstation elsewhere on the network, is dropped before it reaches the controller.
For distributed pumping stations with RTUs, the same approach travels well precisely because it does not depend on the local switch hardware or the controller’s own capabilities. A DIN-rail mountable unit in front of an unmanned station’s RTU turns that station into a controlled zone of its own. If the site is physically breached, the attacker still cannot pivot back toward the central control plane.
Vendor maintenance is where the model earns its place day to day. When a Siemens engineer needs to reach one specific HMI to push a firmware update, access is scoped to that single device, time-bound to the maintenance window, and recorded. There is no standing tunnel and no broad subnet access. For smart metering networks, NIAC isolation contains the large population of low-power endpoints so that a compromised meter cannot become a route into billing or control systems.
The operational concerns water teams raise first are continuity and disruption. NIAC adds latency measured in microseconds, not milliseconds, which is undetectable for the vast majority of water processes, though any sub-millisecond real-time loop should be validated during a monitoring phase before enforcement is switched on. Deployment does not require rearchitecting the network or taking production offline. Policies can run in monitor mode first, so the team sees exactly what each device communicates before any rule starts blocking. NIAC is managed from the same console as the rest of the Jimber SASE platform, so OT devices appear alongside office devices in one policy engine with unified logging. The underlying capability is described on the Jimber NIAC inline isolation page.
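To make the default-deny allow-list and the monitor-before-enforce sequence concrete, here is an added sketch. It is not Jimber NIAC code, configuration or API; the rule shape, mode names, addresses and observed flows are hypothetical and constructed for the example, including the assumption that the historian polls the controller on TCP 502.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


PLC = "10.30.1.10"           # hypothetical Modicon controller
HISTORIAN = "10.30.1.50"     # hypothetical plant historian
ENG_STATION = "10.30.1.20"   # engineering workstation nobody documented
OFFICE_PC = "10.10.5.44"     # compromised workstation elsewhere on the network

# Tight allow-list: the only permitted flow to the controller.
ALLOW = {Flow(HISTORIAN, PLC, "tcp", 502)}


def evaluate(flow, allow, mode="monitor"):
    """Default-deny verdict for one flow.

    enforce: 'allow' or 'drop'.
    monitor: 'allow' or 'would-drop' (traffic is still forwarded, only logged).
    """
    if mode not in ("monitor", "enforce"):
        raise ValueError("mode must be 'monitor' or 'enforce'")
    if flow in allow:
        return "allow"
    return "drop" if mode == "enforce" else "would-drop"


def monitor_report(flows, allow):
    """Count flows that no rule permits, most frequent first, for review."""
    unmatched = Counter(f for f in flows
                        if evaluate(f, allow, "monitor") == "would-drop")
    return unmatched.most_common()


# Constructed observations from a monitoring phase.
OBSERVED = (
    [Flow(HISTORIAN, PLC, "tcp", 502)] * 3
    + [Flow(ENG_STATION, PLC, "tcp", 502)] * 2
    + [Flow(OFFICE_PC, PLC, "tcp", p) for p in (80, 443, 502)]
)

if __name__ == "__main__":
    for flow, count in monitor_report(OBSERVED, ALLOW):
        print(f"would-drop x{count}: {flow.src} -> {flow.dst} "
              f"{flow.proto}/{flow.dport}")
```

The report separates a repeated, plausibly legitimate flow (the engineering station) that needs a rule before enforcement from one-off probes that should stay blocked.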
Belgian water utility landscape and procurement reality
The Belgian and Benelux water sector is consolidated and public. In Flanders, De Watergroep is the largest drinking water company, serving over 3.2 million customers, alongside Pidpa in the Antwerp province and Farys across East Flanders. Vivaqua runs the Brussels-Capital Region’s water infrastructure, SWDE is the largest Walloon operator, and CILE covers the Liège province. In Wallonia, the Société Publique de Gestion de l’Eau (SPGE) and the professional association AquaWal set the technical and regulatory framing.
These operators run lean internal IT and OT teams and lean heavily on a specialist ecosystem. Global integrators such as Capgemini and Atos (Eviden) handle large-scale IT-OT integration and reporting systems. Industrial automation specialists, including firms in the Engie orbit and local engineering houses, design and maintain the PLC and SCADA environments. Regional cybersecurity service partners deliver managed detection, incident response and SASE deployments tailored to public-sector utilities.
Procurement shapes everything. As public bodies, Belgian water utilities are bound by the Wet overheidsopdrachten, the Dutch equivalent being the Aanbestedingswet. Security and integration services are typically bought through long framework agreements of four to eight years, which means a vendor usually has to work through an authorised system integrator holding pre-approved framework status. Smaller municipal utilities often buy through joint purchasing consortia, with an operator like Farys acting as central purchasing coordinator. The same public-sector dynamics covered in our SASE for public sector guide apply here.
Sovereignty is a recurring specification. Given water’s critical status, tenders increasingly require that cloud-hosted elements of any SASE or ZTNA solution meet EU data sovereignty standards, which favours platforms with European headquarters and local hosting. For a Belgian-headquartered provider processing data within the EU, that requirement is met by design rather than by add-on.
What water utility IT leaders should do in 2026
After the April 2026 CCB CyFun deadline, the practical sequence for a water utility IT or OT lead is straightforward to state and demanding to execute: asset inventory first, segmentation second, vendor remote access third, centralised logging fourth. CISA’s Foundations for OT Cybersecurity guidance frames the same priorities for the sector.
Start with the inventory, because you cannot protect what you have not catalogued. For a mid-size Belgian utility with, say, 5 to 10 treatment plants and 50 to 200 PLCs, this is weeks of work, not days, and much of it is fieldwork at unmanned sites. The output is a map of every controller, every protocol in use, and every remote access path, including the ones nobody documented.
Segmentation comes next, and it does not need to be all-or-nothing. Begin by separating IT from OT at the Purdue Level 3.5 boundary, then isolate the highest-value sites. Vendor remote access is the third priority because it is the most exploited path in the documented incidents: replace standing VPN access with scoped, time-bound, identity-based sessions. Centralised logging closes the loop, giving you the single audit trail that the Article 23 reporting timelines and a CyFun Essential assessment both require.
None of this requires a forklift upgrade. The compensating-controls approach, isolating legacy devices at the network layer rather than replacing them, is what makes the timeline realistic for an operator that cannot take treatment plants offline.
Frequently asked questions
Are water utilities classified as essential entities under NIS2?
Yes. NIS2 Annex I lists drinking water under sector 6 and wastewater under sector 7, both as sectors of high criticality. Most water utilities qualify as essential entities, and member states can designate even small sole-provider utilities as essential regardless of size.
What protocols does a typical water utility SCADA system use?
Water SCADA systems commonly run Modbus/TCP for local controllers, DNP3 for remote telemetry, and IEC 60870-5-104 for European telecontrol. OPC UA is increasingly used to bridge PLCs to upper-level databases. The older protocols lack native encryption and authentication.
How does inline isolation protect Programmable Logic Controllers?
Inline isolation places a default-deny gateway between the PLC and the network. The controller needs no agent. Only explicitly permitted traffic, such as a specific historian connection on a defined port, passes through. All other traffic, including scans from compromised hosts, is blocked before reaching the device.
What does the CCB CyFun framework expect from Belgian water utilities?
Because water is critical to public health, most Belgian water utilities are expected to reach the CyFun Essential level, roughly 200 controls covering network segmentation, cryptography, continuous monitoring and third-party risk. Essential entities undergo conformity assessment by an accredited body.
Can Modbus or DNP3 traffic be inspected by a SASE platform?
Inline isolation enforces allow-lists on Modbus and DNP3 traffic at the network layer rather than relying on the protocols’ weak native security. The NIAC supports both TCP-based and UDP-based industrial protocols from one appliance, controlling which flows are permitted to each controller.
Which water sector attacks since 2023 illustrate the cyber risk?
Aliquippa (November 2023) saw Cyber Av3ngers exploit default-password Unitronics PLCs exposed to the internet. American Water Works and Veolia (2024) were ransomware hits on corporate systems that forced precautionary OT isolation. The Texas incidents (January 2024) caused a tank overflow through brute-forced remote access.
How can system integrators access water utility OT remotely without VPN?
Identity-based remote access grants an engineer scoped, time-bound access to a single application or HMI rather than the whole OT subnet. The session requires MFA and a device posture check, and it is recorded. The rest of the network stays invisible, removing the lateral movement risk of flat VPN access.
NIS2 turned SCADA protection into a regulatory question rather than an optional one. The architecture is well understood: isolate the agentless devices, segment between sites, replace flat VPN access with identity-based sessions, and log everything to one audit trail. The open question for Belgian and European water utility leaders in 2026 is not whether to protect these networks, but how to do it without interrupting water service.
For Belgian and European water utility IT teams translating NIS2 obligations into deployable architecture, the conversation goes faster with a SASE platform that handles agentless SCADA devices natively.