Utilities - Water and wastewater

Physical isolation for treatment, distribution and outstation telemetry

Water companies run a central control room linked to thousands of remote sites over private telemetry. Firevault Control puts a real boundary between the office, the telemetry network, the plant SCADA and the dosing and pumping kit behind it.

When treatment SCADA, outstation telemetry and corporate IT share the same paths, every software vulnerability becomes a candidate for a dosing or supply incident.

100%: Plant SCADA isolation from corporate IT

Zero: Persistent remote access to dosing controllers

6: Control modules deployed per water zone

Full: Evidence for NIS2 and DWI security expectations

The Challenge

Water control systems carry public safety consequences and a thin attack surface to defend.

Dosing and public health

Treatment SCADA controls chemical dosing. A spoofed reading or unauthorised setpoint change can become a public health incident inside one shift.

Long-lived outstations

Outstation RTUs and PLCs were deployed over decades, are reachable over private APN telemetry and cannot all be patched at once.

Shared corporate paths

WIMS, asset management and billing share infrastructure with the office estate, creating paths into operations that should not exist.

The Scenario

Scenario: Telemetry spoofing into a treatment plant

Attackers gain a foothold on the corporate estate and pivot through a shared engineering jump server into the treatment SCADA network. Spoofed turbidity readings are injected into the historian, prompting an automated dosing increase. The control room only realises after downstream quality alarms fire. Investigation takes weeks because the historian, the engineering workstation and the recovery archive all share the same domain.

With Firevault Control, telemetry lands on a defined route through the industrial DMZ with origin and integrity checks. The treatment SCADA fabric is physically separate from corporate IT. Verified baselines for dosing setpoints are held on infrastructure that has no live network path to production and require multi-party authorisation to release.

"Once you start scoring incidents in litres of water or milligrams of chlorine, you stop arguing about the cost of physical separation."

Module deployment · water and wastewater network

Where each Control module is deployed across treatment and distribution telemetry.

Water and wastewater operators bridge a central control room to thousands of remote sites over private telemetry. Control puts a real boundary between the office, the telemetry network, the plant SCADA and the field devices that move and dose the water.

Grounded in NIST SP 800-82 Rev. 3, EPA Water Sector cybersecurity guidance, NIS2 Annex I and DWI security expectations.

L5

Cloud / Internet

External

Customer portal
Cloud analytics
Firebreak
Validate

Public traffic stops in the DMZ.

L4

Enterprise

IT

SOC
SIEM
Billing
Asset management

Office, billing and customer services.

Isolate
Firebreak

Office cannot reach the plant on its own.

L3.5

Industrial DMZ

DMZ · trust boundary

Jump server
Patch & AV
Telemetry broker
APN gateway

Brokered exchange. Private APN telemetry lands here.

Relay
Validate

Outstation telemetry arrives on a defined route only.

L3

Operations systems

OT

WIMS
Historian
Engineering workstation

Water information management and engineering tools.

Isolate

WIMS and SCADA sit on separate fabrics.

L2

Supervisory control

OT

Treatment SCADA
Network SCADA
HMI

Control room view of plants and the distribution network.

Execute

Dosing and pump changes need approval before they move.

L1

Basic control

Field

Plant PLCs
Outstation RTUs
Dosing controllers

Treatment works, pumping stations, reservoirs.

Lock

Field kit ties to named engineers.

L0

Physical

Field

Pumps
Valves
Quality sensors
OSS

Crown jewels

Off-network

Detail callout · A

Offline Secure Storage

Treatment recipes, dosing safety limits, plant configurations, distribution network maps and the recovery sets you need after an incident.

Offline by design · secure by default

Modules & symbols

Firebreak: Physical sever
Validate: Integrity check
Isolate: Zone boundary
Relay: Time-bound path
Execute: Approved action
Lock: Named access
DMZ boundary: Trust transition
OSS callout: Off-network detail

Where each module is deployed, and what it does there.

One row per module. Placement on the network, then plain-English purpose at that point.

  1. Isolate

    At every Purdue boundary

    Office, telemetry, treatment and distribution sit on separate physical fabrics. A compromise on the corporate side cannot reach the plants or the outstations.

  2. Firebreak

    On the L5 to L4 link and the L4 to L3.5 link

    Real off switches on the boundaries that matter most when an incident is live.

  3. Validate

    On the L5 to L4 link and inside the L3.5 DMZ

    Telemetry and engineering requests are checked for origin and integrity. A spoofed reading does not become a chemical dose.

  4. Relay

    Inside the L3.5 DMZ

    Outstation data flows into SCADA on scheduled routes. Outside the window, telemetry cannot reach control.

  5. Execute

    On the L2 to L1 link

    Treatment and network actions hold until the right authority signs them off.

  6. Lock

    On the L1 to L0 link

    Field devices tie to named engineers, the right device and the right authority.

Featured In

TechRadar Pro, Security Buyer, Yahoo Finance, SecurityBrief, Channel Insider

Key Capabilities

Sovereign water data

Operational and customer data remains within the agreed jurisdiction in carefully selected Firevault Bunkers.

Multi-party control

Dosing and major network changes require sign-off from both control room and security teams.

Regulatory evidence

Continuous compliance evidence aligned to NIS2, EPA Water Sector guidance and DWI security expectations.

Out-of-band management

Cellular and dedicated paths keep the control plane reachable when primary telemetry is compromised.

Tamper-proof logging

Every access, configuration change and dosing command lands in immutable logs on physically separate infrastructure.

Verified configuration baselines

Verified baselines of plant and network configuration enable a known-good restore of control-plane state.

Demo to Live

Adoption Guide

Step 1

Network assessment

Map every path between corporate IT, WIMS, treatment SCADA and outstation telemetry to identify convergence and persistent vendor connections.

Step 2

Zone architecture design

Design physically separated zones aligned to your plants and distribution estate, with Control modules at each boundary.

Step 3

Non-production pilot

Deploy in a test environment mirroring a treatment works and outstation pair with full zone separation, multi-party authorisation and compliance logging.

Step 4

Operational deployment

Full deployment across the water estate with verified configuration baselines, continuous compliance evidence and 24/7 out-of-band management.

Water blueprint - PoC

Speak to the team to organise a PoC

Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.

    Firevault

    Firevault is Offline Secure Storage. Hardware you own, physically disconnected by default, with KYC-verified access. Ransomware-proof by design, not by patch.

    © 2026 Firevault Limited. Disconnect to Protect®