Treatment Plant and Distribution SCADA Path Control
Water treatment and distribution systems directly affect public health. When control systems are compromised, attackers can alter chemical dosing, disrupt supply, or contaminate drinking water for entire populations.
Key threats addressed
Overview
A real boundary between corporate IT and the chemistry of public water.
Water infrastructure presents attackers with the opportunity for catastrophic physical harm. Firevault Control uses physical isolation to render treatment SCADA, dosing controllers and distribution telemetry unreachable from corporate IT and the wider internet. Fast to deploy, non-disruptive, and fully aligned to NIS2, DWI and Ofwat expectations, with immutable evidence ready for audit.
Water
When a water treatment control system is reachable from the corporate network, every phishing email becomes a potential path to altering the chemical composition of a city's drinking water.
- 100%: Treatment SCADA isolation from corporate IT
- Zero: Persistent remote access to dosing systems
- 5: Operational zones with independent governance
- Full: NIS2 and DWI compliance evidence
Water infrastructure faces direct public health threats.
Chemical Dosing Risks
Compromised control systems could alter chlorine dosing or pH levels in treatment processes, directly threatening public health on a massive scale.
Remote Pumping Stations
Hundreds of remote pumping stations and reservoirs rely on SCADA communications with limited local security, creating distributed entry points.
IT/OT Convergence
Smart water network modernisation creates network paths between corporate IT and operational technology that attackers can traverse.
Pain points
- Software-only defences can be bypassed by zero-day exploits targeting SCADA systems.
- Third-party SCADA vendor access creates persistent connectivity risks.
- Chemical treatment and pump control systems require strict access governance.
- NIS2, DWI and Ofwat security expectations require demonstrable segmentation and resilience.
The Scenario
Scenario: Water Treatment SCADA Compromise
Attackers compromise a water company's corporate network through a targeted phishing campaign against the finance department. They move laterally until they reach a historian server that bridges the IT and OT networks. From there, they access the treatment plant SCADA system and modify chemical dosing parameters for chlorine and fluoride. The changes are subtle enough to avoid immediate alarm triggers but sufficient to affect water quality across the distribution area.
With Firevault Control, the treatment SCADA network is physically disconnected from corporate IT. The historian server operates in a controlled zone with authorised, time-limited data transfer to corporate systems. The attack path from finance workstations to dosing controls does not exist.
"The historian server was our biggest vulnerability. It sat on both the IT and OT networks because the business needed water quality data in their dashboards. It was the bridge that gave attackers a direct path from email to the chlorine dosing system."
Where each Control module is deployed across treatment and distribution.
Water companies run the same Purdue stack as power, with telemetry reaching every treatment plant, reservoir and pumping station. Control puts a real boundary between the office, the telemetry network and the SCADA that moves and treats the water.
Grounded in NIST SP 800-82 Rev. 3, EPA Water Sector cybersecurity guidance and NIS2 Annex I.
- Cloud / Internet (External): Public traffic stops in the DMZ.
- Enterprise (IT): Office, billing, customer services. Office cannot reach the plant on its own.
- Industrial DMZ (DMZ · trust boundary): Brokered exchange. No straight-through paths into the plant. Telemetry lands on a defined route only.
- Operations systems (OT): Engineering and SCADA on separate fabrics.
- Supervisory control (OT): Control room view of treatment and the network. Treatment changes are approved before they move.
- Basic control (Field): Field kit ties to named engineers.
- Physical (Field)
- Crown jewels (Off-network)
Detail callout · A
Offline Secure Storage
Treatment recipes, plant configurations, distribution network maps and the recovery sets you need after an incident.
Offline by design · secure by default
Modules & symbols
Where each module is deployed, and what it does there.
One row per module. Placement on the network, then plain-English purpose at that point.
- Isolate (at every Purdue boundary): Office, telemetry, treatment and distribution sit on separate physical fabrics. A compromise on the corporate side cannot reach the plants.
- Firebreak (on the L5 to L4 link and the L4 to L3.5 link): A real hardware off switch on the public and office boundaries, cutting the live path between corporate and the treatment plants.
- Validate (on the L5 to L4 link and inside the L3.5 DMZ): Before any reading or request reaches operations, Validate checks its origin and integrity. A spoofed telemetry value does not become a chemical dose.
- Relay (inside the L3.5 DMZ): Sensor and pump data flows into SCADA on a scheduled, controlled route. Outside that route, telemetry cannot reach into control.
- Execute (on the L2 to L1 link): Cross-plant actions need the right approval and the right state. Single clicks do not move treatment kit.
- Lock (on the L1 to L0 link): Field devices tie to named engineers, the right device and the right authority.
Key Capabilities
Sovereign Water Data
All treatment and distribution control data remains within the agreed jurisdiction in secured Firevault Bunkers, meeting Ofwat and DWI requirements.
Multi-Party Process Control
Changes to treatment parameters require authorisation from both operations and water quality teams, preventing unilateral modifications.
DWI and NIS2 Evidence
Automated compliance logging maps directly to Drinking Water Inspectorate requirements and NIS2 Article 21 outcomes for water companies.
Cellular SCADA Failover
Out-of-band management via cellular connectivity ensures control over treatment systems independent of primary communications infrastructure.
Process Change Audit
Every dosing parameter change, valve operation, and access authorisation is recorded in tamper-proof logs for DWI and regulatory audit.
Safe State Recovery
Verified baselines of treatment configuration enable rapid restoration to known-safe operating parameters during compromise scenarios.
Demo to Live
Adoption Guide
Water Network Assessment
Map all network paths between corporate IT, treatment SCADA, distribution SCADA, water quality systems, and remote pumping stations.
Treatment Zone Design
Design physically separated zones for treatment, distribution, quality monitoring, and corporate systems with Control modules at each boundary.
Single Works Pilot
Deploy at one treatment works with full SCADA isolation, multi-party process authorisation, and compliance logging to validate operational procedures.
Company-Wide Deployment
Phased deployment across all treatment works and pumping stations with verified configuration baselines, continuous compliance evidence, and cellular management.
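The path-mapping step of the assessment, applied to the dual-homed historian from the scenario, as an added example (not Firevault tooling or code from this page). All host names, segment names and the inventory itself are constructed; a brokered, time-limited transfer is assumed not to count as a standing network path.

```python
from collections import deque

# Constructed inventory: host -> network segments it has an interface on.
INVENTORY = {
    "finance-ws":   {"corp-lan"},
    "dashboard":    {"corp-lan"},
    "historian":    {"corp-lan", "scada-lan"},    # dual-homed: the IT/OT bridge
    "scada-server": {"scada-lan", "control-lan"},
    "dosing-plc":   {"control-lan"},
}
# Constructed mapping of each segment to the zone that governs it.
SEGMENT_ZONE = {"corp-lan": "IT", "scada-lan": "OT", "control-lan": "OT"}

# Same estate after isolation: the historian keeps only its OT interface.
# Corporate copies arrive by brokered transfer, which is not modelled as an edge.
ISOLATED = {**INVENTORY, "historian": {"scada-lan"}}


def find_path(inventory, src, dst):
    """Breadth-first search over hosts that share a segment.

    Returns the shortest host-to-host path as a list, or None if unreachable.
    """
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        here = inventory[path[-1]]
        for host, segments in inventory.items():
            if host not in seen and here & segments:
                seen.add(host)
                queue.append(path + [host])
    return None


def bridges(inventory, segment_zone):
    """Hosts whose interfaces span segments in more than one zone."""
    return sorted(
        host for host, segments in inventory.items()
        if len({segment_zone[s] for s in segments}) > 1
    )


if __name__ == "__main__":
    for label, inv in (("before", INVENTORY), ("after", ISOLATED)):
        print(label, "path:", find_path(inv, "finance-ws", "dosing-plc"))
        print(label, "cross-zone hosts:", bridges(inv, SEGMENT_ZONE))
```

Run against a real asset inventory, any host returned by `bridges` is a candidate for the kind of IT/OT path the scenario describes and should be reviewed before zone design.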