21.1 Physical Security and Cybersecurity
Key Takeaways
- Water-plant security uses layers: deter, detect, delay, assess, respond, and recover while preserving safe treatment and service.
- Operators protect both physical assets and operational technology by controlling access, reporting anomalies, safeguarding credentials, and following the approved incident plan.
- Current U.S. water-sector guidance emphasizes reducing internet exposure, replacing default credentials, inventorying assets, maintaining tested backups, training staff, and exercising response plans.
- A suspicious cyber or physical event must be treated as an operational event too: verify water-quality and process data independently before changing treatment.
Security is an operating responsibility
The 2025 WPI Water Treatment Operator Class I outline expects operators to protect facility perimeters and follow industry cybersecurity practices. Security is not limited to guards or information-technology staff. An unsecured hatch, an unescorted visitor, a shared password, or an unexplained control-system change can threaten treatment reliability and public health. The Class I decision pattern is recognize, protect, verify, report, document—not investigate beyond authorization or improvise technical countermeasures.
Build physical security in layers
Layered security gives staff more than one chance to deter, detect, delay, assess, and respond to unauthorized activity. Exact measures are site-specific and should not be disclosed outside approved channels. An operator commonly checks these layers:
| Layer | Operator focus | Example evidence |
|---|---|---|
| Property boundary | Controlled vehicle and pedestrian access | Gate status, fence condition, visitor log |
| Site and buildings | Locked doors, hatches, windows, and chemical areas | Key/badge accountability, alarm status |
| Critical process assets | Restricted access to intakes, tanks, feed systems, laboratories, and controls | Tamper seals, inspection rounds, camera or sensor alerts |
| Response capability | Reliable notification and safe coordination | Current contact list, tested radio/phone path, exercise record |
A sound round notes new damage, propped doors, missing locks, unfamiliar vehicles, disturbed seals, suspicious packages, or people without required identification. Do not handle an unknown substance or confront an intruder. Move to a safe location, use the facility's emergency communication path, and protect the scene for authorized responders. Visitor and contractor controls matter even when a person appears legitimate: confirm authorization, issue the correct temporary access, escort where required, and recover badges or keys.
Make access accountability routine
Security controls fail when ordinary exceptions become normal. At shift change, reconcile keys, portable radios, badges, and open work permits under the plant procedure. Confirm that a contractor's access still matches the authorized work area and time window. Report a lost credential immediately rather than waiting to see whether it appears. Do not allow tailgating through a controlled door, and do not lend credentials to a coworker. When a lock, alarm, light, camera, gate, or seal is defective, create the required work record and apply the approved temporary protection; an entry in a log by itself does not secure the asset. Keep facility drawings, access codes, chemical quantities, security schedules, vulnerability findings, and incident details in authorized channels. Helpful public communication can still avoid publishing information that would make a critical asset easier to target.
Protect operational technology without becoming the attacker
Information technology (IT) supports business functions such as email and records. Operational technology (OT) includes supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs), human-machine interfaces (HMIs), analyzers, and communications that observe or control the plant. A cybersecurity event can therefore appear as an operational symptom: an impossible tank level, a set point that changed without an authorized work order, repeated login failures, a disabled alarm, or a screen that disagrees with a local gauge.
The joint 2024 CISA, EPA, and FBI water-sector actions emphasize practical defenses. At operator level, these translate into:
- keep a current, owner-approved inventory of connected IT and OT assets;
- eliminate unnecessary public-internet exposure and use only authorized remote-access paths;
- replace default credentials, never share accounts, and use multifactor authentication where the utility provides it;
- apply least privilege so a user has only the access needed for assigned work;
- install updates through approved testing and change control rather than patching live controls impulsively;
- maintain protected, tested backups of configurations and essential records;
- report suspicious messages, removable media, login prompts, alarms, or configuration changes; and
- practice the cybersecurity incident-response and recovery plan.
These are defensive practices, not permission for an operator to scan networks, test passwords, disable logging, bypass interlocks, or rewrite control logic. Do not connect an unapproved laptop, phone, wireless device, or storage drive to a control network. Never place passwords in a shift log or on equipment.
Respond to a security anomaly as a water-quality event
Suppose a night operator receives a chemical-room door alarm while the HMI shows an unexplained coagulant set-point change. The correct response is not to assume a faulty sensor and not to chase an intruder. Follow the site's plan:
- Protect personnel and notify the designated supervisor/security contact through a trusted channel.
- Preserve treatment barriers; use approved local or manual operation only if the response plan and current conditions call for it.
- Verify critical values using independent field instruments, local indicators, inventory observations, and valid samples.
- Preserve useful evidence—time, alarm text, screen state, badge event, observed condition—without altering logs or exploring the suspected system.
- Escalate to authorized IT/OT, emergency, law-enforcement, and regulatory contacts as the plan requires.
- Increase operational surveillance or sampling when directed, and document decisions through recovery.
Disconnecting or powering down equipment can erase evidence or stop a protective process, so only the approved incident lead should direct isolation unless an immediate life-safety procedure says otherwise. A screen value is not proof that water quality changed, but a suspect screen is also not proof that water remained safe. Independent verification bridges that gap.
Exam lens
Choose answers that preserve barriers, limit access, verify field conditions, and escalate through the plan. Reject choices that dismiss anomalies, reveal sensitive details, share credentials, make unauthorized control changes, or prioritize evidence collection over immediate personnel and public-health protection.
A chemical-room access alarm occurs at the same time as an unexplained feed set-point change on the HMI. What is the best initial operator response?
Which practice most directly limits damage if one operator account is compromised?
Why should an operator avoid immediately powering down a control device after a suspected cyber event?