Protecting Public Water Systems: A Step-by-Step Guide to Mitigating ICS Breaches

Last updated: 2026-05-08 22:21:55

Introduction

Recent reports from the Polish Security Agency revealed that hackers successfully infiltrated industrial control systems (ICS) at five water treatment plants. The attackers gained the ability to modify equipment operational parameters, posing a direct and immediate risk to the public water supply. While the original news highlighted the breach, this guide translates those lessons into actionable steps for water utility managers and cybersecurity professionals. By following this structured approach, you can strengthen your ICS defenses, reduce the likelihood of similar intrusions, and maintain safe water delivery for your community.

Protecting Public Water Systems: A Step-by-Step Guide to Mitigating ICS Breaches
Source: www.securityweek.com

What You Need

  • Network diagram of your water treatment facility, including all ICS components (PLCs, RTUs, HMIs, SCADA servers)
  • Asset inventory detailing make, model, firmware version, and network connections of each device
  • Access log data from the past 90 days (firewall, VPN, and authentication logs)
  • Change management records for the last year
  • Cybersecurity policy document (or template if none exists)
  • ICS-specific security tools (e.g., anomaly detection software, network monitoring agents compatible with Modbus/DNP3)
  • Risk assessment framework (e.g., NIST 800-82, ISA/IEC 62443)
  • Backup of all current configuration files stored offline
  • Communication channel with IT security team and local law enforcement

Step-by-Step Guide

Step 1: Conduct a Comprehensive Asset Discovery and Risk Assessment

Begin by mapping every device connected to your ICS network, including legacy equipment that may not have been inventoried. Use passive scanning (e.g., monitoring network traffic) to avoid disrupting processes. For each asset, document its function, criticality to water treatment, and any known vulnerabilities. Cross-reference your findings with the Polish breach scenario: the attackers targeted operational parameters—likely valves, chemical dosing pumps, or filtration rates. Identify which devices in your facility could be abused similarly.

Perform a risk assessment using a standard like IEC 62443. Prioritize assets that control water quality parameters (pH, chlorine levels, pressure). Create a heat map showing the most likely attack vectors: remote access connections, unpatched firmware, or vendor default credentials.

Step 2: Enforce Network Segmentation Between IT and OT

The Polish attack underscores the danger of flat networks. Immediately isolate your ICS environment from corporate IT networks using a dedicated demilitarized zone (DMZ). Essential actions:

  • Deploy a firewall with rules that only allow specific, documented traffic (e.g., SCADA historian updates, limited remote support).
  • Implement unidirectional gateways (data diodes) where possible, so that process data can flow out to IT while no commands can flow from IT into OT.
  • Segment the ICS network itself: separate safety-critical loops from lower-priority systems.
  • Disable any unnecessary network connections—for example, WiFi on control room laptops that also connect to the internet.

Regularly test these segmentation rules with red team exercises or penetration tests focused on moving from IT to ICS.

Step 3: Harden All ICS Devices and Remove Default Credentials

Breaches often start with weak credentials. Change default passwords on PLCs, HMIs, and remote access points immediately. Enforce strong password policies—use passphrases of at least 15 characters with mixed case, numbers, and symbols. For devices that cannot support complex passwords, consider placing them behind a jump server or using hardware authentication tokens.

Review common attack vectors from the recent breach: the hackers modified operational parameters. Ensure that any device capable of changing setpoints requires multi-factor authentication (MFA) for remote access. For local access, use role-based controls: operators can view data, engineers can adjust parameters, and administrators can modify firmware.

Step 4: Implement Continuous Anomaly Detection and Logging

Without visibility, you cannot detect a parameter change in progress. Deploy ICS-specific intrusion detection systems (IDS) that parse protocols like Modbus, DNP3, or OPC-UA. Configure alerts for:

  • Unexpected writes to PLC registers
  • Changes to configuration beyond approved maintenance windows
  • Communication attempts from unknown IPs
  • Firmware updates or downloads

Centralize all logs (syslog, Windows event logs, SCADA historian logs) in a security information and event management (SIEM) solution. Set retention to at least one year as required by regulations. In the Polish case, a properly tuned IDS might have caught the attackers before they modified equipment.
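As an added example (not code from the original guide), the alert rules above expressed as detection logic over a Modbus/TCP frame: write requests are checked against an allowlist of engineering hosts, the approved maintenance window, and safe bounds for known setpoint registers, while read polling is ignored. The host address, window and register map are constructed assumptions.

```python
import struct
from datetime import datetime, time
# Modbus function codes that change process state (reads are ignored).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ALLOWED_WRITERS = {"10.20.0.5"}          # hypothetical engineering workstation
WINDOW = (time(2, 0), time(4, 0))        # approved maintenance window (local time)
# Hypothetical setpoint registers: name, safe minimum, safe maximum.
SAFE_BOUNDS = {100: ("chlorine_ppm_x100", 50, 400),   # 0.5 to 4.0 mg/L
               101: ("ph_x100", 650, 850)}            # pH 6.5 to 8.5

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header; for FC 6/16 also decode the written registers."""
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    pdu = frame[8:]
    msg = {"tid": tid, "unit": unit, "fc": fc, "writes": {}}
    if fc == 6:
        addr, value = struct.unpack(">HH", pdu[:4])
        msg["writes"][addr] = value
    elif fc == 16:
        start, qty, count = struct.unpack(">HHB", pdu[:5])
        if count != 2 * qty:
            raise ValueError("byte count does not match register quantity")
        values = struct.unpack(f">{qty}H", pdu[5:5 + count])
        msg["writes"] = {start + i: v for i, v in enumerate(values)}
    return msg

def check_frame(src_ip: str, ts: datetime, frame: bytes) -> list:
    """Return alert strings for one frame; an empty list means nothing suspicious."""
    msg = parse_modbus_tcp(frame)
    if msg["fc"] not in WRITE_FUNCTIONS:
        return []                         # normal SCADA polling
    name, alerts = WRITE_FUNCTIONS[msg["fc"]], []
    if src_ip not in ALLOWED_WRITERS:
        alerts.append(f"{name} from unlisted host {src_ip}")
    if not WINDOW[0] <= ts.time() <= WINDOW[1]:
        alerts.append(f"{name} outside maintenance window at {ts:%H:%M}")
    for addr, value in msg["writes"].items():
        if addr in SAFE_BOUNDS:
            label, lo, hi = SAFE_BOUNDS[addr]
            if not lo <= value <= hi:
                alerts.append(f"{label} written as {value}, safe range {lo}-{hi}")
    return alerts

# Constructed samples: FC16 writing chlorine=9.00 mg/L (900) and pH=7.20 (720); FC3 read.
SAMPLE_WRITE = bytes.fromhex("0001 0000 000b 01 10 0064 0002 04 0384 02d0")
SAMPLE_READ = bytes.fromhex("0002 0000 0006 01 03 0064 0002")   # benign polling
```

Feeding the same frames through a real IDS pipeline would attach the source IP and timestamp from the packet capture rather than passing them by hand.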

Step 5: Establish Strict Change Management and Backup Procedures

Every change to operational parameters must be approved and documented. Create a formal change request process:

  1. Propose the change with justification and risk analysis.
  2. Test in a sandbox environment if possible.
  3. Schedule during low-demand hours.
  4. Implement with two-person integrity (one engineer executes, another monitors).
  5. Verify after the change that parameters are within safe bounds.
  6. Back up the new configuration and document the change.

Store at least three copies of configuration backups: one on site, one off site, and one in encrypted cloud storage. For critical PLCs, keep a golden image that can be restored quickly if parameters are maliciously altered.
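The post-change verification and golden-image steps as an added example, not part of the original guide: a live PLC register snapshot is reconciled against the golden image and the approved change tickets, two-person integrity and the verification step are enforced on each ticket, and any unapproved drift is listed for restoration. Register numbers, values and ticket fields are constructed.

```python
from dataclasses import dataclass

@dataclass
class Change:
    """One approved change-request record (hypothetical ticket fields)."""
    register: int
    new_value: int
    executed_by: str
    witnessed_by: str
    verified: bool        # post-change verification step completed

def reconcile(golden: dict, live: dict, changes: list) -> dict:
    """Classify every register whose live value differs from the golden image.

    approved   : differs exactly as a witnessed and verified change record says
    unapproved : differs with no valid record, candidate for restoration
    process    : a record exists but breaks two-person integrity or was never verified
    """
    valid, process = {}, []
    for c in changes:
        if c.executed_by == c.witnessed_by or not c.verified:
            process.append(c.register)
        else:
            valid[c.register] = c.new_value
    report = {"approved": [], "unapproved": [], "process": process}
    for reg, value in sorted(live.items()):
        if value == golden.get(reg):
            continue
        bucket = "approved" if valid.get(reg) == value else "unapproved"
        report[bucket].append(reg)
    return report

def restore_plan(golden: dict, report: dict) -> dict:
    """Registers to write back from the golden image (unapproved changes only)."""
    return {reg: golden[reg] for reg in report["unapproved"] if reg in golden}

# Constructed sample data: register 100 changed under a valid ticket; register 102
# changed under a ticket where the same person both executed and witnessed.
GOLDEN = {100: 250, 101: 720, 102: 55}
LIVE = {100: 300, 101: 720, 102: 90}
CHANGES = [Change(100, 300, "alice", "bob", True),
           Change(102, 90, "carol", "carol", True)]

if __name__ == "__main__":
    rep = reconcile(GOLDEN, LIVE, CHANGES)
    print(rep, restore_plan(GOLDEN, rep))
```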

Step 6: Train Staff on ICS Cybersecurity Awareness

Human error is a common breach vector. Conduct quarterly training that covers:

  • Recognizing phishing emails targeting utility employees.
  • Reporting unusual HMI behavior or unscheduled alarms.
  • Following proper remote access procedures (e.g., never sharing VPN credentials).
  • Understanding the consequences of a parameter change attack on public health.

Include hands-on exercises—for example, a tabletop drill where a breach similar to the Polish incident is simulated. Evaluate response times and communication protocols.

Step 7: Develop and Test an Incident Response Plan Specific to ICS

Your IT incident response plan may not cover ICS nuances. Create a dedicated plan with steps for:

  • Detection: How to verify a breach without disconnecting critical systems.
  • Containment: Isolating affected segments while keeping water treatment running.
  • Eradication: Removing attacker access without corrupting PLC memory.
  • Recovery: Restoring verified configurations from clean backups.
  • Post-incident review: Updating policies and sharing threat intelligence.

Test this plan twice a year through tabletop exercises and once a year through a live simulation (with safety precautions). Ensure contact information for law enforcement (like the Polish Security Agency) is up to date.

Tips for Long-Term Success

  • Treat every breach as a learning opportunity. The Polish incident shows that public utilities remain attractive targets. Regularly review threat intelligence from government agencies (e.g., CISA, NCSC) and adjust defenses accordingly.
  • Invest in continuous vulnerability management. Many ICS devices run outdated firmware. Establish a patch policy with vendor consultation—never forgo testing patches on a non-production system first.
  • Use the Principle of Least Privilege. Minimize the number of individuals with remote access to modify parameters. Consider implementing a 'break glass' procedure for emergencies.
  • Don't forget physical security. A breach can start with a compromised USB drive left in a parking lot. Secure control rooms with badge access and cameras.
  • Share anonymized incident data with industry groups like the Water Information Sharing and Analysis Center (WaterISAC). Collective defense strengthens all utilities.

By following these steps, your water treatment facility can drastically reduce the risk of an ICS breach that could alter equipment parameters and endanger public water supplies. Security is not a one-time project—it's a continuous cycle of assessment, improvement, and vigilance.