
Security for Water and Utilities Infrastructure | CloseProtectionHire
Security for water utilities, electricity networks, and critical infrastructure operators: CNI physical security standards, insider threat at utilities, Oldsmar 2021 attack case, and executive protection for utility sector leaders.
Written by James Whitfield
Water utilities, electricity distribution networks, gas transmission operators, and other critical infrastructure operators form the backbone of national security in every developed economy. The physical and personnel security of these assets is a statutory obligation, a national security imperative, and – increasingly – a personal safety matter for the executives who lead them.
This guide addresses the physical security framework for water and utility infrastructure, the insider threat environment at CNI facilities, and the personal security considerations for utility sector executives.
Critical National Infrastructure: The Regulatory Framework
In the UK, 13 sectors are designated Critical National Infrastructure (CNI): chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport, and water. The security obligations that follow are sector-specific rather than a single CNI regime: for water, the Security and Emergency Measures Direction (SEMD), issued by Defra under section 208 of the Water Industry Act 1991, and for operators of essential services more broadly (drinking water supply included) the NIS Regulations 2018. The Centre for the Protection of National Infrastructure (CPNI), renamed the National Protective Security Authority (NPSA) in 2023, provides protective security guidance and assessment for CNI operators; this guide uses the CPNI name where the cited guidance was published under it.
The Water Security Framework. UK water and wastewater companies operate under the Water Industry Act 1991 and associated secondary legislation. The Drinking Water Inspectorate (DWI) regulates drinking water quality and oversees SEMD compliance; Ofwat regulates economic performance; and the Environment Agency regulates environmental compliance. Protective security expectations are set by SEMD and the CPNI/NPSA framework. Water company security officers work within a structure that reports to the company’s executive team and engages with CPNI/NPSA, the Home Office, and regional police Counter Terrorism units.
The US Framework. In the United States, water systems are regulated at the federal level by the EPA (Environmental Protection Agency) under the Safe Drinking Water Act (SDWA) and the America’s Water Infrastructure Act 2018 (AWIA 2018), which requires community water systems serving more than 3,300 persons to conduct risk and resilience assessments and develop emergency response plans. CISA (Cybersecurity and Infrastructure Security Agency) provides the broader CNI framework and issues advisories on threats to water and wastewater infrastructure.
The Oldsmar 2021 Attack: Lessons for Physical Security
The February 5, 2021 incident at the Oldsmar Water Treatment Plant in Florida is the most widely documented case of an apparent deliberate attempt to harm the public by manipulating water treatment chemistry through the plant’s control system.
What happened. A remote session, via TeamViewer – a legitimate remote access application installed on the plant’s control workstations – connected to the SCADA (Supervisory Control and Data Acquisition) interface and raised the sodium hydroxide (lye) dosing setpoint from 100 parts per million to 11,100 parts per million. An operator watching the screen saw the cursor move and the setpoint change, and reverted it immediately. The city also stated that downstream pH monitoring and the transit time to distribution would have caught the change before treated water reached consumers. No public harm resulted.
Security failures identified. The joint CISA/FBI/EPA/MS-ISAC advisory (AA21-042A) identified: a single TeamViewer password shared across plant workstations; no monitoring or session logging of remote access; outdated operating systems (32-bit Windows 7, which had reached end-of-support in January 2020); and control workstations exposed to the Internet without a firewall, with no meaningful segregation between the IT and OT environments. The method of initial access was never publicly confirmed. Shared credentials on an Internet-reachable remote access tool are consistent with credential theft or with knowledge held by a current or former employee; later reporting (2023) quoting the former city manager indicated that the FBI found no evidence of an outside intruder and that the change may have been operator error. Either way, the control weaknesses the advisory listed are real and were exploitable.
Physical security implications. Whatever its origin, the Oldsmar change required no physical presence – it was made entirely through a remote session that the plant could not distinguish from a legitimate one. But the physical security dimension remains significant: the control console is the highest-consequence insider access point; SCADA terminals should sit in a physically restricted area with access logging that can be correlated against control-system changes; and treatment chemical storage should be physically secured independently of the control system environment, so that compromise of one does not hand an attacker the other.
Chemical Storage Security
Water treatment works store significant quantities of treatment chemicals with specific security implications:
CBRN-relevant materials. Chlorine gas (used in older chlorination systems), sodium hypochlorite solution, sodium hydroxide, aluminium sulphate, and fluoride compounds are all present at water treatment works. Chlorine gas in particular is classed as a toxic industrial chemical (TIC): it is not a scheduled chemical under the Chemical Weapons Convention (CWC), but its use as a weapon is prohibited by the Convention’s general purpose criterion and it has been used as one in the field. Theft or deliberate release of these materials creates both a public safety and a terrorism risk.
CPNI chemical storage guidance. CPNI provides specific security guidance for chemical storage at CNI sites that goes beyond the Health and Safety Executive’s COSHH (Control of Substances Hazardous to Health) requirements. The physical security of chemical storage areas is assessed by CPNI as part of the CNI security review, with requirements for alarmed perimeter, access control, CCTV, and response protocols for unauthorised access.
Post-treatment injection. A targeted attack on a water supply does not require physical access to the treatment works. Injection of contaminants at post-treatment points – distribution network access chambers, service reservoirs, pumping station bypass points – bypasses the treatment barrier and has a lower access requirement than the works themselves. Physical security of distribution network infrastructure, not just treatment works, is therefore part of the water sector security framework.
Insider Threat at Utilities
The personnel security challenge for water and electricity utilities has been amplified by the integration of IT and OT environments. Where legacy SCADA systems operated in air-gapped environments, modern integrated architectures mean that a malicious insider with corporate network access may have pathways to operational technology systems.
OT access control. Role-based access control for OT environments should be defined on a need-to-access basis. Not all IT staff require access to SCADA systems; not all OT engineers require access to the corporate network. Logical and physical separation of these environments, with audited crossing points, is the appropriate architecture.
Two-person integrity. Critical control actions – modification of treatment chemical dosing setpoints, opening/closing of major distribution valves, emergency system isolations – should require two-person authorisation, with the approver distinct from the requester. This applies both to physical console actions and to remote access commands, and it should be combined with engineering range limits so that an obviously implausible value (the Oldsmar 11,100 ppm setpoint, for example) is rejected regardless of who requests it. Two-person integrity removes the single point of failure created by one malicious individual with elevated access; it does not defeat collusion, which is why it sits alongside vetting and monitoring rather than replacing them.
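The following is an added illustration of the two controls described above, range limits and a two-person rule applied to a dosing setpoint write. It is not code from the page, from any water utility, or from any SCADA vendor; the tag name, engineering limits, step factor and operator roster are constructed assumptions, and in a real plant these checks belong in the HMI/PLC logic and the remote-access gateway, not only in an application wrapper.

```python
"""Range and two-person checks on a dosing setpoint write (added example).

Tag names, limits, step factor and roster below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed engineering limits (constructed). Oldsmar's normal NaOH setpoint was
# 100 ppm; the value entered during the incident was 11,100 ppm, far outside
# any plausible operating band, so a range check alone would have rejected it.
SETPOINT_LIMITS = {"NaOH_ppm": (50.0, 250.0)}
MAX_STEP_FACTOR = 2.0  # assumed: no single write may move a setpoint by more than 2x

# Assumed roster of identities allowed to request or approve a change per tag.
AUTHORISED = {
    "NaOH_ppm": {"operator_a", "operator_b", "shift_supervisor"},
}


@dataclass(frozen=True)
class SetpointChange:
    tag: str
    current: float
    requested: float
    requester: str
    approver: str


def check_change(c: SetpointChange) -> tuple[bool, str]:
    """Return (accepted, reason). Every rejection names the control that failed,
    so the audit trail shows which barrier stopped the write."""
    allowed = AUTHORISED.get(c.tag)
    if allowed is None:
        return False, f"unknown tag {c.tag}"
    # Authorisation: both parties must hold rights on this tag. A remote session
    # presenting a shared credential does not map to a named, authorised person.
    if c.requester not in allowed or c.approver not in allowed:
        return False, "requester or approver not authorised for this tag"
    # Two-person integrity: the approver must be a different person.
    if c.requester == c.approver:
        return False, "two-person rule: approver must differ from requester"
    # Engineering range: reject values outside the plant's operating band.
    lo, hi = SETPOINT_LIMITS[c.tag]
    if not lo <= c.requested <= hi:
        return False, f"out of engineering range [{lo}, {hi}] ppm"
    # Rate of change: large moves are staged rather than applied in one write.
    if c.current > 0 and max(c.requested, c.current) / min(c.requested, c.current) > MAX_STEP_FACTOR:
        return False, f"step larger than {MAX_STEP_FACTOR}x must be staged"
    return True, "accepted"


AUDIT_LOG: list[tuple[SetpointChange, bool, str]] = []


def submit(c: SetpointChange) -> bool:
    """Evaluate a change and record the decision; only accepted changes would be
    forwarded to the controller (forwarding itself is out of scope here)."""
    ok, reason = check_change(c)
    AUDIT_LOG.append((c, ok, reason))
    return ok


if __name__ == "__main__":
    # Constructed scenario resembling the Oldsmar setpoint change.
    print(check_change(SetpointChange("NaOH_ppm", 100.0, 11100.0, "remote_session", "remote_session")))
    print(check_change(SetpointChange("NaOH_ppm", 100.0, 150.0, "operator_a", "operator_b")))
```

The ordering matters: authorisation and the two-person rule are checked before the value itself, so an unauthorised session is refused without learning where the engineering limits lie.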
CPNI behavioural indicators. CPNI (now NPSA) insider threat guidance identifies behavioural and technical indicators that are relevant to utilities staff, including: access to OT systems outside the individual’s normal working pattern, access to OT systems from the corporate network or from remote locations where that is not the person’s role, downloading or copying of process documentation, P&IDs and network diagrams, and expressed grievances combined with access to critical systems. No single indicator is proof of intent; the guidance is to log them, correlate them per individual, and escalate when several appear together.
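To show what correlating those indicators looks like in practice, here is an added example that runs three of them (out-of-hours OT access, OT access from the corporate network, and downloads of process documentation) over constructed access-log lines and escalates only users who trip more than one category. It is not code from the page or from CPNI/NPSA; the log format, host and network names, working-hours window, sensitive-filename pattern and sample lines are all assumptions, and real HMI, jump-host and file-share logs will need their own parsers.

```python
"""Correlate insider-threat indicators over OT access logs (added example).

Log format, system names, working-hours window and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line shape (constructed): ISO timestamp then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"sys=(?P<sys>\S+) action=(?P<action>\S+)(?: obj=(?P<obj>\S+))?$"
)

OT_SYSTEMS = {"scada-hmi", "plc-eng-ws"}      # assumed OT host classes
CORP_NETWORKS = {"corp-lan", "corp-vpn"}        # assumed IT-side source networks
WORKING_HOURS = (6, 20)                         # assumed normal shift window, 06:00-20:00
SENSITIVE_DOC = re.compile(r"network_diagram|P&ID|dosing|scada|hmi", re.I)

# Constructed sample log: jsmith is a normal day-shift operator, pbrown logs on
# to the HMI from the corporate LAN at night and pulls plant documentation,
# akhan downloads an unrelated file from the corporate file share.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=jsmith src=ot-lan sys=scada-hmi action=login
2024-03-04T09:40:33 user=jsmith src=ot-lan sys=scada-hmi action=setpoint_write obj=NaOH_ppm
2024-03-04T23:48:10 user=pbrown src=corp-lan sys=scada-hmi action=login
2024-03-04T23:52:41 user=pbrown src=corp-lan sys=doc-share action=download obj=WTW_network_diagram.vsdx
2024-03-05T02:03:19 user=pbrown src=corp-lan sys=doc-share action=download obj=dosing_P&ID_rev7.pdf
2024-03-05T14:15:00 user=akhan src=corp-lan sys=doc-share action=download obj=holiday_rota.xlsx
"""


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def indicators(ev):
    """Return the indicator categories a single event trips (possibly none)."""
    hits = []
    if ev["sys"] in OT_SYSTEMS:
        hour = ev["ts"].hour
        if not WORKING_HOURS[0] <= hour < WORKING_HOURS[1]:
            hits.append("ot_access_out_of_hours")
        if ev["src"] in CORP_NETWORKS:
            hits.append("ot_access_from_corporate_network")
    if ev["action"] == "download" and ev["obj"] and SENSITIVE_DOC.search(ev["obj"]):
        hits.append("process_documentation_download")
    return hits


def analyse(log_text):
    """Map each user to the (timestamp, indicator, detail) tuples they tripped."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        for ind in indicators(ev):
            alerts[ev["user"]].append((ev["ts"].isoformat(), ind, ev.get("obj") or ev["sys"]))
    return dict(alerts)


def users_to_escalate(alerts, min_categories=2):
    """Escalate users whose indicators span several categories. A single
    category is triaged (it may be a legitimate call-out); a cluster is not."""
    return sorted(u for u, a in alerts.items() if len({ind for _, ind, _ in a}) >= min_categories)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for user, items in found.items():
        for ts, ind, detail in items:
            print(f"{ts} {user} {ind} {detail}")
    print("escalate:", users_to_escalate(found))
```

The per-user correlation is the point: each rule on its own generates noise (an engineer on call will log on at night), but the same person appearing under several categories within a short window is the pattern the guidance asks security functions to surface.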
Executive Protection in the Utility Sector
Utility executives – particularly those leading UK water companies that have been the subject of sustained public controversy over sewage discharges – have a personal threat profile that has increased materially.
Activist and protest targeting. The campaign against UK water companies over sewage discharge data has included: demonstrations at company offices and executives’ homes (documented in media reporting 2022-2024), personal targeting of named CEOs on social media, and in some cases threats that have been reported to police. The security response includes: residential security review, route assessment for regular commuting patterns, media monitoring and OSINT monitoring of campaign activity, and physical security at corporate offices that is proportionate to the escalation level of protest activity.
State-sponsored collection. CISA, NCSC, and allied agency advisories document state-sponsored campaigns targeting CNI operators. Executives with access to emergency planning documentation, infrastructure layout data, and operational resilience information are attractive intelligence collection targets. Device security and counter-elicitation awareness are appropriate personal measures.
Standard executive risk. Utility sector executives typically earn salaries comparable to other large-company executives and have public profiles through regulatory scrutiny and media attention. The standard kidnap-for-ransom (KFR) and robbery risk associated with any equivalent-profile corporate leader applies.
For the physical security assessment framework applicable to CNI sites and corporate facilities, see our physical security assessment guide. For the insider threat programme framework applicable to utilities and critical infrastructure operators, see our insider threat guide. For organisations navigating the NISR 2003 regulatory framework, IAEA safeguards obligations, and Category I material physical protection standards at nuclear energy facilities – where security governance extends significantly beyond standard CPNI guidance for utility CNI – see our security for nuclear energy facilities guide. For chemical and HAZMAT facilities – including COMAH 2015 top-tier sites, insider threat at high-hazard operations, and close protection for senior engineers visiting chemical clusters in P1 cities such as Mumbai and Istanbul – see our security for chemical plants and hazmat sites guide. For power grid and electrical infrastructure – substation physical security (NERC CIP-014 transmission security assessment requirements), large power transformer vulnerability and lead times, the December 2022 Moore County NC attack lessons, Ukrainian grid Industroyer2 precedent, and inspection team security in P1 markets including Nigeria, Pakistan, and Indonesia – see our security for power grid and electrical infrastructure guide.
Key takeaways
The Oldsmar 2021 attack demonstrated that water infrastructure manipulation is a realistic near-term threat, not an abstract scenario
An attacker gained access to a water treatment plant's control systems, changed chemical dosing to potentially lethal levels, and was only stopped by an alert operator. The attack required no physical presence. The security response requires both OT network security (which is a cyber matter) and physical security of the OT environment -- because a physical insider at the control console is the highest-consequence threat vector.
Chemical storage at water treatment works has a specific terrorism risk dimension that requires enhanced physical security
Treatment chemicals -- sodium hypochlorite, chlorine gas, sodium hydroxide, aluminium sulphate -- are toxic industrial chemicals, and chlorine gas in particular has a weaponisation history. Their theft, or their use to deliberately contaminate the supply, is a realistic attack vector. CPNI/NPSA guidance for chemical storage security at CNI sites specifies physical protection measures that go beyond standard COSHH requirements.
UK water company executives face a specific protest and activist targeting risk following the sewage discharge controversy
The sustained UK campaign targeting water companies over sewage discharges into rivers and coastal waters has escalated from reputational pressure to direct targeting of executives in some cases. This is a documented and ongoing personal security risk that utility company security functions should be actively monitoring and assessing.
OT network integration with IT systems has expanded the insider threat attack surface at utilities significantly
Legacy water and electricity control systems operated in air-gapped environments where an insider generally required physical presence at the control console to cause harm. Modern integrated IT/OT environments can allow manipulation from within the corporate network, or from outside it through remote access tools such as the one used at Oldsmar. The insider threat programme for utilities must address the expanded digital attack surface, not just the physical control room.
State-sponsored targeting of CNI operators requires executive-level counter-intelligence awareness
CISA, NCSC, and allied agency advisories document persistent state-sponsored campaigns targeting critical infrastructure operators including water and energy utilities. Executives with access to operational technology systems, emergency planning documentation, and infrastructure layout data are attractive targets for foreign intelligence collection. Device security, conference discipline, and counter-elicitation awareness are appropriate personal security measures for utility sector leaders.
