Drinking Water – Annex I | Wastewater – Annex II

Water Sector: Critical Infrastructure

Drinking water supply and wastewater disposal are essential for life. NIS2 demands special protection for control systems and treatment plants.

Real Risk: Manipulation of Water Quality

Florida 2021: Hackers attempted to increase sodium hydroxide levels to dangerous values. Only human oversight prevented the catastrophe.

Critical Assets in the Water Sector

OT systems that NIS2 aims to protect

Process Control Systems

SCADA for water works and treatment plants: central control of all processes.

Remote Control Technology

Remote stations, pumping stations, elevated tanks, often connected via insecure links.

Treatment Plants

Chemical dosing, UV disinfection. Manipulation has direct health consequences.

Measurement & Control

Quality sensors, flow measurement. Basis for automatic control.

Typical Risks in the Water Sector

Threats with potentially catastrophic consequences

Treatment Manipulation

Altering chemical dosing, disabling disinfection. Direct health hazard.

Supply Disruption

Ransomware disables pumping stations. No water for households and industry.

Legacy OT Systems

Controllers from the 90s, Windows XP. No patches, no segmentation.

Physical Security

Unsecured remote stations, wells, pump stations. Protect physically and digitally.

Key Measures for the Water Sector

Art. 21 NIS2 for the water sector

1. OT Risk Analysis

Inventory all controllers, sensors, remote stations. Assess criticality. Identify attack paths.

2. Incident Response

Emergency plans for cyber attacks on water supply. Coordination with health authorities and fire services.

3. Business Continuity

Manual control as fallback. Emergency supply via tanker trucks. Priority switching for critical consumers.

5. Secure Procurement

Security requirements in tenders. New installations per security-by-design. Vet suppliers.

9. Access Control

IT/OT network segmentation. Remote access only via secure VPN. Logging of all access.

Quick Wins for Water Utilities

  • Secure remote access: VPN with MFA for all remote connections
  • Isolate OT network: no direct connection to office IT
  • Manual monitoring: regularly check critical parameters on-site
  • Strengthen access control: who may change what?
  • Backup control programs: save PLC programs
  • Create emergency plans: what to do during a cyber attack?

NIS2 Compliance for Water Utilities

Check your applicability in 2 minutes and receive an action plan for critical infrastructure.

Fines: Drinking water (Annex I) up to €10M / 2%, Wastewater (Annex II) up to €7M / 1.4% of global annual turnover.

Other NIS2 Sectors

NIS2 covers 18 different sectors. Learn about other industries as well.
