A regional municipal water authority responsible for 50 distributed sites faced a stark reality: most plants had no remote access at all, and the few that did relied on inconsistent VPN configurations with shared credentials and manual firewall port-opening for vendors. With 12 confirmed attacks on water infrastructure in a single 12-month period and EPA AWIA recertification deadlines approaching, the authority needed a solution its seven-person SCADA team could deploy without disrupting existing infrastructure.
By deploying Xona's Critical System Gateway in a phased three-year rollout, the authority achieved zero-trust secure access across all 50 sites without a single network change. Vendor access transitioned from shared credentials and manual firewall rules to named accounts with MFA, moderated approval workflows, and full session recording, all for approximately $112,000 to $150,000 per year in a phased rollout aligned to municipal budget cycles. The result is zero direct network connectivity: users interact with OT systems in real time, but their endpoints are never connected to the OT network.
The authority's 50 sites ran GE iFIX for HMI and supervisory control, Rockwell PLCs for process automation, and VMware vSphere for virtualization. The access situation was fragmented:
No remote access at most sites. The team drove to facilities for every issue, a major constraint for seven people covering a large geographic region.
Shared credentials for vendors. Process control integrators used shared usernames and passwords with no individual accountability.
Manual firewall port-opening. Each vendor request required manually opening ports, a process that often left ports open longer than intended.
No MFA, no session recording. Neither staff nor vendor access was protected by multi-factor authentication, and there was no record of vendor activity.
The authority selected Xona based on three decisive factors: zero network changes required, browser-based simplicity, and phased licensing that aligned with municipal budget cycles. Xona's CSG deploys at each site as an overlay, with no reconfiguration of firewalls, switches, or SCADA systems. Users connect via any standard browser over HTTPS port 443 only. The CSG terminates OT protocols inside the plant network and streams only encrypted pixel images to the browser. The user's device never connects directly to any SCADA asset.
The three-year phased rollout distributed costs across municipal budget cycles: 30 sites and 50 users in Year 1 at approximately $112,000; 45 sites and 125 users in Year 2 at approximately $150,000; and full coverage across all 50 sites and 150 users in Year 3. Each site deployment averaged 30 minutes. The SCADA team performed all deployments themselves, with no external consultants.
Key vendor access improvements included named accounts with MFA for every vendor technician, moderated access requiring SCADA team approval before each session goes live, credential injection so vendors never see or handle plant passwords, time-based controls with automatically expiring access windows, full session video recording with timestamps, and instant revocation via Kill Button and Lockbox.
Operational improvements: The team diagnoses and resolves issues at any site within minutes instead of driving for hours, transformative for a seven-person team covering 50 sites. Every vendor session is now documented with video recording, timestamps, and user attribution. Vendor access is governed through automated policy rather than phone calls and manual port changes.
Security improvements: Every user has a unique, named account with MFA enforced at the Xona gateway. Protocol isolation means no RDP, SSH, or VNC traffic leaves the plant network, reducing the attack surface to a single HTTPS endpoint.
Regulatory alignment: Xona's controls directly address the access governance, MFA, and audit trail requirements that EPA AWIA risk assessments require utilities to demonstrate. Session logs, access records, and forensic video recordings support incident reporting within the mandated 72-hour window for CIRCIA readiness.