WATER UTILITIES

Secure Remote Access for Water Utilities: EPA and CISA December 2024 Controls

EPA and CISA published joint guidance in December 2024 specifying four controls for water utility remote access: MFA, session logging, IP allowlisting, and HMI access restriction. The CSG implements all four.
On February 5, 2021, an attacker accessed the Oldsmar, Florida water treatment HMI over a remote desktop session and raised the sodium hydroxide level 100 times. An operator saw the mouse cursor moving. That was the only defense. Deploy in 20 minutes per facility without disrupting operations.

BAKER HUGHES

GE VERNOVA

ALTAGAS

ALUAR

MITSUBISHI

EPA AWIA

EPA/CISA DECEMBER 2024

WATERISAC

SOC 2 TYPE II

KUPPINGERCOLE LEADER 2025

20 min

Deployment per Facility

4 of 4

EPA/CISA Controls Covered

100x

NaOH Setpoint Increase (Oldsmar)

SOC 2

Type II Certified
Xona-Water Utilities-Image

The Oldsmar Incident and What It Actually Demonstrates

On February 5, 2021, a remote user accessed the HMI at the Oldsmar, Florida water treatment plant using a remote
desktop tool. The session was not unusual. Remote desktop tools are how water utility vendors access treatment control
systems. The attacker raised the sodium hydroxide setpoint from 111 parts per million to 11,100 parts per million. A plant
operator at the console saw the mouse cursor moving on its own and reversed the change before contaminated water
reached residents.
No MFA on the remote access tool. Internet-facing HMI. Shared credentials. No session recording. No access logging.

One operator watching a screen was the entire defense posture. It was enough. Once.

Remote access ranks among the top three OT vulnerability vectors in the SANS 2025 survey. For water utilities: SCADA systems communicating over Modbus and DNP3, chemical dosing controllers, and HMIs managing chlorination setpoints.

Platform Capabilities

Session-brokered, protocol-isolated access for every vendor, every maintenance window, every treatment facility.

MFA and HMI Access Control

  • EPA/CISA December 2024 guidance specifies MFA for all remote logins and access controls restricting who can reach HMIs
  • The CSG enforces MFA before any asset access begins
  • Role-based access at the gateway scopes vendor sessions to authorized assets only. No internet-exposed HMIs. No shared credentials. 
Result

The four December 2024 controls enforced at the gateway, not managed through manual firewall rules.

Session Recording and AWIA Finding Closure

  • Xona Centralizer captures every session with timestamps, user attribution, and asset-specific recordings
  • Your AWIA Risk and Resilience Assessment identified vendor remote access as an exposure
  • Session records, access logs, and user attribution close that finding with documented evidence
Result

Centralized governance across every connected treatment plant from one console.

On-Premises for Rural Utilities

  • Most community water systems serve fewer than 50,000 people. Many have no dedicated cybersecurity staff.
  • The CSG operates on-premises without a cloud dependency in the access path
  • Local access controls are enforced whether or not the upstream connection to Centralizer is active
Result

No cloud budget. No IT team. No concessions on security controls.

Session Hold for Remote Treatment Plants

  • Rural treatment plants with intermittent connectivity lose sessions during network interruptions
  • Session Hold (v5.5) maintains active sessions through connectivity loss
  • Session data logs locally and synchronizes when connectivity is restored
Result

Network interruptions at remote facilities do not disrupt authorized vendor maintenance.

20

minutes to deploy per facility

Step 1: Deploy gateway at each treatment plant. OT network topology unchanged. Network firewall policies may require minor updates. Step 2: Grant vendors time-limited, asset-scoped access. Step 3: EPA/CISA December 2024 controls and AWIA documentation produced automatically.

Named "Leader in OT/ICS Secure Remote Access" by KuppingerCole Leadership Compass 2025
Deployed across 40+ sites in 40+ countries including critical infrastructure operators in utilities and energy. The platform is purpose-built for facilities with limited IT resources. On-premises architecture, 20-minute deployment, and one-console management are designed for the operational reality of small and mid-size utilities.
Also deployed by Baker Hughes, GE Vernova, AltaGas, Aluar, and Mitsubishi. These are production deployments, not pilots.

Built for Your Role

Utility Operations / Plant Manager

  • Deploy in 20 minutes per treatment plant without changes to OT network topology or control system configurations
  • Manage vendor access for SCADA integrators and chemical dosing calibration from one console
  • Produce the session log and user attribution an EPA auditor or incident investigator would request

OT / SCADA Engineer

  • Session isolation for chemical dosing controllers, chlorination HMIs, and Modbus/DNP3 SCADA assets
  • On-premises operation with no cloud dependency in the access path at rural and remote facilities
  • Session Hold (v5.5) maintains active sessions through network interruptions at remote treatment plants

CISO / IT Director

  • EPA/CISA December 2024 four-control coverage from one architecture, not four separate tools
  • SOC 2 Type II certified, KuppingerCole Leader in OT/ICS Secure Remote Access 2025
  • Every vendor session recorded, timestamped, user-attributed, and audit-ready

Regulatory / Compliance Officer

  • AWIA Section 1433 vendor remote access finding closed with session records, access logs, and user attribution
  • WaterISAC 15 Fundamentals #12 (MFA and remote access controls) satisfied at the gateway
  • Positioned for CIRCIA mandatory incident reporting requirements (expected 2025-2026)

Xona vs. Traditional Remote Access

Capability
Deployment Time
Network Changes
Protocol Isolation
Session Recording
EPA/CISA Controls
Rural/Remote Support
IT Staff Required
AWIA Documentation

Xone-Logo-White@2x

 

20 minutes per facility
OT topology unchanged. Minor firewall policy updates may apply.
Full. OT protocols terminate at boundary.
Every session. Timestamped. User-attributed.
All 4: MFA, logging, allowlisting, HMI restriction
On-premises. No cloud required. Session Hold.
No. One administrator.
Session records close the RRA finding
Traditional VPN
Days to weeks
Firewall rules, VLANs
None. Tunnel carries all traffic.
IP-level logs only.
Manual firewall rules
Requires stable connection
Network engineering team
Manual log aggregation
Cloud ZTNA
Hours to days
Cloud connector config
Partial. Cloud relay.
Varies. Often cloud-stored.
Cloud-dependent MFA
Requires cloud connectivity
Cloud admin + security team
Cloud audit reports
Jump Server
Days to weeks
Network segmentation
None. Direct session.
Screen recording add-on.
Shared credentials common
Requires stable connection
Server admin + network team
Manual evidence assembly

EPA and CISA Compliance Mapping

EPA AWIA (2018) amended Section 1433 of the Safe Drinking Water Act. Community water systems serving 3,300 or more persons must complete a Risk and Resilience Assessment covering physical and cyber threats, and develop an Emergency Response Plan. Systems must certify completion to EPA and update every five years.
 
AWIA requires the assessment. AWIA does not prescribe specific technical controls. The result: every community water system serving 3,300+ persons has a documented vulnerability assessment. Many identify vendor remote access as an exposure. The assessment created the finding. The CSG closes it.
 
In December 2024, CISA and EPA published joint guidance addressing internet-exposed HMIs in the water and wastewater sector. The guidance specifies four controls.
Requirement
AWIA RRA (Section 1433 SDWA)
EPA/CISA Dec 2024: Restrict HMI remote access
EPA/CISA Dec 2024: Require MFA
EPA/CISA Dec 2024: Log all remote access events
EPA/CISA Dec 2024: IP allowlisting
EPA/CISA Dec 2024: IP allowlisting
Control
Document and address remote access exposure
Access controls limiting who can reach HMIs
MFA on all remote logins
Timestamps, user ID, duration per session
Restrict to authorized addresses
MFA and remote access controls
Architecture
Centralizer audit trail closes the RRA finding
Role-based access at CSG; vendor cannot reach assets beyond authorized scope
MFA enforced at CSG before any asset access
Centralizer session recordings satisfy logging requirement automatically
Access policies in Centralizer govern which principals reach which assets
CSG/Centralizer architecture satisfies WaterISAC Fundamental 12

CIRCIA and Upcoming Reporting Requirements

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require critical infrastructure operators, including water utilities, to report qualifying cyber incidents to CISA. Final rulemaking is expected 2025-2026. Utilities with documented access controls, session recordings, and user attribution are positioned to meet reporting requirements when they take effect.

International Context

Australia SOCI Act 2021 (water and sewerage designated as critical infrastructure). Singapore OT Masterplan 2024. EU NIS2 (drinking water supply). The same architecture addresses multiple regulatory frameworks across jurisdictions.

EPA AWIA

EPA/CISA DECEMBER 2024

WATERISAC

SOC 2 TYPE II

Technical Specifications

OT Protocols
Modbus TCP/RTU
DNP3
Telnet
VNC
HTTP/HTTPS
RDP
SSH
SCADA-specific legacy protocols
Architecture
CSG (Xona Secure Gateway)
CSG (Xona Secure Gateway)
Centralizer
Deployment
On-premises
hybrid
air-gapped
No cloud dependency required
Endpoints
Agentless
No software on OT endpoints
Certifications
SOC 2 Type II
KuppingerCole Leader 2025
v5.5 Features
Session Hold
Auto-Reconnect
concurrent multi-protocol sessions
session transfer

FAQ

Our AWIA Risk Assessment identified vendor remote access as a vulnerability. Does this close that finding?

Yes. The RRA documents the exposure. The ERP documents how you address it. Session recordings with timestamps, user attribution, and asset-specific access logs document the technical controls that close the vendor remote access finding. MFA enforcement at the gateway addresses the authentication gap. The architecture satisfies what EPA/CISA December 2024 guidance recommends and provides the documentation an ERP requires.

Is there a federal mandate requiring specific remote access controls for water utilities?

No binding technical mandate exists. EPA AWIA requires a risk assessment and emergency response plan but does not prescribe specific controls. EPA and CISA joint guidance (December 2024) describes recommended controls. These are not legally enforceable. Water utilities implementing the recommended controls are positioned for CIRCIA mandatory incident reporting (expected 2025-2026) and demonstrate documented good-faith compliance in any EPA inspection or post-incident review context.

We have no dedicated IT or cybersecurity staff. Can we actually deploy and manage this?

Yes. The gateway deploys in 20 minutes per site without network changes to OT topology or control system configurations. Network firewall policies may require minor updates to enable the CSG connection path. One administrator manages access policies, reviews session recordings, and enforces controls across every connected facility from a single console. The operational model is designed for utilities where security management is a part-time responsibility, not a dedicated function. Supported protocols include Telnet, VNC, HTTP/HTTPS, Modbus, DNP3, and SCADA-specific legacy protocols.

How does the system handle intermittent or low-bandwidth internet at rural treatment plants?

The CSG operates on-premises without a cloud dependency in the access path. Local access controls are enforced whether or not the upstream connection to Centralizer is active. Session data logs locally and synchronizes when connectivity is restored. Session Hold (v5.5 feature) maintains active sessions through network interruptions without requiring reauthentication. Rural and remote facilities with intermittent connectivity are a supported architecture.

Our SCADA vendor needs remote access to chemical dosing controllers for routine calibration. How does that work?

The vendor submits an access request through Centralizer. Vendor access requires explicit administrator approval before each session begins. Centralizer enforces time-limited, asset-scoped sessions. The CSG enforces session isolation: the vendor accesses the Modbus-connected dosing controller through the gateway interface. No SCADA network access beyond the authorized asset. The session is recorded with full timestamps and user attribution. Access terminates automatically at session end. No persistent vendor connection remains.

What would the Oldsmar attack look like if remote access was controlled through this architecture?

The attacker's connection attempt through an unapproved remote desktop tool would be rejected before reaching the HMI. No authorized session exists for that user through the gateway. If a vendor session were active at the time, it would be isolated: the authorized vendor sees only the assets within the scope of that session. The attacker gains no access. The session recording shows the authorized vendor's activity, and any unauthorized attempt is logged as a rejected access event. The operator no longer needs to watch for an unexpected mouse cursor.

How does CIRCIA affect water utilities, and are we ready for reporting requirements?

CIRCIA will require critical infrastructure operators to report qualifying cyber incidents to CISA within defined timeframes. Final rulemaking is expected 2025-2026. Utilities with documented access controls, session recordings, and user attribution already have the forensic evidence baseline that incident reporting requires. Implementing controls now means the reporting infrastructure is in place before the mandate takes effect.

We operate a rural water district with 8 treatment plants spread across 200 miles. How does multi-facility management work?

Centralizer provides centralized governance across every connected facility. One administrator manages access policies, reviews session recordings, and enforces controls for all 8 treatment plants from a single console. Each facility has a locally deployed CSG that operates independently of the others. Session Hold (v5.5) handles the intermittent connectivity that is standard across rural water infrastructure. Deploy at each facility in 20 minutes without sending an IT team.

Stop Relying on One Operator Watching a Screen. Start Closing the AWIA Finding.

The Oldsmar attacker reached the HMI because no gateway stood between the internet and the treatment control system. The CSG is that gateway. MFA, session logging, IP allowlisting, HMI access restriction. All four EPA/CISA December 2024 controls. 20-minute deployment per facility. AWIA RRA documentation ready from day one.

 Secure access for the systems that keep the world running.
© Xona Systems, 2026
Cookie Policy
Privacy Policy
Disclosure Policy
Website Terms of Service
Terms & Conditions