
NIS2 for Water Suppliers and Wastewater Operators

TL;DR
  • Drinking water and wastewater are listed in NIS2 Annex I as separate sectors of high criticality. Affected companies qualify as essential entities.
  • Water supply is highly dependent on SCADA systems and remote control technology that centrally manage and monitor distributed facilities (wells, elevated tanks, pumping stations, treatment plants).
  • For larger water suppliers, dual regulation applies: NIS2 and the existing KRITIS regulation under the BSI Act run in parallel. Both frameworks must be fulfilled.
  • A cyberattack on the water supply can jeopardize drinking water quality, posing an immediate health hazard to the population.
  • A water supplier with 65 employees and a service area of 80,000 inhabitants can achieve NIS2 compliance within 12 months but must focus on OT security from the outset.

Why Water Suppliers and Wastewater Operators Fall Under NIS2

Drinking water is the most essential foodstuff. If the water supply fails or drinking water quality can no longer be guaranteed, the impact on the entire population is felt within hours. Hospitals need water for operations, food manufacturers cannot produce, fire departments lose their fire-fighting water supply. Wastewater disposal is the counterpart: if treatment plants fail, environmental pollution and hygiene hazards threaten.

The European legislator has included both areas in Annex I of the NIS2 Directive as sectors of high criticality:

  • Drinking water: Suppliers and distributors of water intended for human consumption
  • Wastewater: Companies that collect, dispose of, or treat wastewater

The inclusion of wastewater disposal as a separate sector in Annex I is a new addition compared to the predecessor directive NIS1, which only covered drinking water supply. NIS2 thus acknowledges that wastewater disposal is also a critical infrastructure whose failure can cause significant environmental and health damage.

Specifically affected are:

  • Municipal water suppliers: Municipal utilities, water associations, municipal-owned enterprises
  • Private-sector water suppliers: Companies operating water supply on behalf of municipalities
  • Wastewater operators: Operators of treatment plants, sewer networks, and stormwater management
  • Combined utility providers: Municipal utilities offering water, wastewater, and energy from a single source

The thresholds are the same as for all NIS2 sectors: at least 50 employees or at least 10 million euros in annual revenue. However, as with the energy sector, the BSI can classify entities below these thresholds if their failure would have significant impacts on public supply.

In practice, NIS2 affects a very large number of water suppliers and wastewater operators. The German water industry is highly decentralized: there are approximately 5,800 water supply companies and around 6,800 wastewater disposal operators. Many of these are small municipal operations with fewer than 50 employees that do not fall under NIS2. But the medium and large suppliers, particularly municipal utilities and associations serving entire regions, regularly exceed the thresholds.

Essential Entity: The Highest Regulatory Tier

Since drinking water and wastewater are listed in Annex I, affected companies qualify as essential entities. This means:

  • Proactive BSI supervision (the BSI can request evidence at any time)
  • Fines of up to 10 million euros or 2 percent of global annual revenue
  • Reporting obligations: 24-hour initial report, 72-hour follow-up report, 1-month final report
  • Regular security reviews by or on behalf of the BSI
  • Personal liability of the management

The Unique IT/OT Landscape of the Water Industry

The water industry has an IT landscape that fundamentally differs from a typical office operation. The core of operations is not ERP systems or email servers but process control technology and remote control technology distributed across a widely spread network of facilities.

SCADA and Process Control: The Heart of Operations

SCADA systems (Supervisory Control and Data Acquisition) are the central control and monitoring system in the water industry. All facilities are monitored and controlled from a control room:

  • Water treatment plants: Processing raw water into drinking water (filtration, disinfection, pH adjustment)
  • Wells and springs: Water extraction, level monitoring, pump control
  • Elevated tanks: Drinking water storage, level monitoring, pressure regulation
  • Pumping stations: Pressure boosting in the supply network, demand-controlled pump regulation
  • Treatment plant: Mechanical, biological, and chemical wastewater treatment, sludge processing
  • Sewer network: Monitoring of water levels, control of storm overflow basins and pumping stations

The SCADA system collects measurements (flow rate, pressure, water level, pH value, turbidity, chlorine content, temperature) from hundreds or thousands of measurement points, visualizes them for operators, and enables control interventions (pumps on/off, valves open/close, dosage adjustments).

Remote Control Technology: The Link to Remote Stations

The biggest challenge in the water industry is the spatial distribution of facilities. A medium-sized water supplier typically operates 10 to 30 remote stations (wells, elevated tanks, pumping stations) distributed across the entire service area. These facilities are connected to the central control room via remote control technology.

The remote control technology comprises:

  • Remote Terminal Units (RTUs): Decentralized control units at each remote station that capture local measurements, execute local control tasks, and transmit data to the central SCADA system
  • Communication network: The connection between RTUs and the control room uses various media: owned lines, leased dedicated connections, DSL, mobile (4G/5G), directional radio, or satellite communication
  • Protocols: Typical remote control protocols are IEC 60870-5-101 (serial) and IEC 60870-5-104 (IP-based). Older facilities still use Modbus or proprietary protocols

From a NIS2 perspective, remote control technology is a critical element because it significantly expands the attack surface. Every remote station with a network connection is a potential entry point. The communication paths, particularly over public networks (DSL, mobile), must be encrypted and authenticated.

Water Quality Monitoring: When Manipulation Becomes Life-Threatening

Drinking water quality monitoring is legally required (Drinking Water Ordinance, TrinkwV). Online analytical instruments continuously measure parameters such as pH value, turbidity, conductivity, and disinfectant concentration (typically chlorine or chlorine dioxide). Threshold exceedances automatically trigger alarms and can initiate control interventions (such as increasing chlorine dosage or shutting down a well).

A cyberattack on water quality monitoring has potentially life-threatening consequences:

  • Manipulation of measurement values: If an attacker manipulates pH or chlorine measurements, contaminated water can enter the network without the system raising an alarm
  • Chemical overdosing: If an attacker increases the chlorine dosage, drinking water can reach health-damaging concentrations
  • Disinfection shutdown: If the disinfection system is deactivated, pathogens can enter the drinking water

The attack on the water treatment plant in Oldsmar, Florida (2021) demonstrated that these scenarios are not theoretical. An attacker gained remote access to the SCADA system and attempted to increase the sodium hydroxide level by a factor of 100. An alert operator noticed the manipulation in time.

KRITIS Overlap: Two Regulatory Frameworks in Parallel

Larger water suppliers have been regulated as KRITIS operators for years. The KRITIS ordinance defines thresholds for the water industry: a water supplier qualifies as a KRITIS operator if it serves more than 500,000 people. A treatment plant qualifies as KRITIS if it exceeds a certain design capacity.

NIS2 significantly lowers this threshold. A water supplier with 60 employees serving a small city of 40,000 inhabitants was previously not a KRITIS operator but falls under NIS2. This considerably expands the circle of regulated companies in the water industry.

For companies that are both KRITIS operators and NIS2-regulated, both frameworks apply in parallel:

| Aspect | KRITIS (BSIG) | NIS2 |
| --- | --- | --- |
| Threshold | Population served (500,000 persons) | Company size (50 employees / 10M EUR) |
| Measures | State of the art, B3S applicable | 10 minimum measures per Art. 21 |
| Verification | Every 2 years to BSI | Proactive supervision, BSI can audit at any time |
| Reporting obligation | Significant IT disruptions | 24h/72h/1 month scheme |
| Personal liability | Not explicit | Management is personally liable |
| Training obligation | Not explicit | Management must complete cybersecurity training |

The good news: those who already meet KRITIS requirements and operate an ISMS based on ISO 27001 or the industry-specific security standard (B3S) for the water industry have a solid foundation. The NIS2-specific requirements (personal liability, training obligation, supply chain security, three-tier reporting scheme) need to be added, but building an ISMS from scratch is not necessary.

Specific NIS2 Requirements for the Water Industry

Risk Analysis: Drinking Water Quality and Environmental Protection

The risk analysis of a water supplier must consider two additional dimensions beyond classic IT risks. In ISMS Lite, drinking water quality and environmental protection can be integrated as dedicated assessment criteria in the risk matrix:

  1. Drinking water quality: What happens if quality monitoring fails or is manipulated? What are the consequences for consumer health?
  2. Environmental protection: What happens if the treatment plant fails or does not operate properly? What discharges into waterways are at risk?

The risk analysis must answer the following questions:

  • Which SCADA functions are indispensable for drinking water quality? (Disinfection, pH regulation, turbidity monitoring)
  • What happens in a total SCADA system failure? Can remote stations continue to operate autonomously?
  • How long can water supply be maintained during an IT outage? (Elevated tanks typically provide a buffer of 12 to 48 hours)
  • Which remote control installations are connected via public networks and thus particularly vulnerable?

Network Segmentation: IT, OT, and Remote Control Technology

The network architecture of a water supplier must rigorously separate three areas:

Office IT: ERP system (typically SAP or an industry-specific solution), email, administration, customer communications, GIS (geographic information system for the pipe network).

Process OT: SCADA server, operator workstations, historian, engineering stations. These systems control and monitor water treatment and distribution.

Remote control technology: RTUs at remote stations, communication infrastructure (routers, modems, VPN gateways). This layer bridges central OT and decentralized facilities.

Recommended network segmentation:

| Zone | Systems | Security Measures |
| --- | --- | --- |
| Enterprise (IT) | ERP, email, GIS, internet | Standard IT security, firewall, endpoint protection |
| DMZ | Historian (data provision for IT), patch server, remote access gateway | Application-level firewall, no direct IT-OT connections |
| Process OT | SCADA server, operator workstations, engineering | Strict access control, no internet access, dedicated domain |
| Remote control technology | RTUs, communication infrastructure | VPN-encrypted connections, authentication, monitoring |
| Safety | Safety-related controls (chlorine dosing, emergency shutdown) | Physically separated, no remote access |

Securing Remote Control Technology

Remote control technology is the most vulnerable element of OT infrastructure in the water industry because communication can run over public networks and remote stations are physically difficult to protect.

Recommended measures:

  • VPN encryption: All remote control connections over public networks (DSL, mobile) must be protected by VPN tunnels
  • Authentication: Each RTU must authenticate to the SCADA system (certificate-based or equivalent)
  • Firewall at each remote station: Even if the RTU communicates through a VPN tunnel, a local firewall should restrict traffic to the necessary protocols and ports
  • Monitoring of remote control connections: Unusual traffic (unknown protocols, unusual data volumes, connection attempts outside defined parameters) must be detected and alerted
  • Physical security of remote stations: Access control (locks, alarm systems), tamper protection for control cabinets, camera surveillance at critical locations
  • Fallback capability: RTUs must be configured to continue operating autonomously when the connection to the control room is lost (local control logic, alerting via alternative means)

Protecting Water Quality Monitoring

Online analytical instruments for drinking water quality deserve special protection because their manipulation can directly impact consumer health.

  • Physical separation of analytical instruments from the SCADA network: Measurement values flow to the SCADA system via dedicated channels, but analytical instruments cannot be configured directly from the SCADA network
  • Plausibility checks: Automatic verification that measurement values fall within physically plausible ranges. A pH value that jumps from 7 to 12 within seconds is physically implausible and should trigger an alarm
  • Manual control measurements: Regular manual sampling and laboratory analyses as cross-checks against online monitoring
  • Independent dosing monitoring: Chemical dosing (chlorine, flocculant) should be monitored via an independent measurement not controlled by the same SCADA system

Practical Example: Water Supplier with 65 Employees

Starting position:

Wasserwerk Flusstal GmbH (fictitious example) is a municipal water supplier and wastewater operator based in Rhineland-Palatinate. 65 employees, 14 million euros annual revenue. The company supplies a city of 80,000 inhabitants with drinking water and operates wastewater disposal including a treatment plant with 120,000 population equivalents.

The IT and OT infrastructure:

  • SCADA system: COPA-DATA zenon, two redundant servers in the control room, 4 operator workstations
  • Remote stations: 22 RTUs (Siemens SICAM A8000) at wells, elevated tanks, and pumping stations. Communication via DSL (14 stations) and mobile 4G (8 stations)
  • Treatment plant: Dedicated process control system (Siemens PCS 7), 8 PLCs for control of treatment stages
  • Water quality monitoring: 6 online analysis stations (pH, turbidity, chlorine, conductivity) at the water treatment plant and network feed points
  • ERP system: Industry solution (Schleupen, on-premise), billing, customer management, materials management
  • GIS: Geographic information system for the pipe network (Smallworld)
  • Server infrastructure: 6 servers (SCADA, treatment plant PCS, ERP, file server/AD, GIS, backup)
  • Workstations: 25 PCs (control room, administration, laboratory, treatment plant)
  • Laboratory equipment: For self-monitoring per Drinking Water Ordinance and wastewater self-monitoring regulation

IT is managed by an IT manager and an automation technician. An external IT service provider handles server maintenance and network management. No ISMS exists. The supply threshold for KRITIS (500,000 persons served) is not reached, meaning the company was not previously regulated as a KRITIS operator.

Phase 1: Inventory and Regulatory Classification (Months 1-2)

Applicability analysis: Wasserwerk Flusstal falls under NIS2 with 65 employees and 14 million euros in revenue. Drinking water and wastewater are listed in Annex I. Classification: essential entity. This means proactive BSI supervision, even though the company was not previously KRITIS-regulated.

Regulatory inventory: In addition to NIS2, Wasserwerk Flusstal is subject to the following regulations: Drinking Water Ordinance (TrinkwV), Federal Water Act (WHG), state wastewater self-monitoring regulation, Municipal Charges Act (for fee collection), GDPR (customer data), Operational Safety Regulation.

Appoint CISO: The IT manager takes on the CISO role at 50 percent time allocation. Since the company had no prior ISMS, an external consultant with OT security expertise is engaged for the initial implementation.

Create asset inventory:

| Category | Count | Most Critical Asset |
| --- | --- | --- |
| SCADA server | 2 (redundant) | Primary SCADA server (zenon) |
| Remote stations (RTUs) | 22 | RTUs at main wells and water treatment plant |
| Treatment plant PCS | 1 system, 8 PLCs | PCS 7 of the treatment plant |
| Water quality analyzers | 6 | Chlorine dosing monitor at the water treatment plant |
| IT servers | 4 | ERP (Schleupen), Active Directory |
| Communication infrastructure | 22 VPN routers | DSL/mobile connections to remote stations |
| Workstations | 25 | Operator workstations in the control room |

Key finding: Of the 22 remote stations, 8 are connected via mobile (4G). The VPN routers at these stations date from 2018 and use an outdated VPN protocol. Three remote stations have no VPN encryption at all and communicate with the SCADA system via a direct mobile connection. A firewall exists between the SCADA network and the office network, but the rulesets have not been reviewed since the initial installation in 2019.

Phase 2: Risk Analysis (Months 3-4)

| Risk | Impact on Supply | Impact on Health/Environment | Rating |
| --- | --- | --- | --- |
| Manipulation of chlorine dosing | Disinfection ineffective or overdosing | Direct health hazard for 80,000 consumers | Critical |
| Ransomware encrypts SCADA | No central control and monitoring | Remote stations run autonomously but without monitoring | Critical |
| RTU compromise via mobile | Unauthorized control of affected remote station | Pump failure, pressure loss, local supply disruption | High |
| Treatment plant failure | Untreated wastewater discharged | Water pollution, environmental damage | Critical |
| Manipulation of water quality data | Threshold exceedances go undetected | Contaminated water in the network | Critical |
| Ransomware on ERP | Billing and customer management unavailable | No direct supply impact | Medium |
| Compromise of remote maintenance access | Unauthorized access to SCADA and treatment plant | Process manipulation possible | Critical |

Identified as particularly critical: The three remote stations without VPN encryption and the lack of segmentation of water quality monitoring. These risks are addressed with the highest priority.

Phase 3: Technical Measures (Months 5-8)

Secure remote control technology (Months 5-6, highest priority):

  • All 22 remote stations receive up-to-date VPN routers with IPsec encryption. The three unencrypted connections are immediately switched to VPN.
  • The 8 mobile stations receive SIM cards with a fixed APN and private IP address space instead of public IP addresses
  • Firewall rules at each VPN router: Only IEC 60870-5-104 on defined ports, everything else is blocked
  • Monitoring: Each remote control connection is monitored. Connection drops, unusual data volumes, and connection attempts from unknown sources trigger alerts
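The connection monitoring described in the measures above and in "Securing Remote Control Technology", as an added example that is not part of the original article or of any product it mentions. The script evaluates constructed VPN-router flow records against a per-station allowlist: each RTU may only reach the SCADA server over IEC 60870-5-104 (TCP/2404), a station whose data volume exceeds a multiple of its baseline is flagged, a source that is not a registered RTU is flagged, and a station that has not reported within a heartbeat window is reported as a probable connection drop. Station names, tunnel addresses, baselines and thresholds are assumptions.

```python
"""Flow-level monitor for remote control (telecontrol) links (added example).

Not code from the article or any vendor. Checks constructed VPN-router flow
records against a per-RTU allowlist. Addresses, names and thresholds are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

IEC104_PORT = 2404
SCADA_IP = "10.10.0.5"              # SCADA server inside the process OT zone (assumed)
HEARTBEAT = timedelta(minutes=10)   # every station must have reported within this window
VOLUME_FACTOR = 3.0                 # alert when an interval exceeds 3x the station baseline


@dataclass(frozen=True)
class Rtu:
    name: str
    baseline_bytes: int   # typical bytes per reporting interval, taken from history


# Constructed allowlist: four of the 22 stations of the worked example
RTUS = {
    "10.20.1.11": Rtu("Well 3", 18_000),
    "10.20.1.12": Rtu("Elevated tank North", 12_000),
    "10.20.1.13": Rtu("Pumping station East", 25_000),
    "10.20.1.14": Rtu("Well 7", 18_000),
}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<ISO time> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, proto, int(dport), int(nbytes))


def check_flows(lines, now: datetime):
    """Return a list of alert strings for the given flow records."""
    alerts = []
    last_seen = {}
    for line in lines:
        f = parse_flow(line)
        rtu = RTUS.get(f.src)
        if rtu is None:                       # not one of our stations at all
            alerts.append(f"unknown source {f.src} -> {f.dst}:{f.dport}")
            continue
        last_seen[f.src] = max(f.ts, last_seen.get(f.src, f.ts))
        if f.dst != SCADA_IP or f.proto != "tcp" or f.dport != IEC104_PORT:
            alerts.append(f"{rtu.name}: non-IEC104 traffic {f.proto}/{f.dport} to {f.dst}")
        if f.nbytes > rtu.baseline_bytes * VOLUME_FACTOR:
            alerts.append(f"{rtu.name}: volume {f.nbytes} B exceeds {VOLUME_FACTOR}x baseline")
    for ip, rtu in RTUS.items():              # silence is a finding too: a dropped link
        seen = last_seen.get(ip)
        if seen is None or now - seen > HEARTBEAT:
            alerts.append(f"{rtu.name}: no traffic within heartbeat window (connection drop?)")
    return alerts


SAMPLE_LOG = [  # constructed records
    "2025-03-01T10:00:00 10.20.1.11 10.10.0.5 tcp 2404 17500",
    "2025-03-01T10:00:05 10.20.1.12 10.10.0.5 tcp 2404 11800",
    "2025-03-01T10:00:10 10.20.1.13 10.10.0.5 tcp 2404 24000",
    "2025-03-01T10:00:20 10.20.1.13 10.10.0.5 tcp 22 900",       # SSH towards the SCADA server
    "2025-03-01T10:00:30 10.20.1.12 10.10.0.5 tcp 2404 95000",   # data volume far above baseline
    "2025-03-01T10:00:40 10.20.1.99 10.10.0.5 tcp 2404 500",     # address not in the allowlist
]
SAMPLE_NOW = datetime.fromisoformat("2025-03-01T10:05:00")

if __name__ == "__main__":
    for a in check_flows(SAMPLE_LOG, SAMPLE_NOW):
        print("ALERT:", a)
```

The volume and heartbeat checks are deliberately per station: a well that reports every few minutes has a different baseline from a pumping station that streams continuously, and a single global threshold would either miss the spike or alarm constantly.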

IT/OT network segmentation (Months 6-7):

  • The existing firewall between IT and OT is configured with updated rulesets: Only defined data flows (historian replication, patch distribution) are permitted
  • A DMZ is established: The historian server is moved to the DMZ and receives data from the OT network but provides it to the IT network as read-only
  • The treatment plant receives its own network segment, separated from the water supply SCADA
  • Engineering workstations for SCADA and treatment plant are placed in a separate segment that is activated only when needed
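One way to keep the IT/OT firewall rules aligned with the zone model from the segmentation table, as an added example that is not the article's or any vendor's code. Every permitting rule is expanded into the (source zone, destination zone) pairs it covers and compared with an explicit allowlist of inter-zone flows, so a rule such as the unreviewed IT-to-OT permit from the inventory is reported automatically. The address plan, rule format, port numbers and the allowed flows are assumptions for illustration.

```python
"""Audit of IT/OT firewall rules against a zone model (added example).

Not the article's or any vendor's code. Address plan, rule format, port
numbers and the allowed flows are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNET = "internet"
ZONES = {                                   # assumed address plan
    "enterprise":  ipaddress.ip_network("10.1.0.0/16"),
    "dmz":         ipaddress.ip_network("10.5.0.0/24"),
    "process_ot":  ipaddress.ip_network("10.10.0.0/16"),
    "telecontrol": ipaddress.ip_network("10.20.0.0/16"),
    "safety":      ipaddress.ip_network("10.30.0.0/24"),
}

# Permitted inter-zone flows: (source zone, destination zone, TCP port).
# The safety zone appears nowhere, so any rule touching it is a finding.
ALLOWED = {
    ("process_ot", "dmz", 5432),          # historian replication OT -> DMZ (assumed port)
    ("enterprise", "dmz", 443),           # read-only historian access from IT
    ("process_ot", "dmz", 8530),          # OT hosts pull patches from the DMZ patch server
    ("dmz", "process_ot", 3389),          # jump host -> engineering/operator stations
    ("telecontrol", "process_ot", 2404),  # IEC 60870-5-104 from RTUs to the SCADA server
    ("enterprise", INTERNET, 443),
    ("enterprise", INTERNET, 80),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"


def zones_of(cidr: str):
    """Zones a CIDR overlaps; address space outside every zone counts as internet."""
    if cidr == "any":
        return set(ZONES) | {INTERNET}
    net = ipaddress.ip_network(cidr, strict=False)
    hits = {z for z, zn in ZONES.items() if net.subnet_of(zn) or zn.subnet_of(net)}
    return hits or {INTERNET}


def audit(rules):
    """Return (rule name, src zone, dst zone, port) for every permit not on the allowlist."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        for s in sorted(zones_of(r.src)):
            for d in sorted(zones_of(r.dst)):
                if s == d:
                    continue            # intra-zone traffic is not a segmentation question
                if r.port is None or (s, d, r.port) not in ALLOWED:
                    findings.append((r.name, s, d, r.port))
    return findings


SAMPLE_RULES = [  # constructed, modelled on a ruleset that was never reviewed
    Rule("hist-repl", "10.10.0.5/32", "10.5.0.10/32", 5432, "allow"),
    Rule("it-hist", "10.1.0.0/16", "10.5.0.10/32", 443, "allow"),
    Rule("legacy-it-scada", "10.1.0.0/16", "10.10.0.0/16", None, "allow"),         # IT -> OT, any port
    Rule("vendor-rdp", "10.5.0.0/24", "10.10.0.20/32", 3389, "allow"),
    Rule("ot-update-internet", "10.10.0.0/16", "203.0.113.0/24", 443, "allow"),   # OT -> internet
    Rule("scada-safety", "10.10.0.0/16", "10.30.0.0/24", 502, "allow"),           # touches safety zone
    Rule("rtu-iec104", "10.20.0.0/16", "10.10.0.5/32", 2404, "allow"),
    Rule("deny-all", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("FINDING:", *f)
```

Running the audit after every firewall change, rather than once at installation, is what turns the segmentation table into a maintained control.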

Harden water quality monitoring (Month 7):

  • Online analyzers are placed in a dedicated microsegment
  • Plausibility checks are configured in the SCADA system: Automatic alarm on physically implausible value changes
  • Chlorine dosing receives an independent overdose protection function that is hardware-based (SIL-certified) and cannot be influenced by the SCADA system
  • Manual control measurements are documented and compared with online values (automated comparison in LIMS)
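The plausibility checks named in "Protecting Water Quality Monitoring" and in the Month 7 measures above, as an added example that is not part of the article or of any SCADA or LIMS product. It applies a physical range check, a rate-of-change check (the pH 7 to 12 jump) and a comparison with a manual laboratory sample to a constructed stream of readings. Parameter ranges, rate limits and tolerances are assumed illustration values, not limits from the Drinking Water Ordinance.

```python
"""Plausibility checks for online water quality measurements (added example).

Not code from the article or any SCADA/LIMS product. Ranges, rate limits
and tolerances are assumed illustration values, not regulatory limits.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Limits:
    low: float        # lowest physically plausible value
    high: float       # highest physically plausible value
    max_rate: float   # largest plausible change per second
    lab_tol: float    # allowed deviation from a manual laboratory sample


LIMITS = {  # assumed
    "ph":        Limits(5.5, 9.5, 0.01, 0.3),
    "chlorine":  Limits(0.0, 1.0, 0.005, 0.05),   # mg/L free chlorine
    "turbidity": Limits(0.0, 4.0, 0.05, 0.2),     # NTU
}


@dataclass(frozen=True)
class Reading:
    t: float                      # seconds since start
    param: str
    value: float
    lab: Optional[float] = None   # manual lab result for the same sample, if one exists


def check_stream(readings):
    """Return (t, param, reason) alarms for a time-ordered stream of readings."""
    alarms = []
    last = {}   # param -> (t, value) of the previous plausible reading
    for r in readings:
        lim = LIMITS[r.param]
        reasons = []
        if not (lim.low <= r.value <= lim.high):
            reasons.append(f"out of physical range [{lim.low}, {lim.high}]")
        if r.param in last:
            t0, v0 = last[r.param]
            dt = r.t - t0
            if dt > 0 and abs(r.value - v0) / dt > lim.max_rate:
                reasons.append(f"rate {abs(r.value - v0) / dt:.3f}/s exceeds {lim.max_rate}/s")
        if r.lab is not None and abs(r.value - r.lab) > lim.lab_tol:
            reasons.append(f"deviates from lab sample {r.lab} by {abs(r.value - r.lab):.2f}")
        if reasons:
            alarms.append((r.t, r.param, "; ".join(reasons)))
        else:
            last[r.param] = (r.t, r.value)   # only plausible values become the new baseline
    return alarms


SAMPLE_READINGS = [  # constructed
    Reading(0, "ph", 7.2),
    Reading(0, "chlorine", 0.30),
    Reading(60, "ph", 7.25),
    Reading(60, "chlorine", 0.32),
    Reading(120, "ph", 7.3, lab=7.2),            # lab sample agrees with the online value
    Reading(120, "chlorine", 0.31, lab=0.55),    # online value looks fine, lab disagrees
    Reading(125, "ph", 12.0),                    # 4.7 pH units in 5 seconds: implausible
]

if __name__ == "__main__":
    for t, param, reason in check_stream(SAMPLE_READINGS):
        print(f"ALARM t={t}s {param}: {reason}")
```

An implausible reading is never adopted as the new baseline, so a spoofed step change keeps tripping the rate check instead of legitimizing itself after one sample; the lab comparison catches the opposite case, an online value that stays plausible while the real water has changed.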

Secure remote maintenance (Months 7-8):

  • Central jump host in the DMZ for all remote maintenance access (SCADA manufacturer, treatment plant manufacturer, analytical instrument manufacturer)
  • Remote maintenance activated only on demand, four-eyes principle (request by manufacturer, approval by IT or automation)
  • Session recording for all remote maintenance sessions
  • MFA for remote maintenance access

Backup and recovery (Month 8):

  • SCADA configuration: Weekly backup, offline copy
  • RTU configurations: Backup of all 22 RTU parameterizations, stored in offline backup
  • Treatment plant PCS: Weekly backup of PLC programs and parameterizations
  • ERP: Daily backup with offsite copy
  • RTO targets: SCADA 4 hours (redundancy failover immediate, backup restore 4h), treatment plant 8 hours, ERP 24 hours

Phase 4: Organizational Measures (Months 8-10)

Training program:

  • All employees: 30-minute module on cyber hygiene, integrated into annual briefings
  • Control room team: in-depth training on recognizing unusual process states that indicate manipulation. Clear instruction: if manipulation is suspected, immediately trigger manual sampling and, if in doubt, shut off the affected supply zone
  • Automation technician and IT: OT security, remote control technology protection, IEC 62443
  • Management: NIS2 obligations, personal liability, proactive BSI supervision
  • On-call duty: Integration of BSI reporting obligations into the existing on-call service (24/7 availability)

Supplier assessment:

| Supplier | Special Requirements |
| --- | --- |
| COPA-DATA (SCADA zenon) | Patch cycles, remote maintenance security, lifecycle planning |
| Siemens (RTUs, treatment plant PCS) | Firmware updates, security advisories, PCS 7 migration |
| Analytical instrument manufacturer | Calibration, remote maintenance security, firmware updates |
| VPN router manufacturer | Firmware updates, security certification |
| External IT service provider | NIS2 clauses, response times, OT competence |
| Mobile network operator | Availability, private APN, SIM management |

Business continuity plan:

| System | RTO | Emergency Procedure |
| --- | --- | --- |
| SCADA | Immediate (redundancy) / 4 hours (backup) | RTUs run autonomously, manual monitoring via on-call service |
| Remote control connections | 2 hours (router replacement) | Local operation of remote stations, manual checks |
| Treatment plant PCS | 8 hours | Manual control of treatment stages by operators |
| ERP | 24 hours | No impact on water supply, billing catches up later |
| Water quality monitoring | Immediate (redundant analyzers) / 4 hours | Manual sampling every 4 hours |

Tabletop exercise: Scenario: An attacker has gained access to the SCADA system via a compromised mobile RTU and is attempting to alter chlorine dosing at the water treatment plant. The automation technician notices unusual write commands in remote control monitoring. Result: The automation technician isolates the affected RTU within 10 minutes. The independent overdose protection function kept chlorine dosing within the safe range. The control room triggers manual sampling and confirms drinking water quality. The BSI report is submitted within 6 hours. Improvement potential: Automatic detection of unusual write commands should trigger an immediate alarm, not just a log entry.
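The improvement identified in the tabletop exercise, automatic detection of unusual write commands, as an added example that is not the article's code nor that of any SCADA or IDS vendor. The script parses constructed IEC 60870-5-104 APDUs (one information object per ASDU), distinguishes monitoring-direction from control-direction ASDUs, and raises an alarm for a control command that comes from anything other than the SCADA master, addresses an object that is not meant to be written, or sets a value outside the engineered band. IP addresses, common addresses, information object addresses and bands are assumptions.

```python
"""Detection of unusual IEC 60870-5-104 write commands (added example).

Not code from the article or from any SCADA/IDS vendor. Parses constructed
APDUs with one information object per ASDU (SQ = 0, N = 1) and checks every
control command against a simple policy. Addresses, common addresses, IOAs
and value bands are assumed.
"""
import struct
from dataclasses import dataclass

# ASDU type identifiers in control direction (IEC 60870-5-101/-104)
CONTROL_TYPES = {
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1",
    58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1",
    62: "C_SE_TB_1", 63: "C_SE_TC_1", 64: "C_BO_TA_1",
}
COT_ACTIVATION = 6          # cause of transmission "activation"
MASTER_IP = "10.10.0.5"     # SCADA server (assumed)
MASTER_ORIGINATOR = 1       # originator address the master uses (assumed)

# Objects the master may write: common address -> IOA -> (label, low, high)
WRITABLE = {
    1001: {7001: ("chlorine dosing set point mg/L", 0.2, 0.6),
           7002: ("filter backwash start", 0, 1)},
    1003: {6001: ("well 3 pump on/off", 0, 1)},
}


@dataclass(frozen=True)
class Asdu:
    type_id: int
    cot: int
    originator: int
    common_addr: int
    ioa: int
    value: object


def parse_apdu(data: bytes):
    """Return an Asdu for an I-format APDU, None for S/U-format frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APCI")
    if data[2] & 0x01:                     # control field bit 0 set: S or U format
        return None
    a = data[6:]                           # ASDU follows the four control-field bytes
    type_id, cot, orig = a[0], a[2] & 0x3F, a[3]   # a[1] is the VSQ (one object assumed)
    common_addr = a[4] | (a[5] << 8)
    ioa = a[6] | (a[7] << 8) | (a[8] << 16)
    body = a[9:]
    if type_id in (13, 50, 63):            # IEEE 754 short float followed by QDS/QOS
        value = struct.unpack("<f", body[:4])[0]
    elif type_id in (45, 58):              # SCO: bit 0 is the on/off state
        value = body[0] & 0x01
    else:
        value = body.hex()
    return Asdu(type_id, cot, orig, common_addr, ioa, value)


def classify(src_ip: str, data: bytes):
    """Return (severity, message) with severity in {'ok', 'info', 'alarm'}."""
    a = parse_apdu(data)
    if a is None:
        return ("ok", "S/U-format frame")
    if a.type_id not in CONTROL_TYPES:
        return ("ok", f"monitoring type {a.type_id} from CA {a.common_addr}")
    name = CONTROL_TYPES[a.type_id]
    if a.cot != COT_ACTIVATION:            # confirmations/terminations come back from the station
        return ("info", f"{name} with COT {a.cot}")
    if src_ip != MASTER_IP or a.originator != MASTER_ORIGINATOR:
        return ("alarm", f"{name} from unexpected source {src_ip} (originator {a.originator})")
    obj = WRITABLE.get(a.common_addr, {}).get(a.ioa)
    if obj is None:
        return ("alarm", f"{name} to non-writable object CA {a.common_addr} IOA {a.ioa}")
    label, low, high = obj
    if isinstance(a.value, (int, float)) and not (low <= a.value <= high):
        return ("alarm", f"{label}: value {a.value:.3g} outside band [{low}, {high}]")
    shown = f"{a.value:.3g}" if isinstance(a.value, (int, float)) else a.value
    return ("info", f"{label}: {name} value {shown}")


def build_apdu(type_id, cot, orig, ca, ioa, value):
    """Constructed I-format APDU with one information object (sample data only)."""
    if type_id in (13, 50):
        elem = struct.pack("<f", value) + b"\x00"     # QDS / QOS = 0
    else:
        elem = bytes([value & 0xFF])
    asdu = bytes([type_id, 0x01, cot, orig, ca & 0xFF, ca >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + elem
    ctrl = b"\x00\x00\x00\x00"                         # I-format, sequence numbers 0
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


SAMPLES = [  # constructed (source address, APDU)
    (MASTER_IP, build_apdu(50, 6, 1, 1001, 7001, 0.35)),      # legitimate set point
    (MASTER_IP, build_apdu(50, 6, 1, 1001, 7001, 4.0)),       # set point outside band
    ("10.20.1.13", build_apdu(45, 6, 1, 1003, 6001, 1)),      # command from a station address
    (MASTER_IP, build_apdu(45, 6, 1, 1001, 7050, 1)),         # IOA nobody should write
    ("10.20.1.11", build_apdu(13, 3, 0, 1003, 3001, 7.2)),    # spontaneous pH measurement
    (MASTER_IP, bytes([0x68, 0x04, 0x01, 0x00, 0x00, 0x00])),  # S-format acknowledgement
]

if __name__ == "__main__":
    for ip, pdu in SAMPLES:
        print(*classify(ip, pdu))
```

Routing the "alarm" severity to the on-call alerting path and only the "info" entries to the log is the change the tabletop exercise called for; the value band on the chlorine set point is the detection counterpart of the hardware overdose protection, so a command the safety function would block is also seen and reported.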

Phase 5: Audit and Continuous Improvement (Months 10-12)

Internal audit:

Findings:

  1. Two RTUs at wells in rural areas have no physical access security (only a simple padlock). Corrective action: Retrofit electronic access control, install tamper protection for control cabinets.
  2. The treatment plant still uses three PLC controllers on firmware from 2019. Corrective action: Firmware update during the next planned shutdown (annual maintenance).
  3. The plausibility check in the SCADA system works, but alerting goes only to the control room screen, not to the on-call service. Corrective action: Set up SMS/app alerting for the on-call service.

BSI registration: Wasserwerk Flusstal registers with the BSI as an essential entity in the drinking water and wastewater sectors.

Management review: Management approves the residual risk catalog and the budget for the following year (focus: retrofitting RTU access security, expanding OT monitoring).

Budget Overview

| Item | One-time (Year 1) | Annual (from Year 2) |
| --- | --- | --- |
| External consulting (ISMS + OT security) | 35,000-50,000 EUR | 10,000-15,000 EUR |
| VPN router replacement/retrofit (22 units) | 15,000-25,000 EUR | 2,000-3,000 EUR |
| IT/OT network segmentation | 12,000-18,000 EUR | 2,000-3,000 EUR |
| Remote control monitoring | 10,000-15,000 EUR | 4,000-6,000 EUR |
| Remote maintenance security (jump host) | 5,000-8,000 EUR | 2,000-3,000 EUR |
| Chlorine overdose protection (hardware) | 8,000-12,000 EUR | 1,000-2,000 EUR |
| Training | 5,000-8,000 EUR | 3,000-5,000 EUR |
| CISO time allocation (internal, 50%) | 28,000-32,000 EUR | 28,000-32,000 EUR |
| Total | 118,000-168,000 EUR | 52,000-69,000 EUR |

For comparison: ISMS Lite costs 500 euros per year and covers risk management, measure tracking, policies, and audit documentation in one tool, without per-seat licenses.

What You Should Do Now

If you manage a water supplier or wastewater operator and need to implement NIS2, the following first steps are crucial:

  1. Check remote control connections immediately. Are all connections to remote stations encrypted? Are there still unprotected mobile or DSL connections? Securing remote control technology is the most urgent single measure.

  2. Separate SCADA and office network. If your SCADA system is directly connected to the office network, a firewall with restrictive rules must be placed between them. Ransomware entering the office network via a phishing email must not be able to reach the SCADA system.

  3. Protect water quality monitoring. Online analyzers and dosing controls are the most protection-worthy assets because their manipulation endangers public health. Plausibility checks and independent safety functions are indispensable.

  4. Take proactive BSI supervision seriously. As an essential entity, the BSI can request evidence at any time. This is new for water suppliers that were not previously KRITIS-regulated. A paper-only ISMS will not withstand a BSI audit.

The water industry bears a responsibility that goes beyond mere compliance. Drinking water is the number one foodstuff, and wastewater disposal protects the environment and public health. An ISMS that takes this responsibility seriously protects not only against fines but against the consequences a successful cyberattack on water infrastructure would have.

Further Reading

NIS2 Compliance for Water Suppliers

ISMS Lite covers all NIS2 requirements for water suppliers and wastewater operators, including OT risk management and KRITIS integration. Self-hosted, deployed in 5 minutes.
