Cybersecurity for collection systems: How to identify and address vulnerabilities in smart sewer networks
Key Highlights
- Smart sewer networks integrate sensors, controllers, and supervisory systems to optimize wastewater collection and prevent overflows.
- Recent cyber incidents reveal vulnerabilities stemming from legacy equipment, poor access controls, and inadequate network segmentation.
- Collection systems are more exposed to cyber threats due to their widespread, unmanned, and often inconsistent infrastructure.
As wastewater utilities modernize their collection systems, smart sewer networks are becoming increasingly common. What once consisted of isolated lift stations operating independently now includes interconnected assets that share data, coordinate flows, and respond dynamically to changing conditions. This evolution has improved reliability, overflow prevention, and operational efficiency. It has also introduced new risks that many utilities are still learning to manage.
Recent cyber incidents have highlighted what can happen when connectivity increases without adequate planning. At the same time, more advanced smart sewer deployments now coming online show how automation and security can work together when systems are designed with both in mind.
What a modern smart sewer network entails
A typical smart sewer collection system is made up of several interconnected layers that work together to move wastewater safely and efficiently.
At the field level, physical processes are monitored by instrumentation such as level and pressure sensors, ultrasonic or float switches, magnetic flow meters, rain gauges, and equipment health sensors that track vibration or motor temperature. These devices provide the raw data that drives system behavior.
That data is processed by intelligent devices, most commonly remote terminal units and programmable logic controllers. These act as the local brains at each lift station. They read inputs from field sensors, execute control logic, and communicate upstream to supervisory systems. RTUs are common in older utility deployments, while PLCs are more typical in newer installations.
Above the field layer, supervisory platforms provide systemwide visibility. SCADA and HMI servers allow operators to see real‑time status, alarms, and trends across the collection system. Historians store time‑series data that support trending, reporting, compliance, and post-event analysis. These systems may be hosted on premises or in hybrid environments, and they increasingly exchange data with business and enterprise IT systems.
What connects all of these layers is the communications systems. Collection systems rely on a mix of cellular, licensed radio, fiber, and satellite links. Many utilities operate hybrid environments where legacy radio networks coexist with newer cellular deployments. Common protocols include Modbus, DNP3, and Modbus TCP. Newer deployments may introduce MQTT or OPC‑UA. Remote and mobile access adds another layer, including VPN‑connected laptops, vendor support connections, and mobile HMI applications. This is often where the greatest cybersecurity exposure exists.
Understanding how these layers connect is essential to understanding why collection systems are vulnerable.
What recent cyber incidents have looked like in practice
Over the past two years, several publicly reported cyber incidents have affected water and wastewater systems in the United States. These incidents span a range of attack types, but they share a common theme: attackers exploited basic weaknesses in access control, legacy technology, or operational practices rather than highly sophisticated exploits.
In early 2024, multiple small U.S. water utilities in Texas were targeted in cyberattacks later linked to a foreign group. In at least one case, attackers gained remote access and caused the water system to overflow. Although no public health impacts were reported, the incidents demonstrated how basic cyber intrusions can quickly translate into real‑world consequences when operational technology systems are exposed or insufficiently secured. The attacks relied on low‑complexity techniques, reinforcing a key lesson for utilities: even modest systems require strong access controls, network segmentation and continuous monitoring to reduce the risk of disruption to essential water services.
In another example involving field‑level control, a water authority in Pennsylvania experienced a PLC takeover in 2023. A foreign‑linked threat group exploited an internet‑exposed Unitronics PLC with default passwords controlling a booster station. Operators were forced to switch the station to manual operation after the compromise was detected. The PLC was directly accessible from the internet without user credentials or multifactor authentication, highlighting the risk of exposing legacy controllers that were never designed to be publicly accessible.
Ransomware has also played a significant role in operational disruption. Between 2019 and 2021, multiple wastewater facilities in California experienced ransomware attacks that impacted SCADA systems. In some cases, malware encrypted multiple SCADA servers, leaving operators unable to monitor or control the system digitally. Facilities were forced into manual operation until systems were restored, reinforcing how disruptive SCADA‑level attacks can be even when no physical damage occurs.
Across these incidents, the same issues appeared repeatedly:
- Factory passwords that were never changed.
- Legacy equipment that was never designed for secure connectivity.
- Communications that were not encrypted.
- Networks that were not adequately segmented.
- Operators serving as the final safeguard.
In many cases, serious damage was avoided because operators recognized the issue early and acted quickly. That human oversight remains critical. Relying on it alone becomes increasingly risky as systems grow more automated and interconnected.
Why collection systems face a different risk profile than treatment plants
Collection systems are fundamentally different from treatment plants when it comes to cybersecurity risk.
Treatment plants may be complex, but they are also concentrated. Operators are typically on site around the clock. Control systems are largely contained within a fence line. Network segmentation is more feasible, and human oversight is constant.
Collection systems are spread out. A midsized utility may operate dozens or even hundreds of lift stations across a large service area. These sites are unmanned. For operators, the SCADA system serves as the primary eyes and ears of operations. If communications are disrupted or compromised, visibility is lost quickly.
Communications variability adds another challenge. Wireless links can be disrupted, intercepted, or spoofed. Cellular connections introduce dependencies on external carriers. Physical access is often easier at lift stations located in easements, parks, or roadsides. Over time, collection systems also tend to accumulate inconsistent device configurations and security features as they expand through different contractors, technologies, and standards.
Taken together, collection systems have a larger attack surface, less consistent protection, and less immediate human presence to catch anomalies early.
The consequences of a cyber or control system disruption in a collection system are operational and immediate. Loss of visibility is often the first impact. Operators lose real-time insight into wet‑well levels, pump status and alarm conditions. Decision-making becomes guesswork.
If remote control is lost, operators must physically drive to each affected station. For utilities with dozens of lift stations, this is not feasible during wet weather events. Wet wells can overflow within 30 to 90 minutes, depending on inflows.
Forced manual operation stretches staffing and introduces additional risk. Crews encounter inconsistent panel designs, outdated documentation, and limited coordination between stations. Cascading failures can occur if a key trunk lift station is affected, backing up flows across an entire basin.
A realistic scenario many utilities now plan for is a ransomware event that disables SCADA servers during a storm, leaving operators unable to see or control the system at the worst possible moment.
What advanced smart sewer networks are doing differently
Some advanced smart sewer systems show how this risk can be reduced. Collection systems are becoming more connected, more capable, and more autonomous. Field devices that make local decisions, analytics that anticipate conditions, and coordinated networks are no longer theoretical.
For example, at one facility in California, highly automated wastewater systems are designed with cybersecurity in mind to operate with minimal onsite staffing. These systems rely on tightly integrated hardware and software environments where controllers, instrumentation, servers, and operator interfaces are designed to work together from the beginning.
Cybersecurity is not added later. It is embedded into the architecture. Encrypted communications, role-based access control, and multifactor authentication are standard. Field devices are built with industrial security in mind, reducing the need for compensating controls to protect older equipment.
This integration allows lift stations and storage assets to coordinate with one another. Instead of reacting after alarms occur, the system can prepare for changing conditions in advance.
A defining characteristic of advanced systems is the shift toward local decision-making. Rather than sending all data to a central system or relying on constant cloud connectivity, many decisions happen closer to the asset. Field devices can do more than measure. They can evaluate conditions and trigger predefined responses. A rising level at one station can prompt pump adjustments or downstream preparation without waiting for operator intervention.
Artificial intelligence is beginning to support this approach. By learning from historical operating data, systems can adapt to seasonal rainfall patterns, wet weather events, or population changes. Some of these capabilities are implemented locally, which reduces latency and limits exposure if external connections are lost.
Why preparedness is an operations issue
Cybersecurity in collection systems is ultimately an operations problem, not just an IT one.
Prepared utilities have clear manual operating procedures stored locally at critical stations. They maintain backups of PLC and RTU configurations, keep spare equipment on hand, and define clear coordination between IT teams that manage networks and operations teams that manage field assets. Incident response plans specific to operational technology are in place.
The goal is not to eliminate automation, but to design systems that fail safely. As collection systems become more automated, utilities must recognize that connectivity is no longer optional. At the same time, it is no longer free of risk.
The industry has moved from a mindset of isolation to one of connection. Smart sewer systems depend on connectivity to deliver value. Security must be designed alongside that connectivity, not treated as a separate problem or someone else’s responsibility. The most important shift is moving from a reactive to a proactive approach. Utilities should not wait for an incident to discover where their vulnerabilities are.
Recent cyber incidents have shown what can go wrong when systems are connected without enough planning. Advanced smart sewer networks show what is possible when automation, security, and operations are designed together.
For wastewater utilities, the challenge is not whether to modernize, but how to do it in a way that improves reliability, protects public trust, and supports the people responsible for running these systems every day.
About the Author
Danielle Jablanski
Danielle Jablanski is the Cybersecurity Consulting Program Lead for Operational Technology (OT) Cybersecurity at STV and a widely respected voice in the OT cybersecurity community. Danielle’s background spans government, industry, and research, including work in ICS cybersecurity strategy, incident preparedness, and critical infrastructure protection. She emphasizes practical, risk-based approaches that support operators and engineers in managing real-world cyber threats.
Marcel Dinamarca
Marcel Dinamarca, P.E., is the Vice President and National Technical Lead for Electrical, Instrumentation and Controls (I&C), and SCADA Automation Services at STV, where he supports water and wastewater utilities nationwide. With more than 30 years of experience across the water, wastewater, power, industrial and municipal sectors, Marcel oversees the planning and implementation of complex monitoring and control systems that help utilities operate infrastructure more efficiently, reliably, and safely. His expertise spans SCADA integration, distributed control systems, PLC programming, power distribution, and substation automation, with a strong focus on modernizing collection systems while addressing operational and cybersecurity risk.