When the Tap Becomes a Target

In 2021, an attacker remotely accessed the water treatment plant in Oldsmar, Florida and briefly changed the sodium hydroxide levels to potentially dangerous concentrations. The plant operator caught it in time - but the incident sent a clear signal to water utilities across the country: operational technology (OT) networks that control physical processes are not immune to cyberattacks, and the consequences of a breach go far beyond data loss.

Since then, regulators have moved aggressively. The America’s Water Infrastructure Act of 2018 (AWIA 2018) required community water systems serving more than 3,300 people to conduct risk and resilience assessments and develop emergency response plans certified to the EPA. More recently, the EPA issued a March 2023 memorandum directing states to evaluate the cybersecurity of public water systems as part of their sanitary surveys - a requirement that, while contested in federal court, underscored the growing federal pressure on water sector cybersecurity. CISA has also designated the Water and Wastewater Systems Sector as one of 16 critical infrastructure sectors, publishing sector-specific guidance and threat advisories on an ongoing basis.

For IT and OT teams at municipal water authorities and state drinking water programs, the regulatory momentum is unmistakable. The question is no longer whether to take OT security seriously - it is how to do it with limited budgets, legacy equipment, and staffing constraints that are common across public sector organizations.

Microsoft Azure offers a purpose-built path.

The Unique Security Challenge of Water OT Environments

Water utilities rely on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems to manage pumping stations, chemical dosing, filtration, and distribution. These systems were designed for reliability and uptime - not for cybersecurity. Many run on proprietary protocols like Modbus/TCP, DNP3, and BACnet that traditional IT security tools cannot inspect or understand.

The threat landscape reflects this gap. Threat actors - ranging from criminal ransomware groups to state-sponsored actors - have increasingly targeted water sector OT environments. The CISA Water and Wastewater Systems Sector page notes that the sector faces physical attacks, cyberattacks, and contamination threats, any of which could result in widespread illness, service disruptions, and cascading impacts on healthcare, firefighting, and public safety.

Achieving meaningful security in this environment requires tools that:

• Understand industrial protocols without requiring agents on legacy PLCs or RTUs
• Establish behavioral baselines for OT networks and alert on deviations
• Support air-gapped or hybrid deployments where some systems must remain off the public internet
• Integrate with existing SOC workflows so alerts reach security analysts in context
• Meet federal compliance requirements like FedRAMP High

This is exactly where Microsoft Defender for IoT and Microsoft Sentinel work together.

Microsoft Defender for IoT: Visibility Without Disruption

Microsoft Defender for IoT is a unified security solution built specifically for IoT and OT environments. It uses agentless, network-layer monitoring - meaning it passively inspects network traffic without installing software on PLCs, RTUs, or SCADA servers that might not support agents and whose uptime requirements cannot tolerate maintenance windows.

For water utilities, the practical implications are significant:

Deep Protocol Support

Defender for IoT natively supports the industrial protocols water environments depend on, including Modbus/TCP, DNP3, BACnet, IEC 60870-5-104, IEC 61850, and many others. This means the system can decode and analyze the actual commands being sent between a SCADA workstation and a pump controller - not just see that a TCP connection occurred.

Behavioral Anomaly Detection for ICS Networks

Defender for IoT uses OT/IoT-aware analytics engines and deep packet inspection to learn the normal patterns of your OT network - which devices talk to which, which function codes are used, what constitutes a normal polling cycle - and alerts when deviations occur. An unauthorized Modbus write to a PLC, a new device appearing on a control network segment, or an unexpected firmware download attempt will all generate alerts. This behavioral approach is consistent with the principles of behavioral anomaly detection for industrial control systems described in NIST guidance such as NISTIR 8219.

Defender for IoT’s analytics engines also detect known industrial malware signatures, including those associated with Stuxnet, Triton/TRISIS (which targeted safety instrumented systems), BlackEnergy, and Havex - malware families specifically designed to attack industrial control systems.

Flexible Deployment: Cloud, Air-Gapped, and Hybrid

Not every water utility is ready or able to connect OT network telemetry to a cloud service. Defender for IoT supports both cloud-connected and locally managed deployment models, with the flexibility to mix approaches across sites:

• Cloud-connected: OT network sensors forward telemetry to Azure, enabling centralized management across all sites, automatic threat intelligence updates, and integration with Microsoft Sentinel and other Azure services.
• Air-gapped / locally managed: For environments where data must remain fully on-premises, sensors operate independently and report to an on-premises management console, with no data leaving the facility.
• Hybrid: Some sensors connect to the cloud while others remain on-premises, enabling phased cloud adoption that matches organizational risk tolerance and compliance requirements.

This flexibility is critical for water utilities that may operate both a modern SCADA environment at a main treatment facility and older, isolated PLCs at remote pumping stations with no reliable internet connectivity.

Microsoft Sentinel: SIEM for the Full Threat Picture

Detecting an anomaly on an OT network is only useful if it reaches the right analyst with the right context. Microsoft Sentinel is Azure’s cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform, and it integrates directly with Defender for IoT.

When Defender for IoT generates an alert - say, an unauthorized remote access session to a SCADA workstation - Sentinel can correlate that alert with other signals: a failed login attempt from an external IP earlier the same day, a suspicious email attachment opened by a staff member, or a known malicious IP address in Microsoft’s threat intelligence feeds. This correlated view allows a security analyst to quickly determine whether an isolated OT alert is part of a broader attack campaign.

For water utilities that may not have a dedicated Security Operations Center (SOC), Sentinel’s built-in workbooks, analytics rules, and automation playbooks reduce the expertise burden. Pre-built detection rules mapped to the MITRE ATT&CK for ICS framework help smaller teams prioritize and respond effectively.

Azure Government and Compliance Alignment

For government water utilities - whether they are operated by a municipality, a regional authority, or a state agency - compliance with federal frameworks is not optional. Azure maintains a FedRAMP High Provisional Authorization to Operate (P-ATO) for both Azure Commercial and Azure Government regions, and Microsoft Defender for IoT and Microsoft Sentinel are both within that compliance scope.

Azure Government (with regions in US Gov Arizona, US Gov Texas, and US Gov Virginia) additionally holds DoD IL2, IL4, and IL5 authorizations from DISA - providing a clear compliance pathway for sensitive government workloads that need to remain within sovereign cloud boundaries.

For organizations using Microsoft 365 GCC tenants, it is worth noting that cloud-connected Defender for IoT management operates through the Azure portal rather than through Microsoft 365. This means GCC tenant customers can still fully leverage Defender for IoT and Sentinel in Azure Commercial or Azure Government without GCC feature limitations affecting the OT security workflow.

A Layered Defense Architecture for Water Utilities

A practical security architecture for a water utility might look like this:

1. OT Network Sensors deployed at the treatment plant and key remote pumping stations, passively monitoring SCADA traffic for anomalies
2. Defender for IoT aggregating sensor data, maintaining the asset inventory, and generating prioritized security alerts
3. Microsoft Sentinel receiving Defender for IoT alerts alongside firewall logs, endpoint signals from plant workstations (via Microsoft Defender for Endpoint), and identity events from Microsoft Entra ID
4. Automated playbooks in Sentinel that notify on-call staff, create tickets in the utility’s ITSM system, or isolate a compromised workstation - reducing response time without requiring 24/7 analyst coverage
5. Microsoft Entra ID with Conditional Access enforcing multi-factor authentication and device compliance checks for anyone accessing the SCADA environment remotely

This layered architecture addresses the core technical requirements of AWIA 2018 risk and resilience assessments: it identifies cybersecurity vulnerabilities, monitors for threats, and supports incident response planning.

Why This Matters for Government

Water utilities represent some of the most critical - and historically least-resourced - cybersecurity environments in state and local government. A successful cyberattack on a water treatment system is not a data breach; it is a public health emergency.

The regulatory environment is only tightening. The EPA’s ongoing cybersecurity enforcement activities, CISA’s sector-specific advisories, and executive orders across administrations on critical infrastructure protection all point in the same direction: water sector cybersecurity is a federal priority, and utilities that cannot demonstrate proactive risk management face increasing scrutiny.

Microsoft’s investments in OT-aware security tools reflect an understanding that government agencies cannot simply bolt traditional IT security onto industrial environments. Defender for IoT was designed from the ground up for the protocols, architectures, and operational constraints of environments like water treatment - where a security scan that disrupts a pump controller is not an acceptable tradeoff.

For CxOs at water authorities and state drinking water programs, Azure offers a credible answer to the question regulators are increasingly asking: What are you doing to protect the systems that protect public health?

For IT leaders and developers responsible for implementing these protections, it offers a path that works with existing infrastructure - legacy PLCs, air-gapped networks, and all - while building toward a modern, cloud-connected security posture over time.

Getting Started

If your organization is beginning to assess OT cybersecurity options, these resources provide a strong starting point:

• Microsoft Defender for IoT Overview - Understand the platform’s capabilities and architecture
• Defender for IoT OT Deployment Path - Step-by-step guidance for deploying OT monitoring
• Supported OT Protocols - Verify coverage for your specific industrial equipment
• Microsoft Sentinel Overview - Cloud-native SIEM/SOAR for unified threat management
• Azure FedRAMP and DoD Compliance Scope - Review the compliance authorizations covering Azure security services
• CISA Water and Wastewater Systems Sector - Federal threat advisories and sector-specific guidance

The water your community depends on runs through systems that deserve the same security rigor as any other critical government asset. Azure provides the tools to get there - on your timeline, within your constraints, and with the compliance posture your regulators require.