Water & Wastewater
Water and wastewater operators manage distributed OT/SCADA networks across treatment plants, pump stations, and remote telemetry. Learn how LightMesh IPAM supports site-aware network attribution, segmentation evidence, and incident response for water utilities.
Water and wastewater operators run geographically distributed OT networks that connect treatment plants, pump and lift stations, reservoirs, remote telemetry units, SCADA masters, HMIs, historians, PLCs, RTUs, and cellular gateways. These networks are often resource-constrained, rely on long-lived equipment, and depend on vendor-maintained systems.
IPAM for water and wastewater is about site-aware attribution, subnet planning, segmentation evidence, and change history, not pushing changes into control systems. LightMesh provides a read-only source of truth so teams can resolve IP attribution questions in seconds, document vendor access paths, and generate audit evidence without touching OT equipment.
This guide covers water and wastewater network environments, common operational challenges, and practical LightMesh modelling recommendations. For the underlying OT architecture, see OT Networks.
Why water and wastewater networks matter
Water and wastewater systems are critical infrastructure. Ransomware and intrusion attempts against water utilities have increased in recent years. EPA and CISA have published cybersecurity guidance specifically for water systems, and network documentation has been cited as a gap during security assessments.
The operational reality is challenging. Treatment plants and pump stations are spread across a wide geography, sometimes hundreds of miles. Each site may have its own PLCs, RTUs, HMIs, and SCADA connections. Documentation is inconsistent: some sites have up-to-date network diagrams, others have nothing. When an incident occurs, the SOC needs to know which site, which device, and who owns it, and that information is often buried in spreadsheets or the memory of a single operator.
The stakes are high. A misconfigured IP at a pump station can affect telemetry reporting. An undocumented vendor access path can become an incident vector. Overlapping RFC1918 ranges across sites can complicate incident response. Water and wastewater operators need a trusted, auditable view of their network address space.
Common network environment
flowchart TB
subgraph ControlCentre["Control Centre"]
SCADA["SCADA Master"]
Hist["Historian"]
Eng["Engineering Workstations"]
end
subgraph FieldSites["Field Sites"]
TP["Treatment Plant - PLCs, HMIs"]
PS["Pump Station - RTUs, Gateways"]
Res["Reservoir - Telemetry"]
end
subgraph VendorAccess["Vendor Access"]
OTDMZ["OT DMZ"]
Jump["Jump Host"]
Integrator["Integrator Remote Support"]
end
ControlCentre -->|"Industrial Protocol"| FieldSites
VendorAccess -->|"VPN / Cellular"| OTDMZ
OTDMZ -->|"Firewall"| ControlCentre
Each field site operates semi-autonomously with local PLCs and RTUs. The control centre runs SCADA masters and historians that aggregate data from all sites. Vendor access arrives through OT DMZs and jump hosts, often via cellular or VPN connections.
Common operational challenges
-
Distributed sites with inconsistent documentation. Treatment plants and pump stations are spread across a wide geography. Each site may have been deployed by a different integrator at a different time, with different documentation practices. The result is address space that varies in quality from site to site.
-
Vendor remote access paths undocumented. Integrators maintain remote access for maintenance and troubleshooting. These paths (VPN credentials, cellular gateways, jump host addresses) are rarely recorded in network documentation. During an incident, the SOC cannot quickly determine if a suspicious IP is a vendor or a threat.
-
Incident attribution latency. When the SOC detects suspicious traffic from a water utility IP, they need to know: which site, which zone, which device, who owns it, and what changed recently. Without a central source of truth, this requires phone calls to site operators, hours, not minutes.
-
Static addressing with long lifecycles. PLCs and RTUs in water systems may operate for 15-20 years. IP assignments made a decade ago are still in use, and the engineer who made them may have retired. Documenting these assignments requires manual effort.
-
Overlapping RFC1918 across sites. Multiple pump stations or treatment plants may use the same 10.0.0.0/24 range. When sites connect via VPN or during incident response, overlapping ranges create attribution ambiguity.
-
Active scanning is unsafe for SCADA and field devices. Many PLCs and RTUs react unpredictably to network scanning. A port scan can trigger device reboots or process interruptions. Water utilities require passive discovery methods.
-
Audit and cyber insurance evidence gaps. Cyber insurance applications and regulatory assessments ask for asset inventory, segmentation evidence, and change history. Spreadsheets do not satisfy these requirements.
How LightMesh helps
Site-aware SCADA IPAM
Model each treatment plant, pump station, lift station, reservoir, and control centre as a separate Site with Zones for network segmentation. Use custom attributes to capture site-specific metadata:
| Custom Attribute | Purpose |
|---|---|
| Site Name | Treatment Plant A, Pump Station 12 |
| Process Area | Clarification, Aeration, Disinfection |
| Device Class | PLC, RTU, HMI, Gateway |
| Site Criticality | High, Medium, Low |
| Vendor | Primary integrator |
| Maintenance Owner | Support group or individual |
| Change Window | Quarterly, Annual, Emergency-only |
This model makes it possible to search by site, filter by device class, or export all assets owned by a specific vendor.
Incident attribution for field telemetry
When the SOC calls about a suspicious IP from a water utility:
- Search the IP in LightMesh
- See the site, subnet, zone, device class, and vendor
- View the support group and maintenance owner
- Check recent changes: who modified this subnet, when, and what changed
- Identify NAT mappings if the IP is translated
This workflow resolves IP → site → device → owner → recent changes without phone calls.
Vendor access documentation
Use custom attributes on subnets or zones to document vendor remote access:
- Vendor name and contact
- Purpose of access (maintenance, troubleshooting)
- NAT mapping (external IP → internal IP)
- Access window and expiry
- Support group responsible
Review these records quarterly. Expired vendor access should be archived.
Segmentation evidence
LightMesh documents which zones exist, which subnets belong to each zone, and how address space is partitioned across control, field, and vendor zones. This provides evidence for cyber insurance applications, EPA guidance assessments, and CISA CPG alignment.
LightMesh does not enforce segmentation. That belongs to firewalls and network access control. LightMesh provides the documentation layer that supports those controls.
Planned-vs-live reconciliation
Before modernization projects (PLC upgrades, SCADA migrations, network refreshes), compare planned state in LightMesh against live state from DHCP discovery and manual import. This prevents address conflicts during cutovers and provides rollback documentation.
Best practices
-
Model sites as Sites before importing data. Define your site hierarchy (control centre, treatment plants, pump stations, reservoirs) and create Sites and Zones before importing subnets.
-
Import passively. Use DHCP Discovery Agent, nmap scan sync, or spreadsheet import to populate LightMesh. Do not run active scans against SCADA or field devices.
-
Document every vendor access path. Record vendor name, contact, purpose, NAT mapping, and expiry. Review quarterly. Expired access should be archived.
-
Use consistent custom attributes. Define a standard schema (site name, process area, device class, site criticality, vendor, maintenance owner, change window) and apply it uniformly across all sites.
-
Separate overlapping ranges by Site and Zone. If two pump stations use 10.0.0.0/24, model them in separate Sites with separate Zones. LightMesh tracks IP uniqueness within a Zone, but overlapping ranges across sites need clear separation.
-
Link NAT mappings to IP assignments. Use NAT records to document vendor access translations. During incident response, search the translated IP to find the original source.
-
Export audit evidence on demand. Use audit logging and roles and RBAC to generate evidence for cyber insurance, EPA guidance, or CISA CPG assessments.
What LightMesh does not do
LightMesh is a read-only source of network intelligence for water and wastewater environments. It does not:
-
Control PLCs, RTUs, SCADA systems, or field equipment. LightMesh does not push configuration into water treatment or pump station equipment. Operational changes remain under your engineering controls and change windows.
-
Push network configuration. LightMesh does not configure routers, switches, or firewalls. It is a documentation and planning layer.
-
Guarantee compliance. LightMesh provides evidence and audit trails that support EPA guidance, CISA CPGs, and cyber insurance assessments. It does not certify compliance.
-
Replace your SIEM, CMDB, or OT monitoring platform. LightMesh complements these tools by providing IP attribution context for water utility networks.
-
Safely discover every OT asset. Active scanning against SCADA devices can cause process interruptions. LightMesh supports passive discovery and manual import.
Related documentation
- OT Networks - underlying OT architecture and Purdue Model
- Network Architectures - section hub for all network architecture guides
- Industry Guides - section hub for all industry guides
- NAT - source and destination NAT documentation
- Audit Logging - change history and evidence
- Self-Hosted - on-premises deployment option
- Getting Started - fundamentals of LightMesh IPAM
- Roles & RBAC - access control for sensitive OT data
FAQ
How does LightMesh help water utilities with incident attribution? LightMesh resolves IP → site → subnet → device class → vendor → support group → recent changes. When the SOC detects suspicious traffic, they search the IP in LightMesh and get attribution in seconds instead of hours of phone calls.
Can LightMesh scan my SCADA or pump station networks? LightMesh supports passive discovery: DHCP lease sync, nmap scan sync on safe protocols, and spreadsheet import. Active scanning against SCADA devices and PLCs can cause process interruptions and should be avoided.
Does LightMesh control water treatment or pump station equipment? No. LightMesh is a read-only source of network truth. It documents address space, provides attribution, and supports audit evidence. It does not push configuration into PLCs, RTUs, HMIs, or any water treatment equipment.
How do I model pump stations and treatment plants? Model each site as a separate Site with Zones for network segmentation. Use custom attributes for site name, process area, device class, site criticality, vendor, and maintenance owner. Import subnets via DHCP discovery, nmap scan, or spreadsheet.
Can LightMesh help with cyber insurance or audit evidence? Yes. LightMesh provides asset inventory, segmentation evidence, and change history that support cyber insurance applications and assessments aligned with EPA guidance, CISA CPGs, and NIST SP 800-82.
What about overlapping IP ranges across multiple sites? If multiple pump stations or treatment plants use the same private address range, model them in separate Sites with separate Zones. LightMesh tracks IP uniqueness within a Zone. Overlapping ranges across sites need clear zone separation.
How does LightMesh document vendor remote access? Use custom attributes on subnets or zones: vendor name, contact, purpose, NAT mapping, access window, and expiry. Review quarterly and archive expired access. This documentation supports incident response and audit evidence.
References
- NIST SP 800-82 Rev. 3 - Guide to OT Security - Defines OT, ICS, SCADA scope. September 2023.
- CISA Cross-Sector Cybersecurity Performance Goals (CPGs) 2.0 - Aligned to NIST CSF 2.0 with sector-specific goals.
- EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems - EPA cybersecurity guidance for water systems.
- ISA/IEC 62443 - Industrial Automation and Control Systems Security - Zone-and-conduit model for IACS cybersecurity.