
The Security Risks of Using VPNs in Water and Wastewater Facilities


Water and wastewater facilities have relied on Virtual Private Networks (VPNs) for years. 

But how secure are they, really? 

The short answer is they aren’t. 

The longer answer is that, as security threats continue to increase exponentially in number and complexity, VPNs and other traditional network access tools simply can't keep up the way modern solutions can. This should be especially concerning for water and wastewater facilities, as critical infrastructure services like these are increasingly targeted by cyber attacks.

In this article, we’ll help you understand the risks and what to do instead so you can protect your critical infrastructure and the community you serve. 

Security Risks for Water and Wastewater: Why VPNs Leave You Open to Cyber Attacks

VPNs leave your water and wastewater facilities vulnerable to cyber threats for several reasons: 

Insufficient Access Control

VPNs allow remote access to the facility’s entire network, which can be convenient for remote monitoring and maintenance tasks. However, if unauthorized individuals gain entry to the network, they could potentially control or manipulate your critical water networks. 

Inadequate Security

VPNs often rely on poorly configured and outdated encryption protocols to protect data transmitted over the network. This can create significant security vulnerabilities and potentially expose sensitive data or allow malicious actors to intercept and manipulate network traffic.

Vulnerable to Insider Threats

VPNs can also inadvertently provide an opening for insider threats. Malicious insiders, such as disgruntled employees or contractors, can abuse their access privileges to laterally traverse your network and sabotage or compromise critical infrastructure systems.

Lack of Network Segmentation

Water and wastewater facilities typically have complex and interconnected networks that include various operational technology (OT) systems. A VPN may not provide the segmentation needed to keep someone connected through it from reaching critical systems.

Dos and Don’ts

  • Don’t overlook VPN software vulnerabilities: Stay informed about potential vulnerabilities and exploits related to the VPN software you are using. Regularly check for updates and security patches released by the vendor, and promptly apply them to protect against known vulnerabilities.
  • Don’t rely on VPNs for security: Better yet, don’t use a VPN at all! While VPNs are often used in water and wastewater facilities to provide an additional layer of security, they aren’t an effective modern solution. 
  • Do leverage Zero Trust instead: Switch from a perimeter-based (firewall and VPN) model of access to a user-to-resource model through Zero Trust. It’s simpler and more secure. 
  • Do enforce strict access controls: Implement granular access controls to ensure that only authorized individuals can connect to your network. Regularly review and update access privileges to prevent unauthorized access, and revoke access for employees or contractors who no longer require connectivity. 
  • Do implement strong authentication: Ensure that strong authentication mechanisms (like multi-factor authentication) are leveraged as much as possible to verify the identities of users attempting to access your network. This adds an extra layer of security and helps prevent unauthorized access. 
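
The user-to-resource model, access review and strong authentication from the list above, as an added example (not Agilicus code and not any product's API): a default-deny check where each grant names one user and one resource and carries an expiry date, set beside the reach a flat VPN gives. Every name, resource and date is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory of OT/IT resources; all names are hypothetical.
INVENTORY = ["scada-hmi", "plc-lift-station-3", "historian-db", "billing-app"]

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str   # one named resource, never a subnet
    expires: date   # forces periodic review; a lapsed grant stops working

# Constructed sample policy.
GRANTS = [
    Grant("operator.alice", "scada-hmi", date(2025, 12, 31)),
    Grant("vendor.pumpco", "plc-lift-station-3", date(2025, 3, 1)),
]

def vpn_reachable(inventory=INVENTORY):
    """Flat VPN model: any connected user can reach the entire network."""
    return sorted(inventory)

def authorize(user, resource, mfa_verified, today, grants=GRANTS):
    """Default deny: allow only with MFA and a live grant for this exact pair."""
    if not mfa_verified:
        return False, "mfa-required"
    matching = [g for g in grants if g.user == user and g.resource == resource]
    if not matching:
        return False, "no-grant"
    if all(today > g.expires for g in matching):
        return False, "grant-expired"
    return True, "granted"

def reachable(user, today, grants=GRANTS):
    """What one account can reach: the exposure if that account is misused."""
    return sorted(g.resource for g in grants
                  if g.user == user and today <= g.expires)

def review(today, grants=GRANTS):
    """Access review: lapsed grants that should be removed from the policy."""
    return [g for g in grants if today > g.expires]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    print("VPN reach:", vpn_reachable())
    print("alice reach:", reachable("operator.alice", today))
    print(authorize("vendor.pumpco", "plc-lift-station-3", True, today))
    print("to revoke:", [(g.user, g.resource) for g in review(today)])
```
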

Transition Your Water and Wastewater Facilities to a Zero Trust Architecture with Agilicus

Now that you know the risks and the best practices, how do you transition to a Zero Trust architecture?

Well, with Agilicus, you can leverage Zero Trust to deploy a robust, seamless solution in just one hour with no disruption to your operations and no VPN. 

Here’s How We Do It: 

Agilicus grants access to specific resources based on stringent authentication and authorization principles, rather than allowing broad access to your entire network (like a VPN would). This significantly reduces the damage a cyber attacker can do once they’re inside your network and eliminates the risks associated with lateral traversal entirely. 

We also make it easy to proactively defend your critical infrastructure by enforcing multi-factor authentication, eliminating shared credentials (which we discussed in more depth in part one of this series), and providing comprehensive visibility into the network. This allows your IT team to detect and respond to potential threats promptly. 

Finally, Agilicus gives your remote workers and third-party vendors secure access to only the resources they need to do their work. This restricts them from accessing the rest of your network, further securing your systems. We also allow you to enforce strong security measures on their third-party devices to prevent anything from being introduced to your network. 

Discover the Agilicus Difference

Learn more about how Agilicus can help you implement a Zero Trust Architecture here. Or, check out this case study to learn how we helped a municipality secure its water treatment facility’s operational technology.