Water & Wastewater Utility – Secure SCADA Architecture

Client:
Australian Water & Wastewater Utility

Industry:
Critical Infrastructure

Services Rendered:
OT Security Architecture, SCADA Network Segmentation, Industrial DMZ Design, Secure Remote Access, Infrastructure Resilience Engineering

About Australian Water & Wastewater Utility

A water and wastewater utility engaged S5 Technology Group to modernise its SCADA security and strengthen the resilience of its operational technology environment through standards-aligned segmentation, secure remote access and a live Proof of Concept validation.

A water and wastewater utility engaged S5 Technology Group to strengthen the security and resilience of its SCADA and operational technology environment.

Discovery identified limited segmentation between enterprise and operational systems, legacy identity dependencies and constraints around secure remote engineering access.

A structured Proof of Concept was commissioned to validate a modern, standards-aligned architecture in a live operational environment before broader rollout.

Client name withheld at request due to security considerations.

Browse our services

The Challenge

Flat or lightly segmented SCADA networks
Enterprise identity systems used for operational access
Remote assets with limited secure administration capability
Increasing expectations for critical infrastructure cyber security

The utility operates a large operational technology environment supporting water and wastewater services, with SCADA systems, telemetry networks and process control equipment distributed across multiple sites.

Limited Internal Segmentation

Discovery identified that SCADA assets were operating with minimal internal segmentation. Trust boundaries between enterprise IT systems and operational environments were not consistently enforced, increasing exposure to lateral movement if a single system or credential set was compromised.

Legacy Access Dependencies

Remote administration relied heavily on enterprise identity services and broad network access. This reduced auditability and increased exposure to credential misuse across operational systems.

Operational Constraints

Where secure remote access was not practical, engineers were required to attend sites in person for maintenance, upgrades and configuration changes.

The client required a strengthened security posture that preserved operational continuity while improving governance and resilience across critical environments.

The Solution

S5 designed and validated a standards-aligned OT security architecture introducing enforceable segmentation, controlled access pathways and resilient connectivity across critical SCADA environments.

Our Approach

S5 delivered a staged Proof of Concept to validate a secure and scalable target-state architecture within a live operational environment.

The design aligned to the Purdue Model and introduced clearly defined trust zones between enterprise IT and operational systems. Access to control networks was enforced through an Industrial DMZ, ensuring that no direct pathways existed between corporate environments and lower-level process devices.

Hardened jump infrastructure was implemented as the controlled entry point into OT. Access policies were identity-aware and supported multi-factor authentication, restricted protocol access and full session logging. This removed legacy broad-access patterns and introduced deterministic access governance.

A dedicated OT identity domain was specified to separate operational authentication from enterprise credentials. This reduced reliance on corporate identity systems for control system access and strengthened boundary enforcement between IT and OT environments.

Network backbone design was refined to support secure remote administration of PLC and telemetry devices from authorised engineering environments. Redundant connectivity patterns were implemented for critical facilities using SD-WAN and route-based VPN architecture, with automatic failover tested under simulated link degradation.

The validated architecture now serves as the reference model for broader rollout.

The Outcome

Removal of unrestricted lateral traffic within scoped networks
Controlled and auditable remote access pathways
Validated separation between enterprise and operational identities
Successful failover testing across redundant link

The Proof of Concept delivered measurable improvements across segmentation, identity governance and operational resilience.

Security Enforcement

Previously flat network segments were replaced with enforced security boundaries. Exposure to lateral movement was reduced and clear separation between enterprise and operational environments was established.

Remote access pathways were tightened and made fully auditable, strengthening visibility and accountability over control systems.

Resilience Validation

Redundant connectivity mechanisms were implemented and tested under simulated degradation scenarios. Automatic failover was confirmed without service interruption.

Secure remote engineering capability reduced site travel while improving response times for maintenance and incident handling.

Scalable Architecture

The engagement established a validated reference architecture that can now be confidently extended across additional facilities.

More Case Studies

Feb / 2026

Water & Wastewater Utility – Secure SCADA Architecture