The Rising Tide of Regulation: Zero Trust for Water Utilities

For years, we treated water treatment facilities like medieval castles: a strong firewall on the outside and a trusted, flat network on the inside. That model is broken. Once a threat actor breaches that perimeter, often via valid credentials, they have free reign to move laterally across your network. With the rise of AI-driven attacks, relying on legacy solutions like VPNs is practically inviting a breach.

The Regulatory Hammer is Falling. Governments are no longer suggesting Zero Trust as a best practice, they are mandating change to protect public safety. We are seeing a wave of legislation explicitly requiring alignment with NIST 800-207 and Zero Trust principles:

• California (AB 749 & Tech Letter 23-01): Explicitly mandates agencies to implement Zero Trust Architecture and achieve the “Initial” maturity stage across the five pillars by May 2024, aligned with NIST 800-207 and the CISA Zero Trust Model.
  
• Florida (HB 7055): Indirectly advances Zero Trust by requiring government entities to adopt cybersecurity standards aligned with NIST best practices, which incorporate core ZTA principles.
  
• Illinois: Statewide directives and IT policy establish an active Zero Trust Strategy, with agencies reporting measurable progress toward implementation under Illinois DoIT leadership.
  
• Indiana (SEA 472): Requires public entities to adopt technology resource and cybersecurity policies by December 31, 2027, based on advanced IoT standards that align with Zero Trust principles.
  
• Michigan: Cybersecurity strategy and IT policy formally adopt Zero Trust as the umbrella framework for consolidating and advancing statewide security initiatives.
  
• New York: The NYS Cybersecurity Strategy mandates risk-based controls, MFA, segmentation, and continuous monitoring, directly implementing core Zero Trust concepts across state entities.
  
• North Dakota: State directives outline a dedicated Zero Trust implementation strategy, emphasizing network segmentation and continuous authentication for agencies.
  
• Texas: The DIR 2022–2026 State Strategic Plan for Information Resources Management encourages agencies to explore a Zero Trust model and mandates practices such as MFA and segmentation.

What You Will Learn

In this session, we will move beyond the buzzwords and look at the architectural reality of modernising your defence-in-depth strategy. We will cover:

• Deconstructing Mandates: A breakdown of what states like California and Indiana actually require from your tech stack.
• Killing the VPN: Why legacy remote access tools are a weak point in your network for OT security and how to replace it with Identity-Aware Proxies.
• Precise Authorisation: How to grant third-party vendors access to a single HMI without handing them the keys to the entire kingdom.
• Practical Zero Trust: Implementing secure remote access for SCADA systems using existing credentials, without complex network reconfigurations.

Don’t wait for an audit — or a breach — to force your hand. Join us to learn how to stay ahead of the curve.