The Air Gap is Dead: Water Utilities Must Embrace Zero Trust for OT Security


I recently had the privilege of speaking at the Water AI 2026 summit in Anaheim, where I shared my thoughts on a critical intersection of modern infrastructure: Operational Technology (OT) security and the reality of the industrial cloud. As water utilities continue their march into Industry 4.0 — an era defined by cyber-physical systems, distributed control, and edge AI — the way we defend our critical infrastructure has to fundamentally change.

For decades, the water industry has operated on long timelines. A plant built today is expected to run for 25 years. Capital expenditure (CapEx) rules the day, and once equipment is bolted to the floor, it stays there. But while the physical pumps and agitators remain constant, the digital landscape around them has evolved at a breakneck pace. We are no longer living in the era of isolated, local-only SCADA systems. We are operating cyber-physical systems where digital commands directly manipulate heavy machinery.

As we connect these systems to leverage big data, remote operations, and AI, we must confront an uncomfortable truth: the traditional security models we’ve relied on are failing us.

The Myth of the Air Gap

Historically, OT security leaned heavily on the Purdue Model and the concept of the “air gap.” The philosophy was simple: outside is infinitely bad, inside is infinitely good. It’s like the human body relying entirely on skin to keep infections out, but lacking white blood cells to fight an infection if the skin gets scratched.

In reality, the air gap is dead.

I’ve walked into multi-million-gallon-per-day wastewater plants where facility managers swore their networks had absolutely zero outside connectivity. Two minutes later, I spotted 700MHz LTE antennas bolted to a cabinet — installed by a vendor for remote maintenance without the plant operator’s knowledge. Between vendor shadow IT, dial-in modems, and undocumented internet connections, your environment is likely far more connected than you realise.

The Cold, Hard Facts of OT Attacks

When we look at the data from the Cybersecurity and Infrastructure Security Agency (CISA) Risk & Vulnerability Assessments, the narrative of sophisticated, movie-style hacking falls apart. Over 42% of successful attacks use valid, existing accounts. Another 26% rely on spear-phishing.

In total, roughly 80% of successful attacks exploit user authentication and identity weaknesses. Attackers aren’t breaking through your firewalls with zero-day exploits; they are simply logging in. They find a shared credential like “Siemens_Admin,” exploit a legacy VPN that provides broad access to the entire plant network, and move laterally until they reach your critical PLCs and HMIs.

Moving to a Zero Trust Framework

Security vendors often treat “Zero Trust” as a product you can buy off a shelf, but it’s actually a framework. It boils down to three core pillars:

Identity (Who): Every user must be individually known and authenticated. We must eliminate shared accounts. Whether it’s an internal operator or a third-party vendor, identity must be tied to a specific human.

Authorisation (What): Access must be governed by the principle of least privilege. An HVAC contractor shouldn’t have network-wide access to your water treatment PLCs. They should only have access to the specific application they need, and perhaps only during specific hours.

Access (How): We need to kill the corporate VPN. VPNs place users directly onto the network. Instead, we should use Identity-Aware Proxies that route users only to the specific destination resources they are authorised for, entirely decoupled from the underlying network topology.

A Non-Zero-Sum Game

In the IT world, there is a long-standing belief that security and productivity are a zero-sum game — if you increase security, you make a system harder to use. In the OT space, Zero Trust is actually a non-zero-sum game. You can increase security, boost productivity, and lower costs simultaneously.

Think about your task workers and external experts. As the workforce ages out and the skills gap widens, you will increasingly rely on remote subject matter experts. By implementing Zero Trust, these experts can access the resources they need from any device, on any network, without installing clunky VPN clients. By adopting modern authentication like Passkeys (which use local biometrics like your fingerprint or FaceID), you can eliminate passwords entirely, defeating phishing while making the login process seamless.

Implementation: Hours, Not Months

The most common objection I hear is that overhauling plant security is too expensive and complex. But modernising your OT security doesn’t require ripping and replacing your legacy infrastructure.

With an Identity-Aware Proxy, you can bolt modern OpenID Connect authentication onto 25-year-old PLCs and HMIs without changing a single line of config on the plant floor. Furthermore, by utilising an outbound-only architecture, you can close all inbound firewall ports. The plant establishes a secure, outbound tunnel to the cloud, dramatically reducing your attack surface while still allowing authorised users to connect inward securely.

You don’t have to fix everything on day one. You can deploy this incrementally — one user, one application, one vendor at a time.

The industrial revolution of water utilities is already here. The machines are talking to the cloud, and remote access is a necessity, not a luxury. By embracing a Zero Trust framework, we can build a defence-in-depth posture that protects our critical water infrastructure without getting in the way of the people working hard to keep it running.