Water and Energy System Hacks

Water and Energy System Hacks and How TrustedPlatform Can Protect Them

Dennis G. Perry, PhD, MBA
April 28, 2026

1. Executive Summary

Water and energy systems are cyber-physical environments. Their cyber risk extends beyond data loss or business interruption. A successful compromise may affect potable water treatment, wastewater movement, pumps, valves, pressure management, metering, distributed energy resources, substation control, pipeline operations, and operator confidence. Public advisories and incidents show that adversaries exploit the same structural weaknesses across both sectors: exposed operational technology, weak remote access, flat networks, credential compromise, vulnerable programmable controllers, delayed patching, vendor access, and insufficient separation between enterprise information technology and operational technology.

The water sector is under particular pressure because utilities are being pushed toward real-time telemetry, smart meters, predictive maintenance, customer-facing digital services, and Internet of Things deployments at scale. The uploaded Ovum and Telstra report argues that water operators must move beyond proofs of concept to secure, reliable, and resilient Internet of Things deployments at full operational scale, while also developing enterprise data management, integrity, governance, and security capabilities [14]. That scaling requirement is operationally sound, but it also expands the cyberattack surface unless zero-trust segmentation and cryptographic identity are built into the architecture from the beginning.

The energy sector faces parallel exposure. Ransomware can disrupt pipeline operations and business services. Nation-state actors can position themselves in critical infrastructure for later disruption. Distributed energy resources and battery systems add millions of edge devices, controllers, communications paths, and vendor-managed services to the grid. The result is a new critical infrastructure security problem: the most important defensive boundary is no longer the perimeter. It is the enforced trust relationship between a specific protected asset, a specific communication path, a specific enclave, and the management plane that governs that enclave.

The supplied TrustedPlatform technical reference describes a zero-trust architecture built around TrustedBlockchain, TrustedOrchestrator, TrustedBroker, and TrustedEdge. TrustedBlockchain serves as the root of trust, certificate authority, public key store, and anchor for device identity. TrustedOrchestrator is the management control point for defining enclaves, assigning TrustedEdges to TrustedBroker pools, and pushing topology and policy changes. TrustedBroker bridges TrustedEdge endpoints into secure enclave segments. TrustedEdge is positioned in front of protected assets and transitions them onto the Zero Trust network while preserving existing IP addressing [15].

Based only on the supplied technical reference, TrustedPlatform can help protect water and energy systems by replacing broad network reachability with cryptographically established enclave membership, by separating control-plane management traffic from data-plane traffic, by using enclave-specific certificates that preclude cross-enclave credential reuse, by negotiating bilateral trust before data-channel creation, by carrying data over AES-256 GCM micro-segmented tunnels, and by overlaying existing brownfield networks without requiring wholesale readdressing. These are strong architectural mitigations for the attack patterns seen in water and energy incidents, especially where the immediate goal is to reduce remote attack surface, restrict lateral movement, isolate legacy devices, and make OT access dependent on explicit trust establishment rather than assumed internal network trust.

2. Research Basis and Scope


The scope is intentionally practical. It does not attempt to prove that any single product can eliminate cyber risk in water or energy operations. Instead, it asks how the architecture described in the supplied TrustedPlatform document would reduce common attack paths and strengthen the cyber-physical security posture of utilities, microgrids, water treatment plants, wastewater systems, battery energy storage systems, substations, pipeline environments, and distributed energy resource networks.

3. Why Water and Energy Systems Are Being Hacked

Water and energy operators combine public visibility, physical consequence, strategic value, and uneven cybersecurity maturity. Attackers may seek ransom payments, political messaging, disruption of public services, pre-positioning for a future crisis, or intelligence about critical infrastructure. The operational value of these systems makes them attractive to criminals and state-linked actors. Their physical complexity makes them difficult to defend with traditional enterprise security models alone.

NIST Special Publication 800-82, Revision 3, defines operational technology as programmable systems or devices that interact with the physical environment, or manage devices that do so. It emphasizes that operational technology systems detect or cause direct change through monitoring or control of devices, processes, and events [5]. That definition is crucial for water and energy. A compromised business application may expose data, but a compromised controller path may affect pumps, valves, breakers, relays, chemical dosing, pressure, flow, or generation dispatch.

NIST Special Publication 800-207 explains why zero trust is relevant to this problem. Zero trust shifts defense away from static network perimeters and toward protecting users, assets, resources, and workflows. It assumes no implicit trust based solely on network location or asset ownership [6]. This is directly applicable to water and energy because remote support, smart meters, cloud analytics, field controllers, vendor maintenance, private cellular, and distributed energy resources have dissolved the older assumption that the operational network is a closed and trusted environment.

The U.S. Environmental Protection Agency increased attention on drinking water cybersecurity in 2024, warning community water systems to address cybersecurity vulnerabilities and comply with statutory risk and emergency planning obligations [1]. CISA also maintains a water and wastewater cybersecurity resource set for systems at different maturity levels [2]. These actions reflect a practical reality: cyber risk is now part of water safety, not merely information technology administration.

Energy systems face the same convergence. The U.S. Department of Energy has emphasized that distributed energy resources and connected grid technologies require cybersecurity to be incorporated into new devices, systems, and infrastructure as a core design concern [8]. As electric distribution networks integrate solar, batteries, inverters, electric-vehicle charging, intelligent switches, and microgrid controls, they face the same edge-device and remote-management problems already visible in water Internet of Things deployments.

4. Water Sector Hack Patterns

4.1 Remote Access to Water Treatment Controls

The Oldsmar, Florida, incident remains a defining example because it showed that a remote session into a water treatment environment can become a physical-process risk. CISA reported unauthorized access to a supervisory control and data acquisition system at a U.S. drinking water treatment facility in February 2021 [3]. Public reporting described an attempted change to sodium hydroxide dosing, followed by rapid operator reversal. Whether viewed as a targeted attack, opportunistic access, or a remote-access failure, the lesson is that remote-control paths into water operations must not rely solely on the assumption that an authenticated session is safe.

The TrustedPlatform implication is architectural. A TrustedEdge can be placed in front of protected assets, moving those assets onto a Zero Trust network while preserving existing IP addressing. TrustedBroker can bridge the relevant TrustedEdge endpoints into a controlled enclave segment. Before data traffic is carried, the Edge and Broker relationship must be established using enclave-specific certificates and bilateral trust negotiation. That means remote access should be reduced to explicitly authorized enclave membership rather than broad network reachability [15].

4.2 Exposed Programmable Logic Controllers and Weak Segmentation

CISA and partner agencies warned in 2023 that IRGC-affiliated actors using the CyberAv3ngers persona were exploiting Unitronics Vision Series programmable logic controllers. The advisory noted that these controllers are commonly used in the water and wastewater sector and in other sectors, including energy [4]. The operational lesson is direct: when controllers are reachable from untrusted networks or protected by weak defaults, a low-sophistication path can become a physical process exposure.

TrustedPlatform directly addresses the network reachability problem described in that pattern. It does not need to replace the controller. Instead, TrustedEdge can sit in front of the protected controller or controller-adjacent asset, while TrustedBroker connects that Edge into the appropriate enclave. Enclave-specific certificates prevent credentials scoped to one enclave from being reused in another enclave. The data channel then runs only within AES-256 GCM micro-segmented tunnels after bilateral trust is established [15].

4.3 Water Utility Business System Incidents

The American Water cybersecurity incident in October 2024 illustrates that even when public statements do not indicate direct operational impact, a compromise of a business system can disrupt customer portals, billing processes, and incident response activities. American Water reported unauthorized activity in its computer networks and systems in an SEC filing and later stated that the customer portal and standard billing processes were being reactivated after systems were confirmed to be secure [11], [12].

The cyber-physical significance is that business systems, customer systems, vendor systems, and operational systems increasingly share identities, networks, support channels, cloud services, or administrative dependencies. TrustedPlatform would not be a billing platform security tool. Its relevance is the separation of operational enclaves from enterprise network trust. Enterprise compromise should not automatically provide access to pumps, treatment controls, meter collection paths, remote terminal units, or telemetry networks.

4.4 Nation-State Pre-Positioning Against Critical Infrastructure

CISA and partner agencies reported in 2024 that PRC state-sponsored actors known as Volt Typhoon had compromised information technology environments across multiple critical infrastructure sectors, including energy, water, and wastewater systems [7]. The strategic concern is not only espionage. The warning emphasized the possibility of disruptive or destructive action against critical infrastructure during a future crisis.

TrustedPlatform helps address this pattern by reducing the value of lateral movement inside information technology networks. A compromised enterprise host should not automatically gain access to operational technology assets if those assets reside behind TrustedEdges and can communicate only through enclave-specific trust relationships. The platform architecture described in the supplied reference makes trust specific, cryptographic, and scoped to the enclave rather than inherited from the surrounding network [15].

5. Energy Sector Hack Patterns

5.1 Ukraine Electric Power Grid Attacks

The 2015 Ukraine power grid attack remains one of the clearest public cases of cyber activity causing electric outages. The SANS and Electricity Information Sharing and Analysis Center report consolidated open-source information about the attack and identified lessons for supervisory control and data acquisition defense [9]. The attack sequence included reconnaissance, credential compromise, remote access, control-system interaction, and destructive activity against supporting systems. The event demonstrated that a power grid compromise is not theoretical.

TrustedPlatform maps to several defensive lessons from Ukraine-style attacks. It can reduce the reachability of operator workstations, substations, relays, and remote terminal units by placing protected assets behind TrustedEdges. It can separate management traffic from data traffic through independent out-of-band TLS 1.3 management channels and AES-256 GCM micro-segmented data tunnels. It can also prevent cross-enclave credential reuse through enclave-specific certificates. Those controls do not replace monitoring, backup, incident response, or safety systems, but they reduce the likelihood that enterprise compromise results in direct operational control [15].

5.2 Pipeline Ransomware and Business-to-Operations Fragility

The Colonial Pipeline ransomware attack in May 2021 demonstrated that cyber incidents affecting business systems can disrupt energy supply even when the immediate compromise is not a targeted industrial control system attack. CISA described the attack as a ransomware incident that captured national attention and prompted extensive operational and policy responses [10]. The Department of Energy also documented federal response activity and related advisories concerning the DarkSide ransomware variant used in the attack [13].

TrustedPlatform is not a ransomware-decryption or endpoint-recovery tool. Its relevance is containment. If pipeline business networks, scheduling systems, remote offices, terminal networks, and operational segments are separated into cryptographic enclaves, ransomware spread and post-compromise movement can be constrained. TrustedEdge and TrustedBroker relationships can narrow the set of systems that can communicate, while Dynamic Network Refactoring can move devices between security contexts without IP readdressing, VPN teardown, or policy re-composition [15].

5.3 Distributed Energy Resources and Microgrids

Distributed energy resources increase the number of devices and organizations involved in grid operations. Inverters, batteries, solar plant controllers, building energy management systems, electric vehicle chargers, aggregators, cloud platforms, and vendor support services expand the number of control points that can influence electric behavior. DOE guidance emphasizes that cybersecurity should be incorporated into distributed energy resources, systems, and infrastructure by design [8].

TrustedPlatform is relevant because distributed energy resources are inherently enclave-oriented. A battery energy storage system, an inverter bank, a microgrid controller, a utility head-end, a demand response aggregator, and a cloud monitoring service should not all share a flat trust domain. TrustedPlatform can place DER assets behind TrustedEdges, connect them to TrustedBroker pools, assign them to separate enclaves, and maintain enclave-specific certificate sets so that a credential or device relationship in one DER enclave cannot be reused to participate in another [15].

6. Cross-Sector Attack Taxonomy

The public record shows recurring attack patterns that cross the water and energy boundary. These patterns are important because water and energy infrastructures increasingly share vendors, communications carriers, industrial devices, remote support models, and cloud analytics practices.

Attack pattern: Remote access abuse
  Water manifestation: Unauthorized or weakly governed sessions into SCADA, HMI, or treatment systems.
  Energy manifestation: Remote engineering access to substations, pipeline systems, generation sites, or DER controls.
  Primary security failure: Remote access is treated as a network convenience rather than an explicit, asset-scoped trust decision.

Attack pattern: Exposed controllers
  Water manifestation: Internet-facing PLCs, default credentials, weak segmentation, insecure vendor access.
  Energy manifestation: Exposed industrial gateways, DER controllers, inverter portals, and remote terminal unit paths.
  Primary security failure: Controllers remain reachable outside a tightly bounded enclave.

Attack pattern: Credential compromise
  Water manifestation: Stolen or weak accounts used to access utility systems or vendor paths.
  Energy manifestation: Compromised VPN, domain, cloud, or vendor credentials used to move toward OT.
  Primary security failure: Identity is not bound to device, enclave, and communication path.

Attack pattern: Flat network movement
  Water manifestation: Business compromise creates a route toward telemetry, engineering, or treatment systems.
  Energy manifestation: Enterprise compromise creates a route toward substations, pipelines, DER, or operations centers.
  Primary security failure: Network location is treated as trust.

Attack pattern: Ransomware spillover
  Water manifestation: Business disruption affects billing, customer service, dispatch, or operations support.
  Energy manifestation: Ransomware pressure affects pipeline logistics, terminal operations, or power operations support.
  Primary security failure: Segmentation and resilience are insufficient to preserve critical operations.

Attack pattern: Nation-state pre-positioning
  Water manifestation: Long-term access to water or wastewater IT as future leverage.
  Energy manifestation: Long-term access to energy IT or OT as crisis leverage.
  Primary security failure: Adversaries can persist in shared infrastructure and probe for operational paths.
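The "flat network movement" row above (network location treated as trust) and the containment point in section 5.2 (Dynamic Network Refactoring moving a device between security contexts without readdressing) can be shown with a small model. The Go program below is an added example written for this page, not the product's code or policy engine: it treats reachability purely as a function of shared enclave membership, and it keeps each asset's IP address only to show that quarantine does not change it. All host names, addresses and enclave names are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Asset is a protected device behind a TrustedEdge. Enclaves is the set of enclaves that
// Edge currently participates in; IP is recorded only to show it never changes. Constructed values.
type Asset struct {
	Name, IP string
	Enclaves map[string]bool
}

// Fabric is a minimal model of enclave membership. Reachability is computed from shared
// enclave membership alone, never from addresses or subnets. Illustrative, not the product's policy engine.
type Fabric struct{ assets map[string]*Asset }

func NewFabric() *Fabric { return &Fabric{assets: map[string]*Asset{}} }

// Add registers an asset with its address and initial enclave memberships.
func (f *Fabric) Add(name, ip string, enclaves ...string) {
	a := &Asset{Name: name, IP: ip, Enclaves: map[string]bool{}}
	for _, e := range enclaves {
		a.Enclaves[e] = true
	}
	f.assets[name] = a
}

// IP returns the asset's address (empty if unknown).
func (f *Fabric) IP(name string) string {
	if a := f.assets[name]; a != nil {
		return a.IP
	}
	return ""
}

// Reachable reports whether two assets share at least one enclave, and which ones.
func (f *Fabric) Reachable(a, b string) (bool, []string) {
	x, y := f.assets[a], f.assets[b]
	if x == nil || y == nil {
		return false, nil
	}
	var shared []string
	for e := range x.Enclaves {
		if y.Enclaves[e] {
			shared = append(shared, e)
		}
	}
	sort.Strings(shared)
	return len(shared) > 0, shared
}

// Refactor moves an asset from one enclave to another, the containment step the reference
// calls Dynamic Network Refactoring: membership changes, the address does not.
func (f *Fabric) Refactor(name, from, to string) error {
	a := f.assets[name]
	if a == nil || !a.Enclaves[from] {
		return fmt.Errorf("%s is not a member of enclave %q", name, from)
	}
	delete(a.Enclaves, from)
	a.Enclaves[to] = true
	return nil
}

// DemoFabric builds a constructed water-utility site: four hosts on one /24, in different enclaves.
func DemoFabric() *Fabric {
	f := NewFabric()
	f.Add("billing-server", "10.1.5.20", "corp-it")
	f.Add("scada-hmi", "10.1.5.30", "water-ops")
	f.Add("pump-plc-3", "10.1.5.40", "water-ops")
	f.Add("eng-workstation", "10.1.5.50", "water-ops", "water-eng")
	return f
}

func main() {
	f := DemoFabric()
	show := func(a, b string) {
		ok, via := f.Reachable(a, b)
		fmt.Printf("%-16s -> %-12s reachable=%-5v via=%v\n", a, b, ok, via)
	}
	show("billing-server", "pump-plc-3") // same subnet, no shared enclave: denied
	show("scada-hmi", "pump-plc-3")      // shared water-ops enclave: permitted
	show("eng-workstation", "pump-plc-3")
	// Containment: the workstation is suspected compromised and moved to a quarantine enclave.
	if err := f.Refactor("eng-workstation", "water-ops", "quarantine"); err != nil {
		panic(err)
	}
	show("eng-workstation", "pump-plc-3") // now denied; its IP is still 10.1.5.50
	fmt.Println("eng-workstation IP after refactor:", f.IP("eng-workstation"))
}
```

The point of the model is the first `show` line: the billing server and the PLC sit on the same /24, which in a flat network would be enough for the ransomware-spillover and flat-network-movement patterns above, yet no enclave is shared, so no path exists. The quarantine step is the incident-response use of refactoring: the asset's address and the rest of the site are untouched.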

7. Why Scaled Water IoT Increases the Security Requirement

The uploaded Ovum and Telstra report argues that the water sector must move from isolated proofs of concept toward full-scale Internet of Things deployments. It describes smart meters, sensors, telemetry, predictive maintenance, and near real-time visibility as operationally valuable for leakage reduction, asset management, customer experience, regulatory compliance, and environmental sustainability [14]. It also warns that disconnected pockets of limited deployments can become siloed, difficult to manage, and difficult to connect.

The same report highlights the need for core data capabilities in management, integrity, governance, and security, and it identifies proven integrated Internet of Things security solutions as a top criterion in supplier selection [14]. This is the key security insight: scaled telemetry without scaled trust expands the attack surface. Thousands or millions of smart endpoints can improve operational visibility, but only if they are incorporated into a governance and network model that denies implicit trust.

TrustedPlatform fits this scaling problem because the supplied reference describes it as a transport-agnostic overlay that can operate across existing installed networks without requiring changes to the underlying infrastructure. The dual-layer model uses an encrypted Layer 2 tunnel encapsulated inside an unencrypted Layer 3 port tunnel, allowing security segments to stretch from edge to core or edge to cloud [15]. For water utilities, this is important because brownfield treatment plants, pumping stations, reservoirs, meters, field sensors, and regional communications links cannot be rebuilt all at once.

8. TrustedPlatform Capabilities Used in This Analysis

This section is the governing constraint for the rest of the document. Every TrustedPlatform mitigation claim below is limited to the capabilities described in the supplied TrustedPlatform Dataflow and Enforcement Controls document.

TrustedBlockchain
  Description from supplied technical reference: Root of trust, built-in certificate authority, public key store, and anchor for device identity.
  Security relevance to water and energy: Provides cryptographic identity anchoring for platform components rather than relying only on network location.

TrustedOrchestrator
  Description from supplied technical reference: Management control point used to define enclaves, assign TrustedEdges to TrustedBroker pools, and push topology and policy changes.
  Security relevance to water and energy: Creates a governed control point for enclave membership and topology decisions.

TrustedBroker
  Description from supplied technical reference: Bridge between TrustedEdge endpoints, combining endpoints and protected devices into a unified enclave or network segment.
  Security relevance to water and energy: Creates brokered enclave connectivity rather than direct broad reachability.

TrustedEdge
  Description from supplied technical reference: Positioned in front of protected assets and transitions those assets onto the Zero Trust network while preserving existing IP addressing.
  Security relevance to water and energy: Protects legacy OT assets without requiring immediate IP readdressing or rip-and-replace modernization.

Dynamic Network Refactoring
  Description from supplied technical reference: TrustedEdges and TrustedBrokers can participate in multiple enclaves, enabling devices to move between security contexts without IP readdressing, VPN teardown, or policy re-composition.
  Security relevance to water and energy: Supports incident containment, resegmentation, and operational flexibility in brownfield utilities.

Provisioning and certificates
  Description from supplied technical reference: TrustedBlockchain CA issues certificates to TrustedOrchestrator, TrustedBrokers, and TrustedEdges. The document states these incorporate NIST-approved post-quantum cryptography algorithms.
  Security relevance to water and energy: Establishes a cryptographic foundation for component authentication and management communications.

TPM key storage
  Description from supplied technical reference: Private keys are stored in each component Trusted Platform Module, and public keys are stored in TrustedBlockchain.
  Security relevance to water and energy: Reduces risk of private key extraction from platform components.

Enclave-specific certificates
  Description from supplied technical reference: A new certificate set is generated for every Edge and Broker participating in an enclave; certificates are scoped to that enclave and cannot be reused across enclaves.
  Security relevance to water and energy: Prevents cross-enclave trust inheritance and limits lateral movement across operational segments.

Bilateral trust negotiation
  Description from supplied technical reference: Edge and Broker exchange encrypted tokens over out-of-band TLS transport using enclave-scoped credentials. Trust is established only if the token is valid and decrypted with the sender public key from the blockchain.
  Security relevance to water and energy: Makes communication dependent on bilateral cryptographic validation.

Separated channels
  Description from supplied technical reference: Management traffic uses out-of-band TLS 1.3 tunnels. Data traffic uses AES-256 GCM micro-segmented session tunnels after bilateral trust is established.
  Security relevance to water and energy: Separates control-plane management from protected operational data paths.

Transport-agnostic overlay
  Description from supplied technical reference: Encrypted Layer 2 tunnel encapsulated inside an unencrypted Layer 3 port tunnel, overlaying existing networks.
  Security relevance to water and energy: Allows deployment across brownfield water and energy networks without redesigning the underlay.

SD-WAN integration and local resiliency
  Description from supplied technical reference: The platform can coexist with SD-WAN and transport bonding, and local TrustedEdges and TrustedBrokers can preserve local enclave communication during backhaul failure.
  Security relevance to water and energy: Improves compatibility with existing WAN resiliency patterns and remote-site operations.

Emerging data diode mode
  Description from supplied technical reference: A capability under development for one-way communications using unilateral trust between TrustedEdge and TrustedBroker.
  Security relevance to water and energy: Potential future option for unidirectional telemetry or high-assurance monitoring flows.
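The enclave-specific certificate, bilateral trust negotiation and separated-channel entries above describe a sequence: per-enclave credentials are issued and anchored, each side validates the other's token against the anchored public key before any data key exists, and only then is an AES-256 GCM session tunnel formed. The Go program below is an added example written for this page; it is not the product's code, protocol or API. It substitutes Ed25519 key pairs for the reference's certificates, an in-memory map for the TrustedBlockchain public key store and for TPM-resident private keys, and X25519 key agreement hashed with SHA-256 for data-key derivation, which the reference does not specify and is an assumption here. Component and enclave names are constructed. The part worth reading is `Verify`: a token produced with the water-ops credential and relabelled for energy-ops is checked against the energy-ops key and fails, which is the "cannot be reused across enclaves" property in executable form.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credentials are keyed by (component, enclave): one key pair per enclave a component joins.
type scope struct{ Component, Enclave string }

// Registry stands in for the TrustedBlockchain public-key store; it holds public keys only.
type Registry map[scope]ed25519.PublicKey

// Component models a TrustedEdge or TrustedBroker; priv stands in for the TPM-resident per-enclave keys. Names are illustrative.
type Component struct {
	ID   string
	priv map[string]ed25519.PrivateKey
}

// Enroll issues a fresh enclave-specific key pair and publishes the public half (crypto/rand failures are fatal in current Go).
func (c *Component) Enroll(reg Registry, enclave string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if c.priv == nil { c.priv = map[string]ed25519.PrivateKey{} }
	c.priv[enclave] = priv
	reg[scope{c.ID, enclave}] = pub
}

// Token is one side's signed trust assertion; EphPub is a fresh X25519 key for the data channel.
type Token struct {
	From, Enclave string
	EphPub, Sig   []byte
}

func (t Token) payload() []byte { return append([]byte(t.From+"\x00"+t.Enclave+"\x00"), t.EphPub...) }

// Offer signs a token with the credential scoped to one enclave; an unenrolled component cannot produce one.
func (c *Component) Offer(enclave string) (Token, *ecdh.PrivateKey, error) {
	priv, ok := c.priv[enclave]
	if !ok { return Token{}, nil, fmt.Errorf("%s holds no credential for enclave %q", c.ID, enclave) }
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	t := Token{From: c.ID, Enclave: enclave, EphPub: eph.PublicKey().Bytes()}
	t.Sig = ed25519.Sign(priv, t.payload())
	return t, eph, nil
}

// Verify checks a token against the key registered for (sender, expected enclave); a relabelled token fails under that enclave's key.
func (r Registry) Verify(t Token, expected string) error {
	if t.Enclave != expected { return fmt.Errorf("token scoped to %q, expected %q", t.Enclave, expected) }
	pub, ok := r[scope{t.From, expected}]
	if !ok { return fmt.Errorf("%s is not enrolled in enclave %q", t.From, expected) }
	if !ed25519.Verify(pub, t.payload(), t.Sig) { return fmt.Errorf("signature invalid under the %q key", expected) }
	return nil
}

// deriveAEAD hashes the X25519 shared secret with the enclave name into a 256-bit AES-GCM key (an assumed KDF).
func deriveAEAD(mine *ecdh.PrivateKey, theirs []byte, enclave string) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(theirs)
	if err != nil { return nil, err }
	shared, err := mine.ECDH(peer)
	if err != nil { return nil, err }
	key := sha256.Sum256(append(shared, enclave...))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	return cipher.NewGCM(block)
}

// Negotiate is the bilateral exchange: each side verifies the other's token before either derives a data key.
func Negotiate(reg Registry, edge, broker *Component, enclave string) (cipher.AEAD, cipher.AEAD, error) {
	et, eEph, err := edge.Offer(enclave)
	if err != nil { return nil, nil, err }
	if err := reg.Verify(et, enclave); err != nil { return nil, nil, fmt.Errorf("broker rejected edge: %w", err) }
	bt, bEph, err := broker.Offer(enclave)
	if err != nil { return nil, nil, err }
	if err := reg.Verify(bt, enclave); err != nil { return nil, nil, fmt.Errorf("edge rejected broker: %w", err) }
	ek, err := deriveAEAD(eEph, bt.EphPub, enclave) // edge-side session key
	if err != nil { return nil, nil, err }
	bk, err := deriveAEAD(bEph, et.EphPub, enclave) // broker-side session key (same secret)
	return ek, bk, err
}

func main() {
	reg := Registry{}
	edge, broker := &Component{ID: "edge-pump-plc"}, &Component{ID: "broker-site-a"} // constructed names
	for _, e := range []string{"water-ops", "energy-ops"} {
		edge.Enroll(reg, e)
		broker.Enroll(reg, e)
	}
	if _, _, err := Negotiate(reg, edge, broker, "water-ops"); err != nil { panic(err) }
	fmt.Println("water-ops: bilateral trust established, AES-256-GCM session keys derived")
	tok, _, _ := edge.Offer("water-ops")
	tok.Enclave = "energy-ops" // the water-ops credential presented for another enclave
	fmt.Println("cross-enclave reuse:", reg.Verify(tok, "energy-ops"))
}
```

Two properties carry over directly from the reference's description. First, no data key exists until both `Verify` calls succeed, so an endpoint that was never enrolled in an enclave cannot reach the tunnel stage at all. Second, because the session key is derived from a per-session exchange inside a named enclave, a session negotiated in energy-ops cannot decrypt water-ops traffic even when the same two components are members of both.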

9. How TrustedPlatform Protects Water Systems

9.1 Treatment Plant and Pumping Station Segmentation

Water treatment plants and pumping stations contain a mixture of legacy controllers, human-machine interfaces, supervisory control and data acquisition services, engineering workstations, telemetry systems, remote access tools, and vendor-maintained equipment. The defensive problem is that many of these systems were designed for operational continuity before modern threat models existed. TrustedPlatform can place TrustedEdges in front of protected assets or asset groups and use TrustedBrokers to form water operations enclaves. This creates a security boundary based on enclave membership and cryptographic trust, rather than assuming that any device within the plant network is trusted [15].

This architecture is especially valuable for small and mid-sized utilities that cannot redesign their entire control networks immediately. Because TrustedEdge is designed to preserve existing IP addressing, a water utility can reduce lateral movement and restrict direct reachability without forcing a full readdressing project. The practical result is a staged path toward zero trust operations in environments where operational downtime and engineering change control are major constraints.

9.2 Protection of Smart Meters and IoT Telemetry

Scaled water Internet of Things deployments create many small endpoints, many communications paths, and many places where integrity and availability matter. Smart meter readings may support billing, leakage detection, customer communications, and regulatory reporting. Pressure sensors and sewer-level sensors may support early fault detection and overflow prevention. The Ovum and Telstra report describes these capabilities as essential to modern water operations but also emphasizes the need for data integrity, governance, and security [14].

TrustedPlatform can support the connectivity-security side of this problem by placing telemetry gateways, meter head-end systems, or sensor-aggregation assets within discrete enclaves. Enclave-specific certificates prevent one telemetry enclave from serving as a credential bridge to another. The separate management channel also means that topology and policy changes are not carried over the same data path as telemetry. This does not validate meter data by itself, but it reduces unauthorized reachability to the systems that collect and move that data.

9.3 Vendor and Remote Support Access

Water utilities depend on external vendors for pumps, treatment equipment, telemetry platforms, industrial controls, analytics services, communications, and maintenance. Vendor access is operationally necessary, but it is also a repeated source of cyber risk. A zero-trust approach should treat vendor connectivity as a narrowly scoped path to a protected asset, not as general network access.

TrustedPlatform can support that model by assigning vendor-reachable protected assets to specific enclaves and forcing communications to flow through TrustedEdge and TrustedBroker relationships. Because bilateral trust must be negotiated before a data tunnel is created, and enclave-specific certificates cannot be reused across enclaves, a vendor path can be narrowed to the asset or asset group requiring support. Complementary tools would still be needed for user authentication, session recording, privileged access management, and command-level approval, but the TrustedPlatform contribution is the cryptographic and network segmentation layer.

9.4 Local Resilience for Remote Facilities

Remote water facilities often depend on backhaul links to central operations. Loss of connectivity can impair monitoring and centralized control. The supplied TrustedPlatform reference recommends deploying TrustedEdges and one or more TrustedBrokers at each site when customers are concerned about the complete loss of connectivity to remote sites. This topology prevents a backhaul failure from becoming a single point of failure for local inter-segment communications [15].

For water utilities, this means a treatment plant, pump station cluster, or reservoir site could preserve local enclave communication during a wide-area network failure. That does not eliminate the need for manual fallback or local operating procedures, but it supports resilience by keeping local protected segments connected through local TrustedPlatform components rather than depending exclusively on the central backhaul.

10. How TrustedPlatform Protects Energy Systems

10.1 Substations, Relays, and Remote Terminal Units

Energy operational technology often contains substations, protective relays, remote terminal units, gateways, engineering workstations, and control center systems that were not designed for frequent exposure to enterprise networks or remote administrative paths. A major risk is that the compromise of one system becomes a route into many others. TrustedPlatform addresses this by allowing protected assets to be assigned to enclaves through TrustedEdges and TrustedBrokers. Enclave membership is cryptographically scoped, and cross-enclave trust is architecturally precluded by independent enclave-specific certificates [15].

This matters for substations because substations should not all reside in a single flat trust zone. A compromise at one remote site should not imply reachability to neighboring substations, the control center, or distributed energy resource management systems. TrustedPlatform micro-segmentation can create separate operational enclaves for substations, engineering functions, telemetry, and support paths.

10.2 Battery Energy Storage Systems and Microgrids

Battery energy storage systems and microgrids combine power conversion systems, battery management systems, energy management systems, inverters, meters, protection devices, building systems, and cloud or vendor services. These systems are often located at campuses, hospitals, data centers, military facilities, industrial sites, or utility distribution nodes. Their cyber risk is significant because remote manipulation may affect charging, discharging, availability, islanding coordination, alarms, and equipment condition.

TrustedPlatform can segment battery energy storage and microgrid assets into functional enclaves. For example, one enclave could contain battery management telemetry, another could contain energy management system communication, another could protect vendor maintenance, and another could connect to utility or facility control systems. The supplied reference supports this kind of architecture through TrustedEdges, TrustedBrokers, multiple enclave participation, Dynamic Network Refactoring, and preserved IP addressing [15]. Complementary controls would still be needed for safety logic, firmware integrity, local interlocks, and process monitoring.

10.3 Distributed Energy Resource Aggregation

Distributed energy resource aggregation creates a many-to-many trust problem. A utility, aggregator, vendor cloud, inverter fleet, battery fleet, and facility owner may all participate in the same operational ecosystem. The risk is that a weakness in one organization or access path becomes a route to many field devices. DOE guidance treats cybersecurity as a design issue for distributed energy resources because of the increasing integration of connected devices and systems into the electric grid [8].

TrustedPlatform helps by making device and enclave trust explicit. Each participating Edge and Broker can receive enclave-specific certificate sets for the particular security context in which it participates. A device assigned to multiple enclaves maintains separate, independent certificate sets. This design prevents a certificate from one enclave from being substituted into another enclave, thereby reducing the ability of a single DER relationship to serve as a cross-domain bridge [15].

11. Reference Architecture

Figure 1 summarizes the revised protection model using only the TrustedPlatform components and dataflow controls described in the supplied technical reference.

Figure 1. TrustedPlatform protection model for water and energy operational technology based on the supplied technical reference.

In this architecture, existing water or energy assets do not become trusted simply because they are on an internal network. TrustedEdges move protected assets onto the Zero Trust network. TrustedBrokers bridge the relevant Edge endpoints into enclave segments. TrustedBlockchain anchors certificates, public keys, and device identity. TrustedOrchestrator defines enclaves, assigns Edges to Broker pools, and pushes topology and policy changes. Management traffic is separated from data traffic, and data traffic is carried through micro-segmented AES-256 GCM tunnels only after bilateral trust has been established [15].

12. Control Mapping

Flat OT networks
  TrustedPlatform control from supplied reference: TrustedEdge, TrustedBroker, and enclave segmentation.
  Practical outcome: Reduces broad reachability between controllers, workstations, telemetry systems, and support paths.

Compromised business network
  TrustedPlatform control from supplied reference: Transport-agnostic overlay and protected enclaves independent of the underlay network.
  Practical outcome: Enterprise network compromise does not automatically create OT enclave membership.

Cross-domain movement
  TrustedPlatform control from supplied reference: Enclave-specific certificates that cannot be reused across enclaves.
  Practical outcome: Prevents credentials scoped to one enclave from authenticating into another enclave.

Remote-site backhaul failure
  TrustedPlatform control from supplied reference: Local TrustedEdges and one or more TrustedBrokers at each site.
  Practical outcome: Preserves local inter-segment communication when the backhaul link fails.

Legacy addressing constraints
  TrustedPlatform control from supplied reference: TrustedEdge transitions assets onto the Zero Trust network while preserving existing IP addressing.
  Practical outcome: Supports brownfield deployment without wholesale IP readdressing.

Control-plane exposure
  TrustedPlatform control from supplied reference: Out-of-band TLS 1.3 management channel separated from the data plane.
  Practical outcome: Protects topology and policy communications from sharing the operational data path.

Data path confidentiality and segmentation
  TrustedPlatform control from supplied reference: AES-256 GCM micro-segmented session tunnels after bilateral trust.
  Practical outcome: Protects permitted operational flows and narrows communication paths.

Key extraction risk
  TrustedPlatform control from supplied reference: Private keys stored in TPM; public keys stored in TrustedBlockchain.
  Practical outcome: Adds hardware-backed protection for component private keys.

Crypto-agility and quantum-era concerns
  TrustedPlatform control from supplied reference: The supplied reference states that certificates incorporate NIST-approved post-quantum cryptography algorithms.
  Practical outcome: Improves the cryptographic posture of platform management and identity infrastructure.

Operations with SD-WAN
  TrustedPlatform control from supplied reference: Coexistence with SD-WAN and transport bonding; Onclave-secured traffic can be used as a routing policy input.
  Practical outcome: Allows protected OT traffic to be prioritized through existing resilient transport designs.

13. Implementation Roadmap

13.1 Phase 1: Asset and Communication Path Discovery

The first phase is not product deployment. It is discovery. A water or energy operator should identify protected assets, communication paths, remote access paths, vendor dependencies, site-to-site links, cloud or data center destinations, and operational dependencies. The output should be a segmentation map that distinguishes safety-critical control, operational telemetry, engineering access, vendor maintenance, business systems, and regulatory reporting.

13.2 Phase 2: Enclave Design

The second phase is enclave design. Enclaves should be aligned with operational consequences rather than organizational convenience. A water treatment chemical control path should not share broad reachability with billing systems. A substation engineering path should not have the same broad reach as a public-facing customer portal. A battery energy storage vendor maintenance enclave should not inherit access to facility supervisory control systems. The TrustedOrchestrator role described in the supplied reference is to define enclaves, assign TrustedEdges to TrustedBroker pools, and push topology and policy changes [15].

13.3 Phase 3: Brownfield Pilot with Production Criteria

The third phase should protect a real operational segment, not a disconnected demonstration. A suitable water pilot may include a pump station, treatment plant subsystem, or telemetry aggregation path. A suitable energy pilot may include a battery energy storage subsystem, a microgrid controller path, or a remote substation communications path. Success criteria should include preserved operations, no IP readdressing where existing addressing must be kept, successful bilateral trust establishment, validated management/data channel separation, controlled enclave membership, and recovery behavior under backhaul degradation.

13.4 Phase 4: Scale-Out and Dynamic Network Refactoring

The fourth phase is scale-out. The utility should expand by enclave family: treatment plants, pump stations, telemetry gateways, substations, DER assets, microgrid systems, vendor access paths, and control centers. Dynamic Network Refactoring is useful during scale-out because the supplied reference states that TrustedEdges and TrustedBrokers can move devices between security contexts without IP readdressing, VPN teardown, or policy re-composition [15].

13.5 Phase 5: Integration with Complementary Controls

TrustedPlatform should be deployed as the zero-trust overlay and enclave enforcement architecture. It should be combined with complementary controls that are outside the supplied TrustedPlatform description: multi-factor identity, privileged access management, endpoint detection and response, industrial intrusion detection, process anomaly detection, secure backups, patch governance, incident response playbooks, safety interlocks, firmware integrity controls, and security operations workflows. This distinction is important. TrustedPlatform reduces reachability and enforces cryptographic enclave trust, while complementary controls address monitoring, endpoint behavior, process semantics, and recovery.

14. Governance, Procurement, and Board Reporting

For governance purposes, water and energy leaders should treat segmentation, remote access control, and cryptographic identity as board-level resilience issues. EPA enforcement activity, CISA advisories, NIST operational technology guidance, DOE distributed energy resource guidance, and public incidents all point to the same conclusion: critical infrastructure cyber risk must be managed as operational, public safety, regulatory, and reputational risk.

Procurement should require vendors to support zero-trust segmentation patterns. For TrustedPlatform deployment, procurement language should be tied to the capabilities in the supplied reference: TrustedEdge placement in front of protected assets, TrustedBroker enclave bridging, TrustedBlockchain certificate and public key anchoring, TrustedOrchestrator topology and policy management, enclave-specific certificates, bilateral trust negotiation, separated management and data channels, AES-256 GCM micro-segmented data tunnels, TLS 1.3 management tunnels, TPM private key storage, and compatibility with existing underlay networks [15].

Board reporting should avoid counting only vulnerabilities, alerts, or training completion. More meaningful measures include the percentage of critical OT assets behind TrustedEdges, the number of operational enclaves defined, the percentage of remote access paths converted from broad network access to enclave-specific access, the number of sites with local TrustedBroker resilience, the number of legacy devices protected without readdressing, and the reduction in cross-enclave reachability. These metrics align the technology architecture with operational risk reduction.
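An added example, not from the supplied reference, that ties the Phase 1 segmentation map and the Phase 2 consequence rules to the cross-enclave reachability metric proposed above: assets, consequence classes, enclave assignments and rules are constructed for a small water utility, and one design error is planted on purpose so the check has something to find.

```python
from itertools import combinations

# Constructed Phase 1 inventory. Each asset carries its consequence class and the
# set of enclaves the Phase 2 design places it in; an asset may sit in several.
ASSETS = {
    "chem-dosing-plc":  ("safety-control", {"treatment-control"}),
    "treatment-hmi":    ("engineering",    {"treatment-control", "telemetry"}),
    "pump-station-rtu": ("control",        {"pump-control", "telemetry"}),
    "scada-historian":  ("telemetry",      {"telemetry"}),
    # Design error planted on purpose: vendor support landed in treatment control.
    "vendor-jumphost":  ("vendor",         {"vendor-maintenance", "treatment-control"}),
    "billing-server":   ("business",       {"business"}),
    "customer-portal":  ("business",       {"business"}),
}

# Phase 2 consequence rules: pairs of classes that must never share an enclave.
RULES = {
    frozenset({"safety-control", "business"}),
    frozenset({"safety-control", "vendor"}),
    frozenset({"control", "business"}),
}

def flat_pairs(assets):
    """Every asset pair is mutually reachable on a flat OT network."""
    return {(a, b) for a, b in combinations(sorted(assets), 2)}

def enclave_pairs(assets):
    """Under enclave segmentation a pair can talk only if it shares an enclave."""
    return {(a, b) for a, b in flat_pairs(assets) if assets[a][1] & assets[b][1]}

def violations(assets, rules):
    """Reachable pairs whose consequence classes a Phase 2 rule forbids."""
    return sorted((a, b) for a, b in enclave_pairs(assets)
                  if frozenset({assets[a][0], assets[b][0]}) in rules)

def reachability_reduction(assets):
    """Board metric: (flat pairs, enclaved pairs, fractional reduction)."""
    flat, enclaved = len(flat_pairs(assets)), len(enclave_pairs(assets))
    return flat, enclaved, 1 - enclaved / flat

if __name__ == "__main__":
    print("reachability:", reachability_reduction(ASSETS))
    print("rule violations:", violations(ASSETS, RULES))
```

Re-running the check after each Dynamic Network Refactoring step gives a repeatable way to confirm that moving a device between enclaves did not reopen a forbidden path.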

15. Conclusions

Water and energy system hacks exploit the same recurring weakness: operational environments have become connected, remote, instrumented, and vendor-dependent faster than their trust models have changed. The result is a mismatch between cyber-physical consequence and inherited network trust. Attackers exploit that mismatch through remote access, exposed controllers, credential compromise, ransomware, and long-term pre-positioning.

The supplied TrustedPlatform technical reference describes an architecture that directly addresses the trust model problem. It uses TrustedBlockchain as a root of trust and certificate authority, TrustedOrchestrator as the management control point, TrustedBroker as the bridge between TrustedEdge endpoints, and TrustedEdge as the inline transition point for protected assets. It establishes trust through provisioning, TPM-backed private keys, blockchain-stored public keys, enclave-specific certificates, bilateral trust negotiation, separated management and data channels, TLS 1.3 management tunnels, and AES-256 GCM micro-segmented data tunnels [15].

Within the limits of the information provided, TrustedPlatform is best understood as a zero-trust overlay and enclave-segmentation architecture for critical infrastructure. It does not eliminate the need for process safety, endpoint security, identity governance, monitoring, incident response, or secure engineering practice. Its value is more foundational: it changes the default assumption from "reachable means trusted" to "no communication without explicit, cryptographically established, enclave-scoped trust." That is precisely the architectural shift water and energy systems need as they scale Internet of Things, distributed energy resources, remote operations, and cloud-connected operational technology.

References

[1] U.S. Environmental Protection Agency, “Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities,” May 2024. [Online]. Available: https://www.epa.gov/enforcement/enforcement-alert-drinking-water-systems-address-cybersecurity-vulnerabilities

[2] Cybersecurity and Infrastructure Security Agency, “Water and Wastewater Cybersecurity.” [Online]. Available: https://www.cisa.gov/water

[3] Cybersecurity and Infrastructure Security Agency, “Compromise of U.S. Water Treatment Facility,” AA21-042A, Feb. 2021. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-042a

[4] Cybersecurity and Infrastructure Security Agency, “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities,” AA23-335A, Dec. 2023. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

[5] K. Stouffer et al., “Guide to Operational Technology (OT) Security,” NIST Special Publication 800-82 Revision 3, Sept. 2023. [Online]. Available: https://csrc.nist.gov/pubs/sp/800/82/r3/final

[6] S. Rose, O. Borchert, S. Mitchell, and S. Connelly, “Zero Trust Architecture,” NIST Special Publication 800-207, Aug. 2020. [Online]. Available: https://csrc.nist.gov/pubs/sp/800/207/final

[7] Cybersecurity and Infrastructure Security Agency, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” AA24-038A, Feb. 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

[8] U.S. Department of Energy, “Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid,” Oct. 2022. [Online]. Available: https://www.energy.gov/sites/default/files/2022-10/Cybersecurity%20Considerations%20for%20Distributed%20Energy%20Resources%20on%20the%20U.S.%20Electric%20Grid.pdf

[9] R. M. Lee, M. J. Assante, and T. Conway, “Analysis of the Cyber Attack on the Ukrainian Power Grid,” SANS ICS and E-ISAC, Mar. 2016. [Online]. Available: https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf

[10] Cybersecurity and Infrastructure Security Agency, “The Attack on Colonial Pipeline: What We Have Learned and What We Have Done Over the Past Two Years,” May 2023. [Online]. Available: https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years

[11] American Water Works Company, Inc., “Form 8-K,” U.S. Securities and Exchange Commission, Oct. 2024. [Online]. Available: https://www.sec.gov/Archives/edgar/data/1410636/000119312524233300/d869346d8k.htm

[12] American Water, “American Water Reactivating Systems After Cyber Event,” Oct. 2024. [Online]. Available: https://www.amwater.com/press-room/press-releases/corporate/american-water-reactivating-systems-after-cyber-event-10102024

[13] U.S. Department of Energy, “Colonial Pipeline Cyber Incident,” May 2021. [Online]. Available: https://www.energy.gov/ceser/colonial-pipeline-cyber-incident

[14] A. Krishnarajah, “Beyond Proofs of Concept: Scaling IoT for Water Networks,” Ovum Consulting and Telstra Enterprise, 2020.

[15] Onclave Networks, Inc., “TrustedPlatform Dataflow and Enforcement Controls,” Technical Reference Document, supplied by user, Apr. 2026.
