Utility Districts & OT Networks: Practical Security Steps That Actually Work

Utility districts across Middle Tennessee face a unique challenge: keeping water, sewer, and critical infrastructure running while defending aging operational technology (OT) and SCADA environments. OT networks were built for reliability, not cybersecurity—and attackers know it.

Unlike corporate IT, OT downtime isn't an inconvenience. It's a public safety issue, a regulatory liability, and a customer-impacting event. And while the industry is filled with high-level frameworks and 200-page guides, most utility teams want basic steps that actually work, can be maintained locally, and don't require ripping and replacing every system.

This guide breaks down practical, budget-friendly SCADA security fundamentals—built on the same security-first approach Johnson BTS brings to utility districts today.

Start With OT/IT Segmentation (The #1 Security Gap We See)

For many utility districts, OT and IT networks are still intermingled: shared switches, flat VLANs, or one firewall protecting everything. That's dangerous.

At a minimum, segmentation must include:

  • A dedicated OT VLAN or physically separate network. OT systems such as SCADA servers, PLCs, Wonderware, HMIs, and telemetry devices should never be on the same broadcast domain as office computers.
  • A firewall enforcing one-way or strictly limited two-way traffic. Limit communications to only what the SCADA system requires. Everything else: blocked.
  • A "jump host" or controlled access point. No direct RDP/VNC into PLCs or SCADA servers.
  • No internet access on the OT network. You'd be surprised how often this still exists.

Outcome: You prevent a phishing incident in the office from turning into a SCADA outage—something that still happens nationwide every year.

Vendor Access: Control It or Assume You're Compromised

Vendors need access to update PLC programs, troubleshoot SCADA screens, or maintain lift station telemetry. But uncontrolled vendor access is one of the sector's biggest risks.

A strong vendor-access strategy includes:

  • MFA + individual accounts (never shared passwords). The HIPAA, FTC, and NIST standards you already follow on the IT side also apply cleanly to OT access control.
  • Scheduled, time-bound access windows. Vendors should not have 24/7 access "just in case."
  • Logged sessions for forensics. Record configuration changes on PLCs, RTUs, and SCADA servers.
  • No inbound port forwarding from the internet. Use VPN with MFA or a secure remote-access gateway.
  • A vendor request/approval workflow
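The time-bound access and logged-session points above can be checked together by comparing VPN session logs against approved windows. The script below is an added example, not part of the original article; the account names, timestamps and record layout are constructed, and a real firewall or VPN export would need its own parser.

```python
from datetime import datetime

# Constructed approvals, as a request/approval workflow might export them:
# (individual vendor account, window start, window end). All names are hypothetical.
APPROVED_WINDOWS = [
    ("vendor.acme.jlee", "2024-03-12T08:00", "2024-03-12T12:00"),
    ("vendor.pumpco.mroy", "2024-03-14T13:00", "2024-03-14T15:00"),
]

# Constructed VPN session records: (account, login time, logout time).
VPN_SESSIONS = [
    ("vendor.acme.jlee", "2024-03-12T08:15", "2024-03-12T11:40"),    # inside window
    ("vendor.acme.jlee", "2024-03-13T02:05", "2024-03-13T02:50"),    # no window then
    ("vendor.pumpco.mroy", "2024-03-14T14:30", "2024-03-14T17:10"),  # overran window
    ("vendor.shared", "2024-03-14T09:00", "2024-03-14T09:20"),       # never approved
]


def parse(ts):
    return datetime.fromisoformat(ts)


def audit_vendor_sessions(sessions, windows):
    """Return (account, login, reason) for each session no approval fully covers."""
    approved = {}
    for account, start, end in windows:
        approved.setdefault(account, []).append((parse(start), parse(end)))

    findings = []
    for account, login, logout in sessions:
        t_in, t_out = parse(login), parse(logout)
        account_windows = approved.get(account, [])
        if not account_windows:
            reason = "no approved request for this account"
        elif any(s <= t_in and t_out <= e for s, e in account_windows):
            continue  # whole session sits inside an approved window
        elif any(s <= t_in <= e for s, e in account_windows):
            reason = "session ran past the approved window"
        else:
            reason = "login outside any approved window"
        findings.append((account, login, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_vendor_sessions(VPN_SESSIONS, APPROVED_WINDOWS):
        print(*finding, sep=" | ")
```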

Live-answered dispatch and rapid triage—core strengths of Johnson BTS—make it easier to quickly approve/deny vendor work with accountability.

Outcome: You eliminate "surprise" vendor logins and maintain the integrity of OT systems during maintenance.

Logging & Monitoring: You Can't Defend What You Can't See

Most utility districts have minimal or no monitoring of OT assets. If a PLC reboots unexpectedly or a SCADA server generates unusual traffic, no one knows until an operator sees alarms on the HMI.

At a minimum, implement:

  • System logs on SCADA servers, HMIs, and engineering workstations. Centralize logs if you can—but even local logs are better than nothing.
  • Firewall and VPN logging. Every vendor login should be traceable.
  • Alerts on configuration changes. If a PLC program is modified, you need to know immediately.
  • Basic OT network anomaly detection. You don't need a six-figure OT monitoring platform. Start with simple baselines:
      • What normal traffic looks like
      • Which devices talk to which
      • What ports and protocols exist in your environment
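A simple baseline of this kind can be built from flow records your firewall or switch already produces. The script below is an added example, not part of the original article; the addresses, the 10.20.0.0/16 OT range and the flow-record layout are assumptions, and the sample flows are constructed.

```python
import ipaddress

OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")  # assumed OT address range

# Constructed flow records: (source, destination, protocol, destination port).
BASELINE_FLOWS = [
    ("10.20.0.10", "10.20.1.21", "tcp", 502),   # SCADA server -> PLC (Modbus/TCP)
    ("10.20.0.10", "10.20.1.22", "tcp", 502),   # SCADA server -> second PLC
    ("10.20.0.30", "10.20.0.10", "tcp", 443),   # HMI -> SCADA server
    ("10.20.0.5", "10.20.0.10", "tcp", 3389),   # jump host -> SCADA server
]
OBSERVED_FLOWS = [
    ("10.20.0.10", "10.20.1.21", "tcp", 502),   # matches the baseline
    ("10.20.0.30", "10.20.1.21", "tcp", 502),   # HMI reaching a PLC directly
    ("10.20.0.10", "10.20.1.22", "tcp", 23),    # known pair, new port
    ("10.20.0.77", "10.20.1.22", "tcp", 502),   # device not in the baseline
    ("10.20.0.10", "203.0.113.9", "tcp", 443),  # traffic leaving the OT range
]


def build_baseline(flows):
    """Record the three baselines: known devices, known pairs, known services."""
    return {
        "devices": {ip for src, dst, _, _ in flows for ip in (src, dst)},
        "pairs": {(src, dst) for src, dst, _, _ in flows},
        "flows": set(flows),
    }


def classify(flow, baseline):
    """Return None for baseline traffic, else a short reason string."""
    src, dst, proto, port = flow
    if flow in baseline["flows"]:
        return None
    if ipaddress.ip_address(dst) not in OT_NETWORK:
        return "destination outside OT network"
    unknown = [ip for ip in (src, dst) if ip not in baseline["devices"]]
    if unknown:
        return "device not in baseline: " + ", ".join(unknown)
    if (src, dst) not in baseline["pairs"]:
        return "known devices, new pair"
    return f"known pair, new service {proto}/{port}"


def find_deviations(observed, baseline):
    """Return (flow, reason) for every observed flow that departs from baseline."""
    results = [(flow, classify(flow, baseline)) for flow in observed]
    return [(flow, reason) for flow, reason in results if reason]
```

Calling `find_deviations(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS))` returns the four non-baseline flows with their reasons; the out-of-range destination is reported first in priority because the OT network should have no internet path at all.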

Johnson BTS uses a "security-first, automate-the-simple, analyze-the-critical" operations model that maps perfectly to OT monitoring needs.

Outcome: Faster detection of tampering, misconfigurations, and early indicators of compromise.

Backups for OT Systems: The Safety Net Most Utilities Forget

Many districts back up their billing or business systems—but not their SCADA environment. That's a mistake.

If a PLC gets factory-reset, your Wonderware server is corrupted, or ransomware hits the IT side, you need a clean, offline backup to quickly restore OT operations.

Every utility district needs backups for:

  • SCADA server VMs (full image)
  • HMI configurations
  • PLC & RTU programs
  • Historical data
  • Wonderware/InTouch application files (if applicable)

Backup best practices:

  • Store one copy offline (not accessible via the OT network).
  • Store another copy off-site (disaster scenarios).
  • Encrypt backups at rest and in transit.
  • Document restore procedures (operators should know the steps).
  • Perform quarterly test restores—a Johnson BTS standard for all compliance-driven clients.

Outcome: A failed PLC or corrupted SCADA server no longer means days of downtime or emergency vendor calls.

Patch Carefully, but Consistently

Patching OT systems can be tricky—nobody wants to reboot a SCADA server during peak operations. But ignoring patches entirely leaves systems vulnerable.

A workable patching strategy:

  • Quarterly patch windows. Coordinate maintenance periods with operators.
  • Test patches in a lab or backup VM first. Especially important for Wonderware, historian servers, and older HMIs.
  • Prioritize security patches for Windows, firewalls, and telemetry devices
  • Keep an inventory of all OT assets. HIPAA and NIST frameworks used in medical practices emphasize asset inventories; the same principle applies here and reduces blind spots.

Outcome: A secure environment without unexpected downtime from untested updates.

Physical Security: Still One of the Simplest Wins

Many lift stations, pump sites, and telemetry cabinets can be accessed with a generic key or a simple latch. A compromise doesn't need to be digital.

Practical steps:

  • Re-key critical cabinets and padlocks
  • Use tamper-evident seals where feasible
  • Secure engineering laptops and programming cables
  • Install camera coverage at critical sites
  • Keep PLC cabinets locked at all times

Outcome: You eliminate easy physical tampering—the lowest-effort attack vector.

Incident Response: Operators Need a Simple Plan

A great plan isn't 50 pages; it's clear and usable during an outage.

Utility-focused IR plan essentials:

  • Who to call first
  • How to isolate the OT network
  • How to cut vendor access during an emergency
  • Where backups are stored
  • How to reach engineering support
  • How to restore PLC programs and SCADA servers
  • A log sheet for documenting actions during an event

Johnson BTS's security-first, live-answered, rapid-triage support model means operators never feel abandoned during an incident—something utility districts value highly.

Outcome: Faster containment, faster recovery, and clear communication during a crisis.

The OT Security Roadmap for Small Utility Districts

Here is a realistic order of operations that works even for small teams:

  1. Segment OT from IT
  2. Implement vendor access controls + MFA
  3. Lock down firewalls and remove direct internet access
  4. Create and test OT backups
  5. Turn on SCADA/PLC logging
  6. Add basic network monitoring
  7. Create an incident response plan
  8. Schedule quarterly security reviews

Security doesn't have to be expensive—just disciplined and consistent.

Don't Overthink OT Security, Master the Basics

Utility districts don't need massive, budget-breaking platforms to secure their OT networks. You need practical, proven steps:

  • Segmentation
  • Vendor access control
  • Logging and monitoring
  • Offline backups
  • Patching
  • Physical security
  • A simple response plan

These steps dramatically reduce risk without overwhelming your operators or budget.

And when you partner with a security-first MSP like Johnson BTS—experienced in utility, medical, and other compliance-heavy environments—you get a team that answers live, shows up onsite, documents security controls, and understands the real-world urgency of keeping critical infrastructure running.
