Threat Modelling a Water Treatment SCADA System

January 5, 2026 · OT/ICS Security

Overview

Threat modelling is a structured approach to identifying what can go wrong and how to prioritize defenses. In this project, I applied threat modelling to a simulated water treatment plant’s SCADA system — a common target in real-world ICS attacks (notably the 2021 Oldsmar, Florida incident where an attacker attempted to increase sodium hydroxide levels in a water supply).

Why Water Treatment?

Water treatment plants are a compelling case study because they combine several OT security challenges: safety-critical processes with direct public health impact, legacy systems running outdated protocols, small security teams with limited budgets, and increasing remote access requirements. They represent exactly the kind of critical infrastructure that needs better security.

Methodology

I combined two frameworks:

1. STRIDE (Microsoft Threat Modelling)

Applied to each component and data flow in the system:

Threat                  | Example in Water Treatment Context
------------------------+----------------------------------------------------------------------------------------
Spoofing                | Attacker impersonates the HMI to send commands to PLCs
Tampering               | Modifying chemical dosage setpoints via Modbus writes
Repudiation             | No logging of who changed process parameters and when
Information Disclosure  | Reading process data to understand plant operations before an attack
Denial of Service       | Flooding the OT network to disrupt PLC-HMI communication
Elevation of Privilege  | Moving from the IT network to the OT network through a poorly segmented historian server
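Added example (my own illustration for this write-up, not code from the modelled plant or any vendor): a small monitor that applies the Spoofing, Tampering and Repudiation rows above to Modbus/TCP write requests seen on the OT network. The setpoint register number, the safe chlorine dosing band and the HMI address are constructed assumptions.

```python
import struct

# Constructed register map and allow-list: assumptions for this example, not a real plant's values.
CHLORINE_SETPOINT_REG = 40          # holding register for the chlorine dose setpoint, in 0.01 mg/L
SAFE_RANGE = (50, 400)              # 0.50 to 4.00 mg/L; a write outside this band is treated as tampering
AUTHORIZED_WRITERS = {"10.1.2.10"}  # the SCADA HMI; writes from any other host are suspect
WRITE_FUNCTIONS = {6: "Write Single Register", 16: "Write Multiple Registers"}
AUDIT_LOG = []                      # every write is recorded here so parameter changes are attributable

def parse_writes(adu: bytes):
    """Decode a Modbus/TCP ADU into (function code, [(register, value), ...]); None if malformed."""
    if len(adu) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:      # MBAP length field counts unit id + PDU
        return None
    fc = adu[7]
    if fc == 6:                                    # Write Single Register: address, value
        reg, val = struct.unpack(">HH", adu[8:12])
        return fc, [(reg, val)]
    if fc == 16:                                   # Write Multiple Registers: start, qty, byte count, values
        start, qty, count = struct.unpack(">HHB", adu[8:13])
        if count != 2 * qty or len(adu) != 13 + count:
            return None
        vals = struct.unpack(f">{qty}H", adu[13:13 + count])
        return fc, [(start + i, v) for i, v in enumerate(vals)]
    return fc, []                                  # reads and other functions carry no writes

def inspect(src_ip: str, adu: bytes) -> list:
    """Run the STRIDE-derived checks on one request; returns (severity, reason) alerts."""
    parsed = parse_writes(adu)
    if parsed is None:
        return [("medium", "malformed Modbus/TCP frame")]
    fc, writes = parsed
    if fc not in WRITE_FUNCTIONS:
        return []
    AUDIT_LOG.append((src_ip, WRITE_FUNCTIONS[fc], writes))        # repudiation: record who wrote what
    alerts = []
    if src_ip not in AUTHORIZED_WRITERS:                             # spoofing: writer is not the HMI
        alerts.append(("high", f"write from unauthorised host {src_ip}, possible HMI spoofing"))
    for reg, val in writes:                                          # tampering: unsafe dosing setpoint
        if reg == CHLORINE_SETPOINT_REG and not SAFE_RANGE[0] <= val <= SAFE_RANGE[1]:
            alerts.append(("critical", f"chlorine setpoint {val / 100:.2f} mg/L outside safe range"))
    return alerts

def build_fc6(reg: int, val: int) -> bytes:
    """Build a constructed Write Single Register request (transaction 1, unit 1) for exercising the monitor."""
    pdu = struct.pack(">BHH", 6, reg, val)
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu
```

In a real deployment the same checks would run on a passive tap or span port rather than inline, and the audit log would feed the historian or SIEM so that the Repudiation gap in the table is closed.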

2. MITRE ATT&CK for ICS

I mapped realistic attack paths using the ICS-specific ATT&CK matrix:

Initial Access (T0819 - Internet Accessible Device)
    ├── Discovery (T0846 - Remote System Discovery)
    ├── Lateral Movement (T0812 - Default Credentials)
    ├── Collection (T0801 - Monitor Process State)
    └── Impact
        ├── T0831 - Manipulation of Control (change chemical dosing)
        ├── T0827 - Loss of Control (disable safety systems)
        └── T0882 - Theft of Operational Information

System Architecture Modelled

The water treatment SCADA system I modelled includes:

Level 0 (Process): pH sensors, turbidity sensors, chemical dosing pumps, flow meters, chlorine analysers

Level 1 (Control): Allen-Bradley PLCs controlling chemical dosing and filtration processes, communicating via Modbus/TCP and EtherNet/IP

Level 2 (Supervision): SCADA HMI stations for operator control, historian server for process data recording

Level 3 (Operations): Engineering workstations, patch management server, remote access VPN gateway

Level 3.5 (DMZ): Firewall separating IT and OT, data diode for one-way historian replication

Key Threats Identified

Critical: Chemical Dosing Manipulation

Attack path: Compromise the VPN gateway → move laterally to the SCADA HMI → modify chlorine dosing setpoints

Impact: Public health risk — too little disinfection allows waterborne pathogens; too much causes chemical exposure

Mitigation: Independent safety instrumented systems (SIS) that operate on separate hardware and cannot be overridden from the SCADA network

High: Loss of Visibility

Attack path: Deploy ransomware on the historian server → operators lose process data trending → delayed detection of process anomalies

Impact: Operators lose situational awareness and ability to detect slow process manipulation

Mitigation: Read-only data diode from OT to IT, offline backups of historian data, manual process verification procedures

High: Remote Access Exploitation

Attack path: Credential stuffing against the VPN portal → access to Level 3 network → pivot into OT network

Impact: Full OT network access, ability to control or disrupt water treatment processes

Mitigation: Multi-factor authentication on all remote access, jump servers, session recording, time-limited access windows

Deliverable: Risk Register

I compiled all findings into a formal risk register with:

  • Threat description and attack path
  • Likelihood and impact ratings (using a 5×5 risk matrix)
  • Existing controls and control gaps
  • Recommended mitigations prioritized by risk reduction and feasibility
  • Mapping to IEC 62443 security levels and NIST CSF functions

Relevance to Graduate Study

This project demonstrates the ability to think systematically about complex systems and apply structured analytical frameworks — skills directly transferable to academic research. Threat modelling a real-world ICS scenario requires understanding both the cybersecurity landscape and the physical processes being controlled. I’m particularly interested in pursuing research that extends threat modelling approaches to account for the unique constraints of legacy OT environments.
