Strengthening cybersecurity for critical water and wastewater infrastructure

In a time of digital transformation and increasing cyber threats targeting industrial systems, a large Canadian municipality commissioned CIMA+ to conduct a comprehensive audit of cybersecurity practices in its drinking water and wastewater sectors.

This strategic project aimed to provide an accurate picture of the current level of maturity, identify priorities for improvement and develop a realistic four-year roadmap. Thanks to CIMA+’s multidisciplinary expertise, we provided uncompromising support tailored to operational issues, enabling the client to strengthen the resilience of its critical infrastructure in a sustainable manner.

The project began with a clear request: to assess and improve the cybersecurity posture of facilities essential to public health and community well-being. From the outset, CIMA+ assembled a team of cybersecurity experts, automation engineers and project management specialists. This combination of skills made it possible to address both technological and operational issues.

In the field, interventions took place in the core of production and processing sites, where continuity of operations is paramount.

The approach adopted, the Capability Maturity Model (C2M2) framework, is a hybrid approach based on recognized standards such as the NIST Cybersecurity Framework, ISO 27001 and CIS Controls. The assessment encompassed all pillars: governance, risk management, access control, protection of critical assets, event monitoring, change management and employee training.

The main challenge was the need to align protective measures with budgetary and operational constraints, while ensuring compatibility with internal IT standards. Collaborative workshops organized with local teams made it possible to contextualize the findings, prioritize actions and anticipate the impact on organizational culture.

The four-year roadmap includes gradual recommendations: deployment of new monitoring solutions, strengthening of access controls, targeted training for technical teams, and improvement of incident response processes. Each action is accompanied by performance indicators and an estimate of the required investment, providing the client with a concrete tool to guide implementation.

At the end of the project, the municipality now has:

  • an objective and quantified picture of its cybersecurity maturity;
  • a clear, prioritized and realistic strategic plan;
  • a solid foundation for guiding its decisions and protecting its infrastructure against current and emerging threats.

This project illustrates CIMA+’s ability to combine methodological rigour, technical expertise and sensitivity regarding human factors. It also demonstrates our commitment to supporting our clients in finding sustainable, secure solutions that are tailored to their circumstances.