Adasa shares its cyber resilience approach to protecting water infrastructure at the PTEA conference
2026-03-05
Adasa participated in the technical conference ‘Water Infrastructure’ organised by the Spanish Water Technology Platform (PTEA), at which David Bruguera, Head of Information Security, presented the cybersecurity strategy implemented at the company. The initiative focuses on a paradigm shift that is now essential in the sector: moving from ‘reactive’ security to operational resilience.
Bruguera began his presentation by highlighting the importance of cybersecurity in the water sector, given the critical nature of water infrastructure. He explained that the sector is increasingly exposed to cyber threats, such as ransomware attacks, which can cause serious disruptions to water supply.
Bruguera began his presentation by explaining that the evolution of the global context and the increase in attacks on civil infrastructure show that essential services, such as water supply, are among the strategic targets.
At the same time, digitalisation has improved efficiency and process control, but it has also increased exposure to threats such as sabotage, espionage and ransomware.
In this scenario, the cybersecurity strategy must not only prevent incidents, but also guarantee service continuity even in adverse situations, integrating the protection of operational technology (OT) and information systems (IT).

Real threats: ransomware, vulnerability exploitation and AI techniques
Bruguera explained that in the water sector, ransomware stands out for its ability to cause serious operational disruptions. Added to this is the accelerated exploitation of vulnerabilities (including zero-day vulnerabilities), which is particularly critical in OT environments with legacy systems and patching limitations, as well as the growing use of artificial intelligence-based techniques.
Regulatory compliance and industrial approach: ENS, NIS2 and ISA/IEC 62443
To address these threats, Spain has a regulatory framework that has already become a technical and organisational benchmark. For example, the National Security Scheme (RD 311/2022) defines minimum requirements for protection and risk management.
At the European level, NIS2 extends its scope to drinking water and wastewater services, strengthening obligations in governance, continuity and incident reporting.
At the industrial level, the approach is based on ISA/IEC 62443, with principles such as segmentation, defence in depth and security levels adapted to critical processes.
Practical measures that make a difference in IT and OT
Beyond relying on these regulations, Bruguera cited as good practice the differentiation of measures between IT and OT, because in OT the priority is safe and continuous operation. The measures he highlighted include:
- Segmented architectures (zones/conduits, industrial DMZ and strict control of interconnections), with references such as the Purdue model.
- Adapted access management: strong authentication and roles in IT; specific control of access to SCADA/PLC and traceability in OT.
- Coordinated monitoring and early detection, converging in a 24/7 SOC.
- Differentiated vulnerability management (regular patching in IT; risk-based approach in OT) and continuity plans with verified backups and configuration restoration.
- Strengthening the supply chain and staff training and awareness.
Eight pillars for implementing resilience in daily operations
Finally, Bruguera presented an eight-pillar model that brings resilience to the daily management of the water cycle: governance, IT/OT architecture, identities, visibility/SOC, asset and vulnerability management, backups/continuity, third parties and training.
At Adasa, this approach is transferred to real projects and operations to accompany operators in the transition to more secure and resilient models.