It’s not just pipes that leak: Why our water infrastructure needs a digital ‘bund wall’

By Martin Fernandes, Business Development Manager (Africa), Operational Technology at Fortinet

In contemporary South African discourse, “water-shedding” has, for many, replaced “load-shedding” as a term of frustration. Our national focus remains rightly on the tangible: the R1 trillion infrastructure boost allocated in the 2026 budget, the refurbishment of ageing bulk water augmentation schemes, and the urgent effort to repair the literal leaks that result in nearly 47% of our treated water being lost as non-revenue water.

However, as we undertake this essential modernisation of our water utilities, we are unintentionally opening a new and risky valve. To address physical inefficiency, municipalities and water boards are swiftly deploying smart meters, IoT sensors, and remote telemetry systems. Although these tools are vital for real-time pressure control and leak detection, they are transforming our water networks from isolated mechanical systems into highly connected digital assets.

During this transition, we must implement a core engineering principle into our digital architecture: secondary containment.

The smart water challenge

In traditional engineering, secondary containment acts as a backup system – like a bund wall or outer shell – designed to prevent a primary failure from becoming a disaster. If a tank leaks, the secondary containment ensures the fluid is caught and controlled.

In the digital world, we are currently developing primary systems (smart water networks) that require the digital equivalent of a bund wall. By integrating Operational Technology (OT) with Information Technology (IT) to enable data flow and visibility, we are creating opportunities for “digital leaks” that also need containment strategies. A compromised smart meter, communication interception and manipulation, or a hijacked SCADA (Supervisory Control and Data Acquisition) system has long ceased to be just a hypothetical risk.

We have already observed global precursors to this. From hackers trying to modify chemical levels in treatment plants to ransomware groups shutting down the human-machine interfaces of rural utilities, the target isn’t just data – it is the physical safety of the resource. In South Africa, where our water systems are already under pressure, a digital breach that disrupts distribution or jeopardises water quality would escalate an existing crisis. That’s why infrastructure modernisation projects involve many layers.

Modernisation meets mandate

Some 2026 State of the Province addresses and the national budget have formalised a structural shift towards accountability in the water sector. With R27.7 billion in performance-linked funding now linked to operational delivery in our metros, the pressure on public sector CIOs is intense. They must modernise to meet these mandates and citizen expectations, but they are doing so while often dealing with legacy technology debt and navigating complex compliance frameworks.

In the rush to “go digital” and secure funding and enhance efficiency, cybersecurity is a fundamental requirement. At a time when a compromised end-point could theoretically provide a pathway to a high-pressure pump station, it’s easy to see why public sector leaders must consider far more than just brick and mortar when it comes to infrastructure expansion.

Resilience requires a comprehensive approach that goes beyond the traditional compliance “checklist” method. Resilience is built through containment, fail-safe behaviour, and pre-defined or authorised response actions that maintain safety and essential services even during a crisis. This can only be achieved by moving from the conventional project approach to a structured, ongoing programme with clear accountability and authority, which must be adopted organisation-wide – from board level down to operations. 

Cybersecurity operations must shift from the traditional IT focus to include operations and engineering, not just IT. Once the organisational structure and support are in place, the focus can shift to processes and technology.

Building the digital bund wall

An operational resilience strategy for our water infrastructure rests on three pillars:

1. Absolute visibility and segmentation

You cannot safeguard what you cannot see. Utilities might be unaware of the true scope of their OT/CPS footprint. Resilience starts with creating a complete catalogue of every asset, from the ERP system in the head office, data centre or cloud to the remote sensor on a rural pipeline. Containment must be achieved through asset-aware segmentation and should be enforced close to the physical assets to defend against physical attacks. However, segmentation goes beyond that. With increasing connectivity between sites, IT, OT/CPS, and cloud infrastructure, interdependencies extend far beyond the operational zone and must therefore be managed holistically. Proper segmentation will limit the impact of a breach but will not prevent data interception and control logic manipulation, which can still lead to serious consequences. 

This is where OT CPS contextual intelligence comes into play. OT CPS utilises industrial protocols that could support malicious activity that would be completely invisible for traditional enterprise security controls. True visibility requires broad industrial knowledge that utilises AI powered threat intelligence to correlate behaviour, threats and anomalies associated with Industrial communication and can protect against the exploitation of legacy vulnerabilities as well as zero-day threats.

2. The zero-trust mandate

In a modern water utility, the idea of a “trusted internal network” is essentially outdated. Every request, whether from users, vendors or devices, must be verified before being trusted. As we move towards the sovereign campus model of distributed infrastructure, this principle extends far beyond the internal network and traditional network access methods, requiring the inclusion of application security, least privilege, and continuous monitoring regardless of device, application or location. 

3. Security Operations with OT CPS Context

Resilience is also measured by the speed of recovery, and when it comes to protecting OT/CPS, a traditional IT SOC simply isn’t sufficient. A violation on the IT side often results in isolation or blocking actions, but this could have serious consequences in a production environment. Security Operations (SecOps) requires OT/CPS context that understands operational systems and application classification, capable of identifying attacks across various stages of the kill chain, focusing on both enterprise and industrial environments. Nonetheless, a crucial element of any successful SecOps system today is continuous testing and re-assessment across all areas.

Although contextual intelligence is vital, another essential aspect is capacity within human resources. Since AI introduced both threats and defence benefits, the scale and speed of attacks will be amplified exponentially. This places organisations that are already limited in skill and capacity under increased pressure, making the adoption of AI defence a necessity rather than just an operational enhancement. AI defence significantly reduces overload by removing noise and repetitive operational tasks, improves defence capabilities, and ultimately results in fewer context-driven alerts with decisions based on asset criticality and process status. 

Securing the lifeblood of the nation

As we observe World Health Day this April, we must recognise that access to safe, reliable water is the foundation of public health and economic stability. The current R900 billion funding gap for the water sector over the next decade means we cannot afford to lose a single rand – or a single litre – to digital sabotage.

Public-private partnerships will be vital in developing more robust and modern systems to support the mission of safeguarding this essential resource and its infrastructure. Digitalisation, however, is not an end in itself but a means for sustainability. Smart systems are only sustainable if they are secure. By adopting a digital resilience strategy, South Africa’s public sector can ensure that while we repair physical pipes, we do not leave the digital valves exposed. We must secure our data just as we secure our water, for they are now two sides of the same coin.