SCADA Data Is Not Just Data
When Public Records, AI, and Operational Risk Collide
2026-Snapshot-Volume8
This newsletter is for educational purposes only. The frameworks and thinking approaches described here are starting points for developing professional judgment, not prescriptive procedures for any specific facility, utility, legal request, or security decision. Reading or using this material does not create a professional, consulting, or advisory relationship of any kind. The author is not providing legal, cybersecurity, or engineering services. Public records obligations vary by jurisdiction, so you should review them with legal counsel.
The Issue
On June 5, 2026, EPA’s Office of Water Emergency Response and Cybersecurity issued an advisory on a quiet but growing risk for water and wastewater utilities: operational data exposure.
The advisory followed public records requests from AI service providers, reported by WaterISAC and AWWA, seeking detailed operational information from water and wastewater systems.
In at least one instance, the request was explicit:
“all SCADA logs for 2026 for all treatment, distribution, and wastewater management systems, along with daily or hourly historical logs, flow rates, water quality baseline metrics, tank and reservoir levels, energy consumption, and equipment runtimes.”
At first glance, some of the information sounds like ordinary utility data. Operators use it. Engineers use it. Maintenance teams use it. Compliance teams may use summarized versions for reporting.
But that is precisely why it matters.
SCADA data is not just data; it is data that can be misused. In the wrong context, it becomes a map of how a utility operates.
The Insight
A single data point may not reveal much. A year of detailed operational data can reveal a great deal.
It can show when demand peaks, when storage is routinely low, which assets carry the load, how the process responds during abnormal conditions, and where the system has less flexibility than people assume.
The sensitivity is not only in the label on the file. It is in the resolution, the time span, and the context.
A monthly flow total is one kind of record. Five-minute flow, tank level, pump status, and alarm history over a year are something else entirely.
This is where OPSEC thinking comes in. For utilities, OPSEC is the discipline of asking what someone could learn about how the system operates by piecing together information the utility has already released, published, reported, or shared.
The OPSEC question is not, “Does this file contain a secret?”
The OPSEC question is, “What could someone infer from this information if they combined it with everything else we have already made public?”
That is the part AI makes harder to dismiss. The EPA specifically pointed to the risk that operational data aggregated across multiple utilities could reveal patterns, vulnerabilities, and system behaviours that no single dataset could. A request that looks limited at the level of one utility may become far more sensitive when combined with similar data from many systems.
This does not mean every request for operational information is suspicious.
Researchers, vendors, consultants, and public agencies often have legitimate reasons to request data.
Public utilities also have transparency obligations, and those obligations matter.
The point is not to reject every request. The point is to stop treating raw operational data as harmless just because it is not a password, a network diagram, or a vulnerability report.
The Quick Win
Before releasing detailed operational records, pause long enough to ask better questions:
What specific data is being requested, and at what resolution?
What time period does it cover?
Could aggregated, delayed, or lower-resolution data satisfy the request?
Could such data reveal normal operating patterns, constraints, or low-margin periods?
Could it become more sensitive when combined with maps, annual reports, capital plans, weather data, regulatory filings, or similar data from other utilities?
Will the data be retained, shared, sold, published, or used to train AI models?
If some sharing is appropriate, could a confidentiality or non-disclosure agreement be used to restrict how the recipient uses, stores, or further discloses the data?
Should legal, operations, cybersecurity, and OT all review this before it is shared?
That last question matters more than it might seem.
Records teams should not have to decide alone whether a historian export is operationally sensitive.
Legal should not have to evaluate technical risk without operational context.
Cybersecurity teams should not be brought in after the data has already left the building.
A short internal checklist for records requests involving SCADA, historian, alarm, or process data is a meaningful start.
Build one OPSEC test into it: Would we be comfortable if this dataset were combined with public maps, annual reports, capital plans, and similar data from other utilities?
If the answer is no, the request needs a deeper review before anything is released.
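One way to act on the "aggregated, delayed, or lower-resolution" question above is to reduce a historian export before it leaves the utility. The sketch below is an added example, not taken from the EPA advisory or from any utility's tooling; the tag names, the sample rows, the allow-list, and the three-month delay are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample rows (timestamp, tag, value); tag names are hypothetical.
# Assumption: PLANT_FLOW_M3 is the volume in m3 delivered in each 5-minute interval.
SAMPLE_ROWS = [
    ("2026-01-15T02:00:00", "PLANT_FLOW_M3", 40.0),
    ("2026-01-15T02:05:00", "PLANT_FLOW_M3", 42.5),
    ("2026-01-15T02:05:00", "TANK1_LEVEL_PCT", 38.5),
    ("2026-01-15T02:05:00", "PUMP2_RUN", 0.0),
    ("2026-02-10T18:00:00", "PLANT_FLOW_M3", 55.0),
    ("2026-02-10T18:05:00", "PLANT_FLOW_M3", 57.5),
    ("2026-05-20T06:00:00", "PLANT_FLOW_M3", 48.0),
    ("2026-05-20T06:00:00", "HIGH_LVL_ALARM", 1.0),
]

RELEASABLE_TAGS = {"PLANT_FLOW_M3"}  # assumption: set by the review team
DELAY_MONTHS = 3                     # assumption: release lag chosen by the utility


def month_index(d):
    """Months since year 0, so month arithmetic needs no calendar library."""
    return d.year * 12 + d.month - 1


def reduce_for_release(rows, today, allowed=RELEASABLE_TAGS, delay=DELAY_MONTHS):
    """Return (monthly totals for allowed tags, sorted list of withheld tags)."""
    cutoff = month_index(today) - delay   # newest month that may be released
    totals = defaultdict(float)
    withheld = set()
    for stamp, tag, value in rows:
        when = datetime.fromisoformat(stamp)
        if tag not in allowed:
            withheld.add(tag)             # levels, pump status, alarms stay in-house
            continue
        if month_index(when) > cutoff:
            continue                      # too recent: inside the delay window
        totals[(tag, when.strftime("%Y-%m"))] += value
    return dict(totals), sorted(withheld)


if __name__ == "__main__":
    released, withheld = reduce_for_release(SAMPLE_ROWS, today=date(2026, 6, 5))
    for (tag, month), total in sorted(released.items()):
        print(f"{month} {tag} total={total}")
    print("withheld tags:", ", ".join(withheld))
```

The list of withheld tags gives legal, operations, cybersecurity, and OT reviewers a concrete record of what was held back and why the released file is coarser than the request.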
From the Field
I have had conversations over the years where I described what a historian archive actually contains and watched the reaction shift from casual to concerned.
People outside operations often consider data to be a file, a report, or a number. But process data is not abstract.
Drawings and control narratives show how a system is supposed to work.
Historian data shows how it actually works at 2 a.m., during peak demand, after a storm event, with one pump out of service and operators quietly managing around known limitations.
Tank levels are not just numbers.
Pump runtimes are not just maintenance data.
Alarm records are not just event history.
SCADA trends are not just lines on a screen.
That data describes judgment, workarounds, constraints, habits, and the practical reality of keeping service continuous. It tells a story the utility’s own operators may not have ever fully written down.
That story has value. The utility needs the full version. Most outside requesters do not.
SCADA data is not just data; it is a record of how a utility breathes. In the wrong hands, that record becomes operational reconnaissance.
Until next time,
Alana

