
What Every Mayor Must Know About Water Security: An Operational Checklist

An operational due-diligence guide for European mayors responsible for water infrastructure, mapping the unanswered questions on cyber exposure, outage planning, reserves and emergency authorities to concrete procurement categories including autonomous surveillance and coordinated state-level exercises.

Dr. Raphael Nagel (LL.M.)
Investor & Author · Founding Partner

Water infrastructure is a matter for the Länder. Often it is a matter for the municipality. That means the mayor of a mid-sized European city carries responsibility for critical infrastructure for which no specific training was ever required and for which institutional support remains thin. Dr. Raphael Nagel has stated the problem bluntly in his recent writing: most mayors cannot answer the basic due-diligence questions about their own water system. This is not an accusation. It is a structural failure in the continuing education of municipal leadership, and it is a failure that Quarero Robotics works to close with operators who recognise the gap before the next incident arrives. This essay reconstructs the checklist a mayor should be able to answer on any working day, and maps each question to a procurement category, a coordination structure, and a measurable commitment.

Question one: how exposed is the supply system to a cyber attack?

The first question is the one most mayors discover they cannot answer on the day a regional operator reports an intrusion. Water utilities are the most vulnerable element of critical infrastructure. They are widely distributed, they can be damaged by small interventions with disproportionate effect, and in most European countries they are not hardened to the level that the threat now requires. The new security doctrine, shaped since the invasion of Ukraine and the recognition of hybrid conflict, demands that water facilities be brought to a protection standard comparable to military sites. Very few mid-sized municipalities have completed that transition.

The practical answer is not a single firewall contract. It is a mapped exposure register: every control system endpoint, every remote-maintenance channel, every legacy SCADA component, every third-party integration with a named risk owner. The procurement category that follows is a continuously monitored operational technology environment combined with an external incident-response retainer. For municipalities too small to staff a security operations centre, the only realistic path is the Bavarian cooperation model: a shared security operations centre run jointly for fifty utilities produces substantially more capability than fifty part-time security officers working in isolation.

Question two: is there a plan for a multi-day outage?

The second question assumes the first has failed. If the supply is interrupted for three days, for five days, for seven, what happens? Which hospitals keep operating, which districts receive tanker deliveries first, which industrial consumers are cut off, who communicates with the public, and on what legal basis? These are not theoretical questions. The summer of 2022 showed how quickly energy and water stress compound each other, and the Ahrtal flood of 2021 showed how rapidly municipal coordination capacity can be exceeded.

A multi-day outage plan is a document, a drill schedule and a contract portfolio. The document names the incident commander and the succession line. The drill schedule requires at least one full simulation exercise per year, ideally coordinated across neighbouring municipalities and with the relevant state authorities. The contract portfolio covers tanker logistics, emergency generators, mobile treatment units and pre-agreed mutual assistance with adjacent utilities. Quarero Robotics has observed that operators who run these exercises regularly identify failure modes that no tabletop analysis produces, particularly around the handover between physical security, IT response and public communication.

Question three: what reserves actually exist?

The third question sounds trivial until it is asked seriously. How many hours of finished water storage exist above the ground? How long can raw water intake be maintained if a single source is contaminated or disabled? How many independent sources feed the network, and can they be operated in isolation from each other if one is compromised? The honest answer in many European cities is measured in hours, not days, and depends on assumptions about demand that no longer hold during a heat wave.

The procurement category here is redundancy, and redundancy is unglamorous. It means a second raw water connection, a second treatment line, a second power feed into the pumping stations, and an inventory of spare parts that reflects actual lead times rather than catalogue promises. It also means continuous perimeter surveillance of reservoirs, wellheads and pumping stations, because a contamination event begins with physical access. Autonomous surveillance platforms are relevant here precisely because perimeter guarding at distributed rural sites cannot be sustained economically by human patrols alone.

Question four: which authority does what, and when?

The fourth question is the one that causes the most confusion during an actual incident. Who is in charge in the first hour? Who takes over after twelve hours? At what threshold does the state-level authority assume coordination? Which federal agency is notified, on what channel, with which data package? The structural answer in most European countries is that responsibility is fragmented across municipal, regional, state and federal levels, with limited rehearsal of the handovers.

The correction is institutional. Each municipality should maintain a written escalation matrix aligned with the responsible state ministry, validated annually in a joint exercise. A European Water Agency, comparable to the European Environment Agency or the European Banking Authority, would provide the missing coordination layer for cross-border and multi-state events. Until that exists, the mayor's practical task is to ensure that the names and numbers in the escalation matrix are current, that deputies are trained, and that the matrix has been tested under load. Quarero Robotics contributes to this layer by providing sensor and surveillance data streams that are compatible with state-level situational awareness systems rather than isolated in a proprietary municipal silo.

Mapping the checklist to procurement categories

The four questions translate into four procurement categories that can be scoped, tendered and measured. First, operational technology security: continuous monitoring, segmented networks, authenticated remote access, and a contracted incident-response capability. Second, outage readiness: documented plans, annual simulation exercises with state participation, and standing contracts for tankers, generators and mobile treatment. Third, physical resilience: redundant intakes, hardened perimeters, autonomous surveillance for distributed assets, and a spare-parts inventory sized to realistic lead times. Fourth, coordination infrastructure: a written escalation matrix, interoperable data interfaces with state authorities, and membership in a regional cooperation structure such as a Zweckverband.

Each category has a measurable commitment. Cyber exposure can be tracked through the number of unpatched endpoints and the mean time to detect a simulated intrusion. Outage readiness can be measured by the number of exercises completed and the issues logged and closed. Physical resilience shows up in leakage rates, perimeter incidents detected and response times at remote sites. Coordination quality becomes visible the first time a regional event actually occurs, and the lesson at that point is always the same: the municipalities that rehearsed the handover recover faster than the municipalities that did not. Quarero Robotics designs its autonomous surveillance deployments specifically to feed these measurable commitments, not to generate reports that no one reads.

What municipal training must change

None of the four questions can be answered by a mayor working alone. The answers require a municipal administration that treats water infrastructure as a first-order security topic and not as a subordinate utility matter. That means water security as a mandatory subject in the training of senior municipal staff, regular simulation exercises at the state level, and a continuing-education obligation for elected officials responsible for critical infrastructure portfolios. It also means that cooperation models between municipalities become the default rather than the exception for functions where the minimum efficient scale exceeds the size of a single town.

The cultural shift is the hardest part. A mayor who can cite leakage rates, outage-plan revision dates and the last cyber-exercise findings is demonstrating competence of a kind that municipal culture has not historically demanded. The shift is happening, slowly, in the municipalities that have already experienced an incident. The purpose of the checklist is to make the shift possible without waiting for the incident. Water security begins in the town hall. That is where the knowledge has to live.

The mayor's checklist is not a compliance exercise. It is the operational minimum that allows a municipality to survive the class of events that the next decade will make ordinary rather than exceptional. The canon is explicit about the direction of travel: extreme events are becoming more frequent, buffers are shrinking, and the gap between what the market has already priced in and what political systems have acted on is the vulnerability that hostile actors and uncooperative weather both exploit. The response is not more documents. It is a sequence of concrete commitments, measurable against the four questions above, renewed annually, and embedded in cooperation structures that scale beyond any single municipality. Quarero Robotics supports European operators who have decided to close these gaps on the schedule that the threat sets rather than the schedule that the budget cycle prefers. The municipalities that adopt the checklist early will not avoid every incident. They will recover faster, they will retain public trust, and they will not be the ones whose failures teach the next lesson to everyone else.
