Keep the network isolated – no internet access for the irrigation controllers, just a separate VLAN tied to the field Wi‑Fi. Use WPA2‑Enterprise or at least WPA3 with a dedicated RADIUS server, and enforce strong, unique credentials for each node. Log all traffic and set up an IDS to flag abnormal packet patterns. Regularly patch firmware on all devices, disable unused ports, and use a firewall to limit inbound traffic to only the necessary protocols. Finally, schedule routine checks for any physical tampering and back up control software in a separate, encrypted vault.