Reality
There has not been a publicly disclosed cyber incident on a US water utility’s OT system that has affected the delivery of safe, drinkable water for years. There has not been a publicly disclosed cyber incident that can even be called a near miss. Not Aliquippa. Not Oldsmar.
There have been 1000s of water outages in this time due to other causes. I personally have lived through two multi-week outages in the last 3 years. There have a smaller number of incidents where unsafe water was delivered. Some, much?, of the US water infrastructure is in need of repair and replacement.
Small and Medium Water Utilities
There are about 52,000 drinking water systems in the US. 28,000 serve fewer than 500 people; 42,000 serve less than 3,300 people. For almost all of these systems, automation is for efficiency and the systems can be run manually if necessary.
The key for small water utilities is to insure they can recover the ability to deliver safe water in an acceptable time even if the OT system is completely compromised by malware or an adversary. This usually means running a large part of the system manually.
They should be careful not to upgrade or automate their system, no matter how attractive this may sound, in a way that leads to reliance on the automation. Once they cross this line they need to carry a heavy cybersecurity burden that they likely cannot afford or accomplish.
The guidance from CISA and EPA is wrong for this group. They shouldn’t be allocating their resources to implement 20 or 30 or 40 security controls into a mature OT security program. They will fail, and the resources should be placed elsewhere. My medium sized water utility serving many more than 3,300 people needs to repair the water infrastructure, not spend money on cybersecurity.
It’s probably worth the money and resources to do a small number of basic cybersecurity controls. No direct Internet access, OT security perimeter (even a router ACL so no equipment cost), dedicated USB drives for OT, and two-factor authentication if remote access is required would be my list. Avoid the temptation to have a long list. The resources are better spent elsewhere and your chance of succeeding is small.
Large Security Conscious Water Utilities
My first ICS security consulting engagement in 2000 was for a water utility. There are some highly mature OT security programs in the water sector with one or two decades of experience securing their systems.
Their systems are so large and complex that manual operations is unrealistic. The risk of a cyber incident caused outage is real and warrants the investment. Fortunately many of these larger utilities have the OT security team and resources to do it right.
The guidance coming from CISA and EPA is laughable to this group. They are well past this 101 level guidance, and they are better informed on what to do to address cyber risk in their system than CISA or EPA.
Large Water Utilities In Denial
This is not a large number of utilities, but it could be a large number of customers served. It is what CISA and EPA should focus on. They have large, complex, automated systems that can’t be run manually, and they have an inmature OT security program with little prospect of progress.
This is similar to the situation NERC CIP tried to address. There were some electric utilities with quickly maturing OT security programs, and others were doing little. NERC CIP raised the floor. In a highly inefficient manner that actually setback the security conscious utilities, but it did raise the floor.