The Full Spectrum Frontier’s Podcast

The Silent Battlefield: How Small Town America Became the Front Line



The conversation delves into the nature of cyber intrusions and the reality of cyber warfare, emphasizing that these threats are not random but targeted, and that the battlefield is local rather than distant.  

Resources:

When the FBI says there have been around 200 intrusions targeting small water systems, they’re not talking about bored teenagers in basements. They’re referring to coordinated foreign state-affiliated cyber groups.
Source: NBC News reporting on the Littleton breach
https://www.nbcnews.com/news/us-news/littleton-mass-cyberattack-foreign-hack-water-systems-rcna163133
Source: CISA ICS Security Advisories
https://www.cisa.gov/topics/industrial-control-systems

We have seen this tactic before. Russia pre-positioned inside Ukraine’s power grid years before the 2014 annexation of Crimea and long before the 2022 invasion. When they needed leverage, they didn’t have to build new cyber tools. They already had the access. They already understood the system. So when it came time to act, they shut off parts of Ukraine’s grid in the dead of winter. They weren’t experimenting. They were executing what had been prepared long in advance. Reference:
Ukraine grid cyberattack analysis, US DHS ICS-CERT
https://www.cisa.gov/news-events/ics-case-studies/ukraine-power-grid-attack

The Department of Justice has already indicted Iranian-linked hackers who targeted U.S. critical infrastructure systems. That is a matter of public record. These charges detail explicit efforts to compromise municipal water facilities, energy companies, and public works operations. Source:
U.S. DOJ press release on Iranian cyber activities
https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-iranian-malicious-cyber-activities

If you want the receipts, read the EPA’s March 2024 letter and the enforcement alert. They basically say the quiet part out loud: basic cyber hygiene is missing in too many places to ignore.
https://www.epa.gov/system/files/documents/2024-03/epa-apnsa-letter-to-governors_03182024.pdf
https://www.epa.gov/enforcement/enforcement-alert-drinking-water-systems-address-cybersecurity-vulnerabilities

The attack surface is known, the weaknesses are common, and the fix list starts with boring discipline.
https://www.cisa.gov/water
https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/water-and-wastewater-sector

If a booster station’s telemetry is reachable, someone will eventually reach for it. Coverage from AP and sector write-ups laid out both the intrusion details and the legislative scramble that followed.
https://apnews.com/article/1c475f5d2ef3b5d52410c93bdeab3aad
https://www.cpomagazine.com/cyber-security/iranian-hackers-breached-a-us-water-utility-via-an-israeli-made-scada-system/

Changes to treatment processes or loss of situational awareness can put public health at risk.
https://www.gao.gov/assets/gao-24-106744.pdf

Now the constructive part. If the weakness is local, the counterweight must also be local. Here is what that looks like in practice for a small utility that wants to punch above its weight.

1. Tighten identity and access. Kill default passwords. Enforce unique accounts and role-based access. Remove vendor accounts that are not in active use. Turn on multifactor authentication for anything with a public IP. This sounds basic because it is. The EPA letter literally cites unchanged defaults as a root problem. https://www.epa.gov/system/files/documents/2024-03/epa-apnsa-letter-to-governors_03182024.pdf

2. Segment operational tech from business IT. If your billing workstation can talk directly to plant controls, you are one phishing email away from a very bad day. Even coarse network separation with strict allow lists is a leap forward for small teams. CISA’s “Cyber Risks and Resources for the Water Sector” provides starter guidance and a map to help choose controls that match staff capacity. https://www.cisa.gov/resources-tools/resources/cyber-risks-and-resources-management-water-and-wastewater-systems-sector

3. Know your assets. You cannot defend what you cannot see. Build and maintain a simple inventory of PLCs, HMIs, remote access appliances, and their firmware versions. The American Water Works Association keeps current guidance and assessment tools, including small systems resources. Use them. https://www.awwa.org/technical-reports/ and https://www.awwa.org/AWWA-Articles/is-your-utility-vulnerable-to-cyberattacks/

4. Practice manual failover. Aliquippa proved that people and clipboards still matter. Rehearse safe shutdown and manual operation of critical functions. That single habit converts a crisis into an inconvenience.

5. Set a baseline and monitor. Even a low-cost logging setup that tracks unusual remote connections and sudden config changes will catch a large percentage of amateur intrusions and shorten the dwell time of advanced ones. Partner with your state fusion center or ISAC to get free threat intel feeds.

6. Train the humans. Most cyber incidents begin with persuasion. Phishing, spoofed support calls, fake vendor emails. Short, recurring refreshers outperform once-a-year checklists. EPA and CISA both run free training targeted to water systems, including for very small utilities. https://www.epa.gov/system/files/documents/2024-08/epa-guidance-on-improving-cybersecurity-at-drinking-water-and-wastewater-systems-1.pdf and https://www.cisa.gov/water

AP’s 2024 coverage highlighted both the rising attack tempo and the growing resolve among utilities to get ahead of it. https://apnews.com/article/1435b3e6a569aa046e05c7947f0a0f3d

If you want a place to start this week, open three links and schedule one task. Open the EPA letter to governors so leadership sees the urgency. Open the CISA water toolkit and pick one checklist. Open the AWWA small systems guidance and run the first assessment. Then schedule a 45-minute tabletop on how your team would operate ma
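As an added illustration of step 5 (baseline and monitor) and the allow-list idea in step 2, here is a small Python check that reads a remote-access and configuration-change log and flags anything that departs from a written-down baseline. This is example code written for this page, not anything from the podcast, EPA, CISA or AWWA. The log format, the allow-listed networks, the operator account names and the maintenance window are all constructed assumptions, and the sample log lines are made up (the addresses come from RFC 5737 documentation ranges).

```python
"""Baseline-and-monitor check for a small utility's remote-access log (example, constructed)."""
import ipaddress
from datetime import datetime

# --- Constructed baseline: what "normal" looks like for this hypothetical utility ---
ALLOWED_REMOTE_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),      # assumed plant VLAN
    ipaddress.ip_network("198.51.100.0/24"),   # assumed vendor support VPN range (RFC 5737 placeholder)
]
KNOWN_OPERATORS = {"ops_day", "ops_night", "vendor_svc"}   # assumed account inventory
MAINT_WINDOW_HOURS = range(8, 17)                          # config changes expected 08:00-16:59 local

# --- Constructed sample log, one event per line: "timestamp|event|user|source_ip|detail" ---
SAMPLE_LOG = """\
2024-05-02T09:15:00|remote_login|ops_day|10.20.4.7|vpn ok
2024-05-02T09:20:10|config_change|ops_day|10.20.4.7|PLC-3 setpoint chlorine 1.2->1.3
2024-05-02T23:41:03|remote_login|admin|203.0.113.55|vpn ok
2024-05-02T23:42:30|config_change|admin|203.0.113.55|HMI-1 alarm thresholds disabled
2024-05-03T02:10:00|remote_login|vendor_svc|198.51.100.9|vpn ok
"""


def parse_line(line):
    """Split one pipe-delimited log line into a record dict."""
    ts, event, user, src, detail = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": user,
        "src": ipaddress.ip_address(src),
        "detail": detail,
    }


def in_allow_list(addr):
    """True if the source address falls inside one of the baseline networks."""
    return any(addr in net for net in ALLOWED_REMOTE_NETS)


def check_record(rec):
    """Return the list of baseline deviations for a single record (empty list = normal)."""
    reasons = []
    if not in_allow_list(rec["src"]):
        reasons.append("source outside remote-access allow list")
    if rec["user"] not in KNOWN_OPERATORS:
        reasons.append("account not in operator inventory")
    off_hours = rec["ts"].hour not in MAINT_WINDOW_HOURS
    if rec["event"] == "config_change" and off_hours:
        reasons.append("config change outside maintenance window")
    if rec["event"] == "remote_login" and off_hours:
        reasons.append("off-hours remote login")
    return reasons


def scan_log(text):
    """Run every record through the baseline checks; return one finding per deviation."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        for reason in check_record(rec):
            findings.append({
                "line": line_no,
                "src": str(rec["src"]),
                "user": rec["user"],
                "event": rec["event"],
                "reason": reason,
            })
    return findings


def findings_by_source(findings):
    """Count deviations per source address so a repeat offender stands out."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {f['user']}@{f['src']} {f['event']} -> {f['reason']}")
    print("per-source totals:", findings_by_source(results))
```

Run as a script it lists every deviation and the per-source totals; the two events from the unknown `admin` account at an address outside the allow list stack up six findings, which is the kind of clustering that should page someone. The rules are deliberately dull. The value is in having written the baseline down (which networks, which accounts, which hours) so that "unusual" has a definition a part-time operator can act on, and in feeding real VPN-appliance and HMI audit logs into it instead of the constructed lines above.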

The Full Spectrum Frontier’s PodcastBy Bennett Tanton