With the potential gutting/further defunding of EPA and other federal regulatory agencies, my money says there will be no action taken until an actual security incident occurs. Administrations don’t care about the long term health of the country, only what they can do in 4-year spans.
Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.
Because it was being addressed before the defunding? I mean... clearly not. They haven't been defunded yet.
The issue is unlikely to be money, nor is it likely to be technical. If throwing ever-increasing amounts of money at the problem isn't fixing it, maybe it isn't all that crazy to try the opposite.
There has actually been a lot of investment in this area, especially in the last few years.
Cyber is seen as a risk and most municipal utilities and auditors are treating it as such. The private companies… not so much unless there’s a clear financial benefit or mandate.
Republican lawmakers and the water industry sued the EPA saying it would be too expensive to secure water systems.
> In a statement to Recorded Future News, an EPA spokesperson confirmed that the memorandum – handed down in March – was being withdrawn due to lawsuits filed by attorneys general in the States of Missouri, Arkansas, and Iowa as well as industry groups American Water Works Association (AWWA) and National Rural Water Association (NRWA).
There is no point in trying to solve what there is no will to solve. Less money, more money, they just don’t want to have to do it or be liable.
This statement from the EPA is the crux of it: "Most cybersecurity practices can be implemented at minimal cost."; a statement that anyone involved with software/cybersecurity knows has never been true about any software system, ever. It feels very reasonable to me that some of these dirt-poor counties could look at a new set of cyber requirements and say, we physically cannot pay for this; and while the EPA goes on to list sources of funding they offer, I don't know much about those; it's possible that given they've already vastly underestimated the cost of securing an industrial software system, they're also vastly under-provisioning the grant funding available to do it.
No one wants their water systems insecure. Republicans aren't a comic book villain; and to help empathize with how they think, right or wrong, consider this: What if we took a good chunk of the EPA's budget and distributed it to the local water utilities directly (in other words: Your federal taxes go down, your county taxes go up). The EPA seems really good at drafting memorandums they have to redact and publishing reports about how insecure our water systems are; Republicans would argue, the money we spent on those things did nothing to help actually fix the problem, so maybe the solution is "less EPA".
I'm not saying this is right, and I'm not saying it's even representative of a cogent reality. I'm just saying, this is the line of thinking.
As a cybersecurity practitioner and owner of a mid 7 figures budget to defend an enterprise, I am not unfamiliar with the costs (controls, staff, implementation). But, the evidence is clear that the response was “no” to this effort, and no further action or negotiation to improve the security posture of these entities. I know what it looks like when someone says “we don’t have the funds for this, what can we do with what we have?” but also what it looks like when lack of funding is an excuse to take no further action. Republicans have made no effort to appropriate funding for this work at either the federal or state level, for example. If this matters to them, when can we expect this to happen? And how many people will have to be harmed first for it to happen?
> Republicans aren't a comic book villain;
Agreed, they’re much worse. “We’re going to spend nothing, and when something happens to you, too bad, so sad” under the guise of fiscal responsibility. But if that’s what you vote for as a voter, who am I to get in your way? This isn’t a problem to be fixed, this is an indicator of electorate intent.
> What if we took a good chunk of the EPA's budget and distributed it to the local water utilities directly (in other words: Your federal taxes go down, your county taxes go up).
This sounds like a recipe for fraud and waste due to the sophistication of those responsible at the local level, with no accountability.
> Republicans have made no effort to appropriate funding for this work at either the federal or state level, for example.
The article states that drinking water systems for 26 million Americans are vulnerable to significant cybersecurity risks. What that obviously implies is that the drinking water systems for... 308 million Americans face an at least mitigated and acceptable level of cyber-risk. Are you stating that 308 million Americans live in counties led by Democrats, as they're the only ones capable of securing their water systems? Clearly that isn't the case. Are you crediting all of the good things about the good water systems to Democrats, and all the bad things about the bad water systems to Republicans, somehow? That feels unlikely; though I'm sure the federal government funds a significant amount of our local water systems' budgets, and currently the Republican party is the party of anti-federal government, obviously past and current Republicans also had a hand in creating some of that federal infrastructure and no one is saying it should entirely disappear.
> This sounds like a recipe for fraud and waste due to the sophistication of those responsible at the local level, with no accountability.
It's actually fascinating how Republicans would say the same thing of some of our federal institutions: That they've become so big that they're impossible to hold accountable. There's some truth in both extremes: but the Republican view is that the voting populace can more-easily hold their local government and utilities accountable than we're able to hold the federal bureaucracy accountable. Given the measurable performance and efficiency of some of these federal institutions; I do believe that Republicans are, at least, operating in good faith, even if I tend to side with Democrats directionally. Of course, we've become a culture of extremes: you're either in the party of "don't touch it, touching it is anti-federal and anti-democrat" or "tear it down and salt the earth it stood on", there's no in-between take that maybe these institutions just need an overhaul (well, there was [1], but it never panned out).
> Agreed, they’re much worse. “We’re going to spend nothing, and when something happens to you, too bad, so sad” under the guise of fiscal responsibility.
1) What, Republicans don't need to drink water now?
2) I find it amazing. For decades the small government people have been arguing that centralising power to the national level is a bad idea because it creates a single point of failure. It is a real tell that people are play-acting with their concerns about the Republicans that they currently control all the major organs of the US government AND are led by Trump, but this is not enough to provoke a "gee, maybe centralising all these critical functions is a bad idea" response. The answer is still to concentrate power towards Trump and the Republican party, just to demonise them more vociferously.
I mean gee. If there are a group of people who are so terrible at securing clean water, don't give them control over the water systems ~50% of the time. Let it all happen at the local or state level. Is this such a radical position?
Do you think water systems are managed at the federal level? They're not. Municipal water supplies are primarily managed by local and state agencies.
The feds get involved when there are environmental issues (EPA) or something directly under the federal prerogative comes up like federal lands, standardisation, the army, or interstate cooperation.
So from your comment it seems you see a body that is basically advisory. Would I be correct in assuming you see no issue with getting rid of the parts of the EPA that deal in water? They don't sound like they do anything particularly important. They were probably overstepping their mandate with the cybersecurity stuff if your view is accurate; nobody needs to sue them if they don't exercise any control.
Those functions could be wholly coordinated by the states or direct communication between relevant bodies by the way.
I dunno, there seems to be a logical issue here. You've told me that water systems aren't managed at the federal level, and I take you at face value.
So if, as toomuchtodo points out, Republicans are having to sue the EPA to stop them from managing water systems it is clear that the EPA is overstepping their mandate.
If they do in fact have a mandate to manage water systems and the Republicans aren't simply and obviously in the correct moral and legal position here, then this idea that they don't have a mandate must be discarded and they are in fact managing water systems at the federal level.
As can be seen from my earlier posts, I agree with the Republican lawyers & what appears to be your position - the EPA shouldn't be managing water systems. Leave it to the state & local authorities, the results will be better overall. If they are alarmed over something they can report it all they like, but they shouldn't be the ones to try and fix it.
They have a mandate to monitor and set standards for water systems. That's what they're doing here. Implementing those standards is left up to the municipal water supplies that actually manage the water systems. Similarly, CISA has a mandate to monitor and strengthen infrastructure cybersecurity. There's no contradictions here.
If you have questions on the extent of the EPA's mandate and why, you'll probably find the Wikipedia page a better resource than me.
I'm not actually asking questions about the EPA here, this is more an exploration of what you think.
> They have a mandate to monitor and set standards for water systems.
So we've found a point of disagreement, because that is pretty much my definition of management. IMO, to a reasonable approximation, management is the process of monitoring a situation and setting standards that people must meet.
What do you think management involves, and what would separate the work of, say, senior management from what the EPA is doing? If the power to monitor and set standards isn't the heart of management, what is?
It's still local governments designing the water treatment systems, working with suppliers and local polluters, designating water source uses, setting the local quality standards (which may be different than the federal standards), collecting monitoring data, granting discharge permits, getting funding, handling lawsuits, filing state level reports, and so on. I'm barely even scratching the surface of how much is involved with modern infrastructure either.
I don't understand why you think an agency nationally coordinating all the local governments' efforts and making reports to Congress should exist at any level below the federal.
Well yeah, execution has to happen locally. But you did open this with a "Do you think water systems are managed at the federal level? They're not.". And I'm not sure why you think that because you seem to be describing a situation where the EPA, at the federal level, is in fact managing water systems. Obviously we have a terminology disagreement here somewhere.
I mean, if there was a software engineer designing systems, working with vendors, setting his own standards that were higher than company standards, collecting monitoring data, managing permissions, yada yada, we would still have to acknowledge that he was not the manager in the region, he is an employee and the manager is someone else. He is managing some aspects of the situation, no doubt, but if we ask "who is managing all this" the conventional answer isn't the developer, but the developer's manager. "Management" is typically reserved for the senior managers in the area monitoring the outcomes and setting high-level standards. By analogy, the EPA is attempting to manage water systems at the Federal level.
Do parts of that chain of logic seem questionable to you? Is it possible that when you say "managed" you mean what I would call "executed"?
> I don't understand why you think an agency nationally coordinating all the local governments' efforts and making reports to Congress should exist at any level below the federal.
I recommend asking questions if you don't understand something. It works well for me. This (drinking water) is a critical system. Centralised management is too risky, if something goes off the rails then it'd affect drinking water across an entire country. It is better to have disparate systems where failure is more localised.
Right now, the headline suggests <10% of the US is at risk. Trading that for a situation where there is a <10% chance that all of the US is at risk is actually making the risk profile worse. The chance of a problem is the same because nothing has been done to lower the triggers, but the consequences are substantially worse because the system is trying to centralise under the EPA. The EPA shouldn't be in a position where local authorities feel they have to sue them to keep the system decentralised, they shouldn't be trying to manage local operations.
When presented with an issue that poses a real and present danger to the drinking water supply of citizens of this country your contribution is pearl clutching over notional mandates? To be clear, in your opinion "overstepping their mandate" is the bigger threat here? Here's a wild idea, how about we return to the concept of actual governance for the first time in a few decades and actually empower the EPA with both budget and enforcement rights to ensure that local and state run systems that our fellow citizens rely on aren't falling through the cracks?
> ...your contribution is pearl clutching over notional mandates...
> Here's a wild idea, how about we return to the concept of actual governance for the first time in a few decades...
These two ideas are actually somewhat contradictory, I recommend picking one. You can't return to good governance by ignoring governance every time you think something needs to be done.
And you don't need the EPA to be involved to defend against these sort of risks. In fact, standardising the IT approach through the EPA will might increase the risk since any vulnerabilities will be more likely to be standardised. Highly heterogeneous systems are expensive and difficult to cripple. If an adversary wants to attack there is a single point of failure they can target - the EPA process.
> In fact, standardising the IT approach through the EPA will might increase the risk since any vulnerabilities will be more likely to be standardised. Highly heterogeneous systems are expensive and difficult to cripple.
This is not a safe assumption to make. As an example: Standardized patching programs are very basic and reduce a lot of this risk. Without them (or incentive/budget for them), it’s typical for most private and public orgs to end up with pretty bad security posture.
This is a known failure state that results in many known vulnerabilities that can be trivially exploited, regardless of how heterogeneous these various networks are.
Sadly, from what I’ve seen in the news and in various reports, I don’t think many regional organizations have the funding, expertise, or incentive to run effective security programs.
Clearly you need someone involved to defend against these sort of risks as they are demonstrably not being addressed currently. May as well involve the EPA, they already exist and water is already a thing they do. Given we're already discussing a diverse mix of insecure systems "heterogeneity" isn't much of a talking point. You're proposing local and state governments spend orders of magnitude more taxpayer money on duplication of effort. In a forum that generally favors efficiency this seems out of place.
They are being addressed. By the headline something like >90% of the US isn't affected.
If it was a more centralised system, there'd be a 90% chance it was all working and a 10% chance that the incompetent local officials were incompetent EPA officials instead, standardising everyone on insecure systems with nobody able to overrule them. It'd make a bad situation into an all-or-nothing gamble with substantially worse worst-case performance.
> You're proposing local and state governments spend orders of magnitude more taxpayer money on duplication of effort.
Doubt it. The expenses are going to be mostly capital and operating ones that can't be avoided.
> Doubt it. The expenses are going to be mostly capital and operating ones that can't be avoided.
This suggests to suspicion you've never worked in or with local or state government agencies and have spent zero time in a water treatment facility. I've done both so here's a couple of things that might help form a more robust picture of the situation:
1. These organizations are typically operating with budgets below the minimum requirements necessary to maintain the systems they're responsible for. This is why municipal bond initiatives are so common for water system maintenance and expansion projects.
2. Private contractors created this situation. Local and State government agencies contract out all of their IT projects and do not have personnel on staff capable of performing the work under discussion.
Point 1 isn't anything to do with economies of scale though - the municipal authorities could operate with an appropriate budget.
Point 2 is underdone, the question is basically should knowledge be in the private or public sector. Given that the private sector is generally more efficient than the public it seems a bit of an assertion to say that contracting out projects will decrease efficiencies. It could easily make the situation better. The US Federal government is absolutely known for being captured by contractors and consulting firms because it is a big, obvious & lucrative target and its bandwidth is completely overwhelmed to the point where very few people vote based on EPA policy. Odds are it'd be much more efficient to handle that at a lower level of government.
> This suggests to suspicion you've never worked in or with local or state government agencies and have spent zero time in a water treatment facility.
This is a silly point. I might as well ask "Are you one of the people who are managing water operators in the US incompetently?". If the debate is that the managers are clearly not up to the challenge, a lack of expertise is not a downside because the process the managers are using is being challenged.
I have had a lot of experience on the subject of organisational design. If you want better results, centralising into a single unaccountable bureaucracy isn't usually the way to get there. It is a bad strategy.
How so? What accountability measures exist for the EPA that don't exist for the private sector?
I anticipate you saying voting, so I'll preemptively observe that voters can vote for the government to switch to a different private provider too. Voting doesn't lose any of its potency if the government uses contractors, although it runs into the same problem as always that the EPA is realistically never going to be high enough on the priority list to change an election's outcome.
There's many people who would reasonably disagree with a course like this, because there are no elected positions in the EPA.
The whole "overstepping their mandate" thing is perceived as a very real and present threat among MAGA people, for this reason specifically. This is the whole notion of "The Swamp" Trump was going to drain; unelected career bureaucrats.
That they would disagree isn't in question. That their position is reasonable is, however, very much up for debate. Career bureaucrats are literally the pool of experience and expertise that make government agencies function, to the extent that's possible given legislative hobbles. The only thing that gets drained when these people are replaced by elected officials or private industry is expertise and theoretically sane incentives.
It’s funny how it seems we care more about years of expertise for the engineers on our software teams than the people running government.
There’s a balance that needs to be struck between new blood with fresh perspectives and old guard with decades of experience navigating Washington politics.
EPA can only regulate what congress empowers them to regulate.
You’re pretty close to the mark on the line of thinking. Boiling down complex issues to pablum and creating problems is a hallmark of modern conservatism. Sorta like I set your house on fire, then launch a campaign attacking the firemen for not putting it out fast enough.
Somehow I doubt the security posture was magnificent even before the defunding. This kind of thing is usually a simple checklist item for companies let alone government agencies.
> Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.
Government info-sec jobs suck too. Crap pay, red tape, onsite only. Also, a lot of security people have ethics surrounding privacy, data security, etc. Why work for a culture that spies on its own citizens, its allies, and engages in global terrorism? The NSA can attract some decent mathematical minds but lacking on the security front.
> Why work for a culture that spies on its own citizens, its allies, and engages in global terrorism?
If you're working government info-sec for drinking water systems, it's going to be mostly for municipal water systems, often agencies that are a similar geographic scope as counties or cities but sometimes independent from them. Water districts aren't spying much (unless you have strong feelings about water meters, or lawn watering restrictions), and they rarely take part in acts of violence outside the districts they serve and the sources of their water.
Some of these systems are private companies, and who knows about ethics there, sure.
The NSA famously recruits math geniuses and quants to solve abstract problems, esp. around cryptography. If you're a security person hired to harden infrastructure or web services, it's not so abstract. People like Snowden for example.
NSA's early career recruiting pipeline is pretty strong at the collegiate level. They recruit from a LOT of good universities that top tech employers don't recruit from (eg. UTSA, Texas Tech).
The issue is the US Government is hundreds of agencies, and each state in turn has hundreds of agencies as well.
Each of these agencies has their own IT that manages that agency's infra and security AND they are very limited funds wise and salary wise.
For example, back when I was a PM, a customer of mine was the de facto CISO of a several hundred person agency yet only earned around $120k a year and had a less than $1M budget for all IT spend.
The agency could not build its own hiring pipeline (having to resort to USAJOBS and the department it was a part of) nor was there any truly unified security platform.
While the naive answer would be "have everyone use a single platform", just about every presidential administration in the past 20 years has tried that and failed.
> While the naive answer would be "have everyone use a single platform", just about every presidential administration in the past 20 years has tried that and failed.
Isn't that literally the job of a National Security Agency, instead of spying?
I think it is safe to say that few if anyone actually understands the common American voter and what they actually care about. Anecdotally, the prevalence of cyber-security plot points in action thriller movies/games/books indicates that there is at least some awareness of the threat.
My core question is, why? I understand that security can be difficult, but why is infrastructure that is able to operate effectively for many decades before micro controllers were even a thing vulnerable to remote attacks?
I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted, but why is the core operational infrastructure that way? Command and control should be isolated and be using 50-70 pneumatic tech to control it. Building in such a way to allow it to be disrupted remotely is the core problem here.
A water treatment plant would need about 2 people to a shift (and 4 sets of people) to have 24/7 monitoring (one to watch the control screens, and one to handle tasks like running tests on water, handling deliveries, etc., that takes you away from the screens), and that basically doesn't change if you're a small facility making 10KGD of water or a large facility making 100MGD of water. There is serious economy of scale going on here.
If you're a small facility servicing a few thousand people, you can't afford to have that kind of monitoring, and so you have to economize in various ways. One of the popular ways is pooling together with other small facilities so that you have one person doing that monitoring for several sites at once, which requires some form of remote operation.
Furthermore, when I worked at a large water company, all of our network, even the telemetry to the various pumping stations dotted around the service area, was on a private network airgapped from the internet. But there's also economy of scale here; a large company servicing 1.5 million people in a large metropolitan area can afford to do custom fiber backhaul in a way that even a bunch of small companies in the rural Midwest cannot, and so the control systems end up being Internet-accessible because it's too expensive for them not to be.
I understand that monitoring and status is reasonable to optimize for cost and this comes with some tradeoffs. Loss of monitoring should not equal a loss of service not unless that monitoring is off line for an extended period.
The actual functional control for ensuring a critical service like water is working should remain as an analog computer with something like pneumatics, or other such technology. These are robust and can continue to operate even when electronic circuits have failed.
Loss of visibility, and loss of service should be separated. This should be the same even for power stations as well.
I only work on power stations, but about 30 of 33 I have worked on are accessible by VPN. They aren’t staffed 24/7 and one crew will be responsible for several facilities in a geographic area. Bad weather causes problems and makes travel difficult or dangerous, so being able to control equipment remotely saves time, money or lost revenue, and is safer by avoiding dangerous travel.
The ones not on VPN were owned by a big enough utility to have their own private fibre networks.
I am ripping out analog electronics from the 70s that nobody alive wants to support and installing PLCs with Ethernet.
The attention paid to cybersecurity goes up with the size of the facility as downtime is more expensive. Failsafes preventing damage or loss of life are separate processors from the PLC and independent, often redundant systems, but still digital.
Small cities are quite willing to economize even if it means X risk some attacker will muck with the system.
But the thing I'd take issue with is the "can't afford it" part.
Of course these cities could afford an onsite worker. As gp pointed out, these districts operated long before the Internet and they could provide water then. But the neoliberal paradigm has appeared and suddenly the constant claim is no organization "can afford" not to do any given automation measure, no matter how illogical or dangerous. And so a key thing is calling organizations on this baloney.
> I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted
Actually it’s very easy to isolate that part. One-way network equipment with physical isolation has existed for decades. An optic fibre with only an emitter on one side and only a receiver on the other will do the trick.
That’s irrelevant. Pneumatic systems don’t expose telemetry towards the network.
If you want to do that - and you do because having someone next to your equipment all the time to monitor things is both a waste of time and money and very error prone - you will need a data diode.
It is cheaper, your product takes fewer people to operate, you can outsource the operations, if you deliver IoT solutions you get to call yourself a tech company which gets you valued at 30x earnings instead of 10x earnings, getting hacked does not affect your stock price, and the actual effect of getting hacked is actually minor because you get hacked by the functional equivalent of Dr. Evil who takes down water for millions of people or cripples a billion dollar business, then asks for the staggering sum of 1… million dollars.
It’s probably necessary for something along the lines of requiring a licensed engineer to sign off on these systems if private companies are going to manage critical infrastructure.
Do computer and software engineers stamp their drawings and reports? I’ve only seen electrical, civil and mechanical drawings stamped, but that is who is involved in hydro electric.
Indeed, and the regulatory standards get really specific about what hardware can even be installed in some locations.
Also, due to past shenanigans with vendor lock-in schemes the Engineering Managers often have a valid concern for cryptographic/locked infrastructure and maintenance cycles. Ironically, right-to-repair legislation may slowly improve the situation.
It is not a technical problem, but a bureaucratic one =3
I think it'd be a shame if engineers were the ones to make the decision in this case. The decision needs to be made by people with a more serious understanding of risk and fragility, like the military generals, and especially by the people who will bear both the upsides and downsides of the decision, a.k.a. the local community who will be consuming the water.
This is one of the few areas where rural living is better, in my experience.
Our water, power, and Internet are all delivered by local co-ops. We actually do get a direct say in how the money is spent on our infrastructure.
It's one of the reasons why I have fiber Internet whereas the closest town (managed by for profit entity) is still fighting to roll it out years after we had ours run to us.
I also got reimbursed by the co-op for the water line to my house when we built the place.
I also lobbied the power board to prioritize tree removal near lines for a more reliable service.
My rural "neighbors" pay more than 2x for electricity and don't have any water/sewer service. I live in a small town in a geographically large county that only has about 35,000 residents, so there may be differing ideas of rural at play.
We pay more, yes, but not 2x what the city people pay in the next county over. Maybe 1.2x or so. Obviously there is no sewer service, just septic tanks. That cost is minimal once they're installed. Install price was around 5k, and it costs $200 to have it pumped every four or five years.
The definition of rural to me is around 12k residents in a county that is around 1000 square miles. That's the size of where we are. The largest town is around 3k people. Two counties over is a city of about 40k. The 3k town is part of our co-op, so they have fiber. The 40k had less than 15% on fiber the last I knew, but that was two years ago. Since then they haven't run any more lines, but have added customers on their existing lines.
Who needs cybersecurity risks when you have an incoming republican administration hellbent on gutting regulations to the benefit of industry, a SCOTUS bending over backwards to help them do it (stare decisis? What’s that?), and a HHS secretary nominee who wants to singlehandedly trigger the next pandemic or two.
RFK isn't going to trigger a pandemic; don't be ridiculous. Pandemics aren't caused by individuals.
But, similar to not having any smoke detectors in your home when something catches fire at night, being in a pandemic with him running the health agency is not going to turn out well for you.
That still doesn't invalidate my statement. He can't trigger a pandemic; he doesn't have the ability to engineer a virus, and I don't think he's going to find anyone to help him do so. Besides, why do you think he wants a pandemic? The guy's a fruitcake, but I haven't seen any evidence that he's actively malicious this way.
Why do the water systems need to be connected to the internet at all? If the systems are completely disconnected from the internet there shouldn't be much cybersecurity risk. Of course there still needs to be proper precautions to prevent a Stuxnet type worm getting through.
Yeah I never understand all these systems being connected at all. I understand remote working and monitoring, but is that worth it for something that is the most crucial part of society?
Now is a good time to prep. Get a few food grade 55 gallon drums - you can usually find them at food/restaurant supply stores or people trying to get rid of them on craigslist/fb market. Get a dolly so you can move them around your garage or basement. Just need a few teaspoons of bleach to keep it good for ~ 6 months. If your washer is in your basement, you can disconnect the cold line to fill up the drums, or you can run a garden hose. They also make kitchen faucet to garden hose attachments. When you need to drain it, a cheap transfer or sump pump will do the job.
Speaking as someone who has the entirety of my heat for this winter stacked up in totes, prepping by storing bulk materials is not really something to be done lightly. Unless you turn this DIY water buffer into something you use in your everyday life (i.e. thirsty? time to go to the basement to get a glass of water), you will get bored of maintaining it long before the municipal water supply fails.
Also 55 gallons of water is ~450lbs, so it's not going to be terribly easy to move with an [appliance] dolly. You probably want pallets and a pallet jack (and a smooth concrete floor).
Personally I'd suggest getting an RO filter for your everyday drinking water needs, and setting up a rain barrel collection that you can routinely use for outdoor garden/plants. Then if you suddenly need drinking water, you should be good just boiling the rain water. And if there is some large scale catastrophe with some kind of chemical/radiological contaminant in the rain, you can run it through the RO.
With the potential gutting/further defunding of EPA and other federal regulatory agencies. My money says there will be no action taken until an actual security incident occurs. Administrations don’t care about the long term health of the country, only what they can do in 4 year spans.
Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.
Because it was being addressed before the defunding? I mean... clearly not. They haven't been defunded yet.
The issue is unlikely to be money, nor is it likely to be technical. If throwing ever-increasing amounts of money at the problem isn't fixing it, maybe it isn't all that crazy to try the opposite.
There has actually been a lot of investment in this area, especially in the last few years.
Cyber is seen as a risk and most municipal utilities and auditors are treating it as such. The private companies… not so much unless there’s a clear financial benefit or mandate.
Republican lawmakers and the water industry sued the EPA saying it would be too expensive to secure water systems.
> In a statement to Recorded Future News, an EPA spokesperson confirmed that the memorandum – handed down in March – was being withdrawn due to lawsuits filed by attorneys general in the States of Missouri, Arkansas, and Iowa as well as industry groups American Water Works Association (AWWA) and National Rural Water Association (NRWA).
There is no point in trying to solve what there is no will to solve. Less money, more money, they just don’t want to have to do it or be liable.
https://therecord.media/epa-says-litigation-from-republicans...
https://www.iowaattorneygeneral.gov/newsroom/attorney-genera...
https://content.govdelivery.com/attachments/IACIO/2023/04/18...
That's not how I read that.
This statement from the EPA is the crux of it: "Most cybersecurity practices can be implemented at minimal cost."; a statement that anyone involved with software/cybersecurity knows has never been true about any software system, ever. It feels very reasonable to me that some of these dirt-poor counties could look at a new set of cyber requirements and say, we physically cannot pay for this; and while the EPA goes on to list sources of funding they offer, I don't know much about those; it's possible that given they've already vastly underestimated the cost of securing an industrial software system, they're also vastly under-provisioning the grant funding available to do it.
No one wants their water systems insecure. Republicans aren't a comic book villain; and to help empathize with how they think, right or wrong, consider this: What if we took a good chunk of the EPA's budget and distributed it to the local water utilities directly (in other words: Your federal taxes go down, your county taxes go up). The EPA seems really good at drafting memorandums they have to redact and publishing reports about how insecure our water systems are; Republicans would argue, the money we spent on those things did nothing to help actually fix the problem, so maybe the solution is "less EPA".
I'm not saying this is right, and I'm not saying it's even representative of a cogent reality. I'm just saying, this is the line of thinking.
As a cybersecurity practitioner and owner of a mid 7 figures budget to defend an enterprise, I am not unfamiliar with the costs (controls, staff, implementation). But, the evidence is clear that the response was “no” to this effort, and no further action or negotiation to improve the security posture of these entities. I know what it looks like when someone says “we don’t have the funds for this, what can we do with what we have?” but also what it looks like when lack of funding is an excuse to take no further action. Republicans have made no effort to appropriate funding for this work at either the federal or state level, for example. If this matters to them, when can we expect this to happen? And how many people will have to be harmed first for it to happen?
> Republicans aren't a comic book villain;
Agreed, they’re much worse. “We’re going to spend nothing, and when something happens to you, too bad, so sad” under the guise of fiscal responsibility. But if that’s what you vote for as a voter, who am I to get in your way? This isn’t a problem to be fixed, this is an indicator of electorate intent.
> What if we took a good chunk of the EPA's budget and distributed it to the local water utilities directly (in other words: Your federal taxes go down, your county taxes go up).
This sounds like a recipe for fraud and waste due to the sophistication of those responsible at the local level, with no accountability.
> Republicans have made no effort to appropriate funding for this work at either the federal or state level, for example.
The article states that drinking water systems for 26 million Americans are vulnerable to significant cybersecurity risks. What that obviously implies is that the drinking water systems for... 308 million Americans face an at least mitigated and acceptable level of cyber-risk. Are you stating that 308 million Americans live in counties led by Democrats, as they're the only ones capable of securing their water systems? Clearly that isn't the case. Are you crediting all of the good things about the good water systems to Democrats, and all the bad things about the bad water systems to Republicans, somehow? That feels unlikely; though I'm sure the federal government funds a significant amount of our local water systems' budgets, and currently the Republican party is the party of anti-federal government, obviously past and current Republicans also had a hand in creating some of that federal infrastructure and no one is saying it should entirely disappear.
> This sounds like a recipe for fraud and waste due to the sophistication of those responsible at the local level, with no accountability.
It's actually fascinating how Republicans would say the same thing of some of our federal institutions: That they've become so big that they're impossible to hold accountable. There's some truth in both extremes: but the Republican view is that the voting populace can more-easily hold their local government and utilities accountable than we're able to hold the federal bureaucracy accountable. Given the measurable performance and efficiency of some of these federal institutions; I do believe that Republicans are, at least, operating in good faith, even if I tend to side with Democrats directionally. Of course, we've become a culture of extremes: you're either in the party of "don't touch it, touching it is anti-federal and anti-democrat" or "tear it down and salt the earth it stood on", there's no in-between take that maybe these institutions just need an overhaul (well, there was [1], but it never panned out).
[1] https://www.washingtonpost.com/climate-environment/2022/05/3...
> Agreed, they’re much worse. “We’re going to spend nothing, and when something happens to you, too bad, so sad” under the guise of fiscal responsibility.
1) What, Republicans don't need to drink water now?
2) I find it amazing. For decades the small government people have been arguing that centralising power to the national level is a bad idea because it creates a single point of failure. It is a real tell that people are play-acting with their concerns about the Republicans that they currently control all the major organs of the US government AND are led by Trump, but this is not enough to provoke a "gee, maybe centralising all these critical functions is a bad idea" response. The answer is still to concentrate power towards Trump and the Republican party, just to demonise them more vociferously.
I mean gee. If there are a group of people who are so terrible at securing clean water, don't give them control over the water systems ~50% of the time. Let it all happen at the local or state level. Is this such a radical position?
Do you think water systems are managed at the federal level? They're not. Municipal water supplies are primarily managed by local and state agencies.
The feds get involved when there are environmental issues (EPA) or something directly under the federal prerogative comes up like federal lands, standardisation, the army, or interstate cooperation.
So from your comment it seems you see a body that is basically advisory. Would I be correct in assuming you see no issue with getting rid of the parts of the EPA that deal in water? They don't sound like they do anything particularly important. They were probably overstepping their mandate with the cybersecurity stuff if your view is accurate; nobody needs to sue them if they don't exercise any control.
Those functions could be wholly coordinated by the states or direct communication between relevant bodies by the way.
The EPA is specifically mandated to do this in the Clean Water Act. They're not overstepping at all, and neither is CISA.
I dunno, there seems to be a logical issue here. You've told me that water systems aren't managed at the federal level, and I take you at face value.
So if, as toomuchtodo points out, Republicans are having to sue the EPA to stop them from managing water systems it is clear that the EPA is overstepping their mandate.
If they do in fact have a mandate to manage water systems and the Republicans aren't simply and obviously in the correct moral and legal position here, then this idea that they don't have a mandate must be discarded and they are in fact managing water systems at the federal level.
As can be seen from my earlier posts, I agree with the Republican lawyers & what appears to be your position - the EPA shouldn't be managing water systems. Leave it to the state & local authorities, the results will be better overall. If they are alarmed over something they can report it all they like, but they shouldn't be the ones to try and fix it.
They have a mandate to monitor and set standards for water systems. That's what they're doing here. Implementing those standards is left up to the municipal water supplies that actually manage the water systems. Similarly, CISA has a mandate to monitor and strengthen infrastructure cybersecurity. There's no contradictions here.
If you have questions on the extent of the EPA's mandate and why, you'll probably find the Wikipedia page a better resource than me.
I'm not actually asking questions about the EPA here, this is more an exploration of what you think.
> They have a mandate to monitor and set standards for water systems.
So we've found a point of disagreement, because that is pretty much my definition of management. IMO, to a reasonable approximation, management is the process of monitoring a situation and setting standards that people must meet.
What do you think management involves, and what would separate the work of, say, senior management from what the EPA is doing? If the power to monitor and set standards isn't the heart of management, what is?
It's still local governments designing the water treatment systems, working with suppliers and local polluters, designating water source uses, setting the local quality standards (which may be different than the federal standards), collecting monitoring data, granting discharge permits, getting funding, handling lawsuits, filing state level reports, and so on. I'm barely even scratching the surface of how much is involved with modern infrastructure either.
I don't understand why you think an agency nationally coordinating all the local governments' efforts and making reports to Congress should exist at any level below the federal.
Well yeah, execution has to happen locally. But you did open this with a "Do you think water systems are managed at the federal level? They're not.". And I'm not sure why you think that because you seem to be describing a situation where the EPA, at the federal level, is in fact managing water systems. Obviously we have a terminology disagreement here somewhere.
I mean, if there was a software engineer designing systems, working with vendors, setting his own standards that were higher than company standards, collecting monitoring data, managing permissions, yada yada, we would still have to acknowledge that he was not the manager in the region, he is an employee and the manager is someone else. He is managing some aspects of the situation, no doubt, but if we ask "who is managing all this" the conventional answer isn't the developer, but the developer's manager. "Management" is typically reserved for the senior managers in the area monitoring the outcomes and setting high-level standards. By analogy, the EPA is attempting to manage water systems at the Federal level.
Do parts of that chain of logic seem questionable to you? Is it possible that when you say "managed" you mean what I would call "executed"?
> I don't understand why you think an agency nationally coordinating all the local governments' efforts and making reports to Congress should exist at any level below the federal.
I recommend asking questions if you don't understand something. It works well for me. This (drinking water) is a critical system. Centralised management is too risky, if something goes off the rails then it'd affect drinking water across an entire country. It is better to have disparate systems where failure is more localised.
Right now, the headline suggests <10% of the US is at risk. Trading that for a situation where there is a <10% chance that all of the US is at risk is actually making the risk profile worse. The chance of a problem is the same because nothing has been done to lower the triggers, but the consequences are substantially worse because the system is trying to centralise under the EPA. The EPA shouldn't be in a position where local authorities feel they have to sue them to keep the system decentralised, they shouldn't be trying to manage local operations.
When presented with an issue that poses a real and present danger to the drinking water supply of citizens of this country your contribution is pearl clutching over notional mandates? To be clear, in your opinion "overstepping their mandate" is the bigger threat here? Here's a wild idea, how about we return to the concept of actual governance for the first time in a few decades and actually empower the EPA with both budget and enforcement rights to ensure that local and state run systems that our fellow citizens rely on aren't falling through the cracks?
> ...your contribution is pearl clutching over notional mandates...
> Here's a wild idea, how about we return to the concept of actual governance for the first time in a few decades...
These two ideas are actually somewhat contradictory, I recommend picking one. You can't return to good governance by ignoring governance every time you think something needs to be done.
And you don't need the EPA to be involved to defend against these sort of risks. In fact, standardising the IT approach through the EPA might increase the risk since any vulnerabilities will be more likely to be standardised. Highly heterogeneous systems are expensive and difficult to cripple. If an adversary wants to attack there is a single point of failure they can target - the EPA process.
> In fact, standardising the IT approach through the EPA might increase the risk since any vulnerabilities will be more likely to be standardised. Highly heterogeneous systems are expensive and difficult to cripple.
This is not a safe assumption to make. As an example: Standardized patching programs are very basic and reduce a lot of this risk. Without them (or incentive/budget for them), it’s typical for most private and public orgs to end up with pretty bad security posture.
This is a known failure state that results in many known vulnerabilities that can be trivially exploited, regardless of how heterogeneous these various networks are.
Sadly, from what I’ve seen in the news and in various reports, I don’t think many regional organizations have the funding, expertise, or incentive to run effective security programs.
Clearly you need someone involved to defend against these sort of risks as they are demonstrably not being addressed currently. May as well involve the EPA, they already exist and water is already a thing they do. Given we're already discussing a diverse mix of insecure systems "heterogeneity" isn't much of a talking point. You're proposing local and state governments spend orders of magnitude more taxpayer money on duplication of effort. In a forum that generally favors efficiency this seems out of place.
They are being addressed. By the headline something like >90% of the US isn't affected.
If it was a more centralised system, there'd be a 90% chance it was all working and a 10% chance that the incompetent local officials were incompetent EPA officials instead, standardising everyone on insecure systems with nobody able to overrule them. It'd make a bad situation into an all-or-nothing gamble with substantially worse worst-case performance.
> You're proposing local and state governments spend orders of magnitude more taxpayer money on duplication of effort.
Doubt it. The expenses are going to be mostly capital and operating ones that can't be avoided.
10% of the US is like 30 million people.
Is 30 million people’s water being at risk in one of the richest countries on the planet a success? Is it even good enough?
Percentages like that aren’t as meaningful for government as they are for SaaS products.
> Doubt it. The expenses are going to be mostly capital and operating ones that can't be avoided.
This suggests to suspicion you've never worked in or with local or state government agencies and have spent zero time in a water treatment facility. I've done both so here's a couple of things that might help form a more robust picture of the situation:
1. These organizations are typically operating with budgets below the minimum requirements necessary to maintain the systems they're responsible for. This is why municipal bond initiatives are so common for water system maintenance and expansion projects.
2. Private contractors created this situation. Local and State government agencies contract out all of their IT projects and do not have personnel on staff capable of performing the work under discussion.
Point 1 isn't anything to do with economies of scale though - the municipal authorities could operate with an appropriate budget.
Point 2 is underdone, the question is basically should knowledge be in the private or public sector. Given that the private sector is generally more efficient than the public it seems a bit of an assertion to say that contracting out projects will decrease efficiencies. It could easily make the situation better. The US Federal government is absolutely known for being captured by contractors and consulting firms because it is a big, obvious & lucrative target and its bandwidth is completely overwhelmed to the point where very few people vote based on EPA policy. Odds are it'd be much more efficient to handle that at a lower level of government.
> This suggests to suspicion you've never worked in or with local or state government agencies and have spent zero time in a water treatment facility.
This is a silly point. I might as well ask "Are you one of the people who are managing water operators in the US incompetently?". If the debate is that the managers are clearly not up to the challenge, a lack of expertise is not a downside because the process the managers are using is being challenged.
I have had a lot of experience on the subject of organisational design. If you want better results, centralising into a single unaccountable bureaucracy isn't usually the way to get there. It is a bad strategy.
Private industry is even less accountable to the public than government agencies so that dog doesn't hunt.
How so? What accountability measures exist for the EPA that don't exist for the private sector?
I anticipate you saying voting, so I'll preemptively observe that voters can vote for the government to switch to a different private provider too. Voting doesn't lose any of its potency if the government uses contractors, although it runs into the same problem as always that the EPA is realistically never going to be high enough on the priority list to change an election's outcome.
There's many people who would reasonably disagree with a course like this, because there are no elected positions in the EPA.
The whole "overstepping their mandate" thing is perceived as a very real and present threat among MAGA people, for this reason specifically. This is the whole notion of "The Swamp" Trump was going to drain; unelected career bureaucrats.
That they would disagree isn't in question. That their position is reasonable is, however, very much up for debate. Career bureaucrats are literally the pool of experience and expertise that make government agencies function, to the extent that's possible given legislative hobbles. The only thing that gets drained when these people are replaced by elected officials or private industry is expertise and theoretically sane incentives.
It’s funny how it seems we care more about years of expertise for the engineers on our software teams than the people running government.
There’s a balance that needs to be struck between new blood with fresh perspectives and old guard with decades of experience navigating Washington politics.
EPA can only regulate what congress empowers them to regulate.
You’re pretty close to the mark on the line of thinking. Boiling down complex issues to pablum and creating problems is a hallmark of modern conservatism. Sorta like I set your house on fire, then launch a campaign attacking the firemen for not putting it out fast enough.
Somehow I doubt the security posture was magnificent even before the defunding. This kind of thing is usually a simple checklist item for companies let alone government agencies.
> Cybersecurity is unfortunately not “sexy” enough for the common American voter to get behind.
Government info-sec jobs suck too. Crap pay, red tape, onsite only. Also, a lot of security people have ethics surrounding privacy, data security, etc. Why work for a culture that spies on its own citizens, its allies, and engages in global terrorism? The NSA can attract some decent mathematical minds but lacking on the security front.
> Why work for a culture that spies on its own citizens, its allies, and engages in global terrorism?
If you're working government info-sec for drinking water systems, it's going to be mostly for municipal water systems, often agencies that are a similar geographic scope as counties or cities but sometimes independent from them. Water districts aren't spying much (unless you have strong feelings about water meters, or lawn watering restrictions), and they rarely take part in acts of violence outside the districts they serve and the sources of their water.
Some of these systems are private companies, and who knows about ethics there, sure.
The math people work towards the same goal. Why single them out?
The NSA famously recruits math geniuses and quants to solve abstract problems, esp. around cryptography. If you're a security person hired to harden infrastructure or web services, it's not so abstract. People like Snowden for example.
NSA's early career recruiting pipeline is pretty strong at the collegiate level. They recruit from a LOT of good universities that top tech employers don't recruit from (eg. UTSA, Texas Tech).
The issue is the US Government is hundreds of agencies, and each state in turn has hundreds of agencies as well.
Each of these agencies has their own IT that manages that agency's infra and security AND they are very limited funds wise and salary wise.
For example, back when I was a PM, a customer of mine was the de facto CISO of a several hundred person agency yet only earned around $120k a year and had a less than $1M budget for all IT spend.
The agency could not build its own hiring pipeline (having to resort to USAJOBS and the department it was a part of) nor was there any truly unified security platform.
While the naive answer would be "have everyone use a single platform", just about every presidential administration in the past 20 years has tried that and failed.
> While the naive answer would be "have everyone use a single platform", just about every presidential administration in the past 20 years has tried that and failed.
Isn't that literally the job of a National Security Agency, instead of spying?
No.
Ever since WW2, the NSA's primary role has been Signals Intelligence, not Internal IT.
Offensive Security is an entirely different mission from Defensive Security.
I think it is safe to say that few if anyone actually understands the common American voter and what they actually care about. Anecdotally, the prevalence of cyber-security plot points in action thriller movies/games/books indicates that there is at least some awareness of the threat.
My core question is, why? I understand that security can be difficult, but why is infrastructure that is able to operate effectively for many decades before micro controllers were even a thing vulnerable to remote attacks?
I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted, but why is the core operational infrastructure that way? Command and control should be isolated and be using 50-70 pneumatic tech to control it. Building in such a way to allow it to be disrupted remotely is the core problem here.
Just because you can, doesn't mean you should.
A water treatment plant would need about 2 people to a shift (and 4 sets of people) to have 24/7 monitoring (one to watch the control screens, and one to handle tasks like running tests on water, handling deliveries, etc., that takes you away from the screens), and that basically doesn't change if you're a small facility making 10KGD of water or a large facility making 100MGD of water. There is serious economy of scale going on here.
If you're a small facility servicing a few thousand people, you can't afford to have that kind of monitoring, and so you have to economize in various ways. One of the popular ways is pooling together with other small facilities so that you have one person doing that monitoring for several sites at once, which requires some form of remote operation.
Furthermore, when I worked at a large water company, all of our network, even the telemetry to the various pumping stations dotted around the service area, was on a private network airgapped from the internet. But there's also economy of scale here; a large company servicing 1.5 million people in a large metropolitan area can afford to do custom fiber backhaul in a way that even a bunch of small companies in the rural Midwest cannot, and so the control systems end up being Internet-accessible because it's too expensive for them not to be.
I understand that monitoring and status is reasonable to optimize for cost and this comes with some tradeoffs. Loss of monitoring should not equal a loss of service, not unless that monitoring is offline for an extended period.
The actual functional control for ensuring a critical service like water is working should remain as an analog computer with something like pneumatics, or other such technology. These are robust and can continue to operate even when electronic circuits have failed.
Loss of visibility, and loss of service should be separated. This should be the same even for power stations as well.
I only work on power stations, but about 30 of 33 I have worked on are accessible by VPN. They aren’t staffed 24/7 and one crew will be responsible for several facilities in a geographic area. Bad weather causes problems and makes travel difficult or dangerous, so being able to control equipment remotely saves time, money or lost revenue, and is safer by avoiding dangerous travel.
The ones not on VPN were owned by a big enough utility to have their own private fibre networks.
I am ripping out analog electronics from the 70s that nobody alive wants to support and installing PLCs with Ethernet.
The attention paid to cybersecurity goes up with the size of the facility as downtime is more expensive. Failsafes preventing damage or loss of life are separate processors from the PLC and independent, often redundant systems, but still digital.
Yeah,
Small cities are quite willing to economize even if it means X risk some attacker will muck with the system.
But the thing I'd take issue with is the "can't afford it" part.
Of course these cities could afford an onsite worker. As gp pointed out, these districts operated long before the Internet and they could provide water then. But the neoliberal paradigm has appeared and suddenly the constant claim is no organization "can afford" not to do any given automation measure, no matter how illogical or dangerous. And so a key thing is calling organizations on this baloney.
> I get having monitoring systems for it that are accessible in a way they could be hacked and disrupted
Actually it’s very easy to isolate that part. One-way network equipment with physical isolation has existed for decades. An optic fibre with only an emitter on one side and only a receiver on the other will do the trick.
Fiber still relies on electronic circuits. While they can be isolated network wise they are not immune to attacks in the way a pneumatic system is.
That’s irrelevant. Pneumatic systems don’t expose telemetry towards the network.
If you want to do that - and you do because having someone next to your equipment all the time to monitor things is both a waste of time and money and very error prone - you will need a data diode.
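The one-way link discussed in the comments above gives the plant side no return channel, so nothing can be acknowledged or re-requested. The following Python sketch is an added example, not code from the thread: it sends telemetry blind with repetition and has the receiver authenticate frames and flag gaps. The frame layout, pre-shared key, repeat count and all names are assumptions, and the transport (for instance UDP into the transmit-only fibre) is left out.

```python
import hashlib
import hmac
import json
import struct

KEY = b"constructed-demo-key"    # assumption: key provisioned on both sides out of band
REPEAT = 3                       # blind repetition: the receiver cannot ask for a resend
HEADER = struct.Struct("!I")     # hypothetical frame header: 32-bit sequence number
TAG_LEN = 32                     # HMAC-SHA256 tag appended to every frame

def encode_frame(seq, reading):
    body = HEADER.pack(seq) + json.dumps(reading, sort_keys=True).encode()
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

def send(readings):
    """Plant side: datagrams to push into the transmit-only fibre."""
    return [encode_frame(seq, r) for seq, r in enumerate(readings) for _ in range(REPEAT)]

class Receiver:
    """Monitoring side: verify, de-duplicate, and record gaps it can never refill."""
    def __init__(self):
        self.next_seq, self.readings, self.gaps, self.rejected = 0, [], [], 0

    def feed(self, datagram):
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if len(body) < HEADER.size or not hmac.compare_digest(tag, expected):
            self.rejected += 1           # truncated, corrupted or forged frame
            return
        (seq,) = HEADER.unpack_from(body)
        if seq < self.next_seq:
            return                       # redundant copy of a frame already accepted
        if seq > self.next_seq:
            self.gaps.append((self.next_seq, seq - 1))   # alarm on loss, do not guess
        self.readings.append((seq, json.loads(body[HEADER.size:])))
        self.next_seq = seq + 1

def simulate():
    """Constructed run: 4 readings over a link that drops or corrupts some copies."""
    sample = [{"tank_level_pct": 70 + i, "pump_on": i % 2 == 0} for i in range(4)]
    wire = send(sample)                  # copies 0-2 carry seq 0, 3-5 carry seq 1, ...
    bad = bytearray(wire[9])
    bad[8] ^= 0xFF                       # flip one payload byte in a copy of seq 3
    delivered = wire[0:3] + [wire[5], bytes(bad), wire[10], wire[11]]
    rx = Receiver()
    for datagram in delivered:
        rx.feed(datagram)
    return rx
```

In the constructed run every copy of reading 2 is lost, so the receiver ends with a recorded gap rather than a silent hole in the trend data.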
As others have said in more detail: cost. So they enable remote control to cut costs.
They don't want to pay a 24/7 on-site ops center. They take their chances and bolt-on security, and that's how the incentives work today.
It is cheaper, your product takes fewer people to operate, you can outsource the operations, if you deliver IoT solutions you get to call yourself a tech company which gets you valued at 30x earnings instead of 10x earnings, getting hacked does not affect your stock price, and the actual effect of getting hacked is actually minor because you get hacked by the functional equivalent of Dr. Evil who takes down water for millions of people or cripples a billion dollar business, then asks for the staggering sum of 1… million dollars.
https://www.wired.com/story/oldsmar-florida-water-utility-ha...
It’s probably necessary for something along the lines of requiring a licensed engineer to sign off on these systems if private companies are going to manage critical infrastructure.
Do computer and software engineers stamp their drawings and reports? I’ve only seen electrical, civil and mechanical drawings stamped, but that is who is involved in hydroelectric.
There is no requirement for stamped designs for digital systems as far as I know.
Indeed, and the regulatory standards get really specific about what hardware can even be installed in some locations.
Also, due to past shenanigans with vendor lock-in schemes the Engineering Managers often have a valid concern for cryptographic/locked infrastructure and maintenance cycles. Ironically, right-to-repair legislation may slowly improve the situation.
It is not a technical problem, but a bureaucratic one =3
I think it'd be a shame if engineers were the ones to make the decision in this case. The decision needs to be made by people with a more serious understanding of risk and fragility, like the military generals, and especially by the people who will bear both the upsides and downsides of the decision, a.k.a. the local community who will be consuming the water.
This is one of the few areas where rural living is better, in my experience.
Our water, power, and Internet are all delivered by local co-ops. We actually do get a direct say in how the money is spent on our infrastructure.
It's one of the reasons why I have fiber Internet whereas the closest town (managed by for profit entity) is still fighting to roll it out years after we had ours run to us.
I also got reimbursed by the co-op for the water line to my house when we built the place.
I also lobbied the power board to prioritize tree removal near lines for a more reliable service.
My rural "neighbors" pay more than 2x for electricity and don't have any water/sewer service. I live in a small town in a geographically large county that only has about 35,000 residents, so there may be differing ideas of rural at play.
We pay more, yes, but not 2x what the city people pay in the next county over. Maybe 1.2x or so. Obviously there is no sewer service, just septic tanks. That cost is minimal once they're installed. Install price was around 5k, and it costs $200 to have it pumped every four or five years.
The definition of rural to me is around 12k residents in a county that is around 1000 square miles. That's the size of where we are. The largest town is around 3k people. Two counties over is a city of about 40k. The 3k town is part of our co-op, so they have fiber. The 40k had less than 15% on fiber the last I knew, but that was two years ago. Since then they haven't run any more lines, but have added customers on their existing lines.
Who needs cybersecurity risks when you have an incoming republican administration hellbent on gutting regulations to the benefit of industry, a SCOTUS bending over backwards to help them do it (stare decisis? What’s that?), and a HHS secretary nominee who wants to singlehandedly trigger the next pandemic or two.
RFK isn't going to trigger a pandemic; don't be ridiculous. Pandemics aren't caused by individuals.
But, similar to not having any smoke detectors in your home when something catches fire at night, being in a pandemic with him running the health agency is not going to turn out well for you.
Where did I say he's going to trigger a pandemic?
> a HHS secretary nominee who wants to singlehandedly *trigger the next pandemic* or two.
> a HHS secretary nominee who wants to singlehandedly trigger the next pandemic or two.
That still doesn't invalidate my statement. He can't trigger a pandemic; he doesn't have the ability to engineer a virus, and I don't think he's going to find anyone to help him do so. Besides, why do you think he wants a pandemic? The guy's a fruitcake, but I haven't seen any evidence that he's actively malicious this way.
I don’t disagree with your statement. I disagree with your assertion that your statement stands in opposition to mine and the accompanying pedantry.
If one concludes that >92% of Americans are served by properly secured facilities, that sounds like quite a win!
(It’s all about spin)
Of course, an example statistic like 99.9% of airline passengers surviving a flight is not all that great…
Why do the water systems need to be connected to the internet at all? If the systems are completely disconnected from the internet there shouldn't be much cybersecurity risk. Of course there still needs to be proper precautions to prevent a Stuxnet type worm getting through.
Yeah I never understand all these systems being connected at all. I understand remote working and monitoring, but is that worth it for something that is the most crucial part of society?
Now is a good time to prep. Get a few food-grade 55 gallon drums - you can usually find them at food/restaurant supply stores or people trying to get rid of them on craigslist/fb market. Get a dolly so you can move them around your garage or basement. Just need a few teaspoons of bleach to keep it good for ~ 6 months. If your washer is in your basement, you can disconnect the cold line to fill up the drums, or you can run a garden hose. They also make kitchen faucet to garden hose attachments. When you need to drain it, a cheap transfer or sump pump will do the job.
Speaking as someone who has the entirety of my heat for this winter stacked up in totes, prepping by storing bulk materials is not really something to be done lightly. Unless you turn this DIY water buffer into something you use in your everyday life (i.e. thirsty? time to go to the basement to get a glass of water), you will get bored of maintaining it long before the municipal water supply fails.
Also 55 gallons of water is ~450lbs, so it's not going to be terribly easy to move with an [appliance] dolly. You probably want pallets and a pallet jack (and a smooth concrete floor).
Personally I'd suggest getting an RO filter for your everyday drinking water needs, and setting up a rain barrel collection that you can routinely use for outdoor garden/plants. Then if you suddenly need drinking water, you should be good just boiling the rain water. And if there is some large scale catastrophe with some kind of chemical/radiological contaminant in the rain, you can run it through the RO.
Yep, got to help with some water systems in small town govs. No care for security and no budget = this situation.