If you were to ask a room full of city administrators, county administrators, and elected officials to list items that they consider ‘critical infrastructure’ they would shout out things like roads, bridges, sewers, water, lift stations, and buildings.  Few would mention their network, the software used for daily operations of something like water and sewer systems. Very few (if any) would talk about the security surrounding the network and the software, or the people using the software.

We sometimes have a very Eisenhower-era definition of critical infrastructure. While all the items listed above are indeed critical infrastructure, there remains a lack of understanding or admission that the municipal water and wastewater systems are heavily reliant on a connection to the internet and as such are attractive targets to computer hackers and other malicious individuals.

Information security incidents

In my personal experience, the advent of something seemingly simple as the computerization of the city water and sewer system for efficiency is attractive to city leaders from an operational expense perspective.  The ability to reduce costs by relying on computer systems for water and wastewater handling is an important goal for almost every appointed leader and elected official.

These are all good things to strive for, and yet, the ability to prevent hacks of these operating systems is not as high a priority as systems like the power grid might be.  It is difficult to say why, but the practical reality is that hackers from unfriendly nation states and professional hacking businesses around the world are probing your municipal and county water systems.  In a 2016 issue of “Governing,” Tod Newcombe points out that these hackers are indeed probing your systems, and can cripple your system to hold it for ransom or take it down.  As a former mayor, I know residents have expectations that when they flush the toilet “things disappear,” or that when they turn on the tap clean water flows. If you aren’t engaging in securing your water and sewer networks, you are taking a huge risk.


Creating frameworks, policies, procedures, and strengthening your network is critical to long-term viability. It’s likely that you are relying on IT generalists to run the city’s network.  In fact, most cities and counties are, which has been shown in studies like the 2016 ICMA survey on cybersecurity and municipal government.  There is certainly nothing wrong with this approach for most of your municipal needs, but when it comes to securing things like water and sewer, and the data you store from all other departments, it is critical to recognize that an information security professional is needed to properly create the framework, write policies, and implement them into your organization in a way that isn’t weighed down with complexities.  Again, the ICMA study showed that the cost of a dedicated information security professional is cost prohibitive for most cities and counties and as a result, an information security professional is not a part of your team.

This is where FRSecure can help.  By contacting FRSecure, you can have us assess your needs, understand your weaknesses, and create a solution that is vendor agnostic.  In a world where hackers and attackers are becoming more and more interested in your network and your sewer and water systems, you need professional help. We are here to assist you and look forward to working with you.

penetration testing

Jim Nash on EmailJim Nash on Linkedin
Jim Nash
Information Security Evangelist at FRSecure
Jim's experiences in both politics and the InfoSec industry have cultivated him into a strong and animated communicator that has the ability to crystallize difficult concepts into digestible ideas. These skills and experiences have morphed him into a cybersecurity and information security evangelist, focusing on publicizing the need for organizations to make cyber threats a business liability and not just an IT problem.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *