rented_mule a day ago
I'm a recently retired software engineer who has been on the board of directors of a small rural mutual water company (i.e., owned by the customers) for ~15 years. We have fewer than 1,000 customers / shareholders. I'm in my mid-50s and the only one on the board under 75 years old. Our community didn't have wired internet access until eight years ago, and half the community still doesn't have cell reception. You can imagine the level of technical literacy.
It's hard to imagine significant help the government could give us, short of $100K+ / year to hire a security engineer. Even then, how would small utility companies find / evaluate them? We already feel saddled with how many hours of mandatory training we have to go through each year (e.g., board members have to sit through training to remind us not to direct company funds into our own bank accounts - I doubt that's a training issue!). Looking at our two neighboring water companies, their setups have very little in common with ours or each other's. So any training would be too generic to be of much use.
I have to give credit to our company's chairman / general manager (himself 84 years old). He works to have diverse expertise on the board. He's a retired wild-land firefighter, plus there's a retired bookkeeper, a retired state employee, a retired farmer, and me. As a group, we have a lot of experience in a lot of areas. I suspect most small, rural water companies haven't found a way to have that breadth of knowledge available. But, even then, there's only so much that two full-time plus two half-time employees can do. And it's hard to have more while keeping rates sane.
On the security side, I'm no expert, but I pay attention. I do my best to help the employees understand the dangers of phishing and of downloading things onto company computers. We have a consumer grade router and none of them know how to get into it to open ports, etc. Even if things were locked down hard, we couldn't afford to hire someone to maintain that state as threats evolve. Our total compensation budget is $150K / year for all employees, and 80% of that is needed for state-licensed water treatment operators. For us, all of that means being resigned to the fact that hacks will happen. It's more about minimizing the damage and being able to recover.
I've pushed for using cloud services for things like customer billing - these services are not the ultimate in security, but they're far better than what we could do with software running on our computers. I've also put append only / offsite / offline backups in place so we can recover from encrypting ransomware (which has hit us before; luckily, we could just wipe and re-install / restore).
The biggest thing we've done is around SCADA (software / hardware involved in our water treatment and distribution). When we put SCADA in place ten years ago, I pushed for it to be read-only. That is, it can be used for monitoring and alerting, but not for controlling anything (there's literally no hardware in place to do so). So, hackers can see how much water, chemicals, etc. we're using, but they can't directly change or shut off the water. They can make us think we need twice the chemicals, but that will be a red flag for the operators who have to manually implement it. Even then, we do manual daily testing of our water in our lab and have monthly testing done by state-licensed independent labs.
But, when we put SCADA in place, I had to stop and think a lot about this given that I wasn't a security expert. And, of course, the vendor was certain it was 100% secure (a red flag in itself). But at least I had experience thinking about software issues / impact. The operators certainly wanted automated control, as that would save them from having to drive to the plant in the middle of the night. And without automated control, we have to use more chemicals, as we can't optimize usage by reacting in real time to changes in pollutants in our source water. But we'd all rather deal with those downsides than find out someone has compromised our water. So it was easy to sway them.
It's far from perfect, but we've mostly limited potential damage to things that aren't deadly, literally or figuratively. Without someone like our chairman / general manager being dedicated to bringing in diverse expertise via the board, I don't see what chance we'd have. And in certain parts of the country, it would be hard to find security (or at least software) expertise to sit on the board.
Something our state is doing to attack the lack of economies of scale (in this and other areas) is trying to force rural water systems to merge. About half in our area have been folded into the water company for the "big" city (5K people), 20 miles away from us. That's too far to move treated water given our local terrain, so they have to keep running the systems from afar. But at least they can spread (e.g., IT) expertise across these systems. Where this has happened near us, water rates have roughly doubled. Maybe that trade-off is okay, at least for those who can afford it?
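A sketch of the monitor-only idea described in the post above, as an added example that is not code from the original post or from the poster's water company: readings from a read-only SCADA feed are checked for plausibility (physical bounds, rate of change between intervals, a suggested chemical dose far above the recent median, and disagreement with the daily manual lab test), and anything odd is queued for an operator to look at. Nothing in it can send a command to the plant, which is the whole point. The tag names, bounds, tolerances, dose history and sample readings are all assumptions constructed for illustration, not the poster's real values.

```python
"""Triage for a monitor-only SCADA feed: readings are checked for plausibility
and anything odd is queued for an operator. There is deliberately no write
path to the plant. Added example, not code from the original post; tags,
bounds, tolerances and sample values are assumptions for illustration."""
from dataclasses import dataclass
from statistics import median

# Assumed plausible physical bounds per tag (a real plant uses its own limits).
BOUNDS = {
    "turbidity_ntu": (0.0, 50.0),
    "free_chlorine_mg_l": (0.0, 5.0),
    "flow_gpm": (0.0, 400.0),
    "chlorine_dose_lb_day": (0.0, 40.0),
}
# Assumed largest believable change between consecutive readings of a process
# variable. The dose tag is handled separately by check_dose.
MAX_STEP = {
    "turbidity_ntu": 5.0,
    "free_chlorine_mg_l": 0.5,
    "flow_gpm": 100.0,
}
# A displayed dose above this multiple of the recent median is a red flag.
DOSE_RATIO_LIMIT = 1.5
# Assumed tolerance between the SCADA sensor and the daily manual lab test.
LAB_TOLERANCE = {"free_chlorine_mg_l": 0.3, "turbidity_ntu": 1.0}


@dataclass(frozen=True)
class Reading:
    ts: str      # timestamp as an ISO-8601 string, local time
    tag: str
    value: float


def check_bounds(r):
    """A physically impossible value means a bad sensor or a tampered feed."""
    lo, hi = BOUNDS[r.tag]
    if not lo <= r.value <= hi:
        return f"{r.ts} {r.tag}={r.value}: outside plausible range [{lo}, {hi}]"
    return None


def check_step(prev, cur):
    """Process variables move slowly; a jump beyond MAX_STEP needs a human look."""
    if prev is None or cur.tag not in MAX_STEP:
        return None
    if abs(cur.value - prev.value) > MAX_STEP[cur.tag]:
        return f"{cur.ts} {cur.tag}: jumped {prev.value} -> {cur.value} in one interval"
    return None


def check_dose(r, recent_doses):
    """The 'twice the chemicals' case: a suggested dose far above the recent
    median is flagged so an operator does not act on it unquestioned."""
    if r.tag != "chlorine_dose_lb_day" or not recent_doses:
        return None
    base = median(recent_doses)
    if base > 0 and r.value / base > DOSE_RATIO_LIMIT:
        return f"{r.ts} suggested dose {r.value} is {r.value / base:.1f}x the recent median {base}"
    return None


def check_against_lab(latest, lab_results):
    """Cross-check the latest telemetry against the independent manual lab test.
    This catches a slow drift that no single step check would notice."""
    alerts = []
    for tag, lab_value in lab_results.items():
        r = latest.get(tag)
        if r is not None and abs(r.value - lab_value) > LAB_TOLERANCE[tag]:
            alerts.append(f"{r.ts} {tag}: SCADA says {r.value}, lab measured {lab_value}")
    return alerts


def triage(readings, lab_results, recent_doses):
    """Return operator alerts for a batch of readings. Read-only: no actuation."""
    alerts = []
    last = {}
    for r in readings:
        msg = check_bounds(r) or check_step(last.get(r.tag), r)
        if msg:
            alerts.append(msg)
        dose_msg = check_dose(r, recent_doses)
        if dose_msg:
            alerts.append(dose_msg)
        last[r.tag] = r
    alerts.extend(check_against_lab(last, lab_results))
    return alerts


# Constructed sample feed: two clean intervals, then one interval with a
# turbidity spike, a negative flow, a doubled dose, and a chlorine sensor
# that has drifted in small steps away from what the lab measured.
SAMPLE_READINGS = [
    Reading("2024-03-01T06:00", "turbidity_ntu", 1.2),
    Reading("2024-03-01T06:00", "free_chlorine_mg_l", 1.2),
    Reading("2024-03-01T06:00", "flow_gpm", 150.0),
    Reading("2024-03-01T06:00", "chlorine_dose_lb_day", 12.0),
    Reading("2024-03-01T06:15", "turbidity_ntu", 1.3),
    Reading("2024-03-01T06:15", "free_chlorine_mg_l", 1.3),
    Reading("2024-03-01T06:15", "flow_gpm", 152.0),
    Reading("2024-03-01T06:15", "chlorine_dose_lb_day", 12.0),
    Reading("2024-03-01T06:30", "turbidity_ntu", 30.0),
    Reading("2024-03-01T06:30", "free_chlorine_mg_l", 1.7),
    Reading("2024-03-01T06:30", "flow_gpm", -5.0),
    Reading("2024-03-01T06:30", "chlorine_dose_lb_day", 24.0),
]
# Constructed: this morning's manual lab result and the last week of doses.
SAMPLE_LAB = {"free_chlorine_mg_l": 1.1}
SAMPLE_RECENT_DOSES = [11.5, 12.0, 12.0, 12.5, 12.0, 11.8, 12.2]

if __name__ == "__main__":
    for alert in triage(SAMPLE_READINGS, SAMPLE_LAB, SAMPLE_RECENT_DOSES):
        print("REVIEW:", alert)
```

The four alerts the sample produces map to four different ways a read-only feed can lie: an impossible value, an implausible jump, a suggested action that is out of line with history, and a sensor that quietly disagrees with the independent lab test. Only the last of those depends on a measurement the attacker cannot reach through the network, which is why the daily manual test matters even with all the software checks in place.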
mxuribe 10 hours ago | parent | next
Hey @rented_mule, thanks very much for sharing, and I want to thank you for what you and the board and the operators over at the water company do for your community! I'm glad that there are people in the world like you and the rest there, who help the community! While I understand that funding might be very limited or non-existent, actually, your situation sounds almost exactly the kind that could benefit from support from a government entity. It could run the gamut from free training, to actual technical advisement and support, to direct funding for cybersecurity/protection operations, etc. To be clear, I don't mean that the gov. comes in there and takes over - no, no, no. I mean that some gov. entity comes to you and asks what they can do to help. Sure, they can advise on best practice, but it's your show, and you should run it your way... it's simply that they might have the know-how and funding to help you and your water company. At least, that's what I figure should happen to help communities like yours and others! :-)
Ylpertnodi a day ago | parent | prev
> e.g., board members have to sit through training to remind us not to direct company funds into our own bank accounts - I doubt that's a training issue!
"Have to"? As in 'obligatory'?