Add new comment

Do not overlook the AWWA standards as well: G430 and J100.

It is also worth noting that the American Water Infrastructure Act of 2018 mandates a cybersecurity review and incident response planning for the entire utility, including the ICS/SCADA systems.

Some states, such as New Jersey also have also legislated cybersecurity reviews.

So legislative mandates are finally making their way in to the industry. It is also worth noting that all utilities, as regulated monopolies, have a fiduciary responsibility to their ratepayers to spend money to accomplish exactly what the law requires. If there is no legal requirement to even consider a problem, they should not spend the money because they have no authorization --unless the measure can be justified in terms of an investment to save money in a longer term. And that expenditure is usually presented and authorized by a public utilities commission of some sort.

So until recently, there wasn't even a legal mandate to do anything about cybersecurity; and that's the real reason why things look the way they do today.