There is an interesting article on TheDailyMail.net about a recent DHS inspection of a water treatment facility in a small town in New York. The article claims that “the Department of Homeland Security is requiring the Village of Athens to replace the computers at the water filtration plant to make them less vulnerable to potential hacking of the computer system”. It seems that there is currently just a single computer controlling the drinking water treatment system and supporting the administrative office for the system.
Now, I am absolutely sure that whoever came through to do this inspection it wasn’t anyone from the US Department of Homeland Security. DHS has no authority over security at water treatment plants; that authority has been loosely given to the US Environmental Protection Agency. Even the EPA wouldn’t be concerned with the Athens water treatment facility because it serves less than 3,500 customers (total population of Athens, NY is 3991 according to Wikipedia with only 1600 households which would equate to less than 2,000 customers).
I suppose that it could be a New York State agency making this inspection, but the appropriate agency in NY is the Division of Homeland Security and Emergency Services (DHSES). Even so, this water system is so small that I doubt that even they would be terribly involved in looking at the cybersecurity of the installation. There are certainly larger, more viable targets in the State of New York that need attention.
It is almost certainly a good idea to have the administrative functions of the water authority and the control system for the treatment plant on separate networks. And that is certainly hard to do when the network consists of a single computer. Having said that, it appears that, in this case at least, those security measures are beyond the budget of this system; they only have money for one additional computer.
On a closing note the article explains:
“Once the new system is in place, Homeland Security officials will come in and monitor the system for free to ensure it meets current security needs.”
That cinches the case, it wasn’t DHS involved in this operation, nor DHSES. No government agency would spend that kind of time on a small, low risk water system like this.