First Were The Toxins. Then Came The Hackers: Why Threats To Our Water Supply Need To Be Top Priority

Learn why U.S. water utilities face rising cybersecurity threats and why many lack the resources to respond. This article connects real-world water contamination, recent cyber incidents, and the founding of GSIC to protect critical infrastructure and public safety.

Ten years ago I found out our water was poisoned.

Not metaphorically – literally. PFAS chemicals, the so-called “forever chemicals,” had been emitted into the air from local industrial stacks and fallen back to earth, and precipitation slowly worked them into the aquifers beneath our town. We were drinking it, cooking with it, bathing in it. The PFAS concentration in our blood here in town ended up being twice the national average of US citizens, and recently we were declared a kidney cancer cluster.

At first, barely anyone knew. Most people didn’t even know what PFAS were. And fewer wanted to talk about it, especially the powers that be. Nobody acted like it was urgent. But those of us who understood the danger didn’t let go. We raised hell. Public meetings. Letters. Phone calls. Articles. We didn’t stop there. Eventually, I ran for water commissioner – and beat the incumbent. Not because I’m some political genius, just because enough people were finally ready to fight back.

And fight we did. Once inside, the scale of the work hit hard. We modernized operations, overhauled customer service, rebuilt trust, established transparency. And after over $20 million in investments for filtration and treatment plants, we were finally able to declare our public drinking water safe again in 2022.

That should’ve been the end of the crisis.

But just as we solved one threat, an even more sinister one was already creeping in – this time through Ethernet cables, insecure ports, and unpatched PLCs.

Aliquippa, Pennsylvania: Iranian-linked hackers breached a water station and took over the interface controlling chemical dosing. Their target? An Israeli-made PLC.

Fort Worth, Texas: Hackers dumped internal documents from the water department and claimed they could access SCADA (supervisory control and data acquisition) operator control screens remotely.

Lansing, Michigan: A ransomware attack shut down internal systems – email, billing, customer service – and the utility paid the ransom just to get back online.

These weren’t isolated events. And they weren’t sophisticated zero-day exploits either. They were simple intrusions, through exposed HMIs, reused passwords, and wide-open VPNs.

The federal government has been trying to raise awareness – CISA, EPA, FBI – they’re all pushing out alerts and best practices on the double. But the truth is, most small towns and rural utilities just aren’t equipped to act on it, and nobody is doing it for them either.

Most local staff are focused on pipes right here in town, not ominous threats from beyond our borders. Most boards are made up of volunteers who’ve never heard the words “Information Asset Inventory” or “Incident Response.” There’s certainly no InfoSec Officer on staff. There’s no Business Continuity Plan on the shelf, or at least none that includes Cyberattack scenarios. There’s often not even a budget line for IT security – expenditures are focused on thread sealant and payroll.

That’s where I saw a gap. One that threatens my home, my family, life as we know it.

And that’s why I founded Granite State InfoSec Consulting.

Because I’ve seen it from both sides. I’ve sat at the board table trying to stretch the last $10k in the budget. I’ve walked through the pump houses with rust on the panels and Windows XP still running the lye dosage pump. I’ve presided over public meetings with local neighbors expressing their concerns or frustrations about their water quality – or water bill.

But I’ve also built Information Security Management Systems to ISO 27001, TISAX®, and NIST standards for private-sector clients with security budgets bigger than our entire district. I’ve written water supplier policies and risk assessments under the America’s Water Infrastructure Act. I’ve worked with private-sector manufacturers and service providers who take this stuff seriously. And I know how to translate that high-level governance into something that actually works for a small public utility or nonprofit.

GSIC was created for this exact kind of organization:

  • Water and wastewater suppliers
  • Public works departments
  • Nonprofits providing essential services
  • Municipal boards trying to get ahead of the next disaster before it hits

We’re not another consultancy parachuting in with a tie, a PowerPoint and a cryptic checklist. We know the inside of these organizations, the quiet heroics and the glaring blind spots. We know what grants and funding might be available.

We come in with real-world knowledge and help these organizations protect themselves – without blowing their budget or grinding their operations to a halt.

And if you think that all of this sounds alarmist, consider this:

Top analysts from the NSA, CISA, Microsoft, and Dragos all agree: many critical infrastructure networks are likely already compromised.

We’re not talking about ransomware or defaced websites. We’re talking about state-backed actors quietly gaining access and waiting, sometimes for years, until the timing is right:

The Volt Typhoon campaign, linked to China, infiltrated U.S. water and energy systems using everyday admin tools to hide in plain sight. CISA said these attackers are “pre-positioning themselves to disable or destroy systems at a time of their choosing.”

Dragos reported that most small utilities don’t even have the visibility to know if someone’s already inside their ICS environments. In other words: by the time they see the alert, it’s already too late.

That should stop you cold.

This is why we can’t afford to treat Information Security and Cybersecurity like an afterthought anymore. It’s national resilience. It’s utility-level continuity. It’s public safety.

And let’s be honest: the geopolitical temperature isn’t dropping. The past and current cyberattacks are not for show or just financial gain: they are practice runs, giving adversaries the option for conflict abroad to ripple into our neighborhoods through technological and organizational back doors, diverting government attention and resources to managing local crises back home.

Water isn’t just a service. It’s a strategic target. So when those who finance those threat actors decide it’s time, the only thing that matters is whether we’re prepared – or not.

We can’t keep reacting after the fact. We need real Business Continuity plans. Real Cybersecurity measures. Real awareness from the boardroom to the operational staff.

Because when the next attack comes, the question won’t be “why didn’t we see this coming?”

It’ll be “who did we trust to prepare us, and why did they let us down?”

If you’re in the business of keeping water safe and flowing, let’s talk now. GSIC was built for exactly this moment.

Your Granite State InfoSec Team
