The Biden administration on Tuesday warned the nation's governors that drinking water and wastewater utilities in their states are facing "disabling cyberattacks" by hostile foreign nations that are targeting mission-critical plant operations.
"Disabling cyberattacks are striking water and wastewater systems throughout the United States," Jake Sullivan, assistant to the president for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter. "These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities."
[...] The letter extended an invitation for secretaries of each state's governor to attend a meeting to discuss better securing the water sector's critical infrastructure. It also announced that the EPA is forming a Water Sector Cybersecurity Task Force to identify vulnerabilities in water systems. The virtual meeting will take place on Thursday.
"EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems," Regan said in a separate statement.
(Score: 4, Interesting) by drussell on Saturday March 23 2024, @12:47PM (28 children)
Why on earth would a PLC involved with water plant operations be connected to the internet?
(Score: 2, Offtopic) by canopic jug on Saturday March 23 2024, @12:55PM (14 children)
And why would m$ products be in production environments, let alone networked production environments?
Money is not free speech. Elections should not be auctions.
(Score: 4, Interesting) by drussell on Saturday March 23 2024, @02:10PM (9 children)
Why are you talking about Windows and TCO? This has nothing to do with Microsoft; we're talking about the logic controllers that operate equipment in industrial settings.
Don't get me wrong, I'm no fan of Microsoft or their poor quality software, but that's not the issue being discussed in this article.
(Score: 2) by aafcac on Saturday March 23 2024, @02:35PM (3 children)
Yes, whether or not it's an MS product is at best a secondary issue here. Why are these being run over the internet? And is this a matter of them being run over an improperly secured VPN, or is there something even dumber going on?
IMHO, it makes precisely no sense to run such security sensitive systems over a public internet, even with a VPN being involved. Given the number of people that could be sickened, it seems like there should be a better way of dealing with it.
(Score: 2) by drussell on Saturday March 23 2024, @03:12PM (2 children)
It's a PLC. It doesn't "run" over the internet. Do you even understand what a PLC is?
You might want to perhaps monitor (or perhaps even control) some aspects of your system from a remote location, but you don't do this by directly connecting the damn PLC itself directly to the internet!!
(Score: 4, Informative) by GloomMower on Saturday March 23 2024, @03:44PM (1 child)
There are many PLCs with ethernet. Or devices that are on the internet connected to a PLC through serial or RS485.
don't do/shouldn't do not can't do.
I'm pretty sure Stuxnet infected the computers that connected to the PLC. More and more systems are not air-gapped, it is too darn convenient for optimization of usage, and man-hour reduction.
(Score: 2) by drussell on Saturday March 23 2024, @03:52PM
Of course most modern PLCs have ethernet ports, not just serial ports, but ethernet interface ≠ connected to internet!!
(Score: 1, Informative) by canopic jug on Saturday March 23 2024, @04:53PM (4 children)
Why are you talking about Windows and TCO?
The inner layer might be microcontrollers, but over the decades they have been networked and connected to Internet-facing Windoze systems, for the convenience of nation state attackers. Thus Windoze is part of the mix.
The layer of industrial microcontrollers connected to the sensors, valves, and pumps is, obviously, not Windoze. It can't be. Those devices have to work or people would notice. However, in the layers above that, the ones connected to the open Internet, you will find Windoze all too often [unitronics.com]. Thus the problems of the total cost of ownership [soylentnews.org] for Windoze are relevant as these breaches are not externalities but an integral, unavoidable component in foolishly placing Windoze in Internet-facing production environments while giving said same Windoze boxes direct access to industrial control systems.
Money is not free speech. Elections should not be auctions.
(Score: 4, Insightful) by Anonymous Coward on Saturday March 23 2024, @06:17PM (3 children)
Listen, I love to hate on Windows (and Microsoft) as much as the next soylentil around here, but using terms like 'windoze' does not make our side come across as particularly 'adult'. Secondly: redirecting everything even remotely related to vulnerabilities to microsoft, even though they are not the focus of the point attempting to be made in the article, deflects the blame from those who deserve it and where it could actually help by shining light, to a place (that also deserves it) that has no control over the main complaint in the article and thus makes zero difference.
So please, knock it out and behave a bit more like an adult. You're making us serious people look like clowns by association.
(Score: 4, Touché) by Tork on Saturday March 23 2024, @07:51PM (1 child)
Quoted for agreement. I don't know about the AC but I'm a green-site refugee and despite my daily headaches with Windows I still found too many people on that site, many using the same terminology canopic jug is, brought up MS tropes even where they weren't relevant because it earned karma.
I'm not saying canopic jug isn't right, mainly I'm sticking my nose in because the redundant moderation was hasty.
🏳️🌈 Proud Ally 🏳️🌈
(Score: 4, Interesting) by canopic jug on Sunday March 24 2024, @05:40AM
[...] I'm a green-site refugee and despite my daily headaches with Windows [...]
More noticeably I see that defending m$, Windows, and Bill against all criticism, especially legitimate criticism, also has become a trope, particularly on censorious sites like the two orange ones. I can't say about the green site, but it too was like that when I last logged in there so very long ago. Whining about common writing styles is one way to distract from the actual topic, a topic which hurts m$ and its minions.
Back to the topic at hand and leaving the debate about style aside, here, on SN, the fine article linked to in the very summary at the top includes mention by name of Unitronics [unitronics.com] which is most clearly a Windows problem. It is even named as a factor (aka problem) in the Florida, Pennsylvania, and other state water treatment facility breaches.
The Windows deployments there and elsewhere did not occur spontaneously. Those misfit products were ordered purchased and ordered deployed by real people with names and addresses. If the US were serious about the network security problems surrounding water treatment, they could be solved quite quickly by any number of approaches, some faster some slower. But slow or fast, solving them is possible. If someone were to drill holes all over or blast a dam, the feds would swoop in probably even at the planning stage. If someone were to build a dam with knowingly substandard methods or materials or design, the feds would swoop in, probably even at the planning stage. Yet, although water treatment and management is essential, critical national infrastructure all knowledge and best practices are thrown out because of Windows and M$ exceptionalism. The products are not fit for purpose and everyone knows it, and those products have been that way for so many decades one can accurately say it is by design. However, since the pivot to politics and lobbying by M$ since back around the turn of the century, no one is allowed to say it or call them out. The government's announcements of memos, letters, and press releases are not going to solve the widespread managerial problems which lead to nation-crippling Windows deployments. Sending fines, jail sentences, or polished boots will.
Money is not free speech. Elections should not be auctions.
(Score: -1, Redundant) by Anonymous Coward on Sunday March 24 2024, @04:48AM
Fuck off.
(Score: 3, Informative) by RS3 on Sunday March 24 2024, @04:39AM (2 children)
Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.
But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.
The touchscreen modules often run Windows CE- the "embedded" versions of Windows, which are really quite stripped down, can be bloated up with stuff if needed, including software with libraries and modules that "talk" to the PLC.
There exist touchscreen modules that run on other OSes including Linux, and there's pretty strong Linux support for many PLCs.
In most cases it's somewhere between ignorance and laziness where all the Ethernet ports are all connected to one network segment, which is usually connected to Internet (through router / gateway / firewall).
As you might imagine, those touchscreen modules running Windows CE may want, or need, to connect to the Internet for many reasons. That doesn't mean they open any incoming service ports, but it shows how they could be vulnerable.
And it comes down to pretty much the main reason we all have and deal with the far too many vulnerabilities: people love to add features and functionality, but deprioritize security, if they consider it at all.
Remote monitoring and control of industrial processes is a very good useful thing. I think, at the very least, people should use a good VPN if they're going to use the Internet for remote monitoring.
(Score: 4, Informative) by canopic jug on Sunday March 24 2024, @06:09AM (1 child)
Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.
But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.
I've seen enough evidence, even though looking at it from the outside: The method for controlling water treatment systems which I saw demoed to me used RS485, if I recall correctly, but that was more than 20 years ago. The designer was under increasing management pressure at that time to connect the control systems to the Internet via Windows computers. That was something he refused to do and, as a consultant, was in a position to refuse. Times and situations change. People move on.
Now components with M$ requirements [epa.gov] are called out by name and are apparently common if not pervasive. Industrial control is serious business (in both meanings) but connecting the industrial control systems to the Internet via infamously insecure products in an even more insecure way is making those serious people look like clowns.
Money is not free speech. Elections should not be auctions.
(Score: 3, Insightful) by RS3 on Sunday March 24 2024, @03:30PM
Yeah, at this point pretty much everyone who isn't super hands-on with details of technology thinks it's just the thing to do to connect everything to the Internet. TBF, subsystem / component designers usually include Internet connectivity in the feature / functionality brag list. Then they pass the buck saying it's someone else's job to secure everything.
My most recent full-time job was at a small-ish food factory- maybe 200 employees. There was no IT person. They contracted out for IT services (total joke / waste of $). There were several very savvy people who did much IT work. One of the most awesome and smartest people I've ever met was many roles there, including he did much IT work. He had a degree in CS, but wore many hats well. The _only_ thing he was very wrong about: he and others had plugged all PLC / SCADA systems into a building-wide Ethernet. Many times he said the production machines (PLCs) were "air-gapped". Hmmm, then why could I run nmap and see most of the PLCs through WiFi? It's possible someone plugged in an Ethernet jumper between some of the Ethernet switches. Things weren't documented, were somewhat physically locked, and many years of learning the hard way taught me to just leave it alone, play dumb. Normally I'm wired for proactive action, but people always seem to have "reasons" for why I shouldn't touch things (in spite of me alone more than doubling the company's productivity) and I'm conflict-averse so again I've learned to back off and do other things.
Much bigger-picture problem of non-existing management. IMHO, good management would identify all talents in everyone, and apportion things based on needs, prioritizing, efficiency, productivity, etc. IE, I had, by far, the most general IT / networking talent, but was relegated to other roles. If I had stayed there I would have done more to inventory everything, including Ethernet stuff, then present a comprehensive plan to give everyone a full SCADA system of the entire production.
Yes, various forms of RS485 have been used for many control and monitoring systems for many many years. There have been many adaptations, including CAN bus [wikipedia.org]. RS485 is the basis for DMX512 which is used to control stage / show lighting systems, pyrotechnics, etc. For years Allen-Bradley (now owned by Rockwell Automation) PLCs used DeviceNet [wikipedia.org] which is based on CAN bus.
Another angle, or cake layer, is that most people can only handle so much complexity. Most people I've met / worked with in the PLC world are quite intelligent, and dealing with much complexity in the PLC world, struggling to keep up with the ever-changing PLC platforms, and have no bandwidth to deal with increasing IT complexity. IE, IT generalists and IT security specialists are needed to work with PLC people. Of course big corporations can afford such staff, but tiny producers can't afford such staff. 3rd-party providers are very expensive, might do some things well, but maybe won't do a comprehensive design. Someone onsite might make some changes, then expensive contractor gets even more expensive trying to figure out what's happened (and I've seen this many many times). It all starts to get into costs and economics and management and business-speak BS. Meanwhile, as too often, IT and IT security gets ignored until there's a break-in and panic.
Thanks for that interesting link, btw.
(Score: 2) by RS3 on Sunday March 24 2024, @04:58AM
I forgot to mention SCADA, as "Thesis" does below. Generally the software that runs on the touchscreen is considered SCADA, which can also run on PCs, hence the possibility of connecting a PLC to a PC somewhere else, possibly far away.
(Score: -1, Troll) by aafcac on Saturday March 23 2024, @01:50PM (8 children)
A combination of it being cheaper and it allowing whatever President is in charge at the time to rationalize further erosion of our civil liberties in order to get the bad guys. Things being leaked via the internet that shouldn't be connected to the internet has been an issue for decades at this point. There's no justification for it.
(Score: 0, Insightful) by Anonymous Coward on Saturday March 23 2024, @02:33PM (7 children)
It's nice to know that we haven't prevented dumb people from modding around here.
(Score: 5, Insightful) by drussell on Saturday March 23 2024, @02:56PM (6 children)
The comment in question is currently scored +1 Troll
While I would say it is probably actually more like Flamebait, a comment like this:
... is absurd on its face. Poster apparently believes that the designers / implementers of the water plant intentionally implemented it in such a way as to be easily vulnerable to attack so that the government would be able to use the occurrence of such an attack as an excuse to implement policies which further curtail civilians' civil liberties?! Really?
Additionally, why would it be "cheaper" to have a PLC connected to the internet? Cheaper how, in what way?
Too bad there isn't a -1 Absurd mod. That would be highly appropriate, IMHO.
(Score: 3, Troll) by EJ on Saturday March 23 2024, @04:17PM (3 children)
I'm not reading the rest of the posts, but it is cheaper because you can have one guy in India monitoring multiple plants for $0.50/hr instead of having to pay for someone to work at the physical site.
(Score: 2, Troll) by drussell on Saturday March 23 2024, @09:45PM (2 children)
That may be the way the telephone company operates their customer service these days, but do you actually have any evidence that your local water utility is being run and monitored by some schmoo in a cubicle in India?!
I'm pretty sure that's not a thing!!
Offshoring hundreds or thousands of call-centre jobs for customer "service" is one thing, but the couple of operations dudes wandering around the local water filtration facility, power station or sewage treatment plant monitoring things plus a few maintenance and engineering staff are probably not being magically outsourced offshore. 🙄
Anything that requires "$0.50/hr monitoring" is already being taken care of by the PLC itself. Nobody is sitting there, just actively watching some level gauge.
Water level in tank X gets above level A, open valve Y until level is below setpoint B. If limit switch L,M,N,O,or P is reached at any time, shut down that subsystem and show an alert on the maintenance crew anomaly display panel or whatever. It's all still basically just ladder logic, perhaps with a cellphone dialer at the end in a pinch, I guess...
(Score: 2, Interesting) by EJ on Sunday March 24 2024, @01:17AM
Reading comprehension is a fundamental skill.
My response was only to the question of how it COULD make things cheaper.
(Score: 2, Interesting) by wArlOrd on Sunday March 24 2024, @10:29PM
Sunday, May 8, 1988, a fire broke out in the main switching room of the Hinsdale Central Office of Illinois Bell
Who was on site to notice?
(Score: 1, Offtopic) by canopic jug on Sunday March 24 2024, @06:26AM (1 child)
Poster apparently believes that the designers / implementers of the water plant intentionally implemented it in such a way as to be easily vulnerable to attack
Yet, that is, in practice, what is actually happening. The egregious design of Windows and the shoddy workmanship have both been known for decades and are common knowledge. The difference is whether bad engineering is acceptable or not, and to whom it is or isn't, and whether security is part of design or merely an aftermarket add-on provided by expensive snakeoil^w third party packages. But to deploy or maintain m$ products in an Internet-facing production environment in 2024 is to intentionally deploy systems which are easily vulnerable to actual compromise, not just log futile, ineffective attacks.
so that the government would be able to use the occurrence of such an attack as an excuse to implement policies which further curtail civilians' civil liberties?! Really?
That's the outcome not the reason. The government does take advantage of each attack as an excuse to implement policies which curtail citizens' civil liberties. The PATRIOT Act is the quintessential example of that. Take a step back and notice that the PATRIOT Act I was all written and ready and waiting on the shelf for an opportunity to push it through congress unexamined. If you need a detailed walk through with other examples, check out the book Shock Doctrine by Naomi Klein [naomiklein.org] or other analysis of disaster capitalism.
That some groups inside the borders perceive selfish benefit from these incidents gets in the way of straightening things out.
Money is not free speech. Elections should not be auctions.
(Score: 1, Redundant) by canopic jug on Monday March 25 2024, @07:07PM
Good, I hit a nerve by pointing out that the government takes advantage of each major attack as an excuse to implement policies [theguardian.com], such as the PATRIOT Act [naomiklein.org], which curtail citizens' civil liberties.
However, I would be remiss in neglecting the role of private companies and their lobbyists in all that. They draft contingency plans to have schemes for control and profit ready when the relevant, exploitable disasters strike [thenation.com]. In this case, it is Windows-connected water treatment plants which provide the opening (pun intended) for such schemes. The lowest layers of those plants are not going to be running Windows. They can't because people would notice the immediate failure. However, upper layers do and that's where things fall over because in Windows, security is a hasty afterthought and not considered part of the design process [expertinsights.com].
One more time: the PLCs are not running Windows, but the layers above, where the compromises are taking place, most definitely are. It's in the system requirements description in their marketing brochures.
Money is not free speech. Elections should not be auctions.
(Score: 4, Insightful) by quietus on Saturday March 23 2024, @06:01PM
For the same reason all other infrastructure is connected to the Internet: because the number of technical specialists who know what they are doing is severely limited in comparison to the number of infrastructure items that need to be managed.
To prevent you having to type your next reply: yes, I agree completely that this should be an out-of-band connection, separate from the Internet (e.g. plain old telephony & dial-up modem).
To that, the answer is ... [drum-roll] ... silos. As in: every industry sits in its own silo, not looking at what has happened to other industries. As a relevant example, the networking world had to relearn the lessons learned in the 60s-70s by telcos with their phreaker problem: use a separate line for command-and-control. Took them until the 2000s before the realisation dawned.
Not so bad, if you realize that, according to rumor (cough..2600..cough) you could still call internationally for free (i.e. phreaking) from select airports in the United States.
Plus ca change, plus ca reste.
(Score: 3, Insightful) by Thexalon on Saturday March 23 2024, @06:01PM (1 child)
Presumably, one reason would be to help plant staff manage things during the stage in the pandemic where leaving your home was considered dangerous, or to be able to help out in emergencies without having to go into the office in the middle of the night. A not-totally-unreasonable desire that unfortunately has to contend with bad software and the fact that water systems are more of a target of bad guys than you might think.
Vote for Pedro
(Score: 4, Insightful) by drussell on Saturday March 23 2024, @09:51PM
Nobody operating a seriously essential service like running the water filtration and pumping station was ever told not to go to the plant to perform their job, at any point, be it middle of the night or otherwise.
That's absolutely ridiculous. That was never considered too "dangerous."
You still don't connect the actual PLC to the internet, for fuck sakes!
(Score: 3, Interesting) by krishnoid on Saturday March 23 2024, @06:11PM
I post this a lot, but ... it describes the problem [youtu.be] with networking and infrastructure better than I can.
(Score: 2, Interesting) by Anonymous Coward on Saturday March 23 2024, @03:36PM (1 child)
https://www.theregister.com/2024/03/22/boffins_tucktotruck_worm/ [theregister.com]
Another attack surface that seems to not involve Microsoft? Who thought it was a good idea to give truck monitoring systems access to the full CAN bus...and also give it Wi-Fi?
If I owned a big rig I wouldn't be parking in busy truck stops just now, until I figured out how to disable the Wi-Fi.
(Score: 3, Interesting) by krishnoid on Sunday March 24 2024, @01:49AM
Maybe the same people who enabled the CAN-bus-via-headlight attack vector [autoblog.com]?
(Score: 2, Touché) by DrkShadow on Saturday March 23 2024, @04:06PM
Good thing we wast .. that is, *spent* all that money to replace all that Chinese networking kit! I mean, all that Chinese-made networking kit was just giving them backdoors into our infrastructure. Whew, glad that problem is solved!
Er.. wait..
(Score: 5, Informative) by Thesis on Sunday March 24 2024, @12:19AM (2 children)
I will try to simplify things for folks here who may not be knowledgeable, when it comes to Utility Systems.
Drinking water plants must be manned onsite when in operation. This is Federal and in many cases, State regulation. Many levels of licensure and permitting are mandatorily involved.
The vast majority of drinking water, waste water plants, and electrical generation plants are controlled via SCADA (Supervisory Control and Data Acquisition). SCADA is the brains that makes it all work, by communicating to the PLCs, which control the actuators on valves, chemical feed systems, switches and such via an internal network.
Most (not all) available SCADA systems for utilities are Windows based. Those solutions are cheaper and easier to support for a utility than open source systems.
Now for the real problem... Most managers for the SCADA systems software, and the Utilities, have been pushing for years to have the ability to monitor and control systems from off site. There is your internet connection, and your direct vector for infection/infiltration.
Smart folks have SCADA systems completely physically disconnected from any external network. I know of one water system personally that lost everything but the SCADA systems via ransomware. The only saving grace for them was that SCADA systems were on their own physical network. Most Utilities are not set up that way...
SCADA systems are used in many large and small scale industrial settings as well, not just in Utilities. Food for thought.
(Score: 4, Insightful) by krishnoid on Sunday March 24 2024, @01:46AM
Read-only monitoring, sure, maybe that's more reasonable for external Internet access. But control -- perhaps that should at least be through a message-passing gateway rather than via direct access, at least so that (e.g.) automatic notifications can accompany any changes, so everyone can know who-what-when-where-why an externally-originated change is being made.
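A sketch of the message-passing gateway idea raised in the comment above, added here as an illustration and not code from the thread or from any vendor: remote change requests are checked against an allowlist of writable points and their limits, and every decision, accepted or rejected, produces a who/what/when/where/why audit record. The point names, limits, operator names and the `forwarded` queue are all assumptions made up for the example.

```python
"""Control-gateway sketch: remote users submit change requests; they never
talk to the PLC network directly. All names and limits are constructed."""
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Allowlist of points that may be written from outside the plant, with
# engineering limits. Anything not listed is read-only for remote users.
WRITABLE_POINTS = {
    "well3.pump_speed_pct": (0.0, 100.0),
    "tower2.level_setpoint_m": (2.0, 9.5),
}


@dataclass
class ChangeRequest:
    who: str      # authenticated operator identity
    where: str    # where the request came from (e.g. VPN address)
    point: str    # what is being changed
    value: float  # requested new value
    why: str      # justification or work-order reference


@dataclass
class Gateway:
    authorized: set                                 # operators allowed to request changes
    audit_log: list = field(default_factory=list)   # every decision lands here
    forwarded: list = field(default_factory=list)   # stand-in for the plant-side queue

    def _audit(self, req, decision, reason):
        record = {
            "when": datetime.now(timezone.utc).isoformat(),
            "who": req.who,
            "where": req.where,
            "what": f"{req.point}={req.value}",
            "why": req.why,
            "decision": decision,
            "reason": reason,
        }
        # A real deployment would also notify on-site operators here.
        self.audit_log.append(record)
        return record

    def submit(self, req):
        """Validate one request; forward it only if every check passes."""
        if req.who not in self.authorized:
            return self._audit(req, "rejected", "unknown operator")
        if not req.why.strip():
            return self._audit(req, "rejected", "no justification given")
        limits = WRITABLE_POINTS.get(req.point)
        if limits is None:
            return self._audit(req, "rejected", "point is not remotely writable")
        if isinstance(req.value, bool) or not isinstance(req.value, (int, float)):
            return self._audit(req, "rejected", "value is not a number")
        lo, hi = limits
        if math.isnan(req.value) or not (lo <= req.value <= hi):
            return self._audit(req, "rejected", f"value outside {lo}..{hi}")
        self.forwarded.append((req.point, float(req.value)))
        return self._audit(req, "accepted", "within allowlist and limits")


def demo():
    """Run four constructed requests and return the decisions in order."""
    gw = Gateway(authorized={"op_alice"})
    requests = [
        ChangeRequest("op_alice", "10.8.0.4", "tower2.level_setpoint_m", 7.0, "WO-1 refill"),
        ChangeRequest("op_alice", "10.8.0.4", "tower2.level_setpoint_m", 40.0, "WO-1 refill"),
        ChangeRequest("op_alice", "10.8.0.4", "well3.vfd_direction", 1.0, "test"),
        ChangeRequest("op_mallory", "203.0.113.9", "well3.pump_speed_pct", 0.0, "test"),
    ]
    return [gw.submit(r)["decision"] for r in requests], gw


if __name__ == "__main__":
    decisions, gateway = demo()
    for rec in gateway.audit_log:
        print(rec["decision"], rec["who"], rec["what"], "-", rec["reason"])
```

Rejected requests are logged as well as accepted ones, so an on-site operator sees attempted changes and not only the ones that went through.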
(Score: 0) by Anonymous Coward on Sunday March 24 2024, @01:57AM
Could use VPNs.
e.g. outsider VPNs in to a restricted network and from that network has limited and monitored access to the servers that provide the dashboards etc for the PHBs.
From what I see while some of these software runs on Windows, they could have the same problems if they were on Linux instead, so it's not really a Windows problem.
For example - some of those systems were exposed to the Internet on a default port with default passwords. Doesn't take a genius hacker to pwn those.
(Score: 2) by VLM on Monday March 25 2024, @06:26PM
One assumption is there's 'the' plant. In my city, there is indeed literally "the" big wastewater plant down by the river, but we have something like 7 wells distributed for various geographic reasons. Lots of crowing about how the plant should be staffed so no remote access is required, but in the real world we're not going to staff each individual pump 24x7. It's actually infinitely worse, because we have IIRC 5 water towers of various size and uncountable remotely controllable valves and pressure monitoring gauges and flow rate meters in random little huts around the city. I've seen the GIS diagram; I have a friend working there. It would take about 1% of the population of the city just to operate every little pump and valve and gauge by 24x7 humans over radio or something. In the old days, the system was a lot simpler but wasted a lot more water and energy and required more repairs and took a lot longer to find and fix problems.
Another assumption is PLC stuff is mostly direct control. True, if you have RS-232 connection to a VFD over the internet (why?) you could trivially reprogram the motor controller to command a 3-phase motor to run a large centrifugal pump in reverse and that'll usually destroy the seals pretty rapidly and permanently and expensively. Most likely the demarc or API or UI of the system is the PLC outputs 0-10V and the VFD motor controller runs the pump 0-100% speed. Even more likely the pump controls itself, and 0-10 volts from the PLC results in 1 to 101 PSI at the regulator output. The best you can hope for with remote access is shutting off the pump to inconvenience and piss off people. Very few industrial designs include some kind of cartoonish "self destruct" pushbutton.
Another assumption is interdepartmental trust. "Lock out tag out" comes from the industrial world, like these PLCs. Nobody trusts the operators enough to not press "start" on the hydraulic press or oven or the ain't crew or electricians or whatever techs attach physical locks to save their lives. This mentality permeates PLC design. The operators usually can't do as much as the fearmongers like to claim. Much like an emergency shutdown button on an assembly line, it's far more likely you can shut stuff off than blow stuff up. Not to say there's no threat, if "the usual suspects" wanted to burn down a city they don't need to make all the water pumps explode they merely need to flick all of them into maintenance mode at the same time. The usual fear monger stories are not terribly likely. Nobody trusts anybody out in the real world and if the ops dept could F something up at 2am they probably would just because they're untrustworthy so the system is designed so they can't. And they're experts on how this stuff works so if they can't F stuff up, some random hacker doesn't stand a chance. Likewise nobody trusts engineering so ops will not wire up a "self destruct" type of design too many engineers have missed a unit conversion or something, so the "API" between hardware and the PLC is probably not 0-10 volts being "explode around 0v, work around 5v, explode around 10v" the API tends to be more like "run 10% slow at 0V, dead on at 5V, run 10% fast at 10V" and the bean counters can hyperoptimize to run 5.6789% low or whatever they calculate.
The final assumption is most of the remote stuff is control not monitor. Most of the ops dept calls when I was an engineer on call at a public utility were along the lines of advice not me doing something. Technically being able to "hack" into the local power company and read the temperature of transformer #242 is a "major hack" in an abstract sense or effort required sense, but you can't actually DO anything with that read-only data. And even if I had RW there's not much I can write remotely. I could bypass the cooling fan to remotely request to run full blast which will waste some power and/or wear it out faster. And, um... that's about it. I can't shut off the fan because the hardware thermostat will run it anyway. I can't bypass the lockout-tagout shutdown remotely because if that were possible and OSHA found out they would execute everyone by firing squad (OSHA is kinda strict, all their rules having been written in blood...).