First, a couple of things:
You may have noticed that this site has a shiny new domain. Well, not new, I’ve had it registered for a while. I just got around to finally using it. So, welcome to ransomwaresommelier.com.
We blew away the funding goal for issue 1 of the Yours Truly, Johnny Dollar comic book. A sincere thanks to everyone who backed us.
Weirdly, I get a lot more engagement on posts when I use curse words in the title and I am all for giving you people what you want.
The title is because of this really good article from Jonathan Greig in The Record. The gist of the story is that the EPA tried to implement new rules mandating that cybersecurity assessments be added to audits of public water systems. This was successfully challenged by attorneys general in several states.
The fact is that water utilities are being targeted by all sorts of attackers, not just ransomware groups. But, a ransomware attack against a water utility can be disruptive (or worse). And, I know, industry groups want to regulate themselves rather than have the government do it, but the truth is they aren’t.
Congress is trying to increase funding available for water utilities in rural parts of the country to improve cybersecurity (though not providing nearly enough funding). But it is impossible to know how to spend that additional funding without conducting cybersecurity assessments. The EPA is asking water utilities to do just the basics: understand what their weaknesses are and what needs improvement. That should not be controversial. It is the bare minimum any organization must undertake to improve security, and it should be a no-brainer for critical infrastructure like water utilities.
According to the Washington Post article, “…the petitioners to the court contend that the agency’s cyber rule will impose greater financial burdens on small utilities.”
Yes, security is expensive and that sucks, especially for rural water utilities, but a cyberattack is significantly more expensive both to the water utility and the people it serves. Too often we try to hide this cost of cybersecurity by simply not investing in it, but that isn’t going to work any more. There are too many bad actors out there who simply do not care about the disruption and pain they cause to victims. Investing a few dollars more per year per customer to improve the security of these water facilities will keep people safer in the long run. It is too bad that short-sighted Attorneys General are more interested in scoring political points than actually protecting the people they are supposed to be serving.