Case Study 2: When Impact Means Lives — A Small Water Utility
"In a bank, the worst case is money. Here, the worst case drinks the water." — Operations manager, Cedar Hollow Water District (constructed)
Executive Summary
To understand risk, it helps to leave the bank for a moment and look at an organization where the variables sit in completely different places. Cedar Hollow Water District is a small public utility serving about 30,000 residents, run on a shoestring by a handful of operators and exactly zero full-time security staff. It has almost no confidential data worth stealing — and yet its risk is, in some respects, higher than Meridian's, because its impact axis includes public health and safety. This case study is a design exercise: rather than scoring a register, you will map the utility's attack surface and reason about how the CIA triad re-weights when availability and integrity, not confidentiality, are the crown jewels. It previews the operational-technology material of Chapter 33 and sharpens the most important idea in this chapter — that risk is contextual. All details are constructed for teaching (Tier 3).
Skills applied: attack-surface mapping; reasoning about CIA priorities by context; distinguishing IT from operational-technology (OT) risk; applying likelihood × impact where impact is non-financial; recognizing that "low-value data" does not mean "low risk."
Background
Cedar Hollow runs two kinds of technology that barely speak the same language. Its IT looks like any small office: a dozen PCs, email, a billing system, a website where residents pay their bills. Its OT — operational technology — is the part that actually moves and treats water: programmable logic controllers (PLCs) that open and close valves, sensors that measure chlorine and pressure, and a supervisory control and data acquisition (SCADA) system on an operator's screen that ties it together. For years these two worlds were separate. Then, to let an operator check the plant from home, someone connected the SCADA workstation to the internet through a remote-access tool — and the two worlds quietly became one.
The district has no CISO, no SOC, and a security budget that rounds to zero. If you applied a bank's mental model — "protect the confidential data" — you would conclude Cedar Hollow has little to defend. That conclusion would be dangerously wrong, and seeing why is the lesson.
The Analysis
Phase 1 — Mapping the attack surface
Recall from §1.3 that the attack surface is the sum of all points where an attacker could try to enter. Let us draw Cedar Hollow's, separating the two worlds and — critically — the bridge between them:
```text
                        INTERNET
                            │
                 ┌──────────┴───────────┐
                 │                      │
          [Website/           [Remote-access tool] ───────────┐  <-- the bridge nobody
           billing]           (added "for convenience")       │      threat-modeled
                 │                                            ▼
          ── IT NETWORK ──                            ── OT NETWORK ──
          PCs, email,                                 SCADA workstation
          billing DB                                          │
                                                      PLCs / valves / pumps
                                                      chlorine + pressure sensors
                                                              │
                                                      ☣ PHYSICAL WATER SUPPLY
```
Figure 1.2 — Cedar Hollow's attack surface. The remote-access bridge collapses the gap between an ordinary office network and a system that controls drinking water. The most dangerous point on the map is the arrow, not any single box.
🚪 Threshold Concept: The attack surface is not just a list of boxes — it is the connections between them. Cedar Hollow's individual components might each be defensible, but the bridge from the internet to the OT network is where catastrophe enters. New defenders count assets; experienced defenders trace paths. Whenever you map an environment, ask not only "what is exposed?" but "what does exposure of this let an attacker reach next?"
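To make "trace paths, not boxes" concrete, here is an added example (constructed for this chapter, not part of the case study itself) that models Figure 1.2 as a directed graph. The node names, the trust-zone numbers and the edges are assumptions chosen to match the diagram; `zone_crossings` flags the edges that step into a more critical zone, and `without_edge` lets you test the what-if of removing the remote-access bridge.

```python
# Added example (constructed, not the case study's own material): Figure 1.2 as a
# directed graph, so "trace paths, don't count boxes" becomes computable.
ZONE = {"internet": 0, "website/billing": 1, "it network": 1,             # 0 internet,
        "remote-access tool": 1, "ot network": 2, "scada workstation": 2,  # 1 IT,
        "plcs": 2, "physical water supply": 3}                            # 2 OT, 3 physical
# Edge A -> B means "an attacker who controls A can attempt to reach B".
ATTACK_SURFACE = {
    "internet": ["website/billing", "remote-access tool"],
    "website/billing": ["it network"],
    "it network": [],                      # no modeled path from IT into OT
    "remote-access tool": ["ot network"],  # the convenience bridge
    "ot network": ["scada workstation"],
    "scada workstation": ["plcs"],
    "plcs": ["physical water supply"],
    "physical water supply": [],
}

def attack_paths(graph, src, dst):
    """Every simple path from src to dst, found depth-first."""
    found = []
    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:            # skip cycles
                walk(nxt, path + [nxt])
    walk(src, [src])
    return found

def zone_crossings(path):
    """Edges on a path that step into a more critical zone (e.g. IT -> OT)."""
    return [(a, b) for a, b in zip(path, path[1:]) if ZONE[b] > ZONE[a]]

def reachable(graph, src):
    """Everything an attacker who holds src can eventually touch."""
    seen, stack = set(), [src]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen

def without_edge(graph, a, b):
    """The same map with one connection removed (a what-if redesign)."""
    return {n: [x for x in nbrs if (n, x) != (a, b)] for n, nbrs in graph.items()}

if __name__ == "__main__":
    for p in attack_paths(ATTACK_SURFACE, "internet", "physical water supply"):
        print(" -> ".join(p), "| crossings:", zone_crossings(p))
```

Running it shows a single internet-to-water path whose zone crossings include the remote-access bridge; removing that one edge with `without_edge` leaves the IT network reachable but the PLCs out of reach.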
Phase 2 — Re-weighting the CIA triad
At Meridian, confidentiality led for customer data. At Cedar Hollow, confidentiality barely matters — who cares if an attacker learns the current chlorine level? — while integrity and availability dominate completely:
| Property | At a bank | At Cedar Hollow | Why the difference |
|---|---|---|---|
| Confidentiality | High (PII, cards) | Low | Little sensitive data; sensor readings aren't secrets |
| Integrity | High (the ledger) | Critical | A falsified sensor reading or altered setpoint could over- or under-treat water |
| Availability | High (uptime) | Critical | If operators lose control or visibility, they cannot run the plant safely |
The worst realistic case is not data theft. It is an attacker who reaches a PLC and changes a chemical dosing setpoint while feeding the operator's screen normal-looking values — an integrity attack with public-health consequences — or who triggers a shutdown the operators cannot reverse remotely, an availability attack. This is exactly the shape of real incidents that have been reported at small water utilities, where weak remote access met internet exposure.
Phase 3 — Scoring with a non-financial impact axis
Apply $\text{Risk} = \text{Likelihood} \times \text{Impact}$ — but now impact is measured in safety, not dollars. The district has no security staff, so likelihoods are not low.
| Risk | L | I | Score | Note |
|---|---|---|---|---|
| Internet-exposed remote access reaches OT | 4 | 5 | 20 | Exactly the path in real utility incidents |
| Shared/weak operator credentials, no MFA | 4 | 5 | 20 | One reused password bridges everything |
| No monitoring: an intrusion goes unseen | 5 | 4 | 20 | You cannot respond to what you cannot detect |
| Billing-system breach exposes resident PII | 2 | 2 | 4 | The "obvious" data risk is the least severe |
The most striking row is the last. The risk a non-specialist would name first — a data breach of the billing system — is the lowest on the board, because both its likelihood and its impact are modest compared with an OT compromise. A defender who optimized for "protect the data" would harden the billing database and leave the valve controllers one weak password away from a public-health emergency.
💡 Intuition: "Low-value data" is not the same as "low risk." Risk lives in impact, and impact is whatever the organization actually stands to lose — money for a bank, safe water for a utility, patient lives for a hospital, an election's integrity for a government. Always ask what does this organization most fear losing? and let that, not a generic instinct about "sensitive data," set your priorities.
Discussion Questions
- The single most dangerous element of Cedar Hollow's attack surface was a convenience feature (remote access) added without a threat model. How should an organization with no security staff make even small architecture decisions more safely? What is the minimum viable process?
- At Cedar Hollow, confidentiality scored low and availability/integrity scored critical — the reverse of a typical bank. Name another kind of organization where the triad re-weights unusually, and explain which property dominates and why.
- Three different risks scored 20 by very different routes (exposure, weak credentials, no monitoring). With one operator's time, where would you start, and why?
- This case argues that "protect the confidential data" is a dangerous default mental model. When is it nonetheless a reasonable starting heuristic, and when is it actively misleading?
Your Turn
Choose an organization whose worst case is not primarily about confidential data — a hospital, an airline, a power co-op, a city's traffic systems, a newsroom. Draw its attack surface as a simple diagram that emphasizes the connections between zones, identify the one path you would most fear, and rank the three legs of the CIA triad for it with a one-sentence justification each. Then write a single sentence completing: "For this organization, the worst case is not data theft; it is ______."
Key Takeaways
- The attack surface includes the connections between systems, not just the systems; the most dangerous point is often a bridge, not a box.
- The CIA triad re-weights by context: confidentiality dominates for a bank's customer data, but integrity and availability dominate for systems that control physical processes.
- Impact is whatever the organization stands to lose — and it is not always money. Scoring risk where impact means public safety changes every priority.
- "Low-value data" ≠ "low risk." A utility with nothing worth stealing can carry higher risk than a bank, because its impact axis includes lives.
- Convenience features added without a threat model (the remote-access bridge) are a recurring source of catastrophic exposure — a theme that returns in operational-technology security (Chapter 33).