Critical Infrastructure Cybersecurity in Miami: Energy, Water, and Transit

Miami's energy grids, water treatment systems, and public transit networks operate at the intersection of physical operations and digital control systems — making them high-value targets for nation-state actors, ransomware operators, and hacktivists. This page covers the regulatory frameworks governing critical infrastructure cybersecurity in South Florida, the technical mechanics of industrial control system (ICS) vulnerabilities, and the classification distinctions that separate sectors under federal and state oversight. Understanding how these systems fail, and why they are structurally difficult to defend, is essential context for the broader Miami cybersecurity landscape.


Definition and scope

Critical infrastructure, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), encompasses 16 sectors whose incapacitation or destruction would have a debilitating effect on national security, economic stability, or public health. Three of those sectors are most operationally concentrated in Miami-Dade County: energy (including electrical distribution and petroleum logistics through PortMiami), water and wastewater systems, and transportation systems — which in Miami includes Miami-Dade Transit, Brightline's passenger rail corridor, and Miami International Airport ground infrastructure.

Miami-Dade County serves a population exceeding 2.7 million residents (U.S. Census Bureau, 2020 Decennial Census), and its water treatment infrastructure — operated by the Miami-Dade Water and Sewer Department (WASD) — processes over 300 million gallons of water daily. A successful cyberattack against any one of these systems does not stay contained: cascading dependencies mean a power disruption affects water pumping stations, and water system failures affect hospital operations, transit cooling, and fire suppression.

Florida designates critical infrastructure protection responsibilities partly through the Florida Division of Emergency Management (FDEM) and the Florida Department of Law Enforcement (FDLE), which coordinate with federal Sector Risk Management Agencies (SRMAs) on each sector's specific threat profile.


Core mechanics or structure

Critical infrastructure systems in Miami rely heavily on Operational Technology (OT) — a category encompassing Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS). Unlike traditional IT environments, OT systems prioritize availability and physical-process continuity over confidentiality.

SCADA systems used in water treatment plants, such as those at WASD's facilities, communicate over protocols including Modbus, DNP3, and IEC 61850 — many of which were designed before cybersecurity was a design requirement and lack native authentication. The National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems Security (SP 800-82, Rev. 3) documents these protocol weaknesses explicitly.

Florida's electrical distribution is managed in part by Florida Power & Light (FPL), a subsidiary of NextEra Energy, and in part by Miami-Dade County's own municipal substations. Substation automation relies on Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs) that connect operational networks to enterprise IT networks — creating attack surface at the boundary. The North American Electric Reliability Corporation (NERC) enforces Critical Infrastructure Protection (CIP) standards for bulk electric system operators, with penalties reaching $1 million per violation per day (NERC CIP Reliability Standards).

Transit systems introduce a third architecture layer: Miami-Dade Transit operates Metrorail, Metromover, and Metrobus networks whose signaling, fare collection, and vehicle dispatch systems now interface with IP-based networks. The Transportation Security Administration (TSA) has issued cybersecurity directives covering surface transportation operators, including rail transit authorities, under its Surface Transportation Cybersecurity directives framework initiated in 2021 and 2022.


Causal relationships or drivers

Three structural drivers increase Miami's critical infrastructure cyber risk relative to comparable U.S. metros.

Geographic concentration and climate exposure. Miami's infrastructure is physically compressed onto a peninsula, meaning that redundancy pathways are limited. Hurricanes force accelerated remote-access configurations — operators connect to SCADA systems remotely during storm preparation — which temporarily expands the attack surface. The 2021 Oldsmar, Florida water treatment incident, in which an attacker remotely accessed a SCADA system and attempted to raise sodium hydroxide levels to 111 times the normal concentration (FBI, CISA, EPA Joint Advisory, March 2021), demonstrated how remote access tools become threat vectors in small and mid-sized Florida utilities.

Legacy OT equipment lifecycles. Industrial control equipment in water and energy sectors has operational lifespans of 15–30 years. Systems installed in Miami-Dade during the 1990s and early 2000s predate modern cryptographic standards. Patching OT equipment frequently requires vendor-approved maintenance windows that may occur only once or twice annually, leaving known vulnerabilities exposed far longer than in IT environments.

PortMiami's logistics integration. PortMiami, one of the busiest cruise and cargo ports in the United States, runs terminal operating systems that interface with U.S. Customs and Border Protection (CBP) data systems, shipping line networks, and ground transportation logistics. The Maritime Transportation Security Act (MTSA) and USCG Maritime Cybersecurity Standards govern port cyber requirements, but vendor and third-party integrations create dependency chains not covered uniformly by a single regulation.

The regulatory context for Miami security provides additional framing on how these federal and state obligations interact at the local operator level.


Classification boundaries

CISA's 16-sector model creates distinct regulatory lanes with different SRMAs, different compliance standards, and different incident reporting obligations:

| Sector | SRMA | Primary Cyber Standard |
|---|---|---|
| Energy (Electric) | Department of Energy | NERC CIP |
| Energy (Oil & Gas) | Department of Energy / TSA | TSA Pipeline Security Directives |
| Water & Wastewater | EPA | America's Water Infrastructure Act (AWIA) |
| Transportation (Rail/Transit) | TSA / DHS | TSA Surface Directives |
| Maritime/Port | U.S. Coast Guard | MTSA / NVIC 01-20 |

For Miami operators, this means a single large facility — like PortMiami — may have compliance obligations under MTSA, CBP data-sharing rules, and EPA-adjacent environmental controls simultaneously. The EPA's Water Security Initiative requires community water systems serving more than 3,300 persons to conduct risk and resilience assessments under AWIA Section 2013 (33 U.S.C. § 300i-2).

The classification boundary between IT and OT security is also a formal distinction under NIST SP 800-82 and under NIST SP 800-53, Rev. 5, which now includes ICS-specific control overlays distinguishing compensating controls appropriate for environments where patching cannot be performed on standard IT timelines.


Tradeoffs and tensions

Availability vs. security. In OT environments, downtime during a security update has direct physical consequences. A water pump shutdown can cause pressure loss across distribution lines. This creates institutional resistance to applying patches or network segmentation changes that would be routine in an IT context. NERC CIP acknowledges this in its treatment of "low-impact" vs. "high-impact" BES Cyber Systems, with different patching timelines based on operational risk classification.

Transparency vs. threat exposure. Public utilities are subject to Freedom of Information and public records laws. Florida's broad public records statute (Florida Statutes § 119) can create tension when infrastructure operators wish to protect network topology documents, vulnerability assessments, or incident reports from public disclosure. Florida Statutes § 282.318 and § 365.172 contain specific carve-outs for certain cybersecurity records held by government entities.

Federal mandates vs. local operational control. Miami-Dade WASD is a county agency, not a federal entity. TSA directives apply to transit operators above defined thresholds. Smaller Miami-area utilities and transit contractors may fall beneath mandatory compliance thresholds while sharing interconnected infrastructure with systems that are regulated. This creates uneven security posture across a physically contiguous network.

Vendor dependency. OT vendors like Schneider Electric, Siemens, and Rockwell Automation develop the hardware and firmware in critical infrastructure deployments. Security updates depend on vendor release schedules. When CISA issues an Industrial Control Systems Advisory (ICS-CERT advisory) — CISA published 209 ICS advisories in fiscal year 2022 (CISA Year in Review 2022) — Miami-area operators must wait for vendor-validated patches before applying fixes, even when a vulnerability is actively exploited.


Common misconceptions

Misconception: Air-gapped OT networks are immune to cyber threats.
Correction: True air gaps are rare in modern critical infrastructure. Remote monitoring for efficiency, emergency access, and vendor maintenance have introduced IP connectivity into most Miami-area OT environments. The Oldsmar water attack exploited a TeamViewer remote desktop connection, not a breach of a segregated network.

Misconception: Compliance equals security.
Correction: NERC CIP compliance audits assess whether documented controls exist — they do not measure whether those controls are effective against current threat actor techniques. A utility can pass a NERC CIP audit while running unpatched HMI software facing the internet on a non-critical subnetwork outside the audit scope.

Misconception: Only large utilities are targeted.
Correction: Ransomware operators specifically target smaller municipalities and utilities because those entities typically have fewer security staff and lower incident response capabilities. The Oldsmar facility served approximately 15,000 residents — well below the scale most organizations associate with high-profile infrastructure attacks.

Misconception: Physical security controls compensate for cyber vulnerabilities.
Correction: Most modern ICS attacks do not require physical access. Spearphishing targeting an engineer's corporate email, credential theft through an enterprise IT breach, or exploitation of a vendor remote access portal all represent initial access vectors that physical perimeter controls do not address.


Checklist or steps

The following sequence represents the standard phases documented in CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) and NIST SP 800-82 for OT/ICS environments. This is a descriptive framework, not a prescriptive engagement recommendation.

Phase 1 — Asset Inventory
- Enumerate all OT assets including RTUs, PLCs, HMIs, and engineering workstations
- Map communication flows between IT and OT network zones
- Identify all remote access pathways, including vendor VPN accounts

Phase 2 — Vulnerability Identification
- Cross-reference asset firmware versions against CISA ICS-CERT advisories
- Identify default credentials on field devices
- Document unencrypted protocol usage (Modbus, DNP3 without authentication)

Phase 3 — Network Segmentation Assessment
- Verify that IT/OT boundary controls (DMZ architecture, data diodes, unidirectional gateways) match documented topology
- Test for unauthorized lateral movement paths between enterprise and OT zones

Phase 4 — Incident Response Readiness
- Confirm existence of OT-specific incident response playbooks separate from IT playbooks
- Verify backup and restoration procedures for historian servers and PLC configurations
- Confirm reporting procedures for CISA (CISA reporting portal) and EPA (for water systems under AWIA)

Phase 5 — Continuous Monitoring
- Deploy passive OT network monitoring (active scanning can disrupt legacy field devices)
- Establish baselines for normal process variable ranges to enable anomaly detection
- Schedule recurring tabletop exercises that include physical operations staff, not only IT/security teams
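As an added example that is not part of this page and not any utility's or vendor's code: a minimal passive Modbus/TCP write monitor in Python that applies the Phase 5 idea of baselining normal process variable ranges, and shows why the unauthenticated protocols described under Core mechanics need compensating detection. The register addresses, baseline ranges, allowlisted host, and captured frames are all constructed for illustration.

```python
import struct

# Constructed baseline of normal setpoint ranges, keyed by Modbus holding-register
# address. Addresses, names and ranges are hypothetical, not any real plant's.
BASELINE = {
    40: ("naoh_dose_setpoint_ppm", 50, 150),
    41: ("pump1_speed_pct", 0, 100),
}
# Hypothetical allowlist of hosts that are expected to issue Modbus writes
# (for example an engineering workstation); the protocol itself enforces nothing.
ALLOWED_WRITERS = {"10.10.1.5"}

def parse_modbus_writes(frame: bytes):
    """Yield (register, value) pairs from a Modbus/TCP write request (FC 6 or FC 16)."""
    if len(frame) < 8:
        return
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # malformed MBAP header, ignore
        return
    fc, pdu = frame[7], frame[8:]
    if fc == 6 and len(pdu) == 4:                 # Write Single Register
        yield struct.unpack(">HH", pdu)
    elif fc == 16 and len(pdu) >= 5:              # Write Multiple Registers
        start, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes == 2 * qty and len(pdu) == 5 + nbytes:
            for i, val in enumerate(struct.unpack(f">{qty}H", pdu[5:])):
                yield start + i, val

def check_capture(capture):
    """Passive check over (src_ip, frame) pairs. Returns (src, reg, value, reason)
    tuples; the PLC will have accepted every write regardless, so this is detection only."""
    alerts = []
    for src, frame in capture:
        for reg, val in parse_modbus_writes(frame):
            if src not in ALLOWED_WRITERS:
                alerts.append((src, reg, val, "write from non-allowlisted host"))
            if reg in BASELINE:
                name, lo, hi = BASELINE[reg]
                if not lo <= val <= hi:
                    alerts.append((src, reg, val, f"{name} outside baseline {lo}-{hi}"))
    return alerts

# Constructed capture: a routine FC16 write from the workstation, then a far
# out-of-range FC6 setpoint write from an unknown host.
SAMPLE_CAPTURE = [
    ("10.10.1.5", struct.pack(">HHHBBHHBHH", 1, 0, 11, 1, 16, 40, 2, 4, 100, 50)),
    ("203.0.113.7", struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 40, 11100)),
]

if __name__ == "__main__":
    for alert in check_capture(SAMPLE_CAPTURE):
        print(alert)
```

In practice the frames would come from a SPAN port or tap feeding a passive sensor, which is the reason Phase 5 prefers passive monitoring over active scanning of field devices.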

The Miami incident response resources page covers local and regional resources relevant to Phases 4 and 5.


Reference table or matrix

Regulatory Framework Summary for Miami Critical Infrastructure Sectors

| Regulation / Standard | Sector Applicability | Governing Body | Key Requirement | Penalty/Enforcement Mechanism |
|---|---|---|---|---|
| NERC CIP v7/v8 | Bulk Electric System | NERC / FERC | Cyber asset inventory, access control, incident reporting | Up to $1M/violation/day (NERC) |
| TSA Surface Directives (2021–2022) | Rail, Transit, Bus | TSA / DHS | Cybersecurity coordinator designation, incident reporting within 24 hours | Civil penalty authority |
| AWIA § 2013 | Water systems >3,300 persons | EPA | Risk & resilience assessment, emergency response plan | EPA compliance orders |
| MTSA / NVIC 01-20 | Port facilities, vessels | U.S. Coast Guard | Cybersecurity within Facility Security Plans | USCG enforcement action |
| NIST SP 800-82 Rev. 3 | All ICS/OT environments | NIST (voluntary) | ICS security guidance, risk management framework | N/A (voluntary standard) |
| Florida § 282.318 | State agency IT/OT systems | FL Agency for State Technology | Annual security assessments, incident reporting | State agency compliance oversight |
