so lets say that you don't have the budget to keep a fully trained staff of scada and network engineers on site, 24/7. and then there's a systems failure, and the choice is either "they debug it remotely and fix the problem within an hour" or "the staff drives 2-3 hours to the location where the airgapped systems are and then begins work".
now imagine the system is life-preserving or otherwise critical. those 2-3 hours could be hundreds of lives. wouldn't it be criminally irresponsible to not have the system as resilient as possible?
I would say any system whose failure quickly results in the loss of life should always have properly trained staff either on location or trivially close. Anything less than that would be, as you put it, criminally irresponsible, as is the idea of connecting such infrastructure to publicly accessible networks.
I don't think you'd like what your power bill would look like if your distribution company had to have staff trivially close to all of its infrastructure, 24/7. I work at a utility and all (yes, all) of our stations and substations are unmanned.
To have a crew on site at every station, 24/7, you'd be looking at nearly 1,000 employees at $65-90k, assuming 8-hour shifts.
It's almost like you're saying no one has now or ever built an affordable water supply system that can supply water unless it is run remotely through the internet.
Pretty sure that's not the case since internet controlled systems are solidly in the minority.
That depends on how the cost-benefit analysis came out. You did do a cost-benefit analysis, right?
Personally, I would consider connecting critical infrastructure to the Internet without taking adequate security measures to be the criminally irresponsible thing.
Of course, water pumps aren't really "critical infrastructure" in the same sense as, say, nuclear power plants. Hopefully their security is a little more reasonable.
I work for one of the largest municipal electric utilities in North America. We are a monopoly and do not set our own rates. There is no such thing as "cost-benefit" for us. We spend as much money as we need to get the reliability our regulator demands, and then our rates are set accordingly for us to recover those costs.
now imagine the system is life-preserving or otherwise critical. those 2-3 hours could be hundreds of lives. wouldn't it be criminally irresponsible to not have the system as resilient as possible?