Case Study: Strengthening the Cyber Readiness of Water Utilities

Posted on by Karen Evans

In today's interconnected world, cybersecurity threats loom large, and nowhere is this more critical than in the water and wastewater sector. With the potential for a cyber incident to wreak havoc on public health and safety, policymakers and industry leaders have recognized the need for robust cybersecurity measures in small and medium-sized water utilities and wastewater treatment plants. However, these vital organizations often face significant challenges, including limited resources, technical expertise, and aging infrastructure, making them vulnerable targets for malicious actors seeking to disrupt operations or compromise sensitive data.

In August, the Cyber Readiness Institute (CRI), the Center on Cyber and Technology Innovation (CCTI), and Microsoft, launched a pilot program tailored to the unique needs of small and medium-sized water utilities and wastewater treatment plants.

The Problem: Understanding the Challenges

Water systems are considered critical infrastructure, necessitating heightened protection against physical and cyber threats.

In a recent letter to US governors, Jake Sullivan, Assistant to the President for National Security Affairs, and Michael S. Regan, Administrator of the Environmental Protection Agency, wrote, “Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.” Yet, small and medium-sized utilities frequently lack the resources or technical capacity to implement comprehensive cybersecurity measures. Aging infrastructure and legacy systems contribute to the cybersecurity challenge, leaving these utilities susceptible to exploitation by malicious actors. 

According to a survey by the Water ISAC, training and education emerged as the top priority for improving cyber readiness among water system managers. Key challenges include identifying and responding to cyber threats effectively, as well as developing continuity and resilience plans to ensure operational stability.

Addressing the Issue: The Role of Cyber Readiness Programs 

In response to these pressing challenges, the Cyber Readiness Institute (CRI), the Center on Cyber and Technology Innovation (CCTI), and Microsoft joined together to launch a pilot program tailored to the unique needs of water utilities. The pilot, which has enlisted utilities throughout the US and its territories, employs CRI’s Cyber Readiness Program (CRP) as a foundational resource for small and medium-sized water utilities. The CRP provides free content designed to cultivate a culture of cyber readiness among employees, equipping them with the skills necessary to defend against various threats. CRI-trained Cyber Coaches are used to support the SMBs through the program and to verify they successfully complete the Playbook included in the Cyber Readiness Program.

The Results: Progress and Achievements 

Early results from the implementation of cyber readiness programs in water utilities are promising. For example, one utility initially faced challenges in adopting required policies, including sharing passwords for critical business software. However, with the support of Cyber Coaches provided by CRI, the utility successfully completed the program, established core cybersecurity policies, and developed a robust business continuity plan, earning the designation of Certified Cyber Ready.

Similarly, another utility, though initially confident in its IT security preparedness, benefited from the guidance and high-touch support offered by the CRI coaching program. By leveraging the program's resources, the utility improved communication of cybersecurity policies to its workforce, implemented regular phishing training, and adopted multifactor authentication (MFA) measures. This proactive approach not only enhanced the utility's cyber resilience but also positioned it as a champion for the program within the industry.

As of March 2024, significant progress has been made, with 25 utilities completing the Cyber Readiness Program and three utilities achieving Certified Cyber Ready status. Additionally, 41 utilities are currently engaged in the program, working toward certification with the support of Cyber Coaches.

Looking Ahead: Building a Safer Future 

While these early successes are encouraging, there is still much work to be done to strengthen cybersecurity in the water and wastewater sector. Continued collaboration between industry stakeholders, policymakers, and cybersecurity experts will be essential in addressing existing challenges and ensuring the long-term resilience of critical infrastructure. By investing in comprehensive cyber readiness programs and providing ongoing support to water utilities, we can build a safer and more secure future for communities around the world. For more information about CRI, please visit

Karen Evans

Managing Director, Cyber Readiness Institute

Protecting Data & the Supply Chain Ecosystem

critical infrastructure security operations data security governance risk & compliance Hackers / Threats persistence security education security awareness

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs