Water Utilities Cybersecurity: Training Alone Isn’t Enough – New Report Findings
The nation’s water and wastewater systems are increasingly vulnerable to cyberattacks, but a recent pilot program revealed that simply providing cybersecurity training isn’t enough to address the growing threat. The Cyber Readiness Institute (CRI) pilot, conducted in partnership with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies and sponsored by Microsoft, found a significant gap between awareness of cybersecurity risks and the ability of utilities to implement effective defenses.
The pilot program, detailed in a report titled ‘Water Utilities Need Cyber Support: Lessons from the Cyber Readiness Institute’s Pilot Project,’ engaged up to 200 small and medium-sized utilities over two years. While over 90% of participating utilities demonstrated improved understanding of cybersecurity fundamentals and expressed a willingness to act on that knowledge, only 43 out of 113 interested utilities completed the program. The primary obstacles cited were staffing shortages, funding limitations and a lack of dedicated support for implementation.
The findings underscore a structural challenge within the water sector, where systemic weaknesses – including aging infrastructure, limited cybersecurity personnel, and internet-exposed control systems – are increasingly exploited by malicious actors. Even large, well-funded providers have experienced operational disruptions, while smaller utilities, which comprise over 97% of public water systems and often serve fewer than 10,000 customers, face disproportionately higher risks due to constrained resources and limited incident response capabilities.
The CRI pilot utilized the organization’s existing, free Cyber Readiness Program, a self-paced curriculum focused on fundamental cybersecurity concepts and the human element of security. The program aims to present information in a way that is accessible to individuals regardless of their cybersecurity background. Recruitment involved briefings with water sector organizations, federal and state government partners, and state and local government associations, as well as direct outreach to over 1,000 utilities.
Participants frequently cited growing concerns about ransomware and other disruptive cyber threats as motivation for enrolling, even in the absence of prior incidents. To bolster support, CRI provided free Certified Cyber Coaches who met regularly with designated ‘Cyber Leaders’ within each utility – individuals responsible for cybersecurity decisions and awareness. These coaches assisted Cyber Leaders in developing and implementing cybersecurity policies and incident response procedures.
The Cyber Readiness Program’s core modules cover essential practices such as strong passwords and multifactor authentication, software update management, phishing awareness, and secure file storage. It also guides Cyber Leaders in developing business continuity plans, utilizing a ‘Cyber Readiness Playbook’ containing asset management worksheets, policy templates, and employee training resources.
Survey results indicated that the program’s structured approach and incident response playbook were particularly valuable in preparing for threats like ransomware. Participants reported identifying previously unrecognized vulnerabilities, including missing continuity plans, weak password policies, and inconsistent staff training. However, the low completion rate highlighted the disparity between intent and execution.
Microsoft, a sponsor of the pilot, has urged federal intervention to provide hands-on assistance to the water sector. The company noted that while agencies like the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) offer advisories and technical guidance, many utilities struggle to navigate this information and integrate it into daily operations. Microsoft argued that relying solely on free resources is insufficient and risks exacerbating existing limitations.
The CRI pilot report recommends expanding hands-on technical assistance programs, embedding cybersecurity coaches, and establishing regional support teams to aid with system configuration and policy drafting. It also suggests integrating cybersecurity training into operator licensing and continuing education requirements, leveraging existing workforce development pathways. The report emphasizes the importance of empowering water sector associations to lead and drive cybersecurity improvements, citing their role as trusted sources of information and their success in driving participation and completion rates.
New York State recently took action to address these concerns, with Governor Kathy Hochul announcing cybersecurity regulations for drinking water and wastewater systems, accompanied by a US$2.5 million grant program. The Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements grant program provides funding for cybersecurity assessments and upgrades, aiming to bolster defenses against increasingly sophisticated cyber threats.
