Full Report
Free cybersecurity training can help water and wastewater utilities protect themselves against hackers, but only when paired with hands-on assistance and incentives for employees to build cybersecurity skills, Microsoft said in a report published on Thursday. The report — a summary of a 2023-2025 cybersecurity assistance pilot program that Microsoft ran in partnership with the Cyber Readiness Institute (CRI) and the Foundation…
Analysis Summary
# Best Practices: Water and Wastewater Cybersecurity Capacity Building
## Overview
These practices address the critical security gap in the water and wastewater sector, where traditional "information distribution" (simply providing PDFs or recorded webinars) has proven insufficient. The focus is on transitioning from passive learning to active **capacity building** through hands-on technical assistance and institutionalized skill development.
## Key Recommendations
### Immediate Actions
1. **Conduct a Skills Gap Analysis:** Assess current staff's ability to implement basic security controls (MFA, patching, etc.) rather than just their awareness of them.
2. **Inventory Critical Systems:** Identify all Operational Technology (OT) and Information Technology (IT) assets that are internet-facing.
3. **Engage Trusted Partners:** Reach out to sector-specific associations (e.g., American Water Works Association or National Rural Water Association) to identify available hands-on assistance programs.
### Short-term Improvements (1-3 months)
1. **Implement Hands-on Training:** Replace passive video training with guided, interactive labs where employees configure security settings under expert supervision.
2. **Apply Technical Hardening:** Focus on securing Microsoft systems and other common software platforms frequently targeted in critical infrastructure attacks (e.g., the "Stryker" hack mitigation).
3. **Establish Incident Response Basics:** Create a simple, physical "run book" for what to do if an HMI (Human Machine Interface) behaves unexpectedly.
### Long-term Strategy (3+ months)
1. **Incentivize Skill Building:** Align cybersecurity competencies with operator certification requirements and salary advancement tiers.
2. **Embed Security into Operations:** Integrate cyber-maintenance tasks (like log reviews) into standard daily maintenance workflows for water treatment.
3. **Collaborative Defense:** Establish formal resource-sharing agreements with larger neighboring utilities or state agencies for emergency technical support.
## Implementation Guidance
### For Small Organizations
* **Leverage Pilot Programs:** Actively seek federal or private-sector (e.g., Microsoft/CRI) pilot programs that provide direct engineering hours.
* **Focus on Hygiene:** Prioritize "Cyber Readiness" basics: patching, multi-factor authentication, and securing remote access.
### For Medium Organizations
* **Association Participation:** Utilize sector associations to scale participation in joint training exercises.
* **Resource Allocation:** Dedicate a specific "Security Lead" role, even if it is a secondary duty for an existing engineer, to ensure accountability.
### For Large Enterprises
* **Capacity Building Leadership:** Act as a "hub" for smaller regional utilities, sharing templates for incident response and technical configurations.
* **Advanced Standards Alignment:** Map internal controls directly to NIST or CIS frameworks to ensure audit readiness.
## Configuration Examples
*While the article summarizes high-level findings, the program emphasizes the following technical focus areas:*
* **Identity Management:** Enforcing MFA on all remote access points to the SCADA network.
* **Endpoint Exposure:** Disabling unnecessary services on Windows-based HMIs to reduce the attack surface.
* **Cloud Security:** Securing Microsoft 365 and associated cloud environments used for administrative utility functions.
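
The inventory step and the focus areas above can be combined into one repeatable check. The following is an added example, not code from the Microsoft/CRI report or program; the asset fields, service names, allowlist and 90-day patch threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed baseline: services an HMI is assumed to need (hypothetical names).
HMI_SERVICE_ALLOWLIST = {"hmi-runtime", "historian-agent", "time-sync"}
MAX_PATCH_AGE_DAYS = 90  # assumed local policy, not a figure from the report

@dataclass
class Asset:
    name: str
    kind: str                 # "OT" or "IT"
    internet_facing: bool
    remote_access: bool
    mfa_enforced: bool
    days_since_patch: int
    services: set = field(default_factory=set)

def audit(asset):
    """Return (severity, finding) tuples for one inventory entry."""
    findings = []
    if asset.kind == "OT" and asset.internet_facing:
        findings.append(("high", "OT asset reachable from the internet"))
    if asset.remote_access and not asset.mfa_enforced:
        findings.append(("high", "remote access without MFA"))
    extra = asset.services - HMI_SERVICE_ALLOWLIST
    if asset.kind == "OT" and extra:
        findings.append(("medium", "unneeded services: " + ", ".join(sorted(extra))))
    if asset.days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append(("medium", f"last patched {asset.days_since_patch} days ago"))
    return findings

def worklist(assets):
    """Assets with findings, most high-severity findings first."""
    scored = [(a.name, audit(a)) for a in assets]
    scored = [(name, f) for name, f in scored if f]
    return sorted(scored, key=lambda nf: (-sum(s == "high" for s, _ in nf[1]),
                                          -len(nf[1]), nf[0]))

# Constructed sample inventory for a small utility.
INVENTORY = [
    Asset("hmi-plant1", "OT", True, True, False, 200,
          {"hmi-runtime", "remote-desktop", "print-spooler"}),
    Asset("scada-gw", "OT", False, True, True, 30, {"hmi-runtime", "time-sync"}),
    Asset("billing-pc", "IT", True, True, False, 45, {"web-browser"}),
    Asset("office-laptop", "IT", False, False, False, 120, set()),
]

if __name__ == "__main__":
    for name, findings in worklist(INVENTORY):
        print(name, findings)
```

Re-running the same check after each hardening session gives operators a concrete before-and-after measure, which fits the hands-on training model the report recommends.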
## Compliance Alignment
* **NIST Cybersecurity Framework (CSF):** Implementation of "Protect" and "Respond" functions.
* **CISA Water and Wastewater Performance Goals:** Alignment with the sector-specific cybersecurity performance goals (CPGs).
* **EPA Requirements:** Supporting compliance with sanitary survey cybersecurity evaluations.
## Common Pitfalls to Avoid
* **"Information Overload":** Assuming that providing more documents or links improves security.
* **Decoupled Training:** Offering training that is not tied to the specific software or hardware the utility uses.
* **Lack of Incentives:** Expecting overworked operators to gain new complex skills without professional recognition or compensation.
## Resources
* **Cyber Readiness Institute (CRI):** [cyberreadinessinstitute[.]org]
* **Microsoft CSR / Cybersecurity Program:** [microsoft[.]com/en-us/corporate-responsibility/cybersecurity-protection-program]
* **Foundation for Defense of Democracies (CCTI):** [fdd[.]org/projects/center-on-cyber-and-technology-innovation]
* **CISA Water Sector Resources:** [cisa[.]gov/water-and-wastewater-systems-sector]