Resiliency for Water Utilities Pilot Interim Report

The Cyber Readiness Institute (CRI), Foundation for Defense of Democracies (FDD), and Microsoft launched a phased pilot to implement the Cyber Readiness Program across small and medium-sized water and wastewater utilities nationwide in 2023. The pilot provides utilities with a free CRI Certified Cyber Coach uniquely trained to guide participants through the Cyber Readiness Program and successfully foster a ‘Cyber Ready’ culture.

CRI, FDD, and Microsoft set the following goals for Phase 1:

  • Support fifty small and medium-sized water and wastewater utilities through the Cyber Readiness Program
  • Test if the sector-agnostic Cyber Readiness Program applies to water and wastewater critical infrastructure
  • Evaluate if the sector has unique cyber readiness needs

This interim report presents the findings from Phase 1, details ongoing changes to the CRI Certified Cyber Coach approach to delivering the Cyber Readiness Program, and outlines the Phase 2 approach.

Phase 1 participant feedback refined improvement strategies for Phase 2 and confirmed the Cyber Readiness Program’s adaptability, with one utility stating, “This Program is excellent and gives organizations small and large a great foundation.” The pilot now aims to determine what supplemental materials would best support the water and wastewater sector by supporting one hundred and fifty utilities through the Cyber Readiness Program in Phase 2.

The Cyber Readiness Program:

CRI’s self-paced Cyber Readiness Program presents fundamental cybersecurity concepts in an accessible, human-behavior-focused program designed specifically for small and medium-sized organizations, regardless of technical expertise. The Program informs a ‘Cyber Leader’ how to develop and implement cyber readiness policies and incident response procedures throughout their organization. The Program’s modules educate the Cyber Leader on strong passwords and multifactor authentication (MFA), software update management, phishing awareness, secure file storage and sharing, and business continuity plan development. It includes a Playbook complete with asset management worksheets, cyber readiness policy and incident response templates, and additional employee training resources.

A Cyber Leader is a designated individual from a participating water and wastewater utility who cultivates a cyber ready culture, influences behavior to adopt secure practices, and promotes cybersecurity awareness among employees. They regularly communicate and meet with a CRI Certified Cyber Coach throughout their engagement in the pilot to take informed steps toward cyber resilience.

A CRI Certified Cyber Coach is trained by CRI to help the Cyber Leader complete the Program. The Cyber Coach meets with the Cyber Leader in each water and wastewater utility to provide support and answer questions. CRI found that Cyber Coach support propelled the Program completion rate among participants in one pilot to 72%, compared to 11% and 41% in two other pilots without Cyber Coach support. These one-on-one interactions underpin the successful implementation of the Program among participating utilities nationwide.

Pilot Status:

CRI, FDD, and Microsoft received interest from eighty-nine utilities in Phase 1, with fifty-nine having started the Cyber Readiness Program as of September 1, 2024. Thirty-five utilities fully completed the Program, with an additional seven completing at least 84%. A few of these seven utilities are likely to reach 100%, while the others indicated to their Cyber Coach that they had completed as much of the Program as they intended. CRI, FDD, and Microsoft consider 84% a significant metric, as it represents completion of all fundamental cyber readiness learning modules by the Cyber Leader.

CRI Certified Cyber Coaches supported five utilities a step beyond Cyber Readiness Program completion. These utilities earned a “CRI Certified Cyber Ready” certificate through a process known as ‘Playbook Verification.’ This requires the Cyber Leader and the head of the organization to attest that they trained 100% of their employees and contractors on their cyber readiness policies and incident response plan. CRI then verifies that the utility’s Playbook and policies meet the minimum requirements outlined in the Cyber Readiness Program.

The remaining seventeen participants are either actively working through the Cyber Readiness Program, have paused their participation with an expressed intent to return, or have ended their participation in the pilot. Utilities that communicated their decision to discontinue participation cited resource constraints as their greatest challenge. The designated Cyber Leaders did not have the bandwidth to complete the Program, nor could they refer a colleague with the capacity to serve as a Cyber Leader. One Cyber Leader stated their team is “swamped with day-to-day operations” and could not continue the Program.

Despite the resource challenges plaguing small and medium-sized water and wastewater utilities, there appears to be no statistically significant correlation between utility size and completion rates, nor between utility size and the impact of the Cyber Readiness Program.

Phase 1 Feedback:

Water and wastewater utility Cyber Leaders acknowledged the Cyber Coach was critical to helping them complete the Cyber Readiness Program. One participant admitted the only reason she was able to complete the Program was because of the accountability she felt to the Cyber Coach.

CRI suggests the Cyber Readiness Program requires about one hour of the Cyber Leader’s time per week for about six weeks. While some utilities completed the Program in as little as two weeks, on average it took water utilities significantly longer than the estimated six weeks. This may be because they could only devote an hour every other week or once a month. In other cases, learning the material and implementing new policies simply required more time. Nevertheless, most participants said the Program was easy to follow and comprehend compared to educational resources they had encountered elsewhere.

Utilities consistently rated the Cyber Readiness Program as highly impactful on their organization’s cyber readiness. Two-thirds said the Program had a “High” or “Very High” impact, and more than three-quarters indicated they would recommend the Program to others. Participants called the Program “excellent,” “a great foundation,” and a “great starting point” for implementing business continuity and incident response plans. Others noted the Cyber Readiness Program distilled complex information into manageable, action-oriented learning modules that utilities could implement to become resilient. One participant noted employees at their utility were “impressed how making small changes can prevent incidents.” Another noted he already had a strong cyber background, but the Program furnished him with “instruction and tools to help guide coworkers towards cybersecurity awareness and safeguard critical infrastructure.” An overwhelming majority indicated they planned to take concrete steps to implement new cybersecurity measures within their organization.

Pilot Improvements:

CRI hypothesized that the Cyber Readiness Program is adaptable to small and medium-sized water and wastewater utilities. While Phase 1 metrics, surveys, and anecdotal feedback from Cyber Leaders support this hypothesis, sector-specific adjustments may be valuable. The share of participants rating the Program as having a “High” or “Very High” impact is slightly lower than the 76 percent typically observed among Cyber Readiness Program participants. Anecdotally, some participants indicated a desire for more information about network monitoring tools or technical solutions, and others suggested a need for Operational Technology-oriented content. At this stage, however, there is no consensus on what specific supplemental materials the water sector needs. CRI plans to evaluate this avenue further in Phase 2. Cyber Coaches will continue to provide tailored guidance as part of their regular support calls.

CRI revised the Cyber Coach Guide to enhance Cyber Coach training and improve their field capabilities. The updates provide thorough guidance for Cyber Coaches to support Cyber Leaders and to adapt the guide for use in various industries. It details an updated process for becoming a CRI Certified Cyber Coach, defines the Cyber Coach mission across sectors, and recognizes the cyber challenges of small and medium-sized businesses. The guide includes email templates and initial support call questions to help establish a baseline with the Cyber Leader. It imparts knowledge on becoming an effective Cyber Coach with practical strategies, tips, and tools to excel. CRI intends to ensure Cyber Coaches provide applicable support to Cyber Leaders and plans to develop a Cyber Coach resource library using the guide as a foundation.

CRI is remodeling the Cyber Readiness Playbook to enhance its adaptability and ease of use in response to pilot participant and Cyber Coach feedback. Cyber Coaches reported that one of the consistent challenges their Cyber Leaders faced was accessing the CRI Playbook. Cyber Coaches directed the Cyber Leaders to the correct location on CRI’s website, but even then, participants reported the Playbook was difficult to use due to its layout. The updates will simplify the companion document for better comprehension and reorganize the policy sections for more precise guidance. CRI is exploring options for Cyber Leaders to draft policies directly in the Playbook, making it a comprehensive, customizable, and living document. This modification would guide Cyber Leaders to tailor their personalized Playbook with clear, actionable instructions. These revisions will help Cyber Coaches better support Cyber Leaders and verify that completed Playbooks meet the CRI Certified Cyber Ready standard.

Before Phase 2 launched, the Cyber Readiness Institute analyzed why several Cyber Leaders stopped at 84% completion. This percentage coincided with a ‘Congratulations’ lesson at the start of the final module in the Program, which appears to be the reason Cyber Leaders did not continue to 100% completion. Based on these findings, CRI decided to relocate the lesson to the end of the Program and will analyze the impact of the change in Phase 2.

Phase 2 Launch:

CRI projects that it will need to recruit about three hundred utilities in Phase 2 to reach the goal of supporting one hundred and fifty utilities through the Program, given the attrition observed between initial interest and Cyber Readiness Program completion. Phase 1 yielded the highest ratio of completions through recruitment streams from the National Rural Water Association (NRWA) and the regional offices of both the Cybersecurity and Infrastructure Security Agency and the Environmental Protection Agency. CRI intends to continue collaborating with these partners.

CRI is engaged with state and local governments that have a direct link to water utilities in their regions. These state and local stakeholders (including NRWA) may also prove valuable partners for the development of additional Cyber Coaches and for the sustainability of Cyber Coach support to water utilities after the pilot concludes.