If we can build resilience in the water sector, one of the most challenging and under-resourced environments, we can apply those lessons to other sectors.
Small and medium-sized water and wastewater utilities represent some of the most resource-constrained environments in the nation’s critical infrastructure. They often operate under financial constraints, with legacy systems and limited staff who must wear multiple hats, and in many cases they lack the dedicated budgets required for even rudimentary cybersecurity.
Through our work at the Cyber Readiness Institute (CRI) on a pilot program sponsored by Microsoft, and in partnership with the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, we tested whether accessible, behavior-focused cybersecurity training paired with hands-on support could meaningfully improve cyber readiness among small and medium-sized water and wastewater utilities.
The most significant takeaway from our pilot program is not just about water; it is a blueprint for securing the U.S. economy.
The pilot used CRI’s free Cyber Readiness Program, a self-paced program that presents basic cybersecurity concepts built on the human behavior aspect of security. The program provides information at a level that can be understood without a cybersecurity background, focusing on the “Core Four”: strong passwords and multifactor authentication, software update management, phishing awareness, and secure file storage and sharing.
Utilities that completed the program reported a better understanding of cybersecurity basics and a significant advance in their ability to prepare for and respond to cyber incidents. Because of the pilot’s success, the program is now a permanent offering, providing water utilities with ongoing training and support to strengthen cyber resilience and better protect their communities from evolving threats.
Crucially, the pilot provided utilities with access to a CRI Certified Cyber Coach. These coaches worked directly with designated “Cyber Leaders” within the utilities to translate training into formal policies, playbooks, and incident response plans. Pairing utilities with a Cyber Coach significantly increased program completion: completion rates were over 300% higher than those of self-paced participants.
Lessons for the Broader Economy
The critical challenge for policymakers and utility leaders is moving beyond “concern” to sustained, operational resilience. For organizations with limited time and technical expertise, the path from knowing a threat exists to defending against it remains the steepest hurdle.
While the water sector faces unique operational challenges, the CRI pilot proves that if we can build a culture of cyber readiness in a rural water treatment plant, we can do it in a community hospital, a local power utility, or a regional manufacturing hub. By working closely with this sector, we learned vital lessons that apply to healthcare, energy, transportation, and beyond:
- Empowerment Trumps Complexity: Many leaders in critical infrastructure are stymied by the perceived complexity of cybersecurity. The pilot proved that an employee behavior-focused approach, rather than a purely technical one, can yield results. When you empower a “Cyber Leader” with a clear, step-by-step program, the mystery of cybersecurity disappears.
- Mentorship Scales Better Than Manuals: You can hand a manager a thick compliance manual, and it will sit on a shelf. But when you provide a Cyber Coach, you create an advocate. This model is easily replicable across other sectors where small-to-medium organizations struggle to find specialized security talent.
- The “Cyber Leader” is a Universal Role: Every organization, regardless of industry, has someone with the potential to be a “Cyber Leader.” They don’t need a computer science degree; they need the authority to implement basic cyber readiness.
- Financial Constraints Require Scalable, Free Tools: We must recognize that much of our national infrastructure is maintained by organizations that cannot afford outside consultants. The success of the CRI’s free program highlights the need for public-private partnerships to provide high-quality, zero-cost tools to the entities that need them most.
A Call to Action for Industry Leaders
The findings from this report point to both promise and a call to action. We have the data. We have the framework. Now, we need the leadership.
The cyber readiness gap in the water sector is too wide for bespoke, expensive solutions to fill. We must continue to support and scale free, accessible tools like those provided by the Cyber Readiness Institute. By lowering the barrier to entry, we strengthen the entire ecosystem.
However, free cybersecurity resources alone rarely translate into operational improvements. Many utilities struggle not with access to guidance (federal agencies such as the Cybersecurity and Infrastructure Security Agency and the U.S. Environmental Protection Agency already provide free materials), but with the cost, time, and expertise required to turn those resources into day-to-day security practices.
The vulnerability of our water systems is a shared risk, but as this pilot demonstrates, it is a solvable one. Through collaborative partnerships and a focus on practical, human-centric readiness, we can build a resilient critical infrastructure that stands the test of an evolving digital landscape.
To the decision-makers in other critical sectors: the “cyber readiness gap” is not an inevitability. The CRI pilot has stripped away the excuse that cybersecurity is “too expensive” or “too complicated” for small-to-medium operators. The path to resilience is easier than you think, but it requires you to step up and engage. We need both public and private sector leaders to recognize that securing our nation is a shared responsibility. The blueprint is ready. The tools are available. The water sector has shown the way. Now it is time for the rest of the economy to follow.
We are inviting leaders in both the public and private sectors to look at the water sector’s success and ask: “Why aren’t we doing this?” The infrastructure for collaboration is already built. Microsoft and CRI have proven that when the private sector provides the resources and the public sector provides the engagement, we can move the needle on cybersecurity in months, not years.
By working together, we can move from a state of constant concern to a state of sustained operational resilience. The blueprint exists. Now, we just need you to join us. Let’s close the readiness gap, one sector at a time.
Sasha Pailet Koff is Managing Director of the Cyber Readiness Institute (CRI) and Founder and President of the consultancy So Help Me Understand. Read the report: Water Utilities Need Cyber Support: Lesson from the Cyber Readiness Institute’s Pilot Project. Explore the free Cyber Readiness Program.