For small and medium-sized water and wastewater utilities, addressing cybersecurity issues is a significant challenge. Recognizing this, the Cyber Readiness Institute (CRI), Foundation for Defense of Democracies (FDD), and Microsoft launched a pilot program in 2023 to implement CRI’s Cyber Readiness Program across the nation. This multi-phase initiative seeks to empower utilities with the knowledge and support needed to foster a robust “cyber ready” culture. With Phase 1 complete, the interim report provides critical insights and lays the foundation for an expanded Phase 2.
The Goals and Approach of Phase 1
Phase 1 of the pilot aimed to:
- Support at least 50 small and medium-sized water and wastewater utilities through the Cyber Readiness Program.
- Assess the applicability of the sector-agnostic Cyber Readiness Program to critical water and wastewater infrastructure.
- Evaluate the unique cybersecurity needs within critical infrastructure sectors.
The centerpiece of the program is CRI’s Cyber Readiness Program, which focuses on practical cybersecurity measures, including strong passwords, multifactor authentication (MFA), phishing awareness, and incident response planning. Central to its success is the Cyber Leader, a designated individual at each utility, supported by a CRI Certified Cyber Coach trained to guide and encourage participants to complete the program.
Key Findings from Phase 1
Phase 1 successfully engaged 59 utilities, with 35 completing the program and another seven nearing full completion (84%). Importantly, five utilities earned the “CRI Certified Cyber Ready” certificate by verifying that their Playbook and training met Program standards. However, resource constraints remained a key challenge for some participants, with several citing limited bandwidth to complete the program.
Despite these challenges, the results underscored the adaptability and value of the Cyber Readiness Program:
- High Program Impact: Two-thirds of participants rated the program as having a “High” or “Very High” impact on their organization’s cyber readiness.
- Ease of Use: Utilities found the program accessible, even for those with limited technical expertise, describing it as a “great foundation” and a “manageable, action-oriented” tool for enhancing resilience.
Participants also highlighted areas for improvement, including a desire for more guidance on network monitoring tools and operational technology-specific content.
Challenges and Adjustments for Phase 2
While Phase 1 confirmed the program’s effectiveness, feedback revealed several opportunities for refinement:
- Cyber Coach Enhancements: CRI has updated the Cyber Coach Guide to improve training and provide practical tools, such as email templates and tailored support strategies.
- Playbook Improvements: To address participant concerns about the Playbook’s usability, CRI is redesigning it to be more intuitive and interactive, allowing Cyber Leaders to draft and customize policies directly within the document.
- Completion Rate Barriers: Phase 1 revealed that many participants stopped at the 84% mark due to the placement of a “Congratulations” lesson early in the final module. To address this, CRI has moved the lesson to the program’s conclusion to encourage full completion.
What’s Next in Phase 2?
Building on Phase 1’s success, Phase 2 will aim to support 150 utilities through the Cyber Readiness Program, with a projected recruitment of 300 utilities to account for attrition. Key priorities include:
- Sector-Specific Resources: CRI will continue exploring supplemental materials to address unique water sector needs, such as operational technology guidance and advanced monitoring tools.
- Expanded Partnerships: Phase 2 will leverage relationships with the National Rural Water Association (NRWA) and regional offices of the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA). These partnerships proved critical in Phase 1 and will be integral to reaching more utilities.
A Collaborative Path to Cyber Resilience
The pilot’s first phase demonstrated that, with the right tools, guidance, and commitment, even resource-constrained utilities can take meaningful steps toward cybersecurity. The combination of accessible training, personalized coaching, and practical resources has already made a tangible impact on participating organizations.
As Phase 2 unfolds, CRI, FDD, and Microsoft will build on these insights to create a more secure and resilient future for the water and wastewater sector. Through collaboration, innovation, and a steadfast focus on adaptability, this initiative is setting a precedent for empowering critical infrastructure sectors to combat evolving cyber threats.
For more information about the Cyber Readiness Program and how your organization can participate in Phase 2, visit the Cyber Readiness Institute.