Industrial Software Insider

From Pilot to Scale: How Water Utilities Move Beyond Cybersecurity Pilots to Standardized OT/ICS Security

Water utilities are scaling OT/ICS cybersecurity from pilots to enterprise programs via guided training, asset control, and coaching, with Phase 2 expansion underway.

From Pilot to Scale: Water Utilities Advance OT/ICS Cybersecurity

Water utilities are moving from isolated cybersecurity pilots to standardized, enterprise-level Operational Technology (OT) and Industrial Control System (ICS) security programs. In 2023, the Cyber Readiness Institute (CRI), Microsoft, and the Foundation for Defense of Democracies supported 50 small and medium utilities in a human-centered Cyber Readiness Program. With certified Cyber Coaches, the initiative reached a 72% program completion rate, significantly higher than rates in uncoached pilots. CRI plans to expand the program in Phase 2, aiming to support 150 utilities using enhanced sector-specific resources and maintaining collaboration with the EPA and CISA.

Background

Increasing IT-OT convergence has eroded traditional air-gap security for water utilities, exposing OT/ICS systems to new threats. OT breaches are often linked to IT vulnerabilities; one study found 84% of OT disruptions originate from IT-based intrusions. Many utilities manage aging SCADA (Supervisory Control and Data Acquisition) platforms (62% operate systems over ten years old), while 47% lack dedicated IT security staff. Fragmented cyber maturity and wide disparities in preparedness increase risk, especially for small utilities.

Details

During Phase 1, CRI designated a Cyber Leader in each utility and provided training through Cyber Coaches. Training covered multifactor authentication, software updates, incident response, and asset management. Utilities receiving coaching achieved a 72% completion rate, compared to 11% and 41% in two self-guided groups. Staffing shortages were a key limitation, with Cyber Leaders citing limited time due to operational demands. Phase 2 will adapt the program's structure, reordering modules to improve engagement, and broaden participation through networks such as the National Rural Water Association.

Participating utilities implemented standardized asset inventories, unified patch management, ICS monitoring, and segmentation controls. One utility introduced an ICS security monitoring solution costing around USD 150,000 plus annual maintenance of 15-20%, and gained improved visibility into device behavior and better threat detection.

The regulatory landscape is evolving. EPA guidance and the U.S. Infrastructure Investment and Jobs Act established new funding streams and cybersecurity requirements. However, sector-wide fragmentation and divergent OT modernization strategies continue to challenge consistent improvement.

Outlook

With Phase 2 underway, water utilities may advance toward unified cybersecurity standards supported by shared frameworks and consistent training. Those adopting coaching, asset management, and regulatory-compliant practices could accelerate progress from isolated pilots to scalable, resilient OT security.