IndustrialCyber

CRI pilot reveals water utilities show strong interest in improving cybersecurity but face persistent gaps in execution


The Cyber Readiness Institute (CRI), in partnership with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies and with sponsorship from Microsoft, launched a pilot to test whether accessible, behavior-focused cybersecurity training could measurably improve cyber readiness among water and wastewater utilities. Intended to help close the sector's cybersecurity gap, the pilot sought to engage up to 200 small and medium-sized utilities over two years.

Titled ‘Water Utilities Need Cyber Support: Lessons from the Cyber Readiness Institute’s Pilot Project,’ the report highlights a widening gap between awareness and execution, with strong interest in improving cybersecurity but limited ability to follow through. While more than 90% of participating utilities reported improved understanding of cybersecurity fundamentals and a willingness to act, only 43 of 113 interested utilities completed the program, largely due to staffing shortages, funding gaps, and lack of implementation support. The results point to a structural challenge, where training alone is insufficient without hands-on assistance, sustained investment, and operational integration to translate awareness into measurable resilience. 

“Strengthening the cybersecurity of the nation’s water sector requires shifting from information distribution to capacity building — embedding hands-on assistance, aligning cybersecurity with existing operator requirements, and leveraging trusted sector associations to scale participation,” the CRI pilot added. “These approaches will help ensure utilities not only learn foundational cybersecurity practices but are fully equipped to implement and sustain them, translating training into tangible improvements in operational resilience.” 

Cyberattacks targeting water and wastewater utilities are increasing in frequency and severity, exposing systemic weaknesses across a sector heavily reliant on aging infrastructure, limited cybersecurity staffing, and, in some cases, internet-exposed control systems, the report found. Even large, well-resourced providers have faced operational disruption, while smaller utilities, which make up more than 97% of public water systems and often serve fewer than 10,000 customers, face far greater risk due to constrained resources and limited incident response capacity.

The CRI pilot leveraged CRI’s existing, free Cyber Readiness Program, a self-paced program that presents fundamental cybersecurity concepts and focuses on the human behavior aspect of security. The Program aims to provide information at a level that can be understood by individuals with or without a cybersecurity background. To recruit participants, CRI and CCTI briefed water sector organizations, federal and state government partners, and state and local government associations. 

The report noted that CRI and CCTI experts spoke at conferences and webinars, and that CRI placed phone calls to more than 1,100 utilities. Enthusiasm and interest were high among these audiences. Several utilities participating in the pilot cited growing concerns about ransomware and other disruptive cyber threats as their motivation for enrolling, even if they had not previously experienced an incident.

Ultimately, the CRI pilot confirmed the need for cybersecurity training and the recognition among water utilities of the importance of improving their resilience against cyber threats. The discrepancy between the high level of interest and the lower completion rates, however, raises concerns about the capacity of the sector, particularly of the small and medium-sized members, to address cybersecurity gaps without more significant financial and technical support. 

The report argues that policymakers, sector associations, and private organizations should recognize that free resources alone are not enough to strengthen cybersecurity readiness and must be complemented with hands-on technical assistance to support real-world implementation. Future programs should also integrate cybersecurity training into operator licensing and continuing education requirements, while leveraging water sector associations to drive broader participation and sustained cybersecurity improvements across the sector.

To support water utilities as they completed the Program, CRI also provided free Certified Cyber Coaches. The coaches met regularly with the utility’s designated ‘Cyber Leader,’ the individual within an organization accountable for its cybersecurity decisions and for promoting cybersecurity awareness among the organization’s employees. The Program is designed to help the Cyber Leader develop and implement cyber readiness policies and incident response procedures by providing one-on-one support. 

The Cyber Readiness Program’s modules educate the Cyber Leader on the ‘Core Four,’ including strong passwords and multifactor authentication, software update management, phishing awareness, and secure file storage and sharing. The Program also explains how to develop a business continuity plan. The ‘Cyber Readiness Playbook,’ a set of cybersecurity and incident response policies that the Cyber Leader completes as part of the Program, contains worksheets on asset management, cybersecurity policy and incident response templates, and additional employee training resources. 

Although the CRI pilot initially targeted small and medium-sized utilities, it engaged a balanced mix of small, medium, and large systems, most of them drinking water or combined water and wastewater providers. Participants consistently highlighted the value of the Cyber Readiness Program, particularly its structured, practical approach and incident response playbook, which helped them prepare for increasingly likely threats such as ransomware. More than 90% of surveyed participants reported improved understanding of cybersecurity fundamentals and said they were likely to take action, with many identifying previously unrecognized gaps such as missing continuity plans, weak password policies, and inconsistent staff training.

Despite strong interest, completion rates remained low, underscoring a gap between awareness and execution. Of 113 utilities that expressed interest, only 43 completed the program, with significantly higher success rates among those supported by a Cyber Coach. Capacity constraints, including limited staffing, funding, and implementation guidance, were the primary barriers, with some utilities operating with minimal personnel or relying entirely on third-party IT support. While participants were willing to improve cybersecurity, the findings highlight that without sustained support, structural limitations will continue to hinder meaningful progress.

Among the 57 respondents who completed the feedback survey, over 90% agreed that they better understood cybersecurity basics, and a similar proportion reported they were likely to take action to improve their utilities’ cybersecurity posture based on the training. Participants highlighted the value of the ‘Core Four,’ the password guidance, and the Playbook’s worksheets and incident response plan in particular, as helpful for understanding how to prepare for and respond to ransomware and other disruptive cyber incidents. Several noted that the Program helped them identify gaps in their cybersecurity posture that they had not documented, including missing business continuity plans, outdated password policies, or inconsistent staff awareness training.

The CRI pilot revealed a consistent pattern, as water utilities understand the importance of cybersecurity but lack the capacity to implement improvements. Improving cybersecurity in the water sector, therefore, requires targeted support that addresses operational constraints, not just awareness or training. The following recommendations are based on insights from the pilot into what federal and state policymakers, sector associations, and private organizations can do to strengthen cybersecurity readiness nationwide. 

Among the report's recommendations is recognizing that 'free' is not enough. Federal agencies such as the EPA and CISA provide advisories, alerts, and technical guidance, including the EPA's October 2025 water sector cybersecurity procurement checklist. However, many utilities struggle to navigate scattered guidance, link it to daily operations, or allocate staff time for training. Survey responses reveal a gap between what free programs offer and what utilities need in order to strengthen their cybersecurity.

It noted that while programs like the Cyber Readiness Program improve basic understanding, obstacles such as insufficient security personnel and funding prevent utilities from fully using no-cost resources. Some utilities outsource most IT functions or lack the internal capacity to implement the provided templates. Federal and state programs cannot rely solely on free tools and checklists; CISA’s increased dependence on its own no-cost services and reduced funding for hands-on support organizations risks worsening these limitations.

The report also urged expansion of hands-on technical assistance to support implementation. Policymakers should fund programs that provide capacity building, not just content. Embedding cybersecurity coaches, regional support teams, and technical experts who can assist with configuration will improve the implementation of cybersecurity best practices. Free offerings should be paired with personalized support that helps utilities apply guidance, complete policies, and adopt foundational controls. Without this shift, the utilities most willing to improve will remain the least able to act, and the sector's cybersecurity posture will continue to lag despite the widespread availability of no-cost resources.

Clearly, the support should go beyond training materials and include direct assistance with configuring systems, drafting policies, and operationalizing incident response playbooks. 

Apart from cybersecurity grants, federal and state agencies could fund dedicated implementation teams or regional cybersecurity coaches who pair with utilities to adapt materials to their specific operational environment. Incorporating cybersecurity assistance into the National Rural Water Association’s (NRWA) existing Circuit Rider Program likely would provide the scale and existing local relationships necessary to get hands-on cybersecurity assistance to utilities quickly.

The report further called for including cybersecurity training in operator licensing and continuing education requirements. "One of the clearest findings from the pilot is that incentives matter. Regulators often require operators to earn periodic continuing education credits or units to maintain state licenses. Credits are typically earned through approved courses, programs, and industry conferences on treatment processes, quality, and safety that meet state-specific guidelines."

Because operators are already required to complete continuing education hours, aligning cybersecurity training with existing workforce requirements offers a powerful, low-burden, non-regulatory incentive. This approach allows states to strengthen sector cybersecurity without imposing new mandates, instead leveraging existing professional development pathways.

Finally, the report called for empowering water sector associations to lead and drive cybersecurity improvements. The pilot demonstrated that outreach partners played a critical role in generating participation. Utilities that heard about the Program and joined because of recruitment by industry and state associations showed high completion rates, whereas direct outreach from CRI to utilities yielded little engagement: calling more than 1,100 utilities produced only 161 interest forms and only a handful of utilities starting the Program. In contrast, association-driven outreach accounted for the majority of utilities that not only enrolled but also completed the Program.

Over half of the association-recruited entities completed the Program, compared with only about a third of those recruited through other means. Feedback survey responses reinforce this dynamic: utilities that already had some policies, vendor support, or training in place still chose to participate when they heard about the Program through a trusted association, indicating that utilities depend on sector intermediaries to filter, validate, and prioritize which cybersecurity efforts are worth their limited time.

To increase participation in existing programs and to improve cybersecurity, particularly of smaller utilities, federal and state agencies must partner with sector associations that are already viewed as trusted sources of information. These associations, in turn, can integrate cybersecurity into routine association trainings, conferences, and certifications. This will likely be the most effective channel for scaling voluntary cybersecurity programs. 

In conclusion, the report found that the pilot demonstrated that no-cost, accessible cybersecurity training can improve awareness and readiness across water and wastewater utilities, but only when paired with the support structures that enable real implementation. As real-world cyber threats targeting water and wastewater systems continue to grow, utilities are increasingly seeking practical and actionable ways to prepare. Small and medium-sized systems showed strong willingness to participate, yet the survey findings underscore that willingness alone cannot overcome chronic staffing, funding, and operational constraints.

Earlier this month, Kathy Hochul, New York’s governor, announced cybersecurity regulations for drinking water and wastewater systems, alongside a US$2.5 million grant program designed to help communities strengthen cyber defenses for critical water infrastructure. The Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements grant program, administered by the New York State Environmental Facilities Corporation, provides funding of up to $50,000 for cybersecurity assessments and up to $100,000 for utilities to implement cybersecurity upgrades. These grants are meant for system improvements to help utilities strengthen defenses against increasingly sophisticated cyber threats.
