Cybersecurity Fundamentals for Water and Wastewater Utilities

TLP:CLEAR
Created: Thursday, December 19, 2024 - 07:15
Categories:
Cybersecurity, OT-ICS Security, Security Preparedness

UPDATE - May 2025

WaterISAC is excited to announce the release of the consolidated 12 Cybersecurity Fundamentals for Water and Wastewater Utilities, which were updated in 2024. This update consolidates all 12 fundamentals into one whole document for our members’ convenience. WaterISAC is proud to bring this refresh to its members as part of a concerted effort to provide the water and wastewater sector with the most up-to-date guidance. 

Access this archived summary for the updates that occurred in 2024 as the updated Fundamentals were being released, and to access the previous 15 Fundamentals guide.

*Please see below for the full product

BACKGROUND ABOUT THE CYBERSECURITY FUNDAMENTALS FOR WATER AND WASTEWATER UTILITIES

Water and wastewater utilities provide critical lifeline services to their communities and their regions. Supporting these vitally important functions requires secure information technology (IT) and operational technology (OT), yet our sector’s IT and OT networks continue to face an onslaught of threats from cyber criminals, nation states and others.

To support members and the wider sector in its cybersecurity goals, and in response to continually evolving threats, WaterISAC published 15 Cybersecurity Fundamentals for Water and Wastewater Utilities in 2019. The original guide, first published in 2012, has been downloaded thousands of times.

The guide contains dozens of best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems. Each recommendation is accompanied by links to corresponding technical resources, giving you the information and tools you need to take a deep dive into this acutely important issue.

The guide will also be helpful to utilities preparing risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA. The 15 fundamentals will also be especially useful for informing emergency response plans, because AWIA requires those plans to address mitigation and resilience options.

The original 15 fundamentals included: 

  1. Perform Asset Inventories
  2. Assess Risks
  3. Minimize Control System Exposure
  4. Enforce User Access Controls
  5. Safeguard from Unauthorized Physical Access
  6. Install Independent Cyber-Physical Safety Systems
  7. Embrace Vulnerability Management
  8. Create a Cybersecurity Culture
  9. Develop and Enforce Cybersecurity Policies and Procedures
  10. Implement Threat Detection and Monitoring
  11. Plan for Incidents, Emergencies, and Disasters
  12. Tackle Insider Threats
  13. Secure the Supply Chain
  14. Address All Smart Devices (IoT, IIoT, Mobile, etc.)
  15. Participate in Information Sharing and Collaboration Communities

Download the guide below.