Cybersecurity Fundamentals for Water and Wastewater Utilities

Created: Tuesday, April 2, 2024 - 10:00
Cybersecurity, Security Preparedness


On March 28, 2024, WaterISAC unveiled the first three Fundamentals as part of an ongoing update to its acclaimed Cybersecurity Fundamentals for Water and Wastewater Utilities series. The current version, 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, is being replaced by the 12 Cybersecurity Fundamentals for Water and Wastewater Utilities. WaterISAC is excited to bring this refresh, which represents a concerted effort to provide the sector with the most up-to-date guidance.

Why the change? A desire to make it a little more manageable, but still touch on key fundamentals that water and wastewater utilities should consider addressing.

What changed to get us from 15 to 12? A few things were combined, most notably:

  • The Tackle Insider Threats section was merged with the fundamental on building a cyber secure culture (this quarter’s release).
  • Address All Smart Devices (IIoT, IoT, Mobile, etc.) was consolidated with the fundamental on asset management (which will be released next quarter, in June 2024).
  • Among other things, given AWIA requirements, it was decided that Assess Risks (risk assessments) is an “assumption,” and as such it will be discussed in the introduction.

What other changes?

Note: the current 2019 version of WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities will remain on the website until the end of the year, so there will be a full set available until all 12 refreshed ones have been released.


Water and wastewater utilities provide critical lifeline services to their communities and their regions. Supporting these vitally important functions requires secure information technology (IT) and operational technology (OT), yet our sector’s IT and OT networks continue to face an onslaught of threats from cyber criminals, nation states and others.

To support members and the wider sector in its cybersecurity goals, and in response to continually evolving threats, WaterISAC published 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. The original guide, first published in 2012, has been downloaded thousands of times.

The guide contains dozens of best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems. Each recommendation is accompanied by links to corresponding technical resources, giving you the information and tools you need to take a deep dive into this acutely important issue.

The guide will also be helpful to utilities preparing risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA. The 15 fundamentals will also be especially useful for informing emergency response plans, because AWIA requires those plans to address mitigation and resilience options.

The 15 fundamentals are: 

  1. Perform Asset Inventories
  2. Assess Risks
  3. Minimize Control System Exposure
  4. Enforce User Access Controls
  5. Safeguard from Unauthorized Physical Access
  6. Install Independent Cyber-Physical Safety Systems
  7. Embrace Vulnerability Management
  8. Create a Cybersecurity Culture
  9. Develop and Enforce Cybersecurity Policies and Procedures
  10. Implement Threat Detection and Monitoring
  11. Plan for Incidents, Emergencies, and Disasters
  12. Tackle Insider Threats
  13. Secure the Supply Chain
  14. Address All Smart Devices (IoT, IIoT, Mobile, etc.)
  15. Participate in Information Sharing and Collaboration Communities

Download the guide below.