(TLP:CLEAR) WaterISAC’s Cybersecurity Fundamentals for Water and Wastewater Utilities: Small Systems Guidance Compendium
Created: Friday, October 3, 2025 - 15:13
Categories: Cybersecurity
Summary: The 12 Cybersecurity Fundamentals for Water and Wastewater Utilities was completed in December 2024 and published under a single cover in May 2025. This special edition compendium specifically incorporates the Small Systems Guidance from the 12 Cybersecurity Fundamentals for Water and Wastewater Utilities.
Intended audience. Small/rural/less cyber-mature water and wastewater utilities.
Why the separate compendium? A desire to make the guidance a little more manageable but still touch on key cybersecurity fundamentals that smaller water and wastewater utilities should consider addressing.
How many fundamentals for small systems? Small Systems Guidance was incorporated into eight of the twelve fundamentals, which are listed below:
1 | Plan for Incidents, Emergencies, and Disasters
2 | Minimize Control System Exposure
3 | Create a Cyber Secure Culture and Protect from Insider Risks
4 | Implement System Monitoring for Threat Detection and Alerting
5 | Account for Critical Assets
6 | Enforce Access Controls
7 | Embrace Risk-Based Vulnerability Management
8 | Secure the Supply Chain
What’s consistent across the 12 Cybersecurity Fundamentals and Small Systems Compendium? There are many references to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and the Five ICS Cybersecurity Critical Controls within the eight sections.
Special Notes.
- Sharing cybersecurity guidance with service providers. We recognize that many small/rural utilities outsource technology and systems integration services. As such, it is practical to consult with those providers on cybersecurity practices to help protect your OT and IT networks. It may be helpful to share this compendium and the larger 12 Cybersecurity Fundamentals for Water and Wastewater Utilities guide with them.
- Receive a call about an incident at your utility? There may be an instance when you receive a call from someone with information about a cyber incident at your utility. Unless you know this person, it is important not to divulge any information to them – regardless of who they say they’re with – CISA, FBI, EPA, even WaterISAC. However, do not ignore them. Rather, record all the information they provide and then immediately contact someone you trust to help you get to the bottom of the issue. That someone you trust could be your NRWA Circuit Rider, local law enforcement, or one of your neighboring utilities.
- National Rural Water Association (NRWA). If you belong to NRWA or any of its state associations, your utility may qualify for free WaterISAC membership as part of your NRWA benefits. Contact us to find out or sign up!
Thank you for accessing WaterISAC’s Cybersecurity Fundamentals for Water and Wastewater Utilities | Small Systems Guidance Compendium. We hope you appreciate the thoughtful compendium. Please let us know what you think!
Related WaterISAC PIRs: 6-12