UPDATE - MARCH 2024

On March 28, 2024, WaterISAC unveiled the first three Fundamentals as part of an ongoing update to its acclaimed Cybersecurity Fundamentals for Water and Wastewater Utilities series. The current version, 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, is being replaced by the 12 Cybersecurity Fundamentals for Wastewater and Wastewater Utilities. WaterISAC is excited to bring this refresh, which represents a concerted effort to provide the sector with the most up-to-date guidance.

Why the change? A desire to make it a little more manageable, but still touch on key fundamentals that water and wastewater utilities should consider addressing.

What changed to get us from 15 to 12? A few things were combined, most notably:

• Tackle Insider Threats section was appropriately merged with building a cyber secure culture (this quarters’ release).
• Address All Smart Devices (IIoT, IoT, Mobile, etc.) was consolidated with the fundamental on asset management (which will be released next quarter in June 2024).
• Among other things, given AWIA requirements it was decided that Assess Risks (risk assessments) is an “assumption” and as such there will be a discussion in the introduction.

What other changes?

• To keep the Fundamentals practical, especially for smaller systems to address, they will be released in small manageable chunks - three per quarter (in March, June, September, and December).
• One of the most significant updates to this version is extensive incorporation throughout each section of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and references to The Five ICS Cybersecurity Critical Controls.

Note: the current 2019 version of WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities will remain on the website until the end of the year, so there will be a full set available until all 12 refreshed ones have been released.

BACKGROUND ABOUT THE CYBERSECURITY FUNDAMENTALS FOR WATER AND WASTEWATER UTILITIES

Water and wastewater utilities provide critical lifeline services to their communities and their regions. Supporting these vitally important functions requires secure information technology (IT) and operational technology (OT), yet our sector’s IT and OT networks continue to face an onslaught of threats from cyber criminals, nation states and others.

To support members and the wider sector in its cybersecurity goals, and in response to continually evolving threats, WaterISAC published 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. The original guide, first published in 2012, has been downloaded thousands of times.

The guide contains dozens of best practices, grouped into 15 main categories, that water and wastewater systems can implement to reduce security risks to their IT and OT systems. Each recommendation is accompanied by links to corresponding technical resources, giving you the information and tools you need to take a dive deep into this acutely important issue.

The guide will also be helpful to utilities preparing risk and resilience assessments required by America’s Water Infrastructure Act, or AWIA. The 15 fundamentals will also be especially useful for informing emergency response plans, because AWIA requires those plans to address mitigation and resilience options.

The 15 fundamentals are: 

1. Perform Asset Inventories
2. Assess Risks
3. Minimize Control System Exposure
4. Enforce User Access Controls
5. Safeguard from Unauthorized Physical Access
6. Install Independent Cyber-Physical Safety Systems
7. Embrace Vulnerability Management
8. Create a Cybersecurity Culture
9. Develop and Enforce Cybersecurity Policies and Procedures
10. Implement Threat Detection and Monitoring
11. Plan for Incidents, Emergencies, and Disasters
12. Tackle Insider Threats
13. Secure the Supply Chain
14. Address All Smart Devices (IoT, IIoT, Mobile, etc.)
15. Participate in Information Sharing and Collaboration Communities

Download the guide below.