NIST proposes project to improve cybersecurity at water utilities

Run by the National Cybersecurity Center of Excellence, the project aims to develop a reference architecture for the sector.

The National Institute of Standards and Technology wants feedback on a proposed project that would pilot solutions to common cybersecurity risks faced by water and wastewater plants.

Run out of the National Cybersecurity Center of Excellence, the project would profile commercially available asset management, data integrity, remote access and network segmentation solutions to develop a reference architecture for the sector.

The pilot would respond to concerns heightened last year after a hacker remotely accessed a computer at a water treatment plant in Oldsmar, Florida, and attempted to increase the lye in the water supply to dangerous levels. Although it was thwarted, the attack was a wake-up call for government and the water and wastewater systems (WWS) sector, and it has the NCCoE looking to secure the data-enabled capabilities that utilities increasingly use to improve their service.

“There is apparent general consensus from WWS stakeholders that additional cybersecurity implementation references are needed to assist in the protection of its critical infrastructure,” reads the project description, which is open for public comment until Dec. 19. “The advancement of network-based approaches, together with an ongoing increase in cyber threats, merit the need for sector-wide improvements in cybersecurity protections.”


The NCCoE will create a pilot-lab environment for a case study with the goal of producing a NIST Cybersecurity Practice Guide with detailed steps for implementing the reference architecture developed. Ideally the guide will serve as a “starting point” for utilities in securing their production environments, according to the white paper.

WWS utilities increasingly rely on automation, sensors, data collection, network devices and analytics software, which increases the threat of a cyberattack. What’s more, their piped distribution infrastructure typically spans a large geographic area, with operational technology (OT) likely reliant on supervisory control and data acquisition (SCADA) systems for real-time sensor data transmission.

Industrial Internet of Things devices and platforms, like cloud-based SCADA and smart monitoring, further narrow the gap between OT and IT and increase utilities’ cyber risk.

While the project will focus on municipal-scale utilities, NIST wants to hear from as many WWS utilities as possible.

“In our efforts to ensure our guidance can benefit the broadest audience, the NCCOE is especially interested in hearing from water utilities of all sizes: small, medium and large,” reads the announcement.
