
Pilot Program to Boost Water Utility Cybersecurity Falls Short

The tens of thousands of at-risk water utilities across this country are still out there — now slightly more aware of how exposed they are, which isn’t exactly progress.

In 2023, the Cyber Readiness Institute and the Foundation for Defense of Democracies launched "Resiliency for Water Utilities" — a two-year pilot, backed by Microsoft, to help small- and mid-sized drinking water and wastewater utilities improve their cybersecurity defense and response capabilities. No doubt a great cause, and its pitch is straightforward: direct CRI's free cybersecurity training and coaching to one of the most vulnerable and under-resourced sectors of American critical infrastructure, and see how many water utilities can become adequately secure. Phase 1 targeted roughly 50 utilities. Phase 2 would reach 150 more.

The final tally: 113 enrolled and only 43 completed the program.

Impressive Backers, Modest Roots

To understand what the pilot was — and wasn't — one needs to understand where CRI came from. The institute launched in 2017, born out of the Obama administration's Commission on Enhancing National Cybersecurity, which had called explicitly for new public-private efforts to help small and medium-sized organizations improve their cyber hygiene. Commission veterans and private-sector heavyweights dutifully obliged, founding CRI with support from Microsoft, Mastercard, and the Center for Global Enterprise. Apple eventually joined as co-chair.

The board reads like a Davos attendee list: former NSA chief Keith Alexander, former National Security Adviser Tom Donilon, (former) Mastercard CEO Ajay Banga. Impressive names. Strikingly few people, zero that I can discern, who've ever worked hands-on to secure SCADA systems at a small or rural water plant.

Initially, CRI built a sector-agnostic program around four foundational pillars—strong authentication, secure devices, phishing awareness, and incident response—and packaged it as free online training for small businesses. Solid, respectable, and … generic. When the institute turned toward water utilities six years later, that same curriculum came along for the ride, with OT and sector expertise bolted on via FDD, CISA regional offices, the EPA, and water associations like the National Rural Water Association.

A Rounding Error

Set 43 completions against reality: the EPA counts more than 148,000 public water systems in the United States, over 97 percent serving fewer than 10,000 people. There are around 16,000 municipal wastewater facilities. Against those numbers, 43 completions is a rounding error.

To be fair, CRI’s interim reporting is candid about the steep drop-off from "interested" to "finished," and about why it happens: chronic staffing shortages, no dedicated cybersecurity budget, aging infrastructure, and operators already buried under regulatory demands who have no bandwidth for optional e-learning modules.

But here's the thing: pilots with a dedicated human coach see completion rates around 70 percent. Self-service delivery struggles to break 40, sometimes cratering into the low double digits. You cannot meaningfully improve critical infrastructure security at scale with online training and downloadable templates. What works? Coaches on the ground, doing hard, site-specific implementation work. That is precisely what a budget- and volunteer-light nonprofit partnership cannot sustain.

Boardroom DNA, Plant Floor Problems

The structural mismatch runs deeper than funding. CRI's founders come from national security, big tech, global finance, and corporate governance. Even Keith Alexander, whose NSA and Cyber Command credentials are genuine, built his career in global signals intelligence—not in keeping water treatment facilities secure, funded, patched, and segmented.

That pedigree shows in the product. CRI's core curriculum is SMB cyber hygiene with a water sector logo bolted on. The actual operational technology expertise—SCADA topology, remote telemetry, vendor access vulnerabilities, the specific nightmare of patching aging control systems—has to be imported from outside. The result is a hybrid: generic small-business content plus some OT awareness, held together by human coaching. Utilities that finish the program report better threat awareness, cleaner password policies, and actual incident response plans. That's not nothing. It's also not "securing a wastewater plant."

The Template for Not Solving Problems: What Actually Works

What’s frustrating is that everyone involved knows what a serious program would require. CRI's own recommendations say so: funded technical assistance teams who work beside utilities, not just advise them remotely. Sustained state and federal grants earmarked for real infrastructure upgrades. Delivery through water sector associations, which demonstrably drive better completion rates. Integration with operator certification and regulatory frameworks so security isn't perpetually treated as optional homework.

New York, to its credit, has moved in this direction—offering utilities tens of thousands of dollars for hands-on assessments and implementation support. That's what meaningful commitment looks like. It costs real money and doesn't fit neatly into a press release as "43 utilities strengthened."

Of course, not every state is as well-resourced as New York. But New York’s answer isn't the only option: it's just proof that political will, not resources alone, is the limiting factor. States with less money can still convene industry, activate associations, and build volunteer frameworks. The absence of that effort across most of the country isn't a capacity problem. It's a priority problem.

What’s Needed To Plug Holes In Water Utility Security

First, real money: sustained state and federal grants earmarked specifically for cybersecurity assessments and infrastructure upgrades, not awareness campaigns. New York's program, which offers utilities tens of thousands of dollars for hands-on assessments and implementation support, is the model. That's meaningful commitment.

Second, people on the ground. Funded technical assistance teams who work beside utilities to inventory assets, harden remote access, segment networks, and deploy monitoring on aging OT and IT infrastructure. Not coaches advising remotely between Zoom calls. CRI's own completion data makes the case: where a dedicated human being shows up and does the work alongside a utility's staff, things get done. Where they don't, they typically don't.

Third, delivery through the right channels. Utilities recruited via water sector associations were far more likely to complete the program than those reached through other means. Any serious successor to this pilot builds the water associations into the program's spine, not the periphery.

Fourth, stop treating security as extra credit. Tying cyber training and practice to operator certification, safety programs, and existing regulatory frameworks is the only way to ensure it isn't perpetually crowded out by the day job. Groups like AWWA and WaterISAC already publish water-specific cybersecurity frameworks. The infrastructure for a real program exists. What's missing is the will to fund and mandate it.

A decade after a presidential commission warned that small organizations are the critical weak links in national cyber defense, the flagship initiative in one of our most vulnerable sectors has helped a few dozen plants write some policies.

The tens of thousands of at-risk water utilities across this country are still out there — now slightly more aware of how exposed they are, which isn’t exactly progress.
