Free cybersecurity training can help water and wastewater utilities protect themselves against hackers, but only when paired with hands-on assistance and incentives for employees to build cybersecurity skills, Microsoft said in a report published on Thursday.
The report — a summary of a 2023-2025 cybersecurity assistance pilot program that Microsoft ran in partnership with the Cyber Readiness Institute (CRI) and the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation (CCTI) — contains several recommendations for how the federal government and water industry associations can support utility operators as they harden their defenses.
“Strengthening the cybersecurity of the nation’s water sector requires shifting from information distribution to capacity building — embedding hands-on assistance, aligning cybersecurity with existing operator requirements, and leveraging trusted sector associations to scale participation,” the report said.
Microsoft sought to recruit 200 small and medium-sized utilities to complete CRI’s free Cyber Readiness Program, which teaches organizations basic concepts and emphasizes the importance of strong authentication technologies, regular software updates, phishing awareness and secure file storage. Participating organizations complete a series of asset-management worksheets, incident-response templates and other documents meant to put their new knowledge into practice.
As part of the pilot program, CRI provided utilities with free cyber coaches, who met regularly with utilities’ designated cyber leaders and helped them establish a culture of cybersecurity inside their organizations.
“Enthusiasm and interest [in the program] were high,” Microsoft said, following outreach by CRI and CCTI employees at conferences, on webinars and in phone calls to more than 1,000 utilities. Many utilities said the program appealed to them because they were worried about ransomware attacks.
But the way the program unfolded reflected persistent challenges facing the water community and other critical infrastructure sectors composed largely of small, underfunded organizations.
High dropout rate
Of the 113 utilities that formally expressed interest in the program, 72 joined, and only 43 completed it. Utilities were far more likely to complete the program if they accepted help in doing so — 77% of utilities with cyber coaches finished the program, compared with only 23% of “self-paced” utilities.
Microsoft said the high dropout rate “raises concerns about the capacity of the sector — particularly of the small and medium-size members — to address cybersecurity gaps without more significant financial and technical support.”
Utilities that dropped out of the program didn’t say why they did so, but in feedback surveys, participants that completed the work said they struggled with “limited staff time and capacity,” according to Microsoft.
Big help for those who stuck it out
The 72 participating utilities, drawn from 27 states and territories, overwhelmingly praised the program.
More than 90% of the 57 utilities that submitted feedback said they better understood the basics of cybersecurity, according to Microsoft, and “a similar proportion reported they were likely to take action to improve their utilities’ cybersecurity posture based on the training.”
Utilities said they especially appreciated learning about the importance of developing and testing incident response plans. Several said the program “helped them identify gaps in their cybersecurity posture they had not documented,” including obsolete password rules and spotty staff training.
One of the requirements for completing the program was that utilities had to attest to having trained their workers in cybersecurity basics. Microsoft said the program ended up training 551 employees nationwide.
“Despite lower completion rates, participation in the Resiliency for Water Utilities Pilot is encouraging, demonstrating that when effective assistance is provided, utilities were ready, willing, and able to make the necessary time and effort to work toward securing their utilities,” Jennifer Lyn Walker, director of infrastructure cyber defense at the Water Information Sharing and Analysis Center, said in a comment included in the report.
Plea for more federal aid
Given how the program unfolded, Microsoft said, policymakers should “recognize that ‘free’ is not enough” and “invest in hands-on technical assistance models” to help utilities — especially small ones — adopt the necessary defenses.
“Federal and state cybersecurity programs therefore must move beyond the assumption that no-cost tools, checklists, and voluntary offerings are sufficient for improving sector-wide cybersecurity,” the company said.
Microsoft criticized the Trump administration for scaling back CISA’s support to critical infrastructure organizations, saying the agency’s “recent decision to rely even more heavily on its own free services and cut funding to organizations like the Multi-State Information Sharing and Analysis Center and other associations that provide hands-on assistance will only exacerbate the practical constraints highlighted by the survey.”
Understaffed utilities acutely need hands-on support, said Kevin Morley, senior manager for federal relations at the American Water Works Association, an industry trade group.
“Smaller systems are typically the most resource-stressed and benefit most from direct assistance to support implementation of various controls,” Morley told Cybersecurity Dive. He said this kind of implementation help is particularly important for “entities with legacy technology where the transition is especially complex when it comes to operational technology.”
Microsoft also encouraged states to require utility operators to undergo cybersecurity training in order to maintain their certifications.
“Because operators are already required to complete continuing education hours,” the report said, “aligning cybersecurity training with existing workforce requirements offers a powerful, low-burden, nonregulatory incentive.”