Aligned to CISA Cybersecurity Performance Goals 2.0 (CPG 2.0)
For IT Directors managing water and wastewater systems
OT environments carry unique risk. These steps help you build a defensible, resilient security posture — one measurable action at a time, aligned to CISA CPG requirements water utilities should prioritize.
STEP 01
Map and inventory every OT and IT asset
You cannot protect what you cannot see. Catalog PLCs, RTUs, HMIs, SCADA servers, historians, and any device with a network connection — including legacy hardware.
CPG 2.0 — 1.A Asset Inventory
STEP 02
Separate your OT network from IT
Network segmentation limits the blast radius of any breach. A compromised workstation should never have a direct path to your control systems or treatment plant operations.
CPG 2.0 — 2.F Network Segmentation
STEP 03
Enforce MFA on every remote access point
Remote access to OT systems is one of the most common attack vectors. Multi-factor authentication on every VPN, RDP session, and vendor portal is non-negotiable.
CPG 2.0 — 2.H Multi-Factor Authentication
STEP 04
Know who has access — and revoke what isn't needed
Conduct a full access review of your OT environment. Third-party vendors, former employees, and shared credentials are common blind spots. Least privilege is the standard.
CPG 2.0 — 2.E Least Privilege Access
STEP 05
Establish baseline monitoring for OT traffic
OT protocols like Modbus and DNP3 don't behave like IT traffic. Passive OT monitoring tools can detect anomalies without disrupting operations — giving you visibility without risk.
CPG 2.0 — 4.A Network Monitoring
STEP 06
Document and test your incident response plan
A response plan that lives in a drawer isn't a plan. Define roles, escalation paths, and communication protocols for a cyber incident — and test them before you need them.
CPG 2.0 — 5.A Incident Response Plan
STEP 07
Validate your AWIA risk and resilience posture
AWIA requires water systems to assess risk and certify resilience to EPA. CISA CPG is increasingly the benchmark regulators expect. Completing steps 1–6 puts you ahead of the curve.
