
Cybersecurity for municipal utilities refers to the combination of technical controls, operational procedures, and regulatory compliance measures that protect water, electric, and gas utility systems from cyberattacks, ransomware, and unauthorized access, covering both the software platforms that manage billing and customer accounts and the operational technology that controls physical infrastructure.
For years, cybersecurity in the water sector was largely voluntary. That is changing. The America's Water Infrastructure Act (AWIA) of 2018 requires community water systems serving more than 3,300 people to assess cyber risk alongside physical risk and to certify that assessment to EPA. In March 2023 EPA went further with an interpretive memorandum directing state primacy agencies to evaluate cybersecurity during sanitary surveys; EPA withdrew that memorandum in October 2023 after a court challenge, but state primacy agencies may still include cybersecurity in their own survey programs, and EPA continues to publish a water-sector cybersecurity checklist and assessment tools. Your next sanitary survey, which your state primacy agency conducts on EPA's behalf, may therefore include a direct look at whether your operational technology (SCADA systems, remote monitoring) and your billing and customer information platform meet baseline cybersecurity practices.
Directors who arrive at that review without a documented cybersecurity posture face scrutiny they cannot afford, both regulatory and political. The key federal agency here is CISA (the Cybersecurity and Infrastructure Security Agency), which publishes the Cross-Sector Cybersecurity Performance Goals, water-sector advisories, and free vulnerability scanning for utilities that request it. Membership in WaterISAC gives your utility access to sector threat intelligence that most small and mid-sized systems currently lack.
The assumption that small municipal utilities are too obscure to attract sophisticated attackers is operationally dangerous. Ransomware groups do not select targets by notoriety — they select by vulnerability. Small, under-resourced municipal systems running aging on-premise software with limited IT staff are, by that measure, highly attractive.
The Oldsmar, Florida incident (February 2021) remains the most cited US case: someone used the plant's TeamViewer remote access software to reach an operator workstation and raised the sodium hydroxide setpoint from 100 ppm to 11,100 ppm, a level that would have poisoned the supply for the roughly 15,000 residents served; an operator watching the screen reversed the change within minutes. Later statements by city officials raised the possibility that the change was made by an employee rather than an outside intruder, but the exposure itself, an internet-reachable remote access tool with a password shared among staff on an unsupported Windows 7 workstation, is the lesson either way.
The attack pattern that CISA and WaterISAC consistently document is not sophisticated. Attackers enter through legacy remote access software, default credentials that were never changed after installation, or unpatched on-premise systems that an overstretched IT team has not had bandwidth to update. The entry vector exploits the gap between how long utilities keep aging infrastructure running and how quickly the threat landscape evolves around it.
Compliance obligations differ significantly depending on whether you operate water, electric, or gas infrastructure. The summary below covers the key frameworks and where your utility stands:
The America's Water Infrastructure Act (AWIA) of 2018 is federal legislation requiring community water systems serving more than 3,300 people to conduct a risk and resilience assessment covering both physical security and cybersecurity threats, and to develop an emergency response plan based on that assessment. Assessments must be certified to the EPA on a five-year cycle, with the emergency response plan certified within six months of each assessment; the deadlines are staggered by system size, with the largest systems due first.
EPA's 2023 attempt to fold cybersecurity into sanitary surveys through an interpretive memorandum was withdrawn later that year, so how cybersecurity is evaluated at a survey now depends on your state primacy agency. Directors of water utilities should confirm with that agency exactly what, if anything, will be evaluated at their next scheduled survey, and ensure their utility management software vendor can provide documentation supporting that evaluation.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards are defined as a mandatory set of cybersecurity requirements for bulk electric system operators in North America, enforced by FERC with penalties that can reach up to $1 million per violation per day.
Applicability to municipal electric utilities depends on whether your facilities meet the Bulk Electric System (BES) definition (broadly, transmission elements and generation connected at 100 kV or above, with exclusions for local distribution) and whether you are registered with NERC. Directors of municipal electric utilities should confirm their registration status and functional categories with NERC and their Regional Entity. Regardless of BES classification, CISA's Cross-Sector Cybersecurity Performance Goals apply as a baseline framework.
Municipal gas utilities operating pipeline infrastructure may fall under Transportation Security Administration (TSA) Pipeline Security Directives, which include mandatory cybersecurity incident reporting to CISA, a designated cybersecurity coordinator, and cybersecurity architecture design review obligations. The directives apply to the pipeline owners and operators TSA has designated as critical; confirm with TSA whether your system has been designated before assuming you are outside their scope.
For directors overseeing any combination of these service types, the connection between your software platform and your compliance posture is direct. Your municipal utility management software is both a compliance reporting tool and a potential security liability if it is not maintained and certified to current standards.
CISA and WaterISAC consistently identify the following vulnerability patterns in small and mid-sized municipal utility systems:
1. Legacy OT/IT convergence without network segmentation. When operational technology (SCADA, AMI systems, control networks) is connected to IT networks (billing systems, office networks) without proper segmentation, a breach on the IT side can reach operational controls. Many utilities that integrated digital billing and remote monitoring over the past decade did so without the network architecture expertise to isolate the two environments. (CISA ICS-CERT advisories)
2. Default or unchanged credentials on remote access systems. Remote desktop software, SCADA interfaces, and utility management portals running on factory-default usernames and passwords are among the most common ransomware entry points documented in utility incident reports, and the easiest to find: default credentials for most vendor products are published in the manuals.
3. Unpatched on-premise CIS and billing software. Legacy on-premise customer information systems running outdated software versions — often because upgrading requires extensive vendor coordination and downtime — create known vulnerability windows that threat actors actively scan for. Deferred patching is not an IT inconvenience; it is a documented attack surface.
4. Insufficient access controls and privilege management. Utility staff accounts that retain system access after role changes or departure, and accounts with broad administrative privileges not required for day-to-day tasks, are a persistent internal and external risk. The principle of least privilege is rarely enforced on aging systems.
5. Third-party and vendor access gaps. Utilities that allow vendor and contractor remote access to billing and operational systems through shared credentials or unmonitored sessions create access paths that are difficult to audit and easy to exploit. Any vendor with system access should be required to use unique, logged, time-limited credentials.
A utility director does not need to become a cybersecurity expert. You do need to ensure the right questions are being asked, the right frameworks are in place, and your board can see documented evidence of your utility's security posture. Here is a practical starting point:
1. Complete or commission your AWIA risk and resilience assessment if you have not done so within your current assessment cycle. This is your legal baseline and your operational roadmap.
2. Register with your sector ISAC. WaterISAC (for water utilities) and E-ISAC (for electric utilities) provide real-time threat intelligence calibrated to utility infrastructure. Registration cost is minimal relative to the intelligence value delivered.
3. Conduct a credential audit. Every account with access to your billing platform, SCADA system, and remote monitoring infrastructure should be reviewed quarterly. Dormant accounts should be deactivated. Shared credentials should be eliminated.
4. Document your incident response plan. AWIA requires it. Your board and city council will want it if an incident occurs. CISA's Water and Wastewater Sector Incident Response Guide, published with EPA and the FBI in January 2024, is a free starting point available at cisa.gov.
5. Evaluate your software vendor's security posture, and consider whether your current platform is creating unnecessary risk. Modernizing to a cloud-based utility management platform is no longer the multi-year disruption it once was. Modern implementations now run in 12–24 weeks, removing the 'too disruptive to change' objection that has left many utilities running vulnerable legacy systems longer than is prudent. See the vendor checklist below for exactly what to require from any vendor.
6. Brief your board. Cybersecurity is a governance issue, not just an IT issue. Directors who have documented their security posture and can point to a formal assessment and response plan are in a materially stronger position — operationally and politically — if an incident occurs.
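Step 3 above, the quarterly credential audit, is the one item in this list that can be mechanized. The script below is an added example for this page, not code from the article or from any utility platform. It assumes a hypothetical CSV export of accounts pulled from the billing, SCADA and remote-access systems with the columns shown; real exports differ, and mapping their columns onto these is the part to adapt. The sample rows are constructed. It flags exactly the conditions the list calls out: dormant accounts, shared or generic credentials (including the same password hash reused across accounts), vendor access with no end date or past its end date, and administrative accounts that need a human to confirm they are still required.

```python
"""Quarterly credential audit over a constructed account export.

Added example for this page; it is not code from the article or from any
utility platform. It assumes a hypothetical CSV export of accounts from the
billing, SCADA and remote-access systems with the columns shown below. Real
exports differ, and mapping their columns onto these is the part to adapt.
"""
import csv
import io
from datetime import date

# Constructed sample export (hypothetical accounts, not real utility data).
# expires is blank for permanent accounts; last_login is blank if never used.
SAMPLE_EXPORT = """\
username,system,role,last_login,created,password_hash,owner_type,expires
jsmith,billing,admin,2024-09-02,2019-03-11,h1,staff,
vendor,scada,admin,2024-08-30,2017-06-01,h2,vendor,
vendor,billing,operator,2024-08-30,2017-06-01,h2,vendor,
mjones,scada,operator,2024-01-15,2020-02-20,h3,staff,
rdoe,remote_access,admin,,2021-05-05,h4,staff,
acme_support,remote_access,admin,2024-09-01,2022-10-10,h5,vendor,2024-12-31
oldvendor,scada,operator,2024-06-01,2022-01-01,h7,vendor,2024-06-30
tbrown,billing,clerk,2024-09-03,2023-07-07,h6,staff,
"""

DORMANT_DAYS = 90
# Usernames that signal a shared, non-individual account.
GENERIC_NAMES = {"admin", "administrator", "vendor", "operator", "scada", "root"}


def parse_export(text):
    """Parse the CSV export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, as_of, dormant_days=DORMANT_DAYS):
    """Return findings keyed by category; each value is a sorted list of
    (username, system) pairs so the report is stable and easy to diff
    against last quarter's run."""
    findings = {
        "dormant": [],            # never logged in, or idle past the threshold
        "shared_credential": [],  # generic name, or password hash reused elsewhere
        "vendor_no_expiry": [],   # third-party access with no end date
        "vendor_expired": [],     # third-party access past its end date but still present
        "admin_review": [],       # broad privilege; confirm each is still required
    }
    # The same password hash on two accounts means one secret is shared between them.
    accounts_by_hash = {}
    for r in rows:
        accounts_by_hash.setdefault(r["password_hash"], []).append((r["username"], r["system"]))

    for r in rows:
        key = (r["username"], r["system"])
        last = r["last_login"]
        if not last or (as_of - date.fromisoformat(last)).days > dormant_days:
            findings["dormant"].append(key)
        if r["username"].lower() in GENERIC_NAMES or len(accounts_by_hash[r["password_hash"]]) > 1:
            findings["shared_credential"].append(key)
        if r["owner_type"] == "vendor":
            if not r["expires"]:
                findings["vendor_no_expiry"].append(key)
            elif date.fromisoformat(r["expires"]) < as_of:
                findings["vendor_expired"].append(key)
        if r["role"] == "admin":
            findings["admin_review"].append(key)
    return {k: sorted(v) for k, v in findings.items()}


def run_sample(as_of=date(2024, 9, 4)):
    """Audit the constructed export as of a fixed date so results are reproducible."""
    return audit(parse_export(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    for category, accounts in run_sample().items():
        print(f"{category}:")
        for username, system in accounts:
            print(f"  {username} on {system}")
```

Two design points carry over to a real run. Findings are keyed by (username, system) because the same person or vendor typically holds several accounts, and the action you take (disable, re-issue, set an expiry) is per account. And the hash-reuse check only works if the export includes password hashes or some equivalent credential identifier; if it does not, the generic-name check still catches the "vendor" and "operator" logins that are the usual offenders.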
Your utility management software — handling billing, meter data, customer accounts, work orders, and asset management — sits at the intersection of your IT and operational technology environment. It processes sensitive customer PII, financial data, and consumption records. Its security posture is directly your security exposure. Use this checklist for any new RFP or contract renewal:
• SOC 2 Type II report. This is the non-negotiable baseline. SOC 2 is an attestation under AICPA standards, not a certification: a Type II report means an independent auditor has tested that the vendor's security controls operated effectively over a sustained period (typically six to twelve months), not just at a point in time as in a Type I. Require the full report, including the auditor's noted exceptions and the vendor's responses, not a bridge letter or a certificate of completion, and confirm the report's scope actually covers the product and hosting environment you would use.
• Cloud-native architecture. Legacy on-premise CIS systems require your IT team to manage patching, server security, physical hardware, and backup protocols, creating an attack surface that expands with every deferred update. A cloud-native platform moves that burden to the vendor: no local server for you to patch, no on-premise database for ransomware to encrypt, no hardware to replace. It does not make you safe by default. Your staff accounts, workstations, and integrations still reach the platform, so pair the move with multi-factor authentication on every login, and require the vendor to show tested restores from immutable backups and a shared-responsibility statement spelling out what remains yours. SMART360's utility software security and compliance certifications reflect this architecture.
• Secure API integration standards. Every integration with AMI systems, GIS platforms, payment gateways, and ERP systems is a potential attack vector. Require OAuth 2.0-compliant, REST-based integrations that use narrowly scoped, short-lived tokens rather than static shared API keys, with full audit logging on all data access events. SMART360 supports 25+ pre-built integrations built to these standards.
• Data encryption in transit and at rest. Ask specifically: what protocol and version protect data in transit (expect TLS 1.2 or later, with older versions disabled)? What algorithm protects data at rest (AES-256 is the common answer), and are the keys held in a managed key service or HSM rather than beside the data they protect? How frequently are encryption keys rotated, and who can access them? A vendor unable to answer these questions with precision cannot give you the security assurance your compliance obligations require.
• Incident response SLAs. What is the vendor's documented response time for a confirmed security incident? What are their breach notification obligations and timelines? What uptime SLA protects your operational continuity? These commitments must be contractual, not verbal.
• Role-based access controls and audit trails. Your platform must provide granular role-based access so billing staff cannot access operational data they have no business need for — and every data access event must be logged and auditable. This is simultaneously a security requirement and a compliance requirement for AWIA and SOC 2 audit purposes.
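The last checklist item above, granular roles so billing staff cannot touch operational data plus a complete audit trail, is worth seeing as a pattern rather than a requirement sentence, because it is what you should ask a vendor to demonstrate. The block below is an added example for this page, not the article's code or any vendor's implementation; the roles, resources and log layout are hypothetical. It shows three things: permissions are granted per role and anything not listed is denied, every decision (allowed or not) is logged, and the log entries are hash-chained so that a later edit to the trail is detectable.

```python
"""Deny-by-default role-based access with a tamper-evident audit trail.

Added example for this page; it is not the article's code or any vendor's
implementation. Roles, resources and the log layout are hypothetical. The
point is the pattern: every decision is logged, anything not explicitly
granted is refused, and the log chains entries so edits are detectable.
"""
import hashlib
import json
from datetime import datetime, timezone

# (resource, action) pairs each role may perform; everything else is denied.
ROLE_PERMISSIONS = {
    "billing_clerk": {("customer_account", "read"), ("customer_account", "write"),
                      ("invoice", "read")},
    "billing_admin": {("customer_account", "read"), ("customer_account", "write"),
                      ("invoice", "read"), ("invoice", "write"), ("rate_table", "write")},
    "operator": {("meter_reading", "read"), ("scada_setpoint", "read"),
                 ("scada_setpoint", "write")},
    "auditor": {("audit_log", "read"), ("customer_account", "read")},
}

GENESIS = "0" * 64  # prev-hash value for the first entry in the chain


def _entry_hash(entry):
    """SHA-256 over the canonical JSON of the entry minus its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AccessControl:
    def __init__(self, role_permissions):
        self._perms = role_permissions
        self.audit_log = []  # append-only in memory; ship to a SIEM or WORM store in practice

    def check(self, user, role, resource, action, ts=None):
        """Return True if role may perform action on resource; log the decision either way."""
        allowed = (resource, action) in self._perms.get(role, frozenset())
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "resource": resource, "action": action,
            "decision": "allow" if allowed else "deny",
            "prev": self.audit_log[-1]["hash"] if self.audit_log else GENESIS,
        }
        entry["hash"] = _entry_hash(entry)
        self.audit_log.append(entry)
        return allowed


def verify_chain(log):
    """True if every entry hashes correctly and links to its predecessor."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or _entry_hash(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def denied(log):
    """(user, resource, action) for every refused request, for review or alerting."""
    return [(e["user"], e["resource"], e["action"]) for e in log if e["decision"] == "deny"]


def demo():
    """Exercise the policy with fixed timestamps so the log is reproducible."""
    ac = AccessControl(ROLE_PERMISSIONS)
    results = {
        "clerk_reads_account": ac.check("tbrown", "billing_clerk", "customer_account", "read",
                                        ts="2024-09-04T08:00:00+00:00"),
        "clerk_writes_setpoint": ac.check("tbrown", "billing_clerk", "scada_setpoint", "write",
                                          ts="2024-09-04T08:01:00+00:00"),
        "operator_writes_setpoint": ac.check("mjones", "operator", "scada_setpoint", "write",
                                             ts="2024-09-04T08:02:00+00:00"),
        "unknown_role_denied": ac.check("contractor1", "contractor", "customer_account", "read",
                                        ts="2024-09-04T08:03:00+00:00"),
    }
    return ac, results


if __name__ == "__main__":
    ac, results = demo()
    print(results)
    print("denied:", denied(ac.audit_log))
    print("chain intact:", verify_chain(ac.audit_log))
```

The "unknown_role_denied" case is the one to ask a vendor about: a role that exists in the directory but not in the permission table must get nothing, not inherit a default. The denied list is also what your monitoring should consume; a billing clerk repeatedly refused on scada_setpoint is either a misconfigured role or a compromised account, and both deserve a look.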
The America's Water Infrastructure Act (AWIA) of 2018 requires community water systems serving more than 3,300 people to complete a risk and resilience assessment covering cybersecurity threats, and to develop an emergency response plan based on that assessment. Assessments must be certified to the EPA on a five-year cycle, with the emergency response plan certified within six months of each assessment. Whether cybersecurity is also evaluated during sanitary surveys depends on your state primacy agency; EPA's 2023 memorandum requiring it was withdrawn later that year.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a mandatory set of cybersecurity standards for bulk electric system operators in North America, enforced by FERC with penalties up to $1 million per violation per day. Applicability to municipal electric utilities depends on Bulk Electric System (BES) classification — directors should confirm their BES status with their regional reliability coordinator.
At minimum, require a SOC 2 Type II report, the independent attestation that verifies a vendor's security controls operated effectively over a sustained period. Also require cloud-native architecture (shifting patching and server security to the vendor, with tested restores from immutable backups), OAuth 2.0-compliant API integrations with scoped tokens and audit logging, documented incident response SLAs, and role-based access controls with a complete access audit trail. These should be contractual, not sales-brochure claims.
Ransomware attacks on municipal utilities typically encrypt billing and customer information systems, rendering them inaccessible until a ransom is paid or systems are rebuilt from backup. Where OT and IT networks are not properly segmented, attacks can reach operational control systems. The most common entry points documented by CISA and WaterISAC are unchanged default credentials, exposed or unpatched remote access software, and unsegmented IT/OT networks; the control that most shortens recovery is an offline or immutable backup that has actually been restored on a tested schedule.