
Your general manager just walked into your office and asked a straightforward question: "If someone hit our billing system with ransomware tomorrow, what customer data would be at risk?"
If you had to pause before answering, you're not alone, and that pause is precisely the problem. Most small and mid-size US utilities have a Customer Information System (CIS) that has been running for years, holding every billing record, meter reading, and payment transaction the utility has ever processed. What lives inside it, and how well it's protected, is often less clear than it should be.
This guide is for the IT Director or system administrator responsible for that system. It covers what data actually lives in your utility CIS, why that data is a specific ransomware and breach target, what the correct US regulatory framework looks like, and what to require from any CIS vendor who is handling it on your behalf.
A utility CIS is defined as the software platform that stores and manages all customer account data, billing history, meter readings, payment records, and service order activity for a water, electric, or gas utility. Protecting it requires encrypting all six data categories in transit and at rest, applying role-based access controls, and requiring SOC 2 Type II certification from any vendor who hosts or processes that data.
Most utility IT staff can name one or two categories of data in the CIS. The full picture is typically broader than expected. A utility CIS contains six distinct data categories, and each one carries its own specific breach liability:
• Customer account and contact data (PII) - name, mailing address, phone number, email address, Social Security number or federal ID (used for credit checks), and account number. This is governed by state breach notification laws in all 50 states. A breach of this data triggers mandatory customer notification requirements.
• Billing history and invoice records - rate codes, billing period data, charges, adjustments, final bills, and dispute history. This data is frequently targeted by fraud actors who use historical billing data to impersonate customers or manipulate account balances.
• Meter consumption readings - interval or monthly reads, often including AMI/smart meter data. For many utilities, consumption data is now time-stamped at 15-minute intervals, creating a detailed behavioral record of when a customer is home and active.
• Payment card and bank account data - if your CIS or an integrated payment processor handles card or ACH transactions, this data falls under PCI DSS v4.0 compliance requirements, regardless of whether you process payments in-house or through a third party.
• Service order history - connection and disconnection requests, field service notes, leak complaints, and emergency shutoffs. This data often contains location-specific details that are sensitive in dispute or legal contexts.
• Meter asset records - meter serial numbers, installation dates, and associated service addresses. While lower sensitivity individually, this data enables physical infrastructure targeting when combined with other records.
The reason this taxonomy matters: when evaluating a CIS vendor's security posture, or auditing your own controls, you need to know which data categories are in scope — because the appropriate controls differ by category. Payment card data requires PCI DSS controls. PII requires breach notification readiness. Consumption data may require utility privacy policy protections under state regulations.
The water and wastewater sector has appeared in multiple CISA (Cybersecurity and Infrastructure Security Agency) advisories as a high-priority critical infrastructure target. CISA and the EPA issued a joint advisory in 2024 warning that threat actors — including state-sponsored groups — were actively targeting internet-exposed operational technology at water utilities. The advisory specifically named legacy software systems with remote access capabilities as a primary vulnerability.
For the utility IT director, the threat profile specific to CIS systems breaks down as follows:
• Ransomware targeting billing continuity - attackers know that a utility cannot stop billing. Encrypting the CIS creates immediate operational pressure and strong leverage for ransom payment.
• PII harvesting for identity fraud - customer databases from utilities are valuable because they contain verified name, address, and sometimes SSN data for a geographically defined community. This data sells on criminal markets.
• Payment data interception - CIS systems that process payments without current PCI DSS controls are a target for card skimming attacks, particularly where legacy systems have not been updated to remove deprecated TLS versions or unpatched payment modules.
• Insider access exploitation - utilities frequently have broad, undifferentiated access roles in aging CIS deployments, meaning a single compromised credential can expose the entire customer database.
The risk is compounded by a structural issue common across small and mid-size utilities: the CIS is often the oldest, least-patched system in the technology environment, hosted on on-premise hardware that has not been subject to the same security investment as newer systems.
A note on what is not the framework: GDPR is a European regulation governing data subjects in the EU. It does not apply to US municipal utilities. Content that cites GDPR as the primary compliance standard for US utility data security is incorrect. The relevant US frameworks are:
NIST CSF 2.0: the updated federal standard for enterprise cyber risk management. NIST CSF 2.0 introduced a new "Govern" function alongside the existing Identify, Protect, Detect, Respond, and Recover functions. For utilities, CSF 2.0 is the baseline expectation in any federal funding or grant context (EPA, USDA Rural Development) and is increasingly referenced in state PUC audits.
EPA Water Sector Cybersecurity guidance: the EPA has conducted cybersecurity assessments at water utilities and issued guidance on minimum security practices for systems that store or process customer data. The 2024 rule on cybersecurity requirements for public water systems has faced legal challenge, but EPA's informal guidance and assessment program remain active. Utilities should monitor developments in this area.
NERC CIP: mandatory for electric utilities operating grid-connected systems. NERC CIP-004, CIP-007, and CIP-011 are directly relevant to customer data stored in systems that interface with operational technology. Electric utility IT directors whose CIS is integrated with SCADA or grid management systems need to confirm the scope of CIP applicability with their compliance team.
PCI DSS v4.0: applies to any utility that processes, stores, or transmits payment card data, regardless of whether processing is handled in-house or through a third-party gateway integrated with the CIS. The 2024 update introduced new authentication and monitoring requirements that many legacy CIS payment integrations do not yet meet.
State breach notification laws: all 50 states have breach notification requirements. Timelines and scope vary: California's CCPA has the broadest scope, and most states require notification within 30–90 days of a confirmed breach. A utility's legal counsel should confirm the specific requirements in its state.
The following six controls are the core of a defensible CIS security posture for a small-to-mid US utility. Each is described in terms of how it applies specifically to CIS data — not generic enterprise IT.
Encryption at rest and in transit: encrypt billing PII and meter data at rest (AES-256 minimum) and in transit between the CIS and your payment processor or customer portal (TLS 1.2 minimum, TLS 1.3 preferred). Legacy CIS deployments frequently lack one or both. Confirm with your vendor which data stores are encrypted and at what standard.
Role-based access control: a billing clerk does not need access to meter asset records. A field technician does not need access to payment history. Broad "administrator" roles across the entire CIS database are one of the most common vulnerabilities in utility environments. Audit your current role assignments and enforce least-privilege access, particularly for accounts that have accumulated permissions over multiple years.
Multi-factor authentication: this applies to the CIS administration interface, any customer-facing portal that feeds data into the CIS, and any remote access method (VPN, RDP) used by utility staff or vendor support technicians. Single-factor authentication on a system holding customer PII and payment data is not a defensible posture in any current regulatory context.
Audit logging: every access event (who queried a customer account, who exported a data set, who modified a billing record) should be logged with a timestamp and user identifier. Audit logs should be stored separately from the CIS database itself so they cannot be deleted or modified in the event of a compromise. This is both a security control and a regulatory compliance tool.
Vendor access controls: most utility CIS environments have vendor support access, either permanent credentials for the CIS software vendor or temporary access granted during support calls. Both require formal controls: just-in-time access provisioning, session recording, and automatic termination. Vendor access is a named attack vector in multiple CISA utility advisories.
Tested backups: a backup that has never been tested is not a backup, it is an assumption. Backups of CIS data should be stored in a geographically separate location (not on the same server or local network as the CIS), encrypted, and tested for recovery at least annually. The recovery test should measure actual time-to-restore, since billing continuity SLAs depend on it.
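A small role audit of the kind the role-based access control paragraph calls for, written as an added example for this guide rather than code from any CIS product; the role names, the six-category permission scopes, the policy and the sample account records are assumptions constructed for illustration:

```python
from datetime import date

# The six CIS data categories from this guide, used as permission scopes.
CATEGORIES = {"pii", "billing", "consumption", "payment",
              "service_orders", "meter_assets"}

# Hypothetical least-privilege policy: the categories each role needs.
ROLE_POLICY = {
    "billing_clerk": {"pii", "billing", "payment"},
    "field_technician": {"service_orders", "meter_assets"},
    "meter_analyst": {"consumption", "meter_assets"},
    "cis_admin": CATEGORIES,  # broad role: every holder is reported for review
}

def audit_grants(accounts):
    """Return (user, issue, detail) tuples for every grant that violates
    least privilege.  Each account is a dict with keys user, role,
    role_since (date) and grants, a list of (category, granted_on date)."""
    findings = []
    for acct in accounts:
        allowed = ROLE_POLICY.get(acct["role"], set())
        if acct["role"] == "cis_admin":
            findings.append((acct["user"], "broad_admin_role", "all six categories"))
        for category, granted_on in acct["grants"]:
            if category not in allowed:
                # Not part of the current role at all: remove it.
                findings.append((acct["user"], "excess_grant", category))
            elif granted_on < acct["role_since"]:
                # Older than the current role assignment: accumulated from an
                # earlier job, so it needs fresh approval or removal.
                findings.append((acct["user"], "stale_grant", category))
    return findings

# Constructed sample accounts (not real users).
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "role": "billing_clerk", "role_since": date(2023, 1, 9),
     "grants": [("pii", date(2023, 1, 9)), ("billing", date(2023, 1, 9)),
                ("payment", date(2023, 1, 9)), ("meter_assets", date(2019, 6, 2))]},
    {"user": "rlee", "role": "field_technician", "role_since": date(2021, 4, 1),
     "grants": [("service_orders", date(2021, 4, 1)),
                ("meter_assets", date(2020, 8, 15)), ("billing", date(2022, 2, 3))]},
    {"user": "admin", "role": "cis_admin", "role_since": date(2015, 1, 1),
     "grants": [(c, date(2015, 1, 1)) for c in sorted(CATEGORIES)]},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_ACCOUNTS):
        print(*finding)
```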
The controls above describe what your utility should maintain. But if your CIS is hosted by a third-party vendor, as is increasingly common with cloud-based utility software, a significant portion of these controls becomes a vendor responsibility. The critical question is: how do you verify that your vendor is actually meeting them?
The following table compares what a typical legacy on-premise CIS offers versus what a SOC 2 Type II-certified cloud CIS should contractually provide.
Beyond the table, the specific questions worth asking any CIS vendor during evaluation:
• Can you provide your most recent SOC 2 Type II report? (Not a summary but the full report from the licensed auditor.)
• What is your contractual breach notification timeline? (72 hours is the standard; anything longer should prompt scrutiny.)
• What encryption standards are applied to customer billing data and payment records at rest and in transit?
• How is vendor and support staff access to customer data provisioned and logged?
• Where is customer data hosted? US-only data residency should be the baseline requirement for a municipal utility.
• What is your penetration testing cadence, and who conducts it?
SMART360 by Bynry is a cloud-native utility customer information system built with no on-premise infrastructure requirements. This architecture eliminates the physical access risk that affects legacy on-premise CIS deployments: there is no server in a utility closet to compromise. SMART360's 25+ pre-built integrations include payment gateway connections that maintain PCI DSS compliance at the integration layer, and the platform's security and compliance standards are documented for vendor evaluation. Utilities evaluating a CIS replacement should request the security documentation as part of any RFP process.
A utility CIS typically contains six data categories: customer account and contact details (PII), billing history and invoice records, meter consumption readings, payment card and bank account data, service order history, and meter asset records. Each category carries distinct breach liability — payment data falls under PCI DSS, PII under state breach notification laws, and consumption data under utility privacy regulations.
No, GDPR does not apply to US municipal utilities; it is a European regulation. The relevant US frameworks are NIST CSF 2.0 for enterprise cyber risk, EPA Water Sector Cybersecurity guidance for water utilities, NERC CIP for electric utilities with grid-connected systems, and PCI DSS for any utility processing payment card transactions. State-level breach notification laws also apply in all 50 states.
SOC 2 Type II is an independent audit — conducted by a licensed CPA firm — that verifies a vendor's security controls were operating effectively over a defined period (typically 12 months). Type II is stronger than Type I, which only verifies that controls exist at a single point in time. For a utility evaluating a CIS vendor, requesting the most recent SOC 2 Type II report is the fastest way to verify real security posture rather than relying on self-reported claims.
NIST CSF 2.0 recommends continuous monitoring rather than point-in-time assessments. For a small-to-mid utility, a practical approach is: annual penetration test of the CIS environment, quarterly review of user access roles and permissions, monthly review of audit logs for anomalous access patterns, and immediate review whenever a staff member with CIS access leaves the utility. For cloud-hosted CIS platforms, the vendor's SOC 2 audit schedule replaces much of this burden.
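The monthly log review described above, run over the kind of access events the audit-logging control says to record, as an added example that is not code from this guide or from any CIS vendor; the key=value log layout, the business-hours window and the bulk-access threshold are assumptions, and the log lines are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a hypothetical CIS audit log, one event per line.
# The key=value layout is an assumption, not any product's real format.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=jdoe action=query account=100234
2024-03-04T09:05:40Z user=jdoe action=modify account=100234 field=balance
2024-03-04T02:15:11Z user=rlee action=query account=100871
2024-03-04T13:10:00Z user=svc_vendor action=export dataset=customers_all
2024-03-04T14:00:01Z user=tkim action=query account=100001
2024-03-04T14:00:02Z user=tkim action=query account=100002
2024-03-04T14:00:03Z user=tkim action=query account=100003
2024-03-04T14:00:04Z user=tkim action=query account=100004
2024-03-04T14:00:05Z user=tkim action=query account=100005
"""

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 in the log's time zone
BULK_THRESHOLD = 5              # distinct accounts per user within WINDOW
WINDOW = timedelta(hours=1)

def parse(log_text):
    """Turn each log line into a dict of its fields, with a datetime under 'ts'."""
    events = []
    for line in log_text.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def review(log_text):
    """Return (user, rule, detail) findings: every data-set export, every
    event outside business hours, and any user who touches BULK_THRESHOLD
    or more distinct accounts inside one WINDOW (bulk enumeration)."""
    findings, touches = [], defaultdict(list)
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        if ev["action"] == "export":
            findings.append((ev["user"], "export", ev.get("dataset", "?")))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append((ev["user"], "off_hours", ev["ts"].isoformat()))
        if "account" in ev:
            touches[ev["user"]].append((ev["ts"], ev["account"]))
    for user, seen in touches.items():          # seen is already in time order
        for i, (start, _) in enumerate(seen):
            window = {acct for t, acct in seen[i:] if t - start <= WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append((user, "bulk_access", f"{len(window)} accounts within 1h"))
                break
    return findings
```

Calling `review(SAMPLE_LOG)` reports the off-hours query, the vendor account's export, and tkim's five-account sweep; the same three rules run unchanged over a month of real lines.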