NIST offers security guidance for water utilities using remote-access tools

https://www.cybersecuritydive.com/news/water-utilities-remote-access-nist-guidance/823776/

Publish Date: 2026-06-25 11:55:00

Source Domain: www.cybersecuritydive.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

Dive Brief:

Water utilities that use remote-access software should carefully restrict access, enforce multifactor authentication (MFA) and maintain comprehensive access logs to help them investigate possible breaches, the National Institute of Standards and Technology (NIST) said in guidance published on Wednesday.
The secure remote-access guidance, developed through NIST’s National Cybersecurity Center of Excellence (NCCoE), lists security considerations and describes how water utilities can implement remote access through either on-premises or cloud environments.
Remote-access software is one of the water sector’s biggest cybersecurity weaknesses, enabling several Iran-linked cyberattack campaigns against U.S. water systems.

Dive Insight:
NCCoE experts included several example architectures in their guidance document. One illustrates how to set up role-based access controls through the remote-access software TDI ConsoleWorks. Another demonstrates how to use Cisco Duo’s MFA service with the StrongDM access-management platform. A third describes how to use Q-Net Security products to encrypt communications between network devices.
“The ability to provide secure remote access to the water systems is crucial to the efficient operation of today’s [water systems],” the document says. “Each utility should tailor their cybersecurity practices to address the unique needs of its own organization. The goal is to assist the [water] utilities in ensuring the security and availability of remote access capability so that operations can continue uninterrupted, despite current and evolving threats.”
One of the document’s most important sections is a list of security considerations for utilities that want to use remote access. Recommendations include employing least-privilege principles, regularly updating remote-access software to the latest version, carefully inventorying remotely accessible systems (which can help organizations quickly locate and disconnect vulnerable devices) and configuring networks with zero-trust architecture, including packet inspection and demilitarized zones.
NIST recommends organizations first consider alternatives to traditional remote access that carry less risk, such as one-way remote-alarming systems that notify employees of the need to take action. “Some facilities may choose to operate on-site only,” the document says, “requiring employees and contractors to come on-site to perform all operational tasks.”
Water utilities face some of the biggest cybersecurity threats, both because they are among the least-protected infrastructure and because their vital services make them high-value targets for nation-state threat actors. Iran-linked hackers have targeted U.S. critical infrastructure with destructive malware during the war in the Middle East, and China’s Volt Typhoon campaign has breached numerous infrastructure operators over the past several years.
As the threats have grown, the federal government has expanded its scrutiny of water systems’ cybersecurity postures, and volunteer security professionals have deployed across the country to help operators make improvements. But experts say the sector is still woefully unprepared to defend itself.