Microsoft is converting a cybersecurity pilot aimed at water and wastewater utilities into a permanent offering, after a trial conducted with the Cyber Readiness Institute and the Center on Cyber Technology and Innovation found that guided coaching produced significantly better outcomes than self-directed training alone.
The move reflects growing concern about the exposure of critical water infrastructure to cyber threats at a time when attacks on operational technology systems have become more frequent and more disruptive.
Water and wastewater utilities present a particular challenge for cybersecurity policymakers because the sector is heavily fragmented, with thousands of small and rural operators that serve essential public health functions but lack the internal expertise and budget to build meaningful defences.
The pilot tested whether pairing structured training with dedicated coaches could bridge that gap.
Participating utilities used the Cyber Readiness Institute's free training programme under the guidance of CRI-certified coaches, who worked with designated internal leads to translate completed modules into tangible outputs: written policies, incident response playbooks and business continuity plans.
The results were encouraging but also revealing about the scale of the challenge.
Of 113 utilities that expressed initial interest, 72 began the programme and only 43 completed it, a completion rate that the report attributes directly to staffing constraints, funding limitations and dependence on third-party vendors rather than any failing in the training content itself.
Utilities that worked with a coach were significantly more likely to finish the programme than those who attempted it on a self-paced basis, a finding that the report says demonstrates that free guidance alone cannot overcome the structural resource constraints facing smaller operators.
Common gaps surfaced during the pilot included absent business continuity plans and weak password practices, vulnerabilities that are well understood in principle but evidently difficult to address without sustained external support.
Related reading
- Microsoft merges Copilot teams and shifts AI chief Suleyman to focus on building frontier models
- Microsoft trains AI model to convert standard pathology slides into protein maps
- Microsoft disrupts Tycoon 2FA infrastructure
Amy Hogan-Burney, Microsoft's corporate vice president for customer security and trust, said the findings pointed to a clear conclusion: resilience is achievable when training is delivered alongside practical support through trusted partners.
Microsoft is calling for broader collaboration among policymakers, sector bodies and the private sector to scale the model.
The recap
- Microsoft releases report on a water sector cyber readiness pilot
- 113 utilities expressed interest; 72 began, 43 completed the program
- Program becomes a permanent offering for water utilities' cybersecurity
