The water and wastewater sectors are essential to daily life, and safeguarding them from cyber threats is crucial. The National Institute of Standards and Technology’s (NIST) newly updated password guidelines, along with the resources offered by the EPA and CISA, provide a strong foundation for improving cybersecurity across the industry. We encourage you and your colleagues to adopt these new password guidelines and good general cyber hygiene. Here’s a breakdown of the key updates and of additional cybersecurity resources that can help strengthen your system's defenses.
NIST’s Updated Password Guidelines: What’s New?
In September 2024, NIST introduced new password management guidelines aimed at improving both security and user experience. The changes reflect a shift toward longer, more memorable passwords and away from overly complex composition requirements.
Key Updates:
- Password Length: NIST now recommends passwords or passphrases that are at least 15 characters long. The focus has shifted from enforcing complexity (e.g., mixing uppercase letters, numbers, and symbols) to prioritizing longer passwords that are easier to remember.
- Password Composition: Gone are the days of forcing users to include specific character types. The new focus is on allowing longer, memorable passwords, which reduces the chance that people fall back on easily guessable ones.
- Fewer Password Changes: Unless there’s evidence of a security breach, mandatory periodic password changes are no longer required. This change helps users avoid the predictable patterns that frequent password resets encourage.
- Password Managers: NIST now strongly encourages the use of password manager software, which can generate and store a strong, unique password for each account. It’s a vital tool for reducing the risk of password reuse across accounts.
- Avoid Password Hints & Security Questions: To minimize the risk of social engineering attacks, NIST advises against password hints and security questions whose answers could easily be guessed.
- Multi-Factor Authentication (MFA): MFA is a non-negotiable security measure. By requiring more than just a password to access sensitive systems, MFA adds a further layer of protection.
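To make the policy shift concrete, here is an added example (not from the original page and not NIST's own code) of a verifier-side policy check that encodes the updates above: a 15-character minimum, no forced character mix, and a reset only on evidence of compromise. The legacy "complexity plus 90-day rotation" policy it is compared against, the 64-character upper bound, and the sample passwords are all constructed for this illustration; note how the legacy rules accept a short, predictable password while rejecting a long passphrase, and the NIST-style rules do the opposite.

```python
"""Password policy check in the style of the updated NIST guidelines.

Added example, not part of the original page or of NIST's publications.
The 15-character minimum, the dropped composition rule and the breach-only
change rule follow the summary above; the legacy policy shown for contrast,
the 64-character ceiling and the sample passwords are constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Settings a verifier exposes; the defaults express the NIST-style policy."""
    min_length: int = 15                 # at least 15 characters, per the guidance above
    max_length: int = 64                 # constructed ceiling; must still allow long passphrases
    require_composition: bool = False    # no forced mix of character classes
    max_age_days: Optional[int] = None   # None: no scheduled expiry


# Legacy policy kept only for comparison: short minimum, forced complexity, 90-day rotation.
LEGACY_POLICY = PasswordPolicy(min_length=8, require_composition=True, max_age_days=90)
NIST_POLICY = PasswordPolicy()

# Character classes a legacy "complexity" rule typically demands.
_CHARACTER_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_length(secret: str) -> int:
    """Count Unicode code points rather than bytes, so a non-ASCII passphrase is
    not penalised for its encoding; spaces count like any other character."""
    return len(secret)


def check_password(secret: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: List[str] = []
    n = password_length(secret)
    if n < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if n > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_composition:
        # Legacy rule: at least three of the four character classes must appear.
        classes_present = sum(bool(re.search(p, secret)) for p in _CHARACTER_CLASSES)
        if classes_present < 3:
            problems.append("needs at least three character classes")
    return problems


def change_required(age_days: int, evidence_of_compromise: bool, policy: PasswordPolicy) -> bool:
    """Decide whether a reset must be forced.

    Under the NIST-style policy only evidence of compromise triggers a reset;
    the legacy policy additionally forces one once the password is older than
    max_age_days.
    """
    if evidence_of_compromise:
        return True
    if policy.max_age_days is None:
        return False
    return age_days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample inputs: a short "complex" password and a long passphrase.
    for secret in ("P@ssw0rd", "correct horse battery staple"):
        for name, policy in (("legacy", LEGACY_POLICY), ("nist", NIST_POLICY)):
            verdict = check_password(secret, policy) or ["accepted"]
            print(f"{name:6} {secret!r}: {', '.join(verdict)}")
    print("nist   reset after 400 days, no compromise:",
          change_required(400, False, NIST_POLICY))
    print("nist   reset on evidence of compromise:",
          change_required(1, True, NIST_POLICY))
```

Run as a script it prints one verdict per password and policy. The check deliberately contains no hint or security-question logic and no scheduled expiry; MFA and the use of a password manager sit outside a single-password check and are not modelled here.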
These updated guidelines emphasize simplicity and practicality, reducing user frustration while enhancing security. In an industry like water and wastewater, where systems are critical to public health, these updates offer a crucial balance of usability and protection.
Additional Cybersecurity Resources for the Water & Wastewater Sector
Alongside these password updates, there are also significant resources available to bolster cybersecurity across water and wastewater systems.
On March 13, 2025, the EPA will host a cybersecurity briefing for the water and wastewater sector. The session will cover unclassified threats, along with available funding and technical resources from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA). Here are a few resources to explore:
- CDPHE Security Toolbox - Provides Colorado-specific guidance for planning for and responding to cybersecurity and physical security attacks.
- EPA Cybersecurity for the Water Sector - Get comprehensive guidance and tools to safeguard water systems against cyber threats.
- CISA Water and Wastewater Cybersecurity Toolkit - A practical set of tools to strengthen your water sector infrastructure against cyber threats.
By staying informed and adopting the latest cybersecurity practices, water and wastewater utilities can ensure a secure future, protecting critical infrastructure from evolving threats.