NIST offers security guidance for water utilities using remote-access tools
https://www.cybersecuritydive.com/news/water-utilities-remote-access-nist-guidance/823776/
Publish Date: 2026-06-25 11:55:00
Source Domain: www.cybersecuritydive.com
Dive Brief:
- Water utilities that use remote-access software should carefully restrict access, enforce multifactor authentication (MFA) and maintain comprehensive access logs to help them investigate possible breaches, the National Institute of Standards and Technology (NIST) said in guidance published on Wednesday.
- The secure remote-access guidance, developed through NIST’s National Cybersecurity Center of Excellence (NCCoE), lists security considerations and describes how water utilities can implement remote access through either on-premises or cloud environments.
- Remote-access software is one of the water sector’s biggest cybersecurity weaknesses, enabling several Iran-linked cyberattack campaigns against U.S. water systems.
Dive Insight:
NCCoE experts included several example architectures in their guidance document. One illustrates how to set up role-based access controls through the remote-access software TDI ConsoleWorks. Another demonstrates how to use Cisco Duo’s MFA service with the StrongDM access-management platform. A third describes how to use Q-Net Security products to encrypt communications between network devices.
“The ability to provide secure remote access to the water systems is crucial to the efficient operation of today’s [water systems],” the document says. “Each utility should tailor their cybersecurity practices to address the unique needs of its own organization. The goal is to assist the [water] utilities in ensuring the security and availability of remote access capability so that operations can continue uninterrupted, despite current and evolving threats.”
One of the document’s most important sections is a list of security considerations for utilities that want to use remote access. Recommendations include employing least-privilege principles, regularly updating remote-access software to the latest version, carefully inventorying remotely accessible systems…