NIST's New Remote Access Guide for Water Utilities: What SP 1800-45 Means for Telemetry
NIST published a final, vendor-neutral playbook for securely enabling remote access to water and wastewater OT systems. Here is what it says and how to use it.

Key Insight
NIST's final SP 1800-45 practice guide, published June 24, 2026, gives water and wastewater utilities a vendor-neutral blueprint for enabling remote access to OT systems securely. Remote telemetry is still worth it. Now the access layer has a federal playbook.
What NIST Published
On June 24, 2026, NIST released the final version of SP 1800-45, "Cybersecurity for the Water and Wastewater Sector: Build Architecture." The guide comes out of NIST's National Cybersecurity Center of Excellence (NCCoE), and it addresses one specific, practical problem: how water and wastewater utilities can enable remote access to their operational technology (OT) environments without leaving the door open.
Two things make this guide different from the usual cybersecurity framework document. First, it is a practice guide, meaning it demonstrates working builds rather than listing abstract requirements. Second, it was written for utilities of different sizes and resource levels, using commercially available technologies. A small district with one operator and a part-time IT contractor is in scope, not just the metro utility with a security team.
The announcement from NIST's Computer Security Resource Center and the NCCoE publication page both give a summary, and the full guide is available as a free PDF. WaterISAC, the information sharing organization for the water sector, also covered the release and flagged it as practical remote access guidance for utilities.
Why Remote Access Is the Part That Needed a Playbook
Water utilities are widely considered among the less-protected critical infrastructure sectors. Most systems are small, budgets are tight, and the person responsible for the SCADA network is often the same person responsible for everything else. That is not a criticism. It is the operating reality the NIST guide was written for.
Remote access sits at the center of the tension. Operationally, it is the single biggest win telemetry delivers: fewer truck rolls, faster response when something goes wrong at 2 a.m., and visibility into lift stations and tank sites nobody wants to drive to in January. At the same time, a remote connection into the control network is the most common attack surface when it is set up badly. An exposed login on the open internet, a shared password that never rotates, a vendor connection nobody remembers granting.
The lesson is not that remote access is too risky for water systems. It is that access works best when it is built deliberately, and there is now a federal reference for how. That is exactly the gap SP 1800-45 exists to fill: safe patterns for the access layer, demonstrated with off-the-shelf technology, so utilities do not have to invent their own security architecture from scratch.
How to Use the Guide
SP 1800-45 is a build architecture document, so the useful way to read it is against your own system, not cover to cover. A few practical suggestions for putting it to work:
- Match your size and resources honestly. The guide covers utilities at different resource levels. Start from the profile that looks like you, not the one you wish you were.
- Inventory your existing remote connections first. Before comparing anything to the reference architecture, list every path into your OT environment: operator access, vendor access, integrator access, and anything left over from a past project.
- Bring it to your IT or security support. Whether that is in-house staff, a county IT department, or a contractor, the guide gives everyone a shared, vendor-neutral reference point instead of competing vendor pitches.
- Use it in procurement. When a telemetry or SCADA proposal lands on your desk, the remote access portion can now be evaluated against a published federal reference rather than taken on faith.
Because the guide is built on commercially available technologies, none of this requires exotic equipment. That matters for utilities in Ohio and Western Pennsylvania where much of the installed base is a mix of equipment vintages and vendors accumulated over decades.
The Rest of the Federal Toolkit
SP 1800-45 is the newest piece, but it is not the only free federal resource aimed at water system cybersecurity. CISA and EPA maintain a water and wastewater cybersecurity toolkit and resources page at cisa.gov/water, built specifically for protecting water systems from cyberattack. The toolkit gets attention outside government circles too. Tokio Marine HCC's Public Risk Group highlighted it on X as a resource for public entities.
One item from that page worth writing down before you need it: CISA accepts incident reports around the clock at report@cisa.gov or 1-844-Say-CISA. If something ever looks wrong on your network, that reporting channel is available 24/7.
What This Means If You Run (or Are Considering) Telemetry
The takeaway is not "slow down on remote monitoring." It is the opposite. The operational case for telemetry has not changed, and the main historical objection (that remote access is a liability) now has a documented, federal, vendor-neutral answer. A utility that was hesitating on remote monitoring because of security concerns has less reason to hesitate, provided the access layer is built the way the guidance describes.
For utilities already running telemetry, the guide is a useful benchmark. If your remote access setup predates any deliberate security design, comparing it against SP 1800-45 is a reasonable next project, and a cheap one, since the guide is free.
A monitoring system is only as good as the way you reach it. The design of the access layer deserves the same care as the instrumentation itself.
A word on where we fit. Control Associates is not a cybersecurity firm, and we will not pretend to be one. We are an integrator. We have designed and serviced monitoring and control systems since 1968, with more than 5,500 systems installed, and we build remote telemetry systems to work within our customers' IT and security requirements. When a utility's IT staff or security consultant sets the rules for how remote access must work, our job is to deliver a telemetry system that follows them. Guidance like SP 1800-45 makes that conversation easier for everyone, because now there is a common document to point at.
Frequently Asked Questions
Services:
Environmental Compliance
Continuous monitoring and automated reporting to keep plants compliant
Ready to ensure compliance and optimize your systems?
Let's discuss how our monitoring solutions can keep your operations running smoothly and meet regulatory requirements.