Securing water’s future: Xylem signs CISA’s Secure by Design Pledge

By Richard McNally, Product Security Engineer, Xylem Cybersecurity Team

As the water sector embraces digital technologies to improve resilience and efficiency, cybersecurity has become mission critical. Every connected device and cloud-based solution strengthens water management but also expands the attack surface for potential cyber threats.

To address this risk, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) introduced the Secure by Design pledge, a voluntary commitment to embed security principles into product development. Xylem is proud to be the first – and still only – water technology company among 319 organizations to sign.

“Cybersecurity is no longer optional – it’s foundational to protecting water systems and the communities that depend on them,” says Richard McNally, Product Security Engineer at Xylem. “As the first water technology company to sign CISA’s Secure by Design pledge, we’re setting a new standard for security in the water sector and we’re proud to lead by example.”

This update highlights the progress Xylem has made on all seven pledge goals and shares how we’re advancing security beyond compliance toward leadership.

How has Xylem made progress on CISA’s Secure by Design Pledge goals?

1. Multi-factor authentication (MFA)

"Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products."

Xylem has implemented mandatory MFA for all internal applications and enabled MFA by default for partner applications through single sign-on (SSO). Our users can feel secure knowing that we support both device-based and software-based MFA, providing flexible options to meet customers’ needs.

Looking ahead:
All Xylem cloud-hosted products now include MFA as a standard option, making it easy for customers to activate and benefit from this added layer of security. Learn more about Xylem’s MFA milestones.

2. Default passwords

“Demonstrate measurable progress towards reducing default passwords across the manufacturer’s products.”

Before 2021, default passwords were common in many systems. Today, all new Xylem products either require an immediate password change or use unique device-specific credentials.
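The two patterns named above (a shipped default that must be replaced before the device is usable, and a unique per-device credential generated at manufacture) can be modelled in a few lines. The following is an added example, not Xylem’s code; the account class, the deny-list of defaults, the 12-character minimum and the PBKDF2 parameters are all constructed for illustration.

```python
"""Added example (not Xylem's code): first-boot credential policy for a
connected device, modelling the two patterns the text names:
  (a) the unit ships with a well-known default password but refuses
      normal operation until the operator replaces it, and
  (b) the unit ships with a unique, randomly generated per-device
      password (e.g. printed on its label), so there is no shared default.
All names, defaults and thresholds here are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Tuple

# Constructed deny-list of well-known defaults a new password may never equal.
BLOCKED_DEFAULTS = {"admin", "password", "1234", "default"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def password_acceptable(candidate: str) -> bool:
    """Policy check applied to every operator-chosen password."""
    return len(candidate) >= MIN_LENGTH and candidate.lower() not in BLOCKED_DEFAULTS


class DeviceAccount:
    """Local administrative account on one device (hypothetical class)."""

    def __init__(self, initial_password: str, is_shared_default: bool):
        self._salt = os.urandom(16)
        self._hash = _hash_password(initial_password, self._salt)
        # Pattern (a): a shared default is usable only for the password-change flow.
        self.must_change = is_shared_default
        self.failed_attempts = 0

    def _verify(self, password: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self._hash, _hash_password(password, self._salt))

    def login(self, password: str) -> str:
        """Returns DENIED, CHANGE_REQUIRED (authenticated but confined) or OK."""
        if not self._verify(password):
            self.failed_attempts += 1
            return "DENIED"
        if self.must_change:
            return "CHANGE_REQUIRED"
        return "OK"

    def change_password(self, current: str, new: str) -> bool:
        """Only path out of CHANGE_REQUIRED; rejects weak or default values."""
        if not self._verify(current) or not password_acceptable(new):
            return False
        self._salt = os.urandom(16)
        self._hash = _hash_password(new, self._salt)
        self.must_change = False
        return True


def provision_with_default(default: str = "admin") -> DeviceAccount:
    """Pattern (a): ship with a known default and force a change on first login."""
    return DeviceAccount(default, is_shared_default=True)


def provision_unique() -> Tuple[str, DeviceAccount]:
    """Pattern (b): generate a 16-character random password per unit at manufacture."""
    initial = secrets.token_urlsafe(12)  # 12 random bytes -> 16 URL-safe characters
    return initial, DeviceAccount(initial, is_shared_default=False)


if __name__ == "__main__":
    acct = provision_with_default()
    print(acct.login("admin"))                                     # CHANGE_REQUIRED
    print(acct.change_password("admin", "correct-horse-battery"))  # True
    print(acct.login("correct-horse-battery"))                     # OK
```

The point of pattern (a) is that the default password authenticates the operator only into the change-password flow; every other function stays unavailable until a policy-compliant password is set. Pattern (b) removes the shared secret entirely, so a leaked manual or a scan of one unit yields nothing usable against another.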

Looking ahead:
Xylem continues to maintain these best practices and educate our customers through resources like the recent article on Identity and Access Management (IAM).

3. Reducing vulnerability classes

“Demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.”

Xylem is taking steps to reduce entire classes of vulnerabilities across our products, embedding security-focused code review and automated scanning into our development processes.

This recently published framework demonstrates security features that help operators create access control policies to better protect IoT devices. By limiting what a device is permitted to do, operators reduce the vulnerabilities it exposes and create a more secure IoT ecosystem.

Looking ahead:
Xylem’s product security team is replicating these achievements with additional product teams.

4. Security patches

“Demonstrate actions taken to measurably increase the installation of security patches by customers.”

Xylem-hosted solutions are continuously updated with new features, bug fixes and security patches. We’ve also automated security checks throughout the product development life cycle to maintain high standards for every release.

For on-premises products, we operate in a shared responsibility model – customers manage patch installation, while Xylem provides timely updates via security advisories, customer communications and downloads.

Looking ahead:
Xylem provides timely automatic updates, upgrades and patches for hosted products, and we aim to simplify patch management for all on-premises customers, including proactive outreach.

5. Vulnerability disclosure policy (VDP)

“Publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commit to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allow for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.”

Xylem maintains a clear, public vulnerability disclosure policy and encourages good-faith security research. We provide a secure reporting channel via security@xylem.com, and when applicable, publish Product Security Advisories and coordinate disclosures through CISA.

Looking ahead:
Xylem continually refines our incident response and vulnerability management processes to stay aligned with global best practices.

6. Common vulnerabilities and exposures (CVE) transparency

“Demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every CVE record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high impact vulnerabilities that either require actions by a customer to patch or have evidence of active exploitation.”  

Xylem is a CVE Numbering Authority (CNA) committed to timely CVE publication for critical vulnerabilities, including accurate CWE and CPE data for transparency and industry collaboration.

7. Evidence of intrusions

“Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.”

Xylem builds security into our products to help customers detect and respond to potential threats. The Xylem Data Lake gives water operators the ability to configure security settings, monitor activity and set up alerts for faster incident response. We have also established internal standards for security logging and provide Intrusion Detection and Alarm products to help our customers defend their physical operations.

Behind the scenes, Xylem uses a Security Information and Event Management (SIEM) solution to collect and correlate security event logs, which can aid in monitoring and responding to cybersecurity threats.
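To make the logging and correlation described in the two paragraphs above concrete, here is an added example (not Xylem’s code, and not the format of any Xylem product or SIEM): a minimal set of required fields for a security event record, a parser that rejects records missing them, and a detector that flags repeated login failures from one source against one account, noting whether a success followed. The JSON lines, field names, threshold and window are all constructed for illustration.

```python
"""Added example (not Xylem's code): a minimal security-event logging
standard plus a correlation rule run over constructed sample records."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Fields every security event record must carry to be accepted (constructed standard).
REQUIRED_FIELDS = ("ts", "event", "result", "user", "src")

# Constructed sample: five failures then a success from one source, a normal
# login from another, and one malformed record that violates the standard.
SAMPLE_LOG = "\n".join([
    '{"ts":"2024-01-15T10:00:01Z","event":"auth.login","result":"failure","user":"operator","src":"10.0.0.7"}',
    '{"ts":"2024-01-15T10:00:05Z","event":"auth.login","result":"failure","user":"operator","src":"10.0.0.7"}',
    '{"ts":"2024-01-15T10:00:09Z","event":"auth.login","result":"failure","user":"operator","src":"10.0.0.7"}',
    '{"ts":"2024-01-15T10:00:14Z","event":"auth.login","result":"failure","user":"operator","src":"10.0.0.7"}',
    '{"ts":"2024-01-15T10:00:20Z","event":"auth.login","result":"failure","user":"operator","src":"10.0.0.7"}',
    '{"ts":"2024-01-15T10:00:31Z","event":"auth.login","result":"success","user":"operator","src":"10.0.0.7"}',
    '{"ts":"2024-01-15T10:00:45Z","event":"config.change","result":"success","user":"operator","src":"10.0.0.7","detail":"pump setpoint updated"}',
    '{"ts":"2024-01-15T10:05:00Z","event":"auth.login","result":"failure","user":"admin","src":"10.0.0.3"}',
    '{"ts":"2024-01-15T10:05:30Z","event":"auth.login","result":"success","user":"admin","src":"10.0.0.3"}',
    '{"event":"auth.login","result":"failure"}',
])


def parse_events(text):
    """Parse JSON-lines records; return (accepted events sorted by time, rejected count)."""
    events, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if any(field not in rec for field in REQUIRED_FIELDS):
            rejected += 1  # a record a SIEM cannot attribute is not evidence
            continue
        rec["_t"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["_t"])
    return events, rejected


def detect_bruteforce(events, threshold=5, window_s=60):
    """Alert when one (src, user) pair accumulates `threshold` login failures
    within `window_s` seconds; mark the alert if a success follows within the window."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for rec in events:
        if rec["event"] != "auth.login":
            continue
        key = (rec["src"], rec["user"])
        t = rec["_t"]
        if rec["result"] == "failure":
            q = failures[key]
            q.append(t)
            while q and (t - q[0]).total_seconds() > window_s:
                q.popleft()  # slide the window
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "src": key[0],
                    "user": key[1],
                    "failures": len(q),
                    "first_failure": q[0].isoformat(),
                    "followed_by_success": False,
                }
        elif rec["result"] == "success" and key in alerts:
            if (t - failures[key][-1]).total_seconds() <= window_s:
                alerts[key]["followed_by_success"] = True
    return list(alerts.values())


if __name__ == "__main__":
    evts, bad = parse_events(SAMPLE_LOG)
    print(f"accepted={len(evts)} rejected={bad}")
    for alert in detect_bruteforce(evts):
        print(alert)
```

Two design points: timestamps, user and source are mandatory because without them a record cannot be correlated across devices and the SIEM has nothing to join on; and the rule reports a success that follows the failure burst as a separate field, since that is the case an operator wants to triage first rather than a plain lockout.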

Looking ahead:
Xylem has a long-standing history of sharing our knowledge via trade shows, industry presentations, and written content – such as our article on the importance of the “security onion” – and by sharing CISA “Shields Up” advisories to reduce the likelihood of a damaging cyber intrusion.

The eighth pledge: Leading through collaboration

Beyond the seven pledge goals outlined by CISA, Xylem has made an additional commitment: to demonstrate community leadership across the global water sector.

How does that look in practice? It means going beyond compliance to actively share knowledge, tools, and best practices that help utilities and industry partners strengthen their cybersecurity posture, and working together to protect critical water infrastructure from evolving threats.

We believe that securing water isn’t a competitive advantage – it’s a shared responsibility. We’re committed to making sure every organization – large or small – can access the expertise needed to safeguard our most precious resource.

To learn more about Xylem’s commitment to keep utilities cybersecure, visit our Product Security site.