What Water Utilities Actually Have to Do on Cybersecurity Right Now
The EPA's water cybersecurity mandate has been rewritten, withdrawn, relaunched, and sued. What's law today, what's voluntary, and what to do either way.
In late November 2023, an operator at the Municipal Water Authority of Aliquippa, a small utility serving about 15,000 people north of Pittsburgh, noticed an alarm on a pressure-regulating station. When crews arrived on site, the screen of the programmable logic controller was displaying an anti-Israel political message, signed by a group calling itself CyberAv3ngers. The controller, a standard Unitronics PLC used by thousands of small water systems worldwide, had been reachable from the open internet with a default password. Aliquippa switched to manual operation and kept water flowing. Nothing catastrophic happened. The story still traveled everywhere in the water sector, because it confirmed what people already knew: the attack surface is enormous, the bar to entry is low, and the regulatory framework for doing something about it is a mess.
The EPA has been trying to tighten that framework for several years. Each attempt has collided with legal challenges, withdrawn guidance, enforcement alerts, voluntary programs, and a state-by-state patchwork. For utility staff who want to know what they actually have to do, and for water tech founders whose products touch operational technology, the current picture takes some translating. This post is an attempt to do that translation as of early 2026, with appropriate humility about how much is still moving.
What is actually in law today
The durable federal requirement is not new. It is the America’s Water Infrastructure Act of 2018, specifically Section 2013, which amended the Safe Drinking Water Act. AWIA requires every community water system serving more than 3,300 people to complete a risk and resilience assessment (RRA) and an emergency response plan (ERP), and to update each on a five-year cycle. The assessment must consider, among other categories, the risk from “malevolent acts,” which the EPA has consistently interpreted to include cyberattacks on the control systems and business networks a utility depends on to deliver water.
Systems above 100,000 people had their first RRAs due by March 31, 2020, with ERPs six months later. Systems between 50,000 and 100,000 had RRAs due December 31, 2020 and ERPs in mid-2021. Systems between 3,301 and 49,999 had RRAs due June 30, 2021 and ERPs by year-end. The five-year update cycle has already brought the largest systems back around to recertification, and the second full round is underway for mid-sized and small systems now.
What AWIA does not do is prescribe a specific cybersecurity control set. It requires the assessment and the plan. It requires certification that both were completed. It does not tell a utility which firewall to buy, which segmentation architecture to adopt, or which identity controls to apply to remote access. That gap has been the source of almost every argument since.
The sanitary survey episode
In March 2023, the EPA issued a memorandum directing states to incorporate cybersecurity into their sanitary surveys of public water systems. Sanitary surveys are the routine on-site inspections that state drinking water programs conduct to verify compliance with the Safe Drinking Water Act. Folding cybersecurity into the survey would have effectively turned cyber hygiene into a compliance item that could generate formal deficiencies.
The memorandum was challenged almost immediately. Missouri, Arkansas, and Iowa, joined by the American Water Works Association and the National Rural Water Association, filed suit in the Eighth Circuit in April 2023. Their argument was that the Safe Drinking Water Act did not authorize the EPA to regulate cybersecurity through the sanitary survey mechanism, and that the agency had skipped notice-and-comment rulemaking. The Eighth Circuit granted a stay of the memorandum in July 2023. The EPA withdrew the memo in October 2023 rather than continue to litigate.
The withdrawal did not reflect a policy decision that cybersecurity was unimportant. It reflected a legal conclusion that the sanitary survey was not the correct vehicle. What replaced it was a combination of enforcement pressure, voluntary technical assistance, and renewed talk of new legislation.
Where the EPA still has teeth
Two federal hooks remain enforceable without new authority, and both matter.
The first is the RRA and ERP certifications under AWIA. These are not voluntary. The EPA has publicly stated that incomplete or superficial cybersecurity treatment inside an RRA is grounds for follow-up. The agency’s May 2024 enforcement alert on drinking water cybersecurity emphasized this point, noting that more than 70 percent of utilities inspected since September 2023 were in violation of basic Safe Drinking Water Act Section 1433 requirements, including missing RRA and ERP content and basic cybersecurity failings visible during on-site review (default passwords, single logins shared across staff, failure to revoke access for former employees). Those findings can be cited under existing authorities, even without the sanitary survey vehicle.
The second is Section 1433 of the Safe Drinking Water Act more broadly, which gives the EPA authority to require reasonable steps to reduce risk from malevolent acts. The agency has used this authority sparingly in cyber enforcement, but it is the mechanism behind the enforcement alert and behind the expectation that an RRA’s cyber section be more than a box-check exercise.
For water utility boards and general counsels who ask “what are we actually required to do,” the practical answer today is approximately this: complete and recertify a serious RRA that treats cyber risk substantively; maintain a current ERP that reflects the cyber scenarios identified in the RRA; remediate the basic hygiene failings that EPA enforcement has repeatedly cited; and keep an eye on your state program, because the state-level picture is where most of the new requirements are actually landing.
The state patchwork
Federal uncertainty has pushed real regulation to the states. The result is uneven.
New Jersey has been among the most active. The state’s Board of Public Utilities has issued cybersecurity reporting requirements for its regulated water utilities, including incident notification timelines and periodic attestation. California’s State Water Resources Control Board has pushed a combination of guidance, assistance programs, and expectations tied to its own funding decisions. Several states have integrated cyber into their AWIA-aligned review processes, effectively doing at the state level what the EPA’s sanitary survey memo attempted federally. Other states have done very little and continue to rely on the federal floor.
For a utility operating in a single state, the practical starting point is the state drinking water program’s current guidance, plus the state public utility commission if the utility is rate-regulated. For a water tech vendor selling across states, the patchwork means that a cyber-sensitive product (anything with remote access, anything that touches SCADA, anything cloud-delivered with a control-system interface) needs to be conversant in more than one regime. A single federal answer does not exist yet.
The voluntary stack that most utilities actually use
Parallel to the regulatory push, a voluntary technical stack has emerged that does most of the real work inside utility cybersecurity programs today. It is worth knowing as an operator and as a vendor.
CISA, the Cybersecurity and Infrastructure Security Agency, runs a set of programs specifically aimed at water. The Cyber Hygiene Services scan, which provides external vulnerability scanning for critical infrastructure operators, is available at no charge to utilities that enroll. CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) provide a reasonable baseline control set, and the EPA has pointed to them as a starting reference for small and mid-sized utilities that lack the resources to build a program from scratch.
WaterISAC, the water sector’s Information Sharing and Analysis Center, publishes threat intelligence, the widely referenced “15 Cybersecurity Fundamentals for Water and Wastewater Utilities,” and member-only indicator feeds. Most utilities with any serious cybersecurity program are WaterISAC members, and many small utilities with no program at all should be.
The AWWA Cybersecurity Guidance and the companion Use-Case Tool remain the most broadly accepted sector-specific reference. The guidance maps to the NIST Cybersecurity Framework, which many states and consultants default to when they need a recognized control catalog.
The EPA itself offers free technical assistance, including a cybersecurity assessment service for utilities that request it, delivered through contractors on the agency’s behalf. For small utilities, this can be the most practical entry point into a real program, because it arrives at no cost and produces findings that map directly to AWIA obligations.
This voluntary stack is where the actual cybersecurity improvements have been happening. The regulatory churn sets the political context. The technical work is getting done inside utility IT and OT teams, often with CISA, WaterISAC, or consulting partners alongside.
What utility leadership should actually do
For a utility general manager, board, or security lead reading all of this and wondering where to spend the next hour, a short list covers most of what matters.
Start with the RRA. Pull the most recent one, turn to the cyber sections, and read them honestly. If they read like they were written to get the certification signed rather than to identify real risk, they are going to be a liability the next time an inspector or an attacker surfaces a specific failing. A well-written RRA section on cyber should reference specific control-system architecture, identified access points, known vendor dependencies, and the current state of segmentation and authentication. A poorly written one will say “we follow best practices” and not much else.
Address the basics the EPA has publicly said are endemic. Default passwords on internet-reachable controllers. Single-factor remote access into SCADA. Unsegmented networks where the business LAN can reach the HMI. Missing or outdated incident response contacts. These are the things enforcement has repeatedly cited. They are also what the Aliquippa attackers exploited, and what the smaller attacks at other utilities since have exploited. Fixing them is often inexpensive and politically easy to fund, because the narrative is clean.
Enroll in CISA Cyber Hygiene scanning and join WaterISAC. Both are nearly free. Both produce material that shows up credibly in an RRA. Neither requires a major procurement.
Treat the ERP as a real document. When the incident happens, the ERP is what the on-call operator will actually look at. If its cyber section is out of date or gestural, it will not help during the event. Tabletop exercises, even short ones with the same operations staff who will actually respond, are worth more than almost any additional technology purchase.
Talk to the state drinking water program and the state PUC, if applicable, about current expectations. The most actionable regulatory pressure today is coming from them, not from Washington.
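The hygiene failings in the list above (default credentials on internet-reachable controllers, single-factor remote access into SCADA, a business LAN that can reach the HMI, shared logins, and accounts that outlive an employee's departure) are exactly the things an inspector or a CISA assessment will surface, and they are the things a utility can check itself before either arrives. The following Python audit is an added example, not code from the post or from any agency or vendor it mentions: it runs over a constructed inventory (the controller names, accounts, staff roster, firewall rules, and the assumed 10.10.0.0/16 business LAN and 10.20.0.50 HMI address are all made up for the example) and returns a finding for each category. Field names such as `internet_reachable` and `default_credentials` are assumptions about how a utility might record its external-scan results and controller state; map them to whatever asset register you actually keep.

```python
"""Self-check for the basic water-sector hygiene failings EPA enforcement keeps citing.
Everything below is a constructed example: the network layout, controllers, accounts,
staff roster and firewall rules are made up, and the field names are assumptions."""
import ipaddress
from dataclasses import dataclass

# Assumed layout for the example (not any real utility's addressing).
BUSINESS_LAN = ipaddress.ip_network("10.10.0.0/16")
HMI_ADDRESS = ipaddress.ip_address("10.20.0.50")


@dataclass(frozen=True)
class Controller:
    name: str
    internet_reachable: bool   # e.g. from an external scan such as CISA Cyber Hygiene
    default_credentials: bool  # still using the vendor-shipped login


@dataclass(frozen=True)
class Account:
    username: str
    owners: tuple              # the people who actually use this login
    mfa: bool
    scada_remote: bool         # grants remote access into the control network


@dataclass(frozen=True)
class FwRule:
    src: str
    dst: str
    action: str                # "allow" or "deny"; first matching rule wins


def exposed_default_controllers(controllers):
    """Controllers reachable from the internet that still use default credentials."""
    return [c.name for c in controllers if c.internet_reachable and c.default_credentials]


def single_factor_remote(accounts):
    """Remote-access-into-SCADA logins that are not protected by MFA."""
    return [a.username for a in accounts if a.scada_remote and not a.mfa]


def shared_logins(accounts):
    """One username used by several people: no accountability, hard to revoke."""
    return [a.username for a in accounts if len(a.owners) > 1]


def orphaned_accounts(accounts, active_staff):
    """Logins whose owner is no longer on the active roster (access never revoked)."""
    staff = set(active_staff)
    return [a.username for a in accounts if any(o not in staff for o in a.owners)]


def business_lan_reaches_hmi(rules, hmi=HMI_ADDRESS, lan=BUSINESS_LAN):
    """Indices of allow rules that let some business-LAN host reach the HMI.
    Honours first-match order: an earlier deny whose source covers the allow's
    source range and whose destination covers the HMI shadows that allow."""
    offending = []
    for i, rule in enumerate(rules):
        src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
        if rule.action != "allow" or not src.overlaps(lan) or hmi not in dst:
            continue
        shadowed = any(
            r.action == "deny"
            and ipaddress.ip_network(r.src).supernet_of(src)
            and hmi in ipaddress.ip_network(r.dst)
            for r in rules[:i]
        )
        if not shadowed:
            offending.append(i)
    return offending


# --- constructed sample inventory -------------------------------------------
CONTROLLERS = (
    Controller("prs-03-plc", internet_reachable=True, default_credentials=True),
    Controller("well-07-plc", internet_reachable=False, default_credentials=True),
    Controller("booster-02-plc", internet_reachable=True, default_credentials=False),
)
ACCOUNTS = (
    Account("operator", ("A. Lee", "B. Diaz", "C. Ng"), mfa=False, scada_remote=True),
    Account("jsmith", ("J. Smith",), mfa=True, scada_remote=True),
    Account("hr_app", ("D. Patel",), mfa=False, scada_remote=False),
)
ACTIVE_STAFF = ("A. Lee", "B. Diaz", "C. Ng", "D. Patel")   # J. Smith has left
FW_RULES = (
    FwRule("10.10.50.0/24", "10.20.0.0/24", "deny"),        # blocks one business subnet
    FwRule("10.10.50.0/24", "10.20.0.50/32", "allow"),      # shadowed by the deny above
    FwRule("10.10.0.0/16", "10.20.0.0/24", "allow"),        # the real problem
    FwRule("0.0.0.0/0", "0.0.0.0/0", "deny"),
)


def run_audit(controllers=CONTROLLERS, accounts=ACCOUNTS,
              active_staff=ACTIVE_STAFF, rules=FW_RULES):
    """Collect every finding into one dict suitable for an RRA appendix."""
    return {
        "exposed_default_controllers": exposed_default_controllers(controllers),
        "single_factor_remote": single_factor_remote(accounts),
        "shared_logins": shared_logins(accounts),
        "orphaned_accounts": orphaned_accounts(accounts, active_staff),
        "business_lan_to_hmi_rules": business_lan_reaches_hmi(rules),
    }


if __name__ == "__main__":
    for category, hits in run_audit().items():
        print(f"{category}: {hits or 'none'}")
```

Each non-empty list in the result is a finding that belongs in the RRA's cyber section with a remediation owner and date; the firewall check in particular is worth running against the actual rule export rather than a hand-drawn diagram, because shadowed rules like the second one above are a common reason a segmentation that looks fine on paper is not.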
What water tech vendors should know
For founders building products that touch water utility operational technology, the regulatory picture creates a meaningful sales dynamic. Utilities know they have a cyber problem. They are being told so by CISA, by their consultants, by their insurers, and increasingly by their state regulators. Budgets that would not have existed three years ago are starting to exist, though unevenly.
Two things matter for vendors in this environment.
The first is that your product’s security posture is now part of the evaluation, earlier and more seriously than before. Utility IT and OT staff ask about authentication, logging, segmentation compatibility, firmware update processes, and vendor incident response in a way they mostly did not a few years ago. A vendor that cannot answer those questions credibly is increasingly being disqualified during technical review. A vendor that can answer them well, with documentation, reference architectures, and a credible posture, has a real advantage.
The second is that cybersecurity-adjacent products sold to water utilities inherit the specification dynamics of the rest of the sector. The engineering consultant channel still matters, and consultants are increasingly asked by their utility clients to evaluate cyber risk inside designs that include third-party technology. A product that fits cleanly into a defensible cybersecurity posture is easier to specify than one that raises questions during design review. The consultant channel dynamics apply here the same way they apply to any other process technology.
For vendors selling explicit cybersecurity products into the sector (network monitoring, OT-aware firewalls, identity and access management for industrial environments, managed detection and response), the market is real but noisy. Utilities are inundated with pitches. The ones that break through tend to be anchored to specific AWIA RRA findings, to specific CISA CPG controls, or to specific state requirements the utility is already responding to. Abstract cyber posture pitches tend to lose against concrete alignment with a regulatory or framework reference the utility is already working through.
What is likely to come
Predictions about water cybersecurity regulation have a poor track record, so this section is tentative. A few directional bets seem reasonable.
New federal legislation specifically on water sector cybersecurity has been introduced multiple times and may eventually pass. Whatever emerges will probably look less like the original sanitary survey memo and more like explicit authority for the EPA to prescribe a baseline control set, with scaled expectations by utility size. The state patchwork will continue to expand and will probably become the more aggressive of the two layers for the next few years, particularly in states with active PUC involvement. The insurance market will keep doing quiet work that does not make headlines, as carriers tighten requirements for water utility cyber coverage and effectively push utilities toward specific controls through premium and deductible structures.
Attack frequency will keep increasing. The Aliquippa story was not an outlier; it was an early public example of a pattern that was already happening and has continued. The combination of exposed industrial control systems, widely available exploitation tools, and geopolitical actors looking for soft targets means water utilities will remain in the target set indefinitely. Every serious utility board by now understands this, and the ones that do not will be educated by the next incident, not by this post.
The bottom line
The EPA’s water sector cybersecurity mandate, in the strict sense, is a moving target. What is stable underneath the moving target is this: every community water system above 3,300 people has binding obligations under AWIA to assess cyber risk and plan for cyber incidents; the EPA can and does enforce against the most basic failings during inspections; states are filling in the regulatory detail at varying speeds; and a mature voluntary technical stack exists to help utilities do the actual work. For operators, the practical priority is to do the actual work rather than wait for the regulatory picture to settle. For vendors, the practical priority is to be a product that fits cleanly into that work, not one that adds friction to it.
The utilities that get ahead of this do not do so by reading the legal commentary. They do it by fixing the controllers with default passwords, treating their RRAs as real documents, and making cyber a standing item in their operations meetings. The regulators will eventually catch up to what the operators already know.
HydroKnowledge advises water technology founders and water utilities on regulatory strategy, go-to-market, and the translation between the two. Get in touch if you are navigating the cybersecurity landscape from either side.