EPA Cybersecurity Requirements for Water Utilities: What SCADA Operators Need to Know
Key Takeaway
Water utilities face growing cybersecurity regulatory pressure from AWIA 2018, EPA enforcement, and CIRCIA 2022. This article covers Risk and Resilience Assessments, OT network hardening, and practical security measures every SCADA operator should implement to protect public health infrastructure.
Why Water Utility Cybersecurity Is Urgent
In February 2021, an attacker remotely accessed the SCADA system at the Oldsmar, Florida water treatment plant and attempted to raise sodium hydroxide (lye) levels to approximately 100 times normal levels. A vigilant operator observed the unauthorized change on-screen and immediately corrected the setpoint — the change was reversed within minutes before any affected water reached consumers. It is worth noting that the external-attacker attribution for this incident remains disputed by investigators, and the root cause may have involved shared credentials or an insider scenario, but regardless of origin the incident exposed severe access control gaps in the facility's SCADA system: the operator's mouse was visibly moving on its own, indicating remote desktop access without any apparent authentication challenge.
The Oldsmar incident became a turning point. EPA, CISA, and state drinking water agencies had already been urging water utilities to improve cybersecurity posture — Oldsmar demonstrated in concrete terms that inadequately secured water SCADA could directly threaten public health. Since that incident, EPA and CISA have substantially accelerated their cybersecurity guidance and enforcement activity directed at water and wastewater utilities.
AWIA 2018: The Foundation of Water Utility Cybersecurity Requirements
The America's Water Infrastructure Act of 2018 (AWIA) established the current legal framework for water utility cybersecurity. Section 2013 of AWIA amended the Safe Drinking Water Act to require community water systems serving more than 3,300 people to complete two interrelated documents:
- Risk and Resilience Assessment (RRA): A formal evaluation of risks to the utility's infrastructure, including malevolent acts and natural hazards. The assessment must specifically address cybersecurity risks to SCADA and other process control systems. It must be certified to EPA every five years.
- Emergency Response Plan (ERP): A documented plan for responding to the risks identified in the RRA, including cybersecurity incidents affecting control systems. The ERP must be reviewed and updated every five years following the RRA.
AWIA established phased compliance deadlines based on system size. Systems serving more than 100,000 people were required to certify their RRA to EPA by June 30, 2021. Systems serving 50,001–100,000 were due by December 31, 2021. Systems serving 3,301–50,000 were required to certify by June 30, 2022. These initial deadlines have passed — utilities that have not yet completed their RRA and ERP are in violation of SDWA Section 1433 and subject to EPA Administrative Orders and civil penalties.
EPA's enforcement authority for AWIA non-compliance includes issuing Administrative Compliance Orders (ACOs) and civil penalties. Utilities that received an ACO and failed to comply face additional penalty exposure. The five-year recertification cycle means utilities that completed their initial assessments in 2021–2022 will need to conduct updated assessments in 2026–2027.
What an AWIA Risk and Resilience Assessment Must Address
The RRA must evaluate risk to the utility's pipes and constructed conveyances, physical infrastructure, source water, financial infrastructure, information technology, operational technology (SCADA/ICS), and chemical handling and storage. For cybersecurity purposes, the most critical sections are the OT/SCADA assessment and the IT assessment. EPA's guidance document Baseline Information on Malevolent Acts for Community Water Systems provides threat scenarios utilities should address in their RRA.
A cybersecurity-focused RRA for a water utility typically includes:
- Asset inventory of all SCADA servers, HMI workstations, PLCs, RTUs, and communication equipment
- Network architecture diagram identifying connections between OT, IT, and external networks
- Identification of remote access methods and authentication controls
- Threat and vulnerability assessment using CISA's CSET (Cyber Security Evaluation Tool) or equivalent methodology
- Consequence analysis: what process could an attacker affect, and what is the public health impact?
- Risk prioritization and mitigation recommendations
CIRCIA 2022: Mandatory Incident Reporting Is Coming
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to develop rules mandating that covered critical infrastructure entities — including water and wastewater utilities — report significant cyber incidents within 72 hours and ransomware payments within 24 hours. Water utilities are covered entities under CIRCIA as operators of critical infrastructure.
However, as of early 2026, CIRCIA's Final Rule has not yet been published. CISA released a Notice of Proposed Rulemaking (NPRM) in April 2024, but the rulemaking process has not concluded. Mandatory reporting timelines are not yet in force. Utilities should monitor CISA's CIRCIA rulemaking page for updates and begin preparing incident response procedures and reporting capabilities now, so they can comply promptly when the Final Rule takes effect.
Even without mandatory CIRCIA reporting currently in force, EPA's existing authority under SDWA and the Clean Water Act provides enforcement tools for utilities that experience incidents resulting from negligent cybersecurity practices. Voluntary reporting to CISA and WaterISAC is encouraged and does not trigger enforcement — early reporting helps CISA develop threat intelligence that protects other utilities.
EPA's 2023 Cybersecurity Memo and Subsequent Developments
In March 2023, EPA issued a memorandum requiring states to include cybersecurity evaluation in sanitary surveys of public water systems. This memo was challenged in federal court by Missouri, Arkansas, and Iowa, and EPA ultimately withdrew the sanitary survey cybersecurity requirement in August 2023 following the legal challenge. The withdrawal does not eliminate EPA's underlying authority to address cybersecurity through other mechanisms — EPA continues to cite cybersecurity in AWIA enforcement and has issued guidance encouraging states to voluntarily incorporate cybersecurity into their oversight programs.
The practical effect for utilities is that formal cybersecurity inspections through sanitary surveys are not currently required in most states, but AWIA's RRA and ERP requirements remain fully in force. Utilities should not interpret the withdrawal of the 2023 memo as a relaxation of cybersecurity expectations — EPA's enforcement posture on AWIA compliance has hardened, not softened.
Practical OT Security Measures for Water SCADA
Network Segmentation
The most important single security improvement most small and mid-size utilities can make is separating their SCADA/OT network from the business IT network. Many utilities run SCADA servers on the same flat network as email servers, office computers, and internet access — this means a single phishing email that compromises an administrative workstation can provide direct access to SCADA systems. A properly segmented network places a firewall or industrial DMZ between the OT network and the IT network, with only necessary communications permitted through controlled interfaces.
Remote Access Controls
Remote access to SCADA systems is operationally necessary — operators need to check plant status from home, and integrators need to perform remote programming and troubleshooting. The Oldsmar incident reportedly involved TeamViewer remote access software that was inadequately secured. Acceptable remote access requires a VPN (preferably with multi-factor authentication) as the entry point, not direct exposure of SCADA ports or remote desktop services to the internet. Role-based access control should limit what each remote user can view and control.
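As an added illustration, not code from NFM Consulting or any product named here, the following Python checker applies the segmentation and remote-access principles from the two sections above to a firewall rule list. The zone names, rule format, and both sample policies are assumptions constructed for the example.

```python
from dataclasses import dataclass

ANY = 0  # wildcard port
@dataclass(frozen=True)
class Rule:
    src: str            # zone: "internet", "it", "dmz", "vpn", "ot" or "any"
    dst: str
    port: int           # ANY or a single TCP port
    action: str         # "allow" or "deny"
    mfa: bool = False   # for src == "vpn": is MFA enforced at the gateway?

def find_violations(rules):
    """Return (rule_index, reason) pairs for rules that break IT/OT segmentation."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or r.dst != "ot":
            continue  # only 'allow' rules into the OT zone can open a path
        if r.src == "internet":
            findings.append((i, "OT reachable directly from the internet"))
        elif r.src == "it":
            findings.append((i, "direct IT-to-OT path; route it through the DMZ"))
        elif r.src == "vpn" and not r.mfa:
            findings.append((i, "remote access into OT without MFA"))
        elif r.src == "dmz" and r.port == ANY:
            findings.append((i, "DMZ-to-OT rule not restricted to one port"))
    # Ordered rule sets fall through to the last match, so require an explicit
    # catch-all deny into OT; otherwise unlisted traffic may be permitted.
    if not any(r.action == "deny" and r.dst == "ot" and r.port == ANY for r in rules):
        findings.append((len(rules), "no explicit default deny into OT"))
    return findings

# Constructed flat-network policy of the kind the text warns about.
FLAT_POLICY = [
    Rule("internet", "ot", 3389, "allow"),  # remote desktop to an HMI from anywhere
    Rule("it", "ot", ANY, "allow"),         # office LAN reaches PLCs directly
]

# Constructed segmented policy: VPN with MFA is the only remote entry point,
# historian traffic crosses the DMZ on one port, everything else is denied.
SEGMENTED_POLICY = [
    Rule("vpn", "ot", 3389, "allow", mfa=True),
    Rule("dmz", "ot", 502, "allow"),
    Rule("it", "dmz", 443, "allow"),
    Rule("any", "ot", ANY, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, find_violations(policy) or "no findings")
```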
Patch Management
SCADA servers and HMI workstations running Windows operating systems require security patching. Many utilities run outdated OS versions (Windows 7, Windows XP) on SCADA workstations due to concerns about patch compatibility with SCADA software. A structured patch management process — testing patches on a non-production system before deploying to operational SCADA — addresses this while maintaining operational continuity. ICS-CERT advisories provide notifications of critical vulnerabilities in SCADA software components that require prompt attention.
Incident Response Plan
Every water utility should maintain a documented cybersecurity incident response plan that addresses: how to detect an anomalous SCADA event, who to notify internally and externally (EPA, CISA, WaterISAC, state primacy agency), how to isolate compromised systems while maintaining manual plant operation, and how to recover from a ransomware or destructive attack. The AWIA Emergency Response Plan should incorporate cybersecurity incident scenarios explicitly.
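As an added example, not from the page or NFM Consulting, here is one detection check for the "anomalous SCADA event" item above: it scans HMI setpoint-change audit lines for values outside engineering limits, large single-step changes of the kind described in the Oldsmar incident, and writes made from remote sessions. The log line format, tag names, and limits are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Engineering limits per setpoint tag: (low, high, max_step_ratio). Constructed
# values for the example, not a real plant's limits.
LIMITS = {
    "NAOH_DOSE_SP": (50.0, 250.0, 2.0),   # caustic dose setpoint, ppm
    "CL2_RESIDUAL_SP": (0.5, 4.0, 2.0),   # chlorine residual setpoint, mg/L
}
# Constructed HMI audit-log line format; real HMIs and historians log differently.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>local|remote) "
    r"tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)

@dataclass
class Alert:
    ts: str
    tag: str
    user: str
    reason: str

def check_setpoint_changes(lines):
    """Flag setpoint writes that leave the engineering band, jump by more than the
    allowed ratio in a single write, or originate from a remote session."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a setpoint write; nothing to evaluate
        tag, old, new = m["tag"], float(m["old"]), float(m["new"])
        lo, hi, ratio = LIMITS.get(tag, (float("-inf"), float("inf"), float("inf")))
        step = max(new / old, old / new) if old > 0 and new > 0 else 1.0
        if not lo <= new <= hi:
            alerts.append(Alert(m["ts"], tag, m["user"], f"{new} outside {lo}-{hi}"))
        elif step > ratio:
            alerts.append(Alert(m["ts"], tag, m["user"], f"{step:.0f}x step exceeds {ratio}x"))
        if m["session"] == "remote":
            alerts.append(Alert(m["ts"], tag, m["user"], "written from a remote session"))
    return alerts

# Constructed log: a routine local change, a 100x change from a remote session like
# the one described above, the operator's reversal, and a routine chlorine change.
SAMPLE_LOG = [
    "2026-01-15T08:02:11 user=op_a session=local tag=NAOH_DOSE_SP old=100 new=110",
    "2026-01-15T13:30:05 user=op_a session=remote tag=NAOH_DOSE_SP old=110 new=11000",
    "2026-01-15T13:34:40 user=op_a session=local tag=NAOH_DOSE_SP old=11000 new=110",
    "2026-01-15T14:00:00 user=op_b session=local tag=CL2_RESIDUAL_SP old=1.8 new=2.0",
]
```

The operator's reversal on the third line is flagged too, since a 100x step deserves review even when it is a correction; routing these alerts to the notification list in the plan gives the "who to notify" step a concrete trigger.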
CISA and WaterISAC Resources for Water Utilities
CISA offers free cybersecurity resources specifically for water utilities, including no-cost vulnerability assessments through its CSET tool, physical security assessments, and ICS-CERT advisories on vulnerabilities in water SCADA components. WaterISAC (Water Information Sharing and Analysis Center) provides threat intelligence sharing, incident response assistance, and training for water sector members. Annual membership fees for small utilities are modest relative to the risk reduction benefit. Both organizations have regional representatives who can engage directly with utility management and technical staff.
TCEQ Cybersecurity Guidance for Texas Utilities
TCEQ has published cybersecurity guidance for Texas public water systems aligned with AWIA requirements. Texas utilities are subject to the same federal AWIA thresholds as utilities in other states. TCEQ's Technical Assistance and Investigation (TAI) program provides resources to help small water systems complete their AWIA Risk and Resilience Assessments. Texas utilities should consult TCEQ's drinking water security page and contact their TCEQ regional office for guidance on RRA completion and documentation.
NFM Consulting Water Automation Services
NFM Consulting provides OT cybersecurity assessments, SCADA network segmentation design, remote access hardening, and documentation support for water utilities completing AWIA Risk and Resilience Assessments. Our team combines water treatment process knowledge with industrial control system security expertise to deliver practical, operationally realistic security improvements. Contact NFM Consulting to schedule a water SCADA security assessment.
Frequently Asked Questions
AWIA 2018 Section 2013 requires community water systems serving more than 3,300 people to complete a Risk and Resilience Assessment (RRA) and Emergency Response Plan (ERP) every five years, certified to EPA. The RRA must address cybersecurity risks to SCADA and other OT systems. Initial deadlines were 2021–2022 based on system size; five-year recertifications are due in 2026–2027 for systems that completed initial assessments. Non-compliance can result in EPA Administrative Orders and civil penalties.
As of early 2026, CIRCIA's Final Rule has not been published and mandatory cyber incident reporting requirements are not yet in force for water utilities. CISA issued a proposed rule in April 2024, but rulemaking is ongoing. When the Final Rule takes effect, covered water utilities will be required to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. Utilities should prepare incident response and reporting procedures now.
Network segmentation — separating the SCADA/OT network from the business IT network using a firewall — is the single highest-impact improvement most small utilities can make. Many small systems run SCADA and office computers on the same flat network, meaning a single compromised workstation can directly reach SCADA. A properly configured industrial firewall between IT and OT networks, combined with VPN-only remote access with multi-factor authentication, addresses the attack paths most commonly exploited in water utility incidents.
In February 2021, an individual remotely accessed the SCADA system at Oldsmar, Florida's water treatment plant and attempted to raise sodium hydroxide (caustic soda) to approximately 100 times normal treatment levels. An operator observed the change in real time and immediately reversed it. No affected water reached consumers. The external-attacker attribution remains disputed by some investigators, but the incident demonstrated the public health consequences of inadequate SCADA access controls and accelerated EPA and CISA cybersecurity enforcement activity for water utilities.