Elisity Blog

EPA Unveils Critical Cybersecurity Planning Tools to Protect Water Systems from Rising Cyberattacks

EPA's 2025 Water Infrastructure Cybersecurity Guide: 4 Critical Resources & Implementation Strategies

Water infrastructure cybersecurity has reached a critical inflection point in 2025. In October 2024, American Water—the largest regulated water and wastewater utility company in the United States—was forced to shut down its billing systems following a cyberattack that disrupted services for millions of customers. Just months earlier, in January 2024, a water tank in Muleshoe, Texas overflowed after threat actors exploited default passwords to access control systems. These incidents underscore an uncomfortable reality: water utilities have become prime targets for nation-state adversaries and cybercriminals seeking to disrupt essential services that millions of Americans depend on daily.

Against this backdrop of escalating threats, the Environmental Protection Agency (EPA) announced in October 2025 the release of four comprehensive cybersecurity planning resources specifically designed to help water and wastewater utilities strengthen their defenses, respond to incidents, and maintain operational continuity. For CISOs and security leaders at water utilities, these resources arrive at a pivotal moment when federal mandates, insurance requirements, and board-level scrutiny all demand demonstrable progress toward cyber resilience.

This article examines the current threat landscape facing water infrastructure, breaks down the EPA's new cybersecurity toolkit, explains regulatory compliance requirements, and provides actionable implementation strategies that address people, processes, compliance, and technology dimensions of building a modern defensible architecture for water utilities.

What Are the Top Cyber Threats to Water Infrastructure in 2025?

The cybersecurity challenges facing water utilities extend far beyond isolated incidents. According to research from Claroty's Team82 State of OT Exposures Report, adversaries are targeting operational technology with greater frequency in the hopes of impacting national security, economic stability, and, in some cases, public safety. The leverage point in an OT attack is often the inadvertent exposure of a device that is insecurely connected to the internet, including OT assets that are directly connected online rather than through secure access technology.

The Scale of Vulnerability in Water System Cybersecurity

Water systems face a convergence of vulnerabilities that create substantial risk exposure. The Cybersecurity and Infrastructure Security Agency (CISA) released foundational guidance in August 2025 titled "Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators" that emphasizes operational technology includes a broad set of technologies covering process automation, instrumentation, cyber-physical operations, and industrial control systems. Many OT systems are increasingly connected to business operations and applications that rely on process data, and if not assembled and integrated securely, these connections introduce paths for cyber actors to move between networks.

The challenge is particularly acute because water utilities typically operate SCADA systems, programmable logic controllers (PLCs), remote terminal units (RTUs), and distributed control systems that were designed to prioritize consistent functionality over cybersecurity. These devices often cannot accommodate security agents, lack modern authentication mechanisms, and run on legacy operating systems that no longer receive security patches. According to research on operational technology security in critical infrastructure, these vulnerabilities continue to increase year over year.

Nation-State Threat Actors Targeting Water Infrastructure

Recent years have witnessed a dramatic increase in sophisticated attacks against water infrastructure by well-financed state-sponsored threat actors. China-linked groups including Volt Typhoon and Salt Typhoon have infiltrated U.S. military and critical infrastructure operations. CISA has labeled Volt Typhoon's activity as disruptive or potentially destructive in the event of a major crisis or conflict with the United States, as documented in their advisory on state-sponsored actors. These groups gain access by exploiting weak or default passwords and then rely on legitimate tools already present on the systems they infiltrate.

Russian intelligence-linked groups, particularly Sandworm, have demonstrated capability and willingness to target critical infrastructure. This APT is responsible for several attacks against Ukraine's power grid and the deployment of Industroyer malware—purpose-built tools targeting industrial equipment communicating over IEC-104 protocols. Iran-affiliated actors, operating under the watch of the Islamic Revolutionary Guard Corps, have also targeted water facilities. The CyberAv3ngers group targeted Unitronics integrated HMI/PLC devices inside U.S. water facilities in late 2023, as reported in threat intelligence from Claroty and other cybersecurity firms.

How Do Cyberattacks Use Lateral Movement in Water Systems?

The most prevalent attack pattern involves initial compromise through weak authentication, followed by lateral movement across flat networks to reach critical operational systems. According to cybersecurity research, lateral movement is the preferred tactic used in 70% of successful breaches because it allows cybercriminals to spread across an organization to find valuable data and assets. By the time defenders detect unusual activity, attackers may have already exfiltrated data, deployed ransomware, or established long-term surveillance within the network.

Water utilities face several common vulnerability patterns that enable these attacks. Default passwords and weak authentication mechanisms provide initial access. Internet-exposed HMI and SCADA systems create direct pathways to operational technology. Poor network segmentation means that once an attacker gains a foothold in the IT environment, they can move laterally to OT systems with limited resistance. The absence of comprehensive asset inventories means many utilities lack visibility into what devices exist on their networks, how those devices communicate, and where communications lead.

What Are the New EPA Cybersecurity Tools for Water Utilities?

The EPA has developed four interconnected resources that provide water utilities with practical frameworks for incident response, emergency planning, vendor evaluation, and operational continuity. Each resource addresses specific gaps in existing guidance while working together to create a comprehensive cybersecurity program. These resources are available through the EPA's Water Sector Cybersecurity Program.

Resource 1: Emergency Response Plan Guide for Wastewater Utilities

The updated Emergency Response Plan Guide provides wastewater utilities with a comprehensive framework for developing and maintaining emergency response capabilities. This resource covers strategies, procedures, and considerations for various incident types including cyber incidents, natural disasters, equipment failures, and intentional attacks. The guide emphasizes the critical importance of having documented procedures that enable manual operations when automated systems are compromised.

What distinguishes this updated version is its explicit treatment of cybersecurity incidents as a category requiring specific response protocols. The guide recognizes that cyber incidents may simultaneously affect IT systems, OT systems, and business operations, requiring coordinated response across multiple teams. Implementation requires utilities to identify key personnel, establish communication protocols, define decision-making authorities, and conduct regular exercises to test response capabilities.

Resource 2: How Do Water Utilities Respond to Cyberattacks? The CIRP Template

The Cybersecurity Incident Response Plan (CIRP) template provides a structured framework for developing organization-specific incident response plans. This template is particularly valuable because it helps utilities translate general cybersecurity guidance into specific, actionable procedures tailored to their operational environment. The template covers critical elements including incident detection and analysis, containment strategies, eradication procedures, recovery operations, and post-incident review processes.

Customization is essential. A large regional utility serving millions of customers will require substantially different procedures than a small community water system. The template guides utilities through considering their specific risk profile, available resources, technical environment, and regulatory requirements. Effective implementation requires integration with existing emergency response plans, clear definition of roles and responsibilities, established communication channels, and regular testing through tabletop exercises and simulations.

Resource 3: Incident Action Checklists for Water Utility Emergency Response

The EPA has developed two comprehensive checklists that provide water utilities with step-by-step response procedures for multiple emergency types including wildfires, floods, power outages, and cyber incidents. These checklists translate complex response requirements into sequential, actionable steps that operators can follow during high-stress incident conditions.

The value of these checklists extends beyond their use during actual incidents. Utilities should use these checklists as the foundation for conducting tabletop exercises that test their response capabilities, identify gaps in procedures or resources, and build muscle memory among response teams. Regular exercises using these checklists help ensure that when a real incident occurs, teams can execute established procedures efficiently rather than improvising under pressure.

Resource 4: What Are the Cybersecurity Procurement Best Practices for Water Systems?

This cybersecurity procurement checklist addresses a critical control point that many utilities overlook: vendor and supply chain security. Every new device, software system, or service introduces potential vulnerabilities into the operational environment. The procurement process provides an opportunity to establish security requirements before solutions are selected and deployed.

The checklist guides utilities through assessing vendor cybersecurity practices, evaluating product security features, understanding support and patching procedures, and managing supply chain risks. Key questions include: Does the vendor follow secure development practices? How quickly does the vendor release security patches? What authentication mechanisms does the product support? Can the product integrate with existing security monitoring tools? Does the vendor maintain an incident response capability?

Implementing effective procurement controls requires collaboration between IT, OT, procurement, legal, and operational teams. The goal is not to create bureaucratic barriers but rather to ensure that security considerations inform purchasing decisions before investments are made.

Understanding Your Obligations: What Are AWIA Cybersecurity Requirements for Water Systems?

Water utilities operate under a complex regulatory framework that mandates specific cybersecurity and emergency preparedness activities. Understanding these requirements is essential for building compliance-driven business cases for security investments.

America's Water Infrastructure Act (AWIA) Requirements

The America's Water Infrastructure Act of 2018 includes Section 2013, which requires community water systems serving more than 3,300 people to develop or update Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs). These requirements explicitly include cybersecurity considerations, recognizing that cyber threats pose material risks to water infrastructure resilience.

The timing requirements are based on system size. Systems serving more than 100,000 people were required to complete RRAs by March 2020 and certify ERPs by September 2020. Smaller systems have later deadlines extending through 2021 for the smallest covered systems. The EPA has enforcement authority to compel compliance and can impose administrative penalties for failures to meet requirements.

Safe Drinking Water Act Section 1433 Mandates

Section 1433 of the Safe Drinking Water Act requires community water systems to conduct vulnerability assessments and develop emergency response plans. While originally focused on physical security following 9/11, the statute's broad language regarding "malevolent acts" clearly encompasses cyber incidents. Regulatory interpretations and EPA guidance increasingly emphasize that water systems must address cyber vulnerabilities as part of their Section 1433 obligations.

Importantly, federal law provides protections for vulnerability assessment information that utilities submit to EPA, recognizing the sensitivity of detailed security information. These protections should give utilities confidence to be transparent about vulnerabilities when seeking federal assistance while maintaining appropriate information security.

CISA Cybersecurity Performance Goals and Guidance

While not legally binding, CISA's Cybersecurity Performance Goals (CPGs) provide practical guidance that many utilities use as a roadmap for improving security maturity. These goals emphasize fundamentals including asset inventory, vulnerability management, network segmentation, and incident response capabilities. CISA also provides free cyber hygiene services that utilities can leverage to identify gaps and prioritize improvements.

The relationship between EPA and CISA is collaborative rather than duplicative. EPA maintains regulatory authority over water sector compliance, while CISA provides technical cybersecurity expertise, threat intelligence, and operational support. Utilities benefit from engaging with both agencies to access the full range of available federal resources.

How Can Small Water Utilities Improve Cybersecurity on Limited Budgets?

Having comprehensive policies and templates provides a necessary foundation, but translating guidance into operational reality requires addressing the technology, process, people, and budget constraints that water utilities face. This section examines practical implementation strategies across these dimensions.

Conducting Comprehensive Cybersecurity Assessments

Effective cybersecurity programs begin with understanding current state. Utilities should leverage free assessment programs available through EPA's Water Sector Cybersecurity Program Case Studies and CISA before making significant technology investments. These assessments provide external validation of vulnerabilities and help prioritize remediation efforts based on risk rather than arbitrary criteria.

Internal assessments are equally important. Following CISA's guidance, utilities should create comprehensive inventories of all operational technology assets including SCADA systems, PLCs, RTUs, HMIs, network devices, and monitoring systems. For each asset, document its function, criticality, communication patterns, security posture, and dependencies on other systems.

CISA provides a structured taxonomy specifically for water and wastewater systems that classifies assets into high-criticality (SCADA systems, emergency shutdown systems, primary treatment systems), medium-criticality (RTUs, PLCs, network switches), and low-criticality (HMIs for non-critical processes, ambient sensors) categories. This criticality classification informs where to focus security investments and monitoring resources for maximum risk reduction.

What Is the Difference Between OT and IT Security in Water Treatment?

Understanding the distinction between operational technology (OT) and information technology (IT) security is fundamental to effective water utility cybersecurity. OT systems control physical processes—pumps, valves, chemical treatment, and water quality monitoring. These systems prioritize availability and safety over all other considerations. A SCADA system that goes offline can mean communities lose access to safe drinking water.

IT systems, by contrast, manage data and business processes—billing, customer service, human resources, and administrative functions. While important, IT system outages rarely create immediate public safety risks. This fundamental difference means that security approaches developed for IT environments often fail when applied directly to OT environments without modification.

Network segmentation represents one of the most effective controls for protecting OT systems while allowing necessary IT/OT integration. The NIST Special Publication 800-207 Zero Trust Architecture provides a framework for implementing identity-based security controls that continuously verify users and devices before granting access to resources. According to NIST, Zero Trust is defined as "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised."

How to Implement Network Segmentation in Water Systems

The CISA Zero Trust Maturity Model provides a structured framework for organizations to implement Zero Trust principles across five core pillars: Identity, Devices, Networks, Applications and Workloads, and Data. These pillars are supported by three cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance. Organizations progress through maturity stages from Traditional to Initial, Advanced, and Optimal, with each stage requiring greater levels of protection and dynamic policy enforcement.

For water utilities, effective network segmentation requires separating IT networks from OT networks, creating security zones within OT environments based on criticality and function, implementing strict access controls between zones, and monitoring all inter-zone communications for anomalous behavior. The key principle is defense in depth—multiple layers of controls that require attackers to overcome numerous obstacles rather than a single perimeter.

Traditional segmentation using VLANs and firewalls creates broad security zones, but modern threats require more granular controls that can enforce least-privilege access policies at the device level. This is where microsegmentation becomes valuable. Modern microsegmentation solutions enable utilities to create dynamic, identity-based policies that follow devices regardless of their network location, a capability particularly important for water utilities with distributed infrastructure across wide geographic areas.

Real-World Implementation: Case Studies in Water Utility Microsegmentation

Two recent deployments of Elisity in 2024-2025 demonstrate how water utilities can rapidly implement modern network segmentation to meet compliance requirements and improve security posture.

Southwestern City Water Utility: Rapid Compliance Achievement

A water utility in the southwestern United States faced urgent federal cybersecurity mandates in 2024, including the EPA's Safe Drinking Water Act Section 1433 requirements for water systems to strengthen security and implement network segmentation. The utility's network was largely a flat Layer-2 environment with minimal internal segmentation, posing risks of unrestricted lateral movement, especially given the mix of IT and operational technology devices (many legacy or unpatched) on the network.

In late 2024, the utility deployed a cloud-managed microsegmentation platform (Elisity) across five city sites including on-premises data center, offices, and water treatment facilities. The solution was layered onto the utility's existing network infrastructure requiring no new hardware or major reconfigurations—a key requirement for rapid time-to-value. Elisity Virtual edge nodes were installed on existing switches and hypervisors, establishing a cloud-managed policy enforcement plane without changes to underlying switching behavior.

Within days of deployment, automated device discovery and classification identified approximately 1,883 devices across the utility's network spanning IT, IoT, and OT assets. The platform categorized devices into dynamic policy groups including 256 physical security systems (surveillance cameras, door badge controllers), 129 network printers, 62 industrial automation devices (SCADA/PLC equipment in water plants), and 51 collaboration/VoIP devices. Integration with Active Directory and endpoint security tools provided additional context to identify verified assets versus unverified or potentially rogue devices.

By early 2025, the utility rolled out microsegmentation across all sites with granular zero-trust zones enforcing least-privilege access and eliminating the broad trust implicit in the old flat network. The Elisity platform's simulation mode allowed the team to review and refine policies before enforcement, catching anomalous device communications that would have caused operational issues. Once policies were validated, the utility activated them globally, restricting lateral movement such that even if one device is compromised, it cannot freely access others. This transformation was achieved without new VLANs or manual ACL management, dramatically improving real-time visibility and control over every connected device while meeting federal water infrastructure cybersecurity guidelines.

Mid-Atlantic Regional Water District: Comprehensive OT/IT Segmentation

One of the largest water, wastewater, and sanitation districts in the mid-Atlantic region operates multiple treatment plants, pump stations, labs, and offices across a wide geographic area. The district's mission-critical infrastructure includes industrial control systems at over 100 pump stations and 9 major plants, as well as traditional IT networks for corporate and plant operations.

Prior to implementing modern microsegmentation, the district relied on legacy network access control for authentication but lacked flexible segmentation—internal networks still permitted too much lateral movement between IT and OT assets. The organization also uses endpoint detection and response, vulnerability management, and anomaly detection tools to monitor threats, but needed a way to enforce least-privilege access based on intelligence from these systems.

In 2025, the district's leadership sought to enhance network security and visibility by implementing zero-trust segmentation across the enterprise with goals including gaining real-time traffic awareness of all devices, preventing malware spread by reducing lateral movement, and managing the myriad of IoT/OT devices under a unified policy framework. This had to be achieved without extensive network downtime, leveraging the utility's existing network infrastructure for enforcement.

A proof-of-value pilot at one operations center discovered approximately 885 devices within a short period, ranging from office IT devices to plant control systems. By integrating with Active Directory and endpoint security tools, the platform immediately correlated many assets with existing identities—about 336 devices matched entries in directory services and 517 had security agents installed. The remaining devices were identified via network discovery, including previously unknown or unmanaged endpoints. This rapid inventory highlighted gaps in the district's visibility: passive network monitoring had seen up to 4,000 active IP addresses, but the utility had estimated roughly 1,800 wired and 239 wireless devices in their environment.

Following the successful pilot, the district moved forward with full deployment in Q4 2025. The deployment architecture leverages virtual edge nodes on virtualization platforms and network switches, all managed via cloud control. The solution integrates with the district's security stack—Active Directory for user/device context, endpoint security for device health status, and planned integration with vulnerability management for risk profiles—enabling policies that consider device risk. The cloud-based policy engine segments the district's network by creating logical groups for IT devices, OT/SCADA equipment, IoT devices, and unverified devices, each with tailored access rules.

The district's goal is to achieve full pilot segmentation by Q1 2026, with policies initially deployed in learning/simulation mode to map normal communication patterns. This informs the creation of fine-grained allowlists that permit only necessary flows between systems. By early 2026, the district expects enforcement across its hybrid environment, protecting thousands of devices across 13+ facilities and 130+ remote pump stations, all managed centrally. This will effectively ring-fence critical OT systems, preventing unauthorized access from the IT side or from compromised devices, while enforcing a least-privilege model for user and device access.

Both deployments demonstrate key principles of modern microsegmentation for critical infrastructure: rapid deployment without infrastructure replacement, automated discovery and classification of all devices, integration with existing security tools, and policy enforcement that stops lateral movement without impacting operations.
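The criticality-based zones, default-deny allowlists, and simulate-before-enforce workflow described in the segmentation section and both case studies can be illustrated in a small model. The following is an added example and is not code from Elisity, the EPA, or CISA; the kind-to-zone mapping, the addresses, the ports, and the "observed" flows are constructed sample data.

```python
"""Criticality-based zone policy: simulate first, then enforce.
Added example (not Elisity, EPA or CISA code): devices are zoned by the
criticality tiers summarised above, inter-zone traffic is default-deny with an
allowlist, and observed flows are checked in simulation mode before enforcement.
Device kinds, addresses, ports and flows are constructed sample data."""
from collections import Counter
from dataclasses import dataclass

# Assumed device kind -> zone mapping, modelled on the high/medium/low OT tiers
# in the text; IT and IoT devices get their own zones.
ZONE_BY_KIND = {
    "scada_server": "ot_high", "emergency_shutdown": "ot_high",
    "rtu": "ot_medium", "plc": "ot_medium", "network_switch": "ot_medium",
    "hmi_noncritical": "ot_low", "ambient_sensor": "ot_low",
    "workstation": "it", "billing_server": "it", "camera": "iot",
}

@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    kind: str
    verified: bool  # matched in the directory or carrying an endpoint agent

@dataclass(frozen=True)
class Flow:  # initiator side of a connection only
    src_ip: str
    dst_ip: str
    proto: str
    port: int

def zone_of(device: Device) -> str:
    """Unverified devices are quarantined regardless of what they look like."""
    if not device.verified:
        return "unverified"
    return ZONE_BY_KIND.get(device.kind, "unverified")

def evaluate(flow: Flow, zone_map: dict, policy: set, enforce: bool) -> dict:
    """Verdict for one flow. IPs missing from the inventory count as unverified.
    policy is a set of (src_zone, dst_zone, proto, port) allowlist entries."""
    src_zone = zone_map.get(flow.src_ip, "unverified")
    dst_zone = zone_map.get(flow.dst_ip, "unverified")
    if src_zone == dst_zone and src_zone != "unverified":
        allowed = True  # simplification: traffic within a verified zone is permitted
    else:
        allowed = (src_zone, dst_zone, flow.proto, flow.port) in policy
    if allowed:
        action = "allow"
    else:
        action = "block" if enforce else "would-block"
    return {"flow": flow, "src_zone": src_zone, "dst_zone": dst_zone, "action": action}

def run_policy(flows, inventory, policy, enforce=False):
    zone_map = {d.ip: zone_of(d) for d in inventory}
    return [evaluate(f, zone_map, policy, enforce) for f in flows]

def review_summary(verdicts):
    """Group non-allowed flows by (src zone, dst zone, proto, port) so the team
    reviews each candidate exception once, not once per connection."""
    counts = Counter()
    for v in verdicts:
        if v["action"] != "allow":
            counts[(v["src_zone"], v["dst_zone"], v["flow"].proto, v["flow"].port)] += 1
    return dict(counts)

# Constructed inventory, allowlist and "observed" flows.
INVENTORY = [
    Device("scada01", "10.10.1.10", "scada_server", True),
    Device("plc-intake", "10.10.2.21", "plc", True),
    Device("hmi-lobby", "10.10.3.5", "hmi_noncritical", True),
    Device("ws-admin", "10.20.1.50", "workstation", True),
    Device("billing01", "10.20.1.60", "billing_server", True),
    Device("cam-gate", "10.30.1.7", "camera", True),
    Device("unknown-1", "10.10.2.99", "plc", False),  # looks like a PLC, never verified
]
POLICY = {
    ("ot_high", "ot_medium", "tcp", 502),  # SCADA polls PLCs (Modbus/TCP)
    ("it", "ot_high", "tcp", 443),         # read-only web view of the SCADA server
}
OBSERVED = [
    Flow("10.10.1.10", "10.10.2.21", "tcp", 502),  # SCADA -> PLC
    Flow("10.20.1.50", "10.10.2.21", "tcp", 502),  # IT workstation -> PLC
    Flow("10.10.3.5", "10.10.2.21", "tcp", 502),   # non-critical HMI -> PLC
    Flow("10.10.2.99", "10.10.1.10", "tcp", 502),  # unverified device -> SCADA
    Flow("10.30.1.7", "10.20.1.60", "tcp", 445),   # camera -> billing server
    Flow("10.20.1.50", "10.20.1.60", "tcp", 443),  # IT -> IT, same zone
]

if __name__ == "__main__":
    simulated = run_policy(OBSERVED, INVENTORY, POLICY)
    for key, n in review_summary(simulated).items():
        print("would block", n, "flow(s):", key)
    # Review confirms the HMI -> PLC poll is legitimate: add a narrow rule, then enforce.
    reviewed = POLICY | {("ot_low", "ot_medium", "tcp", 502)}
    for v in run_policy(OBSERVED, INVENTORY, reviewed, enforce=True):
        print(v["action"], v["src_zone"], "->", v["dst_zone"], v["flow"].port)
```

In simulation mode the IT-to-PLC, unverified-to-SCADA and camera-to-billing flows surface as would-block findings for review, while the legitimate HMI poll is turned into a narrow allowlist entry before enforcement is switched on.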

Overcoming Budget and Resource Constraints

Many water utilities, particularly smaller community systems, face significant budget and staffing constraints that can seem to preclude major security investments. However, substantial security improvements are achievable even with limited resources through a combination of low-cost technical controls, process improvements, and leveraging free federal assistance.

Low-cost and no-cost security improvements should be the first priority. Eliminating default passwords and implementing strong authentication policies costs nothing but staff time. Disconnecting unnecessary internet-facing systems immediately reduces attack surface. Conducting regular vulnerability scans using free tools like CISA's cyber hygiene services identifies critical exposures. Implementing basic network segmentation using existing VLAN capabilities on current switches provides substantial risk reduction without new hardware purchases.

Leveraging free federal resources significantly extends limited budgets. EPA provides free vulnerability scanning and assessment services through its Water Sector Cybersecurity Program. CISA offers free services including vulnerability scanning, web application scanning, and access to cybersecurity professionals. Both agencies also provide free training, guidance documents, and templates that utilities can use to build security programs without expensive consultants.

Grant opportunities can fund larger security initiatives. The EPA's Water Infrastructure Finance and Innovation Act (WIFIA) program includes cybersecurity projects as eligible uses. State revolving funds administered by state agencies increasingly recognize cybersecurity as eligible for low-interest financing. The Infrastructure Investment and Jobs Act includes substantial funding for water infrastructure improvements, with cybersecurity explicitly recognized as a fundable category.

Managed service providers offer an alternative staffing model that allows utilities to access specialized expertise without hiring full-time security staff. MSPs can provide 24/7 monitoring, incident response, vulnerability management, and compliance reporting at costs significantly lower than building internal capabilities. When evaluating MSPs, utilities should prioritize providers with demonstrated experience in OT environments and understanding of water utility operations.

Building Incident Response Capabilities: From Planning to Execution

Having comprehensive incident response plans provides limited value unless organizations build actual capabilities to detect, contain, and recover from incidents. Effective incident response requires people, processes, technology, and regular practice.

Establishing Incident Response Teams and Roles

Incident response requires coordination across multiple stakeholders with different areas of expertise. At minimum, water utilities should establish an incident response team that includes representatives from IT, OT/SCADA operations, facility operations, executive leadership, legal, communications, and external support including law enforcement and regulatory agencies.

Each team member requires clear definition of their role and decision-making authority. Who has authority to take systems offline during an incident? Who communicates with regulators? Who makes decisions about whether to pay ransom? Ambiguity during a crisis leads to delays and confusion, so these questions must be resolved during planning rather than during response.

Regular training ensures team members understand their roles and can execute procedures effectively. This training should include both technical skills (e.g., how to collect forensic evidence, how to restore from backups) and non-technical skills (e.g., how to communicate during a crisis, how to make decisions under pressure with incomplete information).

Conducting Cybersecurity Tabletop Exercises

Tabletop exercises provide safe, low-cost opportunities to test incident response procedures, identify gaps, and build team cohesion. The EPA's incident action checklists provide excellent scenarios for tabletop exercises. Effective exercises should be scenario-based, time-bound, and focused on specific learning objectives.

A good exercise scenario for water utilities might involve: "At 2 AM on Saturday, your SCADA system begins showing erratic readings. Your on-call operator logs in remotely and discovers ransomware has encrypted several critical systems. What are your first three actions? Who do you call? How do you verify water safety? When do you notify customers?" Working through this scenario reveals whether procedures are clear, whether contact information is current, whether communication templates are ready, and whether teams understand their roles.

Exercises should occur at least quarterly with varying scenarios that test different aspects of response capabilities. Following each exercise, conduct an after-action review that documents lessons learned, identifies procedure gaps, and assigns remediation tasks. Track these action items to completion before the next exercise. Best practices for tabletop exercises emphasize realistic scenarios tailored to the organization's specific threat profile.

Developing Manual Operation Procedures as Backup

One of the most critical but often overlooked aspects of cyber resilience is the ability to operate essential functions manually when automated systems are compromised. For water utilities, this means having documented procedures that operators can follow to maintain safe water production and distribution even when SCADA systems are offline.

Manual operation procedures should document normal operating parameters, safety thresholds, manual override procedures, and decision criteria for operators. These procedures must be kept current, easily accessible (in physical binders, not just electronic documents), and practiced regularly. Operators who have never performed manual operations will struggle to do so effectively during a crisis when stress levels are high and information is incomplete.

The Strategic Imperative: Water Cybersecurity as National Security Priority

The cybersecurity of water infrastructure extends far beyond individual utilities to represent a strategic national security concern. Water disruptions create cascading effects across communities, economies, and public health that nation-state adversaries understand and may seek to exploit during geopolitical tensions.

Water represents a strategic national asset that underpins virtually all economic and social activity. According to analysis from the U.S. Department of Homeland Security, the economic impact of water service disruptions would be measured in billions of dollars per day due to business closures, public health impacts, and emergency response costs. Water infrastructure also connects to broader critical infrastructure including energy, healthcare, and communications sectors, meaning attacks on water systems could have ripple effects across multiple sectors.

Geopolitical tensions raise the stakes for cyber warfare against water systems. As documented in threat intelligence reporting from firms like Palo Alto Networks Unit 42, China, Russia, and Iran have all demonstrated the capability and willingness to target U.S. critical infrastructure, including water systems. These activities represent pre-positioning for potential future conflicts, reconnaissance of vulnerabilities, and attempts to establish persistent access that could be activated during crises.

Federal coordination has intensified in response to these threats. Multiple White House executive orders have strengthened cybersecurity requirements for critical infrastructure. The 2021 Executive Order 14028 laid the foundation for improved cybersecurity including mandatory incident reporting, supply chain security, and zero trust architecture adoption. CISA's expanded role includes providing threat intelligence, technical assistance, and coordinated response capabilities for water sector cybersecurity incidents.

Frequently Asked Questions About Water Utility Cybersecurity

What are the most common vulnerabilities in water treatment SCADA systems?

The most prevalent vulnerabilities in water treatment SCADA security include default passwords on industrial control systems, internet-exposed HMIs without adequate authentication, unpatched legacy systems running outdated operating systems, and poor network segmentation that allows lateral movement from IT to OT networks. According to CISA guidance, these vulnerabilities enable initial access and lateral movement in the majority of successful attacks against water infrastructure.

How do water utilities detect cyberattacks on operational technology?

Water utilities can detect cyberattacks through multiple monitoring approaches including network traffic analysis for anomalous communications patterns, SCADA system logging and alerting for unauthorized access attempts, endpoint detection tools on managed devices, and continuous monitoring of process values for unexpected changes. Integration of these monitoring capabilities with Security Information and Event Management (SIEM) systems enables correlation of events across IT and OT environments for more effective threat detection.
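As an added example that is not part of the EPA resources or this article, the following Python sketch applies the correlation idea above to a few constructed SCADA/HMI log lines: it flags successful HMI logins from outside the OT management range, setpoint changes that follow such a login, and process values that leave the safety band or move implausibly fast. The log format, tag names, trusted address range and thresholds are all assumptions chosen for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumptions for this example: OT management range, safety band per tag,
# maximum plausible rate of change, and the IT/OT correlation window.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SAFE_LIMITS = {"TANK1_LEVEL": (10.0, 95.0)}
MAX_RATE_PER_MIN = 5.0
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample lines: one off-hours remote login, a setpoint change,
# three tank-level readings, and a normal daytime operator login.
SAMPLE_LOGS = """\
2025-10-18T02:01:10 HMI-1 LOGIN user=admin src=203.0.113.45 result=OK
2025-10-18T02:03:22 HMI-1 SETPOINT tag=TANK1_HIGH_ALARM old=90.0 new=200.0 user=admin
2025-10-18T02:05:00 PLC-3 READ tag=TANK1_LEVEL value=88.0
2025-10-18T02:06:00 PLC-3 READ tag=TANK1_LEVEL value=97.5
2025-10-18T02:07:00 PLC-3 READ tag=TANK1_LEVEL value=104.0
2025-10-18T09:30:00 HMI-1 LOGIN user=operator src=10.20.0.7 result=OK
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) (.*)")

def parse(line):
    """Split '<iso-timestamp> <device> <event> k=v k=v ...' into its parts."""
    ts, device, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), device, event, fields

def detect(log_text):
    """Return (timestamp, finding) tuples for the assumed log format."""
    findings, untrusted_logins, last_reading = [], [], {}
    for line in log_text.splitlines():
        ts, device, event, f = parse(line)
        if event == "LOGIN" and f.get("result") == "OK":
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in TRUSTED_NETS):
                untrusted_logins.append(ts)
                findings.append((ts, f"{device}: login by {f['user']} from untrusted source {src}"))
        elif event == "SETPOINT":
            if any(ts - t <= CORRELATION_WINDOW for t in untrusted_logins):
                findings.append((ts, f"{device}: setpoint {f['tag']} {f['old']}->{f['new']} shortly after untrusted login"))
        elif event == "READ":
            tag, value = f["tag"], float(f["value"])
            lo, hi = SAFE_LIMITS.get(tag, (float("-inf"), float("inf")))
            if not lo <= value <= hi:
                findings.append((ts, f"{device}: {tag}={value} outside safety band [{lo}, {hi}]"))
            if tag in last_reading:
                prev_ts, prev_val = last_reading[tag]
                minutes = (ts - prev_ts).total_seconds() / 60
                if minutes > 0 and abs(value - prev_val) / minutes > MAX_RATE_PER_MIN:
                    findings.append((ts, f"{device}: {tag} moved {abs(value - prev_val):.1f} in {minutes:.0f} min, above {MAX_RATE_PER_MIN}/min"))
            last_reading[tag] = (ts, value)
    return findings
```

Running `detect(SAMPLE_LOGS)` yields six findings for the constructed input; the daytime login from the trusted range produces none, which is the point of correlating the IT-side login with the OT-side change rather than alerting on either alone.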

What is the difference between water system incident response and emergency response plans?

Water utility incident response plans focus specifically on cybersecurity events and outline technical procedures for detection, containment, eradication, and recovery from cyber incidents. Emergency Response Plans are broader documents required by AWIA that address multiple types of emergencies including natural disasters, equipment failures, contamination events, and cyber incidents. The EPA's Cybersecurity Incident Response Plan (CIRP) template should integrate with broader emergency response frameworks.

How can water utilities implement Zero Trust architecture with limited budgets?

Small water utilities can implement Zero Trust principles incrementally by starting with foundational controls: comprehensive asset inventory, elimination of default passwords, implementation of multi-factor authentication for remote access, basic network segmentation using existing VLANs, and continuous monitoring of critical assets. Utilities should leverage free CISA assessments and EPA guidance to prioritize investments, and consider modern microsegmentation solutions that overlay on existing infrastructure without requiring complete network replacement.

What cybersecurity requirements does AWIA mandate for water systems?

The America's Water Infrastructure Act requires community water systems serving more than 3,300 people to conduct Risk and Resilience Assessments (RRAs) that evaluate vulnerabilities including cybersecurity threats, and to develop or update Emergency Response Plans (ERPs) that address how the utility will respond to threats identified in the RRA. These requirements explicitly include cybersecurity considerations with enforcement authority vested in the EPA.

How does microsegmentation prevent ransomware spread in water utilities?

Microsegmentation prevents ransomware spread by creating granular security zones with strict access controls between zones. When ransomware infects one device, microsegmentation policies prevent lateral movement to other devices, effectively containing the blast radius. Unlike traditional flat networks where malware can spread freely, microsegmented networks enforce least-privilege access where each device can only communicate with explicitly authorized systems, stopping ransomware propagation even if initial compromise occurs.

Your Action Plan: Practical Steps for Immediate Implementation

Understanding the threat landscape, regulatory requirements, and available resources is valuable only when translated into concrete action. This section provides a phased approach that water utility leadership can implement starting today.

Immediate Actions (Week 1)

Download all four EPA resources from the EPA Water Sector Cybersecurity Program and distribute them to relevant stakeholders including IT, OT, operations, and leadership teams. Ensure these resources are reviewed and understood as the foundation for subsequent planning.

Conduct an inventory of internet-facing systems to understand attack surface exposure. Use tools like Shodan or free CISA vulnerability scanning services to identify what systems are publicly accessible. Document findings and develop a plan to eliminate unnecessary internet exposure.

Review current password policies and immediately remediate any use of default passwords on critical systems. Default passwords represent the single most common initial access vector in water utility compromises according to CISA threat analysis. Changing these costs nothing but reduces risk dramatically.

Identify a cybersecurity point person who will coordinate security improvements across the organization. This role requires someone with sufficient authority to convene stakeholders, allocate resources, and drive accountability. For smaller utilities without dedicated security staff, this might be the IT manager, operations director, or even a general manager who delegates technical execution while maintaining overall responsibility.

Short-Term Actions (Weeks 2-4)

Schedule a free EPA or CISA assessment to get external validation of vulnerabilities and prioritize remediation efforts. These assessments typically take 1-2 days on-site and provide detailed findings with specific recommendations. The assessments are confidential and non-regulatory, meaning findings cannot be used for enforcement actions.

Begin CIRP template customization to develop an organization-specific water utility incident response plan. Start with the EPA template and modify it based on your organizational structure, technical environment, and available resources. This doesn't need to be perfect initially—better to have a basic plan that can be refined than to delay implementation pursuing perfection.

Conduct your first tabletop exercise using the EPA incident action checklists as a scenario. Keep the first exercise simple and focused on basic procedures rather than complex scenarios. The goal is to build familiarity with the exercise format and begin identifying procedural gaps.

Review vendor cybersecurity practices using the EPA procurement checklist. For existing critical vendors, conduct assessments to understand their security posture. For new procurements, integrate security requirements into RFP processes and vendor selection criteria.

Long-Term Strategic Planning (Next 90 Days and Beyond)

Develop a 5-year cybersecurity roadmap that aligns with your utility's strategic plan, budget cycles, and capital improvement programs. This roadmap should identify specific milestones for maturity improvements, technology investments, staffing needs, and compliance requirements. Share this roadmap with leadership, boards, and relevant oversight bodies to build consensus and secure necessary resources. Consider using the CISA Zero Trust Maturity Model as a framework for assessing current state and planning progression.

Budget allocation for security improvements should reflect realistic assessment of needs and available resources. While major technology investments may require multi-year planning, incremental improvements can begin immediately. Consider both operating expense (staff, training, services) and capital expense (infrastructure, tools) needs. Many utilities find that dedicating 3-5% of IT budget to security initiatives provides sufficient resources for meaningful progress while remaining achievable within existing budget constraints.

Staff training and awareness programs represent critical investments in human capability. Technical staff need specialized training in OT security, incident response, and threat detection. Operational staff need awareness training on social engineering, physical security, and reporting procedures. Leadership needs strategic training on governance, risk management, and compliance obligations. External training resources, professional certifications, and information sharing organizations provide cost-effective ways to build these capabilities.

Continuous improvement and reassessment cycles ensure that security programs evolve with the threat landscape and organizational changes. Schedule quarterly reviews of security metrics, annual reassessments of risk profiles, and regular updates to policies and procedures. Participate in information sharing organizations like the Water Information Sharing and Analysis Center (WaterISAC) to stay informed about emerging threats and proven practices.

Conclusion: Building Resilience Through Proactive Action

The cybersecurity challenges facing water utilities in 2025 are substantial but not insurmountable. The EPA's new resources provide practical frameworks that utilities can adapt to their specific circumstances regardless of size or resources. Federal agencies stand ready to provide free assistance through assessments, training, and technical support. Proven technologies including modern network segmentation capabilities enable utilities to implement controls that dramatically reduce risk without requiring complete infrastructure replacement.

The urgency of action cannot be overstated. Nation-state adversaries continue probing water infrastructure for vulnerabilities. Ransomware operators increasingly target critical infrastructure sectors including water utilities. Regulatory requirements and insurance underwriters demand demonstrable security improvements. Most importantly, the communities that water utilities serve depend on the reliable delivery of safe water—a responsibility that requires protecting operational systems from cyber threats.

The path forward requires commitment from utility leadership, engagement from technical and operational teams, collaboration with federal partners, and sustained investment in people, processes, and technology. No single action will solve all challenges, but the cumulative effect of systematic improvements creates genuine resilience against evolving threats.

Start with one concrete step today. Download the EPA resources. Schedule a CISA assessment. Change default passwords. Conduct a tabletop exercise. Each action reduces risk and builds momentum toward comprehensive cyber resilience.

The water sector has entered a new era where cybersecurity is not optional but essential to mission success. Those utilities that act proactively will be positioned to maintain operational continuity, meet regulatory requirements, and fulfill their critical responsibility to the communities they serve. Those that delay will find themselves increasingly vulnerable to the very threats this article has documented.


Take the Next Step: Partner with Industry Leaders

Building a comprehensive cybersecurity program requires the right combination of expertise, technology, and support. While the EPA resources provide essential frameworks, implementing effective network segmentation and Zero Trust architecture often benefits from proven solutions designed specifically for operational technology environments.

Modern microsegmentation solutions enable water utilities to rapidly implement identity-based security policies across their entire network infrastructure. Leading platforms like Elisity's Cloud Control Center provide comprehensive visibility into IT, IoT, and OT devices, automated device classification, and dynamic policy enforcement—all without requiring hardware replacement or network downtime.

Published: October 2025 | Updated: October 30, 2025
