From Guidance to Enforcement: EPA's Cybersecurity Pivot and What Water Utilities Must Do Before the Next Inspection
- RubyComm Team

- Feb 17
- 7 min read
When the EPA announced that over 70 percent of water systems inspected since September 2023 failed to comply with basic cybersecurity requirements under the Safe Drinking Water Act, the message was unmistakable: the era of voluntary compliance is ending. For water utility executives and OT security professionals, this statistic represents more than a regulatory concern; it signals a fundamental shift in how the federal government approaches cybersecurity in the water sector.
The EPA's May 2024 Enforcement Alert, updated in July 2025, made clear that inspectors are no longer treating cybersecurity as a peripheral concern. They are identifying what the agency describes as "alarming cybersecurity vulnerabilities" at drinking water systems across the country, including failures to change default passwords, the use of single shared logins for all staff, and continued access credentials for former employees. These findings, combined with an escalating threat environment that has seen nation-state actors and hacktivists successfully compromise water utilities from Massachusetts to Denmark, have transformed EPA enforcement from a compliance formality into an operational priority.
The Legal Framework: What AWIA Section 2013 Actually Requires
Understanding EPA's enforcement authority begins with America's Water Infrastructure Act (AWIA) of 2018, specifically Section 2013, which amended Section 1433 of the Safe Drinking Water Act. This legislation requires community water systems serving more than 3,300 people to complete two critical documents: a Risk and Resilience Assessment (RRA) and an Emergency Response Plan (ERP).
The RRA must evaluate risks to six distinct asset categories from both malevolent acts and natural hazards. These categories explicitly include "electronic, computer, or other automated systems" and require assessment of "the security of such systems." The ERP must include "strategies and resources to improve resilience, including physical security and cybersecurity."
These are not voluntary guidelines. Water utilities must certify completion to EPA, and the five-year recertification cycle is now active. Systems serving 50,000 to 99,999 people are now in their five‑year RRA and ERP recertification window, with specific deadlines set by EPA based on their original 2019–2020 certification dates. Systems serving 3,301 to 49,999 people are entering their five‑year recertification window, with RRA and ERP due dates established by EPA according to when they first certified completion.
The consequences of non-compliance extend beyond regulatory citations. Under SDWA Section 1433, EPA may seek civil penalties up to $69,733 per day of violation, adjusted annually for inflation. The agency has already taken over 100 enforcement actions nationally against community water systems for Section 1433 violations since 2020. Perhaps more significantly, the Enforcement Alert warns of potential use of SDWA Section 1431 emergency powers and even criminal sanctions for false certifications.
The Inspector General's Findings: A Sector Under Threat
The scale of the vulnerability facing water utilities became starkly clear in November 2024 when the EPA Office of Inspector General published its Management Implication Report (25-N-0004). The OIG conducted passive cybersecurity assessments of 1,062 drinking water systems serving populations of 50,000 or more, representing over 193 million Americans.
The findings were alarming: 97 drinking water systems serving approximately 26.6 million people exhibited critical or high-risk cybersecurity vulnerabilities. An additional 211 systems serving 82.7 million people showed medium or low-risk vulnerabilities, including externally visible open portals. The OIG determined that if malicious actors exploited these vulnerabilities, they could "disrupt service or cause irreparable physical damage to drinking water infrastructure."
The 2024 Government Accountability Office report (GAO-24-106744) provided additional context, noting that nearly 170,000 U.S. water systems face cyber risks and that the sector has made "limited investments in cybersecurity protections because water systems prioritize funding to meet regulatory requirements for clean and safe water..." The GAO urged EPA to develop a national cybersecurity strategy and assess whether it needs additional authority to compel the sector to address risks.
What Inspectors Are Finding: The Common Failures
EPA inspection findings reveal a consistent pattern of basic security failures that have enabled successful attacks across the sector:
Default credentials remain unchanged. Water systems continue to operate SCADA systems, PLCs, and HMI devices with manufacturer default passwords. These credentials are widely known and actively targeted by threat actors, as demonstrated by the CyberAv3ngers attacks on Unitronics controllers in 2023 and 2024.
Single shared logins eliminate accountability. When multiple operators use the same credentials, it becomes impossible to track who accessed what and when, and access cannot be revoked for one person without disrupting everyone else when employees depart.
Former employee access persists. Systems fail to revoke credentials promptly when staff leave, creating persistent unauthorized access vectors.
Internet-exposed OT devices go unmonitored. EPA's Cole Dutton, speaking at an October 2025 Censys webinar, noted that many utilities are unaware that their control systems are visible on the open internet. The agency has been actively identifying internet-exposed operational technology devices used by water and wastewater systems, and what they are finding is troubling.
Many RRAs lack meaningful cybersecurity assessments. Systems often treat the cybersecurity component of the Risk and Resilience Assessment as a checkbox exercise rather than a genuine evaluation of vulnerabilities, threats, and consequences.
Many ERPs omit cyber incident response. Emergency Response Plans fail to include strategies for detecting, responding to, and recovering from cyber incidents, leaving utilities without playbooks when attacks occur.
EPA's Resource Offensive: Tools for Compliance
In October 2025, EPA released an updated suite of resources designed to help utilities meet compliance requirements while improving actual security posture. These tools represent the agency's most comprehensive cybersecurity guidance to date:
Emergency Response Plan Template and Instructions: Updated templates that utilities can customize, incorporating new cybersecurity modules aligned with CISA guidance.
Cybersecurity Incident Response Plan (CIRP) Template: A structured framework for developing cyber-specific response capabilities that can be integrated into the broader ERP.
Cybersecurity Procurement Evaluation Checklist: A tool for vetting vendor cybersecurity practices before purchasing or upgrading OT systems, addressing the supply chain risks that have enabled multiple water sector compromises.
Incident Action Checklists: Quick-reference guides for responding to specific scenarios including cyber incidents, power outages, floods, and wildfires.
The agency announced $9 million in grants in August 2025 for midsize and large public water systems (serving 10,000 or more) to address cybersecurity threats and resilience. While this funding is limited compared to the sector's overall needs, it provides a mechanism for utilities to begin addressing identified vulnerabilities.
Preparing for the Next Inspection: A Practical Roadmap
For utilities facing inspection or recertification deadlines, the path forward requires both immediate actions and sustained commitment:
Conduct an honest self-assessment. Use EPA's Vulnerability Self-Assessment Tool (VSAT Web 3.0) or the Small System Risk and Resilience Assessment Checklist to evaluate your current posture. Do not rely on the RRA completed in 2020; threats, guidance, and your own systems have evolved.
Eliminate default credentials immediately. This is the single most exploited vulnerability in water sector attacks. Inventory every device with default passwords and change them before your next inspection.
Implement unique user accounts. Shared credentials are both a security risk and a compliance failure. Establish individual accounts with role-based access controls and implement prompt revocation procedures for departing staff.
Map your internet-exposed assets. Determine which OT systems are accessible from the public internet and whether that exposure is operationally necessary. For systems that must be remotely accessible, implement multi-factor authentication and VPN requirements.
Develop a genuine Cybersecurity Incident Response Plan. Use EPA's CIRP template as a starting point, but customize it to your specific systems, personnel, and operational requirements. Test the plan through tabletop exercises.
Vet your vendors. Use the Cybersecurity Procurement Evaluation Checklist to assess current and prospective vendors. Add baseline security requirements to contracts, including MFA, patching SLAs, remote access rules, incident notification, and right-to-audit clauses.
Document everything. Inspectors will review not just your RRA and ERP but evidence that you are implementing the assessments' findings. Maintain records of security improvements, training completion, and incident response exercises.
Join WaterISAC. The Water Information Sharing and Analysis Center provides sector-specific threat intelligence, security advisories, and best practices. EPA specifically recommends WaterISAC access as part of a comprehensive cybersecurity program.
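The four inspection findings listed under "What Inspectors Are Finding" and the first four roadmap steps above map directly onto checks a utility can run against its own asset and account inventory before an inspector does. The script below is an added example, not EPA or RubyComm code; the inventory fields, device names and staff names are constructed for illustration, and a real run would be fed from the utility's asset register and HR roster.

```python
"""Pre-inspection self-assessment over a constructed OT asset and account inventory.

Flags the failure patterns EPA inspectors report: default credentials, shared
logins, lingering access for former staff, and internet-exposed OT without MFA.
Field names are assumptions for this example, not an EPA schema.
"""
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    kind: str                    # e.g. "PLC", "HMI", "SCADA server"
    default_password: bool       # still on the vendor-shipped credential
    internet_exposed: bool = False
    mfa: bool = False            # MFA enforced on the remote-access path

@dataclass
class Account:
    username: str
    users: list                  # people who actually log in with this account
    enabled: bool = True

def audit(devices, accounts, active_staff):
    """Return a list of (severity, message) findings; an empty list means no issue found."""
    findings = []
    for d in devices:
        if d.default_password:
            findings.append(("critical", f"{d.name} ({d.kind}) still uses the default password"))
        if d.internet_exposed and not d.mfa:
            findings.append(("high", f"{d.name} is reachable from the internet without MFA"))
    for a in accounts:
        if not a.enabled:
            continue                                # disabled accounts are already revoked
        if len(a.users) > 1:
            findings.append(("high", f"account '{a.username}' is shared by {len(a.users)} people"))
        for person in a.users:
            if person not in active_staff:          # roster check catches departed staff
                findings.append(("critical", f"account '{a.username}' still grants access to former employee {person}"))
    return findings

# Constructed sample inventory (not real systems or people).
DEVICES = [
    Device("plc-well-3", "PLC", default_password=True, internet_exposed=True),
    Device("hmi-plant", "HMI", default_password=False, internet_exposed=True, mfa=True),
]
ACCOUNTS = [Account("operator", users=["alice", "bob", "carol"]), Account("dpena", users=["dpena"])]
ACTIVE_STAFF = {"alice", "bob", "carol"}            # dpena has left the utility

if __name__ == "__main__":
    for sev, msg in sorted(audit(DEVICES, ACCOUNTS, ACTIVE_STAFF)):
        print(f"[{sev.upper()}] {msg}")
```

Each finding corresponds to an item inspectors have cited, so the output doubles as the evidence trail the "Document everything" step asks for once the fix is recorded against it.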
The Enforcement Trajectory: What Comes Next
The regulatory landscape is evolving rapidly. EPA issued its sector risk assessment and strategy in January 2025 and continues to evaluate whether it needs additional statutory authority to mandate cybersecurity measures.
The July 2025 EPA report "Securing the Future of Water: Addressing Cyber Threats Today" consolidates ten priority recommendations that will likely appear in future inspections, grant scoring criteria, and diligence checklists. These include clear executive ownership of cybersecurity, expanded technical assistance, dedicated funding, vendor security expectations, and integration of cybersecurity into operator certification and continuing education.
For water utilities, the message is clear: the compliance floor is rising. What constitutes an adequate RRA and ERP in 2026 is significantly more rigorous than what was acceptable in 2020. Utilities that treat recertification as a paperwork exercise rather than a security improvement opportunity will find themselves increasingly exposed, both to cyber threats and to enforcement actions.
The Bottom Line
The EPA's enforcement pivot reflects a fundamental reality: water utilities have become high-value targets for nation-state actors, hacktivists, and cybercriminals. The threat is not theoretical. Attacks on water systems have increased several-fold in recent years, with successful compromises causing operational disruption, infrastructure damage, and in the case of the recent Denmark water utility attack, physical harm to community infrastructure.
Utilities that invest in meaningful cybersecurity improvements now will be better positioned for inspections, more resilient against attacks, and more competitive for federal funding. Those that continue treating cybersecurity as a compliance burden rather than an operational necessity will face increasing regulatory pressure, potential enforcement actions, and the very real possibility of becoming the next case study in a threat intelligence briefing.
This analysis does not address state-level regulatory requirements, which may add another layer that must be addressed specifically in each location.
The time to act is before the inspector arrives, and before the adversary does.
About RubyComm:
RubyComm delivers tailored operational technology cybersecurity solutions designed specifically for the unique challenges of industrial and critical infrastructure environments faced by organizations of all sizes. Unlike one-size-fits-all security products, RubyComm addresses the specific operational constraints, legacy system challenges, and complex integration requirements that conventional off-the-shelf solutions cannot adequately address. Our approach maintains operational efficiency and business continuity while providing comprehensive protection against sophisticated OT-specific threats without the need for an in-house team of cybersecurity specialists.
Sources:
EPA Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities (May 2024, updated July 24, 2025); EPA Office of Inspector General Management Implication Report 25-N-0004 (November 13, 2024); GAO Report GAO-24-106744: Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems (August 2024); EPA AWIA Section 2013/SDWA Section 1433 Requirements; EPA "Securing the Future of Water: Addressing Cyber Threats Today" (July 2025); EPA News Release: EPA Announces Availability of $9 Million to Protect Drinking Water (August 5, 2025); Federal News Network; Western Water; American Bar Association Business Law Today.