The U.S. Environmental Protection Agency (EPA) has published a sector-wide set of non-regulatory recommendations to strengthen U.S. drinking water and wastewater systems against cyber attacks, alongside new funding for resilience projects. Although the document itself is advisory, it lands amid stepped-up inspections and enforcement tied to Safe Drinking Water Act (SDWA) §1433 risk-and-resilience obligations. Utilities, vendors, investors, and acquirers should treat these recommendations as the new baseline for diligence, budgeting, and compliance planning.
What’s New
- EPA’s July 2025 report. “Securing the Future of Water: Addressing Cyber Threats Today” consolidates practical steps for both drinking water and wastewater utilities, calling for a “holistic” approach and tighter coordination among utilities, states, federal partners, and sector associations.
- Funding window. On August 5, 2025, EPA opened approximately $9 million in grants for midsize and large public water systems (≥10,000 population) under the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability program. EPA notes the solicitation will remain open for 60 days on Grants.gov. Utilities may consider pairing grant proposals with the report’s priority actions.
- Enforcement backdrop. EPA’s May 2024 Enforcement Alert (updated July 24, 2025) reports that more than 70% of inspected systems since Sept. 2023 violated basic §1433 requirements (e.g., incomplete RRAs/ERPs) and warns of increased inspections and potential use of SDWA emergency powers (§1431) and even criminal sanctions for false certifications.
- Deadlines continue. America’s Water Infrastructure Act (AWIA) §2013/SDWA §1433 five-year cycles are active: for example, systems serving 50,000–99,999 people had Risk and Resilience Assessment (RRA) recertifications due Dec. 31, 2025 (Emergency Response Plans, or ERPs, six months later); systems serving 3,301–49,999 face a June 30, 2026 deadline for RRAs (ERPs six months later).
- Context. The U.S. Government Accountability Office (GAO)’s 2024 report pushed EPA to adopt a national water-sector cyber strategy; GAO now notes EPA issued a sector risk assessment/plan in Jan. 2025 and is evaluating further authority needs—underscoring that voluntary guidance is increasingly informing oversight.
The Report’s 10 Core Recommendations
EPA’s Task Force organizes near-term steps for utilities and partners. We can expect these themes to show up in inspections, grant scoring, and diligence checklists.
The task force highlights the following key areas for water utilities to consider:
- Clear ownership and coordination. Assign clear executive responsibility; create standing coordination forums across utility/state/federal partners.
- Communication to leaders. Tailor messages and training for boards, mayors, and utility executives; integrate cyber into leadership programs.
- The basics. Normalize a short list of “must-do” controls (e.g., leadership commitment, staff training, access control, and incident response planning).
- A culture of security. Continuous webinars/resources; weave cybersecurity into operator certification/continuing education.
- Expanded hands-on help. More technical assistance, virtual office hours, CISA advisor support, and peer-to-peer mentoring.
- Dedicated funding. Budget explicitly for cybersecurity; ensure WaterISAC access; expand grant/loan eligibility; resource state resilience roles.
- No information gaps. Share sanitized attack summaries and implementation examples; maintain a best-practices hub and model policies.
- Expectations for vendors/consultants. Use model contracts and clear principles; raise vendor awareness; align procurement with security outcomes.
- Support for state partners. Train state staff, share successful state program models, and equip field staff with cyber talking points.
- Resourced & engaged partners. Leverage national associations and cyber groups to grow the sector workforce and deliver training/assistance.
Legal and Operational Implications
- Compliance with the SDWA’s Cybersecurity Provision. While the July report is not a rule, inspectors already examine cyber elements in RRAs/ERPs under SDWA §1433. Gaps like unchanged default passwords, shared logins, and no asset inventory have triggered findings. Where risk rises to “imminent endangerment,” EPA signals it may invoke §1431 emergency powers.
- Diligence & transactions. We can expect lenders, buyers, and insurers to benchmark utilities against these 10 recommendations and §1433 status. Documenting progress (governance, funding, contracts, training, and incident drills) may materially reduce risk in deals and financings.
- Grants & prioritization. Aligning projects with the report’s priority actions (leadership training, direct tech assistance, operator certification integration, coordination with state CIO offices, etc.) can strengthen grant narratives.
The Big 8: Key Near-Term Actions
Over the next 90–180 days, here are key considerations and timely moves that the water sector may want to discuss with counsel:
- Naming an accountable executive (e.g., GM or utility director) for cyber risk; briefing governance quarterly using a simple KPI dashboard.
- Validating §1433 status against the current five-year cycle; correcting RRA/ERP gaps (cyber asset inventory, incident response, backups, Operational Technology [OT] segmentation).
- Locking in “Top Actions”: reducing internet exposure, changing default credentials, enforcing Multi-Factor Authentication [MFA], backing up and testing restores, and exercising EPA and Cybersecurity and Infrastructure Security Agency (CISA) incident plans.
- Applying for funding (if eligible: ≥10,000 people served). Mapping proposed projects to the Task Force priority actions; submitting within the 60-day window that opened Aug 5, 2025.
- Training leadership and operators. Adding cyber modules to manager briefings and operator CEUs; joining WaterISAC and subscribing to CISA advisories.
- Updating vendor contracts. Adding baseline controls (e.g., MFA, patching Service Level Agreements [SLAs], remote-access rules), incident notice, logging/monitoring, right-to-audit, and data-handling clauses consistent with the report’s vendor engagement recommendations.
- Scheduling a third-party assessment (EPA Water Sector Cybersecurity Evaluation Program or equivalent) and converting findings into a funded, time-bound mitigation plan.
- Coordinating with your state. Engaging the state primacy agency and the state CIO/Cyber office to align resources and messaging; anticipating increased scrutiny during sanitary surveys and follow-on inspections.
A Final Word
There is no time like the present for public water systems and their partners to: (i) align RRAs/ERPs and governance with §1433 and EPA’s recommended practices; (ii) structure vendor and integrator contracts to reflect cyber obligations; (iii) prepare targeted grant applications mapped to the Task Force’s priority actions; and (iv) conduct transactional diligence on cyber risks in utility acquisitions or financings. Consult with counsel to mitigate risk and plan your path forward.
Key Dates & References
- Report: Securing the Future of Water: Addressing Cyber Threats Today (EPA, July 2025; page last updated Aug 4, 2025).
- Funding notice: EPA news release (Aug 5, 2025) opening ~$9M in grants and flagging 10 recommendations and “priority actions.”
- Enforcement: EPA Enforcement Alert (issued May 2024, updated July 24, 2025): more than 70% noncompliance, increased inspections, potential §1431 action.
- §1433 cycles: AWIA §2013 page with RRA/ERP five-year deadlines through 2026.
- Independent context: GAO (Aug 2024) urges national strategy; notes EPA risk plan (Jan 2025) and continuing authority evaluation.
- Recommendation details (plain-language summaries): WaterISAC and trade press coverage.