The U.S. Environmental Protection Agency recently released a set of new planning and response tools designed to strengthen the cybersecurity defenses of the nation's at-risk water treatment systems. The move marks the latest in a series of federal actions aimed at bolstering the protection of drinking water and wastewater infrastructure in the U.S. from nation-state-driven cyberattacks.
The timing of these EPA resources coincides with the water sector's growing concern about a surge in cyber incidents that have exposed critical vulnerabilities across public utilities. This week's EPA announcement includes an updated Emergency Response Plan Guide for wastewater utilities, a new Cybersecurity Incident Response Plan template, incident action checklists, and a cybersecurity procurement checklist specifically designed to help utilities evaluate the security practices of vendors and manufacturers.
"You had Russian hacktivists target five water treatment facilities in northern Texas, actually manipulated them in such a way to defeat industrial control systems and caused water overflow storage issues to happen," said Richard Evanchec, section chief of the FBI's Cyber Division's Critical Incident Operations Section, during a presentation on critical infrastructure response at this year's RSA Conference. "The intent of our adversaries, including terrorist organizations, to compromise our industries and to put our public at risk is clear," Evanchec said.
Patrick Gillespie, operational practice director at GuidePoint Security, said success in defending against those adversaries starts with the right foundations in treatment plant people, process, and technology. That begins with the proper preparation of treatment plant workers.
"Operators, engineers, and IT/OT teams are the front line of cybersecurity," he said, and added that proper training and clearly defined roles come before tool implementation.
"If people don't understand their part in defending the plant, even the best technology will be misused, ignored, or bypassed," Gillespie explained. From there, Gillespie advised treatment plants to implement proper security processes before deploying new technology. These processes include building and maintaining an accurate asset inventory, developing and testing incident-response plans, and creating requirements for technology-based controls on existing assets and protocols. He also advised conducting tabletop exercises and defining reporting lines.
"Without these processes, even well-funded programs collapse under confusion and inconsistency," he said. The last step is to get the technical security defenses in place. "Once people and processes are aligned, technology becomes an enabler instead of a crutch. The right tools, such as segmentation, OT monitoring, and secure remote access, should follow the requirements, not lead them. When tech is chosen first, it's often mis-deployed, mis-managed, or unused," he said.
That's certainly great advice, but it remains a challenge for under-resourced plants and municipalities to achieve, especially when they may not have the staff available who understand how to put such plans into action.
Even if treatment plants have the right staff, they're still facing an uphill defensive battle. Consider what they are up against. Recent years have witnessed a troubling escalation in cyberattacks that target water infrastructure across the United States. In September 2024, the water treatment facility in Arkansas City, Kansas, experienced an incident that forced operators to switch temporarily to manual operations. While the facility maintained uninterrupted water service delivery, the incident underscored the vulnerability of American water systems to remotely coordinated attacks.
In January 2024, water and wastewater plants in Texas cities, including Hale Center, Muleshoe, Lockney, and Abernathy, were targeted by threat actors who posted videos online showing their ability to remotely interact with supervisory control and data acquisition (SCADA) systems and arbitrarily adjust operational settings. The Tipton Wastewater Treatment Plant in Indiana also fell victim to attackers in April 2024, with the Cyber Army of Russia publicly displaying their system access before facility staff detected the suspicious activity and transitioned to manual control.
In October 2024, American Water, the nation's largest publicly traded water utility company, which serves 14 million customers, suffered a cyberattack that disrupted its MyWater account system for a week, interrupting bill payments and shutting down customer service call centers.
Meanwhile, research conducted by Censys in October 2024 identified approximately 400 exposed web-based human-machine interfaces (HMIs) connected to U.S. water facilities, with 40 systems completely open and fully controllable without requiring any login credentials.
Additional federal help is on the way. Congress has recognized the urgency of this crisis and introduced multiple bipartisan legislative measures to address the cyber resilience gap in water treatment plants. The Water Cybersecurity Enhancement Act of 2025, introduced by Sens. Ruben Gallego and Tom Cotton, seeks to bolster cyber resilience by amending the Safe Drinking Water Act to expand the Drinking Water Infrastructure Risk and Resilience Program. The legislation extends federal grant funding through 2031, enabling utilities to invest in cybersecurity training, instructional materials, and enhanced prevention and response capabilities—resources particularly critical for small and medium-sized utilities that lack dedicated IT and security personnel.
Representative Rick Crawford and Representative John Duarte also championed H.R. 7922, legislation that authorizes an independent, non-federal entity to lead development of cybersecurity requirements in the sector while maintaining federal oversight through the EPA. This collaboration leverages the technical knowledge of utilities, cybersecurity experts, and regulators to implement comprehensive cybersecurity risk management strategies.
Additionally, two bipartisan bills addressing the specific needs of rural water systems have gained traction in the Senate. The Cybersecurity for Rural Water Systems Act of 2025 would create "Circuit Rider" cybersecurity specialists to deliver onsite training and technical assistance to small rural utilities that lack financial resources and in-house expertise. The Rural Water System Disaster Preparedness and Assistance Act of 2025 complements this effort by improving emergency preparedness and providing essential equipment for disaster response.
These measures directly address the fact that only 20 percent of water and wastewater systems across the United States currently maintain even basic cybersecurity protections, and they help close that staffing gap.
Meanwhile, the EPA's new resources align with ongoing federal efforts by the Cybersecurity and Infrastructure Security Agency (CISA), which has intensified engagement with water utilities nationwide. In 2023 alone, CISA conducted more than 1,700 engagements with water entities, providing risk assessments, guidance, and cybersecurity exercises. CISA's free vulnerability scanning service helps water systems identify and address weaknesses before attackers can exploit them.
The October 2024 discovery of exposed HMI systems showcased the effectiveness of coordinated federal action. Within nine days of EPA notification, 24 percent of exposed systems were secured; within a month, 58 percent had been protected and removed from the internet. The software manufacturer also used the incident as an opportunity to strengthen security across affected utilities by implementing multifactor authentication and other best practices.
In May 2024, EPA Assistant Administrator for Water Jess Kramer emphasized that cybersecurity and water security are inextricably linked to national security. The agency's enforcement alert, issued in May 2024, increased enforcement activities to ensure that community water systems serving more than 3,300 people comply with Section 1433 of the Safe Drinking Water Act, which requires Risk and Resilience Assessments and Emergency Response Plans.
The new EPA tools directly support this mandate by providing utilities with standardized templates, checklists, and guidance for developing incident response plans, conducting procurement reviews, and preparing for specific emergencies, including cyberattacks, wildfires, power outages, and floods.
As nation-state actors and cybercriminals continue targeting water infrastructure as "target-rich, cyber poor" organizations, the convergence of EPA resources, bipartisan legislation, and multi-agency coordination represents a comprehensive federal strategy to transform America's water systems from vulnerable to resilient. With $9 million in EPA grant funding announced in August and expanded authorization for grants through 2031, the water sector now possesses both the regulatory framework and financial mechanisms necessary to build meaningful cyber defenses that protect the critical infrastructure delivering safe water to millions of Americans.
Cybersecurity in water treatment isn't just a technology problem; as GuidePoint Security's Gillespie pointed out, it's a people and process challenge. "The EPA's guidance helps, but lasting resilience will only come when utilities invest first in their teams, then in their playbooks, and finally in the tools that enable them," he said. And, perhaps, with a lot of help from the government and a little bit of luck.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.