September 23, 2025

EPA Cybersecurity for Water Systems: What to Expect (2025–2026)

Justin Fimlaid

Catching You Up

After withdrawing its sanitary-survey cyber memo in 2023, the EPA is back! In 2024 the agency signaled tougher oversight using existing Safe Drinking Water Act §1433 authority (the AWIA risk-and-resilience/ERP requirements). Why now? Because inspections keep finding the same avoidable weaknesses (factory-default PLC passwords, flat networks, exposed remote access), and adversaries are taking advantage. Expect more inspector requests tied to your Risk & Resilience Assessment (RRA) and Emergency Response Plan (ERP), plus a stronger emphasis on evidence: not just “we have a policy,” but “we do it, we can prove it, and we tested recovery.”

Two timelines matter. First, the RRA/ERP five-year recertification cadence: systems serving ≥100k residents must recertify by March 31, 2025; 50k–99,999 by December 31, 2025; 3,301–49,999 by June 30, 2026. ERPs recertify six months after the RRA. Second, CIRCIA (federal cyber incident reporting) isn’t final until May 2026, but you should consider operationalizing it now to avoid scrambling later.

Who’s Affected & When Your Deadlines Land

Drinking water (Community Water Systems, CWS ≥3,301 served). AWIA §2013 / SDWA §1433 requires a documented RRA and ERP, with five-year recertifications: 

  • ≥100,000 served: RRA recert by March 31, 2025 
  • 50,000–99,999: RRA recert by December 31, 2025 
  • 3,301–49,999: RRA recert by June 30, 2026 
  • ERP recertification: within 6 months after your RRA date 

Wastewater. Not covered by AWIA §2013, but increasingly held to similar expectations through state rules, funding conditions, and sector guidance. If you operate both drinking and wastewater systems, align practices—one inspection binder with one control baseline. 

Practical planning tip. Tie recert dates to board agendas, capital planning, and procurement lead times. If your RRA points to segmentation, MFA for remote access, and backup/restore testing (it will), you’ll want those purchase orders and services in flight before the ERP window opens. 

What Inspectors Will Ask to See

These inspection requests underscore the need for proactive EPA cybersecurity planning: inspectors want not just policies on paper, but demonstrable proof of practice.

Expect to show: 
  1. Current RRA/ERP with cyber risks covered for OT/ICS, approved and version-controlled.
  2. Access hygiene in practice: default creds removed; unique, non-shared accounts; prompt deprovisioning; MFA for all remote access (staff and vendors). 
  3. No unnecessary internet exposure: no open RDP/VNC/TeamViewer; brokered access via VPN/jump host with MFA and logging. 
  4. IT/OT segmentation: DMZ between business and control networks; allow-list rules documented; diagrams dated. 
  5. Logging & monitoring: centralized logs; alerts for failed logins, new admin accounts, PLC/HMI config changes, remote sessions, unusual outbound OT traffic; evidence of triage and closure. 
  6. Recoverability: offline/immutable backups for PLC projects, HMI configs, historians, and critical OT workstations; test-restore records with dates, outcomes, and sign-offs. 
  7. Vendor access control: named, time-boxed accounts; session logging/recording where feasible; disablement after job completion; contract language requiring secure remote access and cooperation during incidents. 
  8. Exercises: recent tabletop(s) for “malicious chemical dosing change” and “SCADA workstation ransomware,” with after-action items tracked to closure. 
Things you should do anyway (if not asked): 
  • Evidence hygiene: maintain a simple “inspection binder” index (RRA/ERP approvals, network diagrams, access lists, backup/restore reports, tabletop AARs, vendor roster, change logs). 
  • Change management for OT: capture PLC/HMI firmware/config baselines and approval workflows; keep “golden config” exports. 
  • Training & competency: annual role-based training for operators and engineers (remote access etiquette, MFA, USB hygiene); keep rosters and completion dates. 
  • Vulnerability & exception management: documented patch windows for OT (with risk-based exceptions), plus interim compensating controls. 
  • Deprovisioning proof: monthly report showing closed/disabled accounts (employees and contractors), matched against HR and access tickets. 
  • Data retention & chain-of-custody: preserve key OT logs and configs for the period your state records office or insurer expects; document how you’d hand evidence to investigators. This could tie to #5 “Logging and Monitoring” above. 
  • Segmentation verification: quarterly test that OT remains unreachable from IT without the jump path (screenshots or penetration test plan results). 
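The segmentation verification item above (IT/OT boundary, documented allow-list rules, quarterly reachability test) can be turned into a repeatable check. The example below is added here and is not NuHarbor's code: it compares the documented allow-list against the results of a reachability test and reports every flow where the firewall and the diagram disagree. All networks, addresses, ports and rules are constructed placeholders.

```python
"""Added example (not from the original post): verify a documented IT/OT allow-list
against the observed results of a quarterly reachability test. Every address, port
and rule below is a constructed placeholder."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # source CIDR
    dst: str    # destination CIDR
    port: int   # TCP destination port
    note: str   # why the rule exists (what the diagram says)

# Constructed baseline: the business LAN may reach only the jump host in the DMZ;
# only the jump host may reach the OT network, and only on documented ports.
ALLOW_LIST = [
    Rule("10.10.0.0/16", "10.20.0.10/32", 443, "IT -> jump host (MFA web portal)"),
    Rule("10.20.0.10/32", "10.30.0.0/24", 3389, "jump host -> OT engineering workstations"),
    Rule("10.20.0.10/32", "10.30.0.0/24", 502, "jump host -> PLC Modbus/TCP for vendor work"),
]

def is_allowed(src_ip: str, dst_ip: str, port: int, rules=ALLOW_LIST) -> bool:
    """Default-deny: a flow is allowed only if some documented rule matches it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
               and port == r.port for r in rules)

def verify_segmentation(test_flows, rules=ALLOW_LIST):
    """Return flows whose observed reachability disagrees with the allow-list.
    Each test flow is (src, dst, port, observed_reachable). A mismatch is evidence
    that the firewall drifted from the diagram, or the diagram from the firewall."""
    findings = []
    for src, dst, port, observed in test_flows:
        expected = is_allowed(src, dst, port, rules)
        if observed != expected:
            findings.append({"src": src, "dst": dst, "port": port,
                             "expected_reachable": expected,
                             "observed_reachable": observed})
    return findings

# Constructed results of a quarterly test: what the tester actually observed.
QUARTERLY_TEST = [
    ("10.10.5.23", "10.20.0.10", 443, True),   # IT -> jump host works, as designed
    ("10.10.5.23", "10.30.0.15", 3389, True),  # IT -> OT directly: must be blocked
    ("10.20.0.10", "10.30.0.15", 502, True),   # jump host -> PLC: documented path
    ("10.10.5.23", "10.30.0.15", 502, False),  # IT -> PLC Modbus: blocked, as designed
]

if __name__ == "__main__":
    for f in verify_segmentation(QUARTERLY_TEST):
        print("SEGMENTATION FINDING:", f)
```

The finding list, dated and attached to the network diagram, is the "segmentation verification" evidence the binder needs; an empty list is the result you want to see each quarter.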

Funding Opportunities

Most utilities can pay for core cyber upgrades with State Revolving Funds: the DWSRF for drinking water and the CWSRF for wastewater. EPA’s fact sheets explicitly list cybersecurity as eligible. Think secure remote access and MFA, network segmentation/DMZs, logging/monitoring, backup/restore infrastructure, and even physical protections for IT/OT rooms. Because State Revolving Fund (SRF) dollars are awarded by states, the winning move is to tie each line item to a specific RRA/ERP finding and measurable risk reduction; many states also pair SRF with technical assistance to help smaller systems scope and deliver projects.

For larger or multi-year programs, EPA’s Water Infrastructure Finance and Innovation Act (WIFIA) offers low-interest, long-tenor loans on a rolling basis, typically up to 49% of eligible project costs (and up to 80% for small communities), and can include cybersecurity as part of broader water/wastewater improvements. Rural systems should also look at USDA Rural Development loans/grants, which can fund water and wastewater upgrades in communities under 10,000 people. EPA’s Water Sector Cybersecurity Evaluation Program and related assessment resources provide free, confidential gap analyses and planning help you can use to strengthen applications and prove outcomes.

Preparing for CIRCIA Compliance

Preparing now for CIRCIA

CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act) is the federal playbook that will require covered critical-infrastructure entities - including water and wastewater utilities - to report significant cyber incidents within 72 hours and ransom payments within 24 hours to CISA. The rule details are being finalized now, with enforcement expected to begin after the final rule goes live (targeted for 2026). Think of CIRCIA as a clock and a checklist: when something material happens, you must quickly assemble facts, artifacts, and a narrative of what you saw and did. 

Two compliance birds, one compliance effort 

If you only have budget and political capital for one heavy lift this quarter, make it a brokered remote-access program for OT and OT-adjacent admin accounts: VPN or jump host, enforced MFA, named/time-boxed vendor identities, approvals before each session, and full session/log capture. On the EPA §1433 side, this checks multiple inspector boxes in one stroke: access hygiene (no defaults or shared logins), removal of unnecessary internet exposure, IT/OT boundary control, vendor management, and proof that you can see who touched what and when. On the CIRCIA side, the same plumbing gives you the artifacts you’ll need when an event crosses the “covered incident” bar: a clock-accurate trail of remote activity, configuration changes, and containment steps that can be marshaled within 72 hours (and, if applicable, the 24-hour ransom-payment timeline). In practice, your jump host and SIEM become the single source of truth for both inspection evidence and federal incident reporting—one investment, two obligations handled. 
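The "single source of truth" idea above, and the logging alerts listed under inspection item 5 (failed logins, new admin accounts, PLC/HMI config changes, remote sessions), can be exercised against the jump host's own session log. The example below is added here and is not NuHarbor's code: it reviews constructed jump-host records for the controls the post names (MFA on every remote session, approved time-boxed vendor access, PLC config changes) and assembles the chronological trail a 72-hour CIRCIA submission would draw on. The JSON record format and the 07:00-18:00 UTC vendor window are assumptions.

```python
"""Added example (not from the original post): review constructed jump-host session
records for the EPA §1433 evidence items and build a CIRCIA-style incident trail.
The record format and the vendor working-hours window are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample: one JSON record per jump-host event (format is an assumption).
SAMPLE_LOG = """
{"ts":"2025-09-20T08:02:11Z","user":"vendor-acme-07","kind":"vendor","mfa":true,"ticket":"CHG-1042","target":"plc-dosing-01","action":"login"}
{"ts":"2025-09-20T08:15:40Z","user":"vendor-acme-07","kind":"vendor","mfa":true,"ticket":"CHG-1042","target":"plc-dosing-01","action":"config_change"}
{"ts":"2025-09-20T23:48:03Z","user":"vendor-acme-07","kind":"vendor","mfa":true,"ticket":"","target":"hmi-east-02","action":"login"}
{"ts":"2025-09-21T02:10:55Z","user":"ops-jsmith","kind":"staff","mfa":false,"ticket":"","target":"hmi-east-02","action":"login"}
{"ts":"2025-09-21T02:12:30Z","user":"ops-jsmith","kind":"staff","mfa":false,"ticket":"","target":"hmi-east-02","action":"config_change"}
"""

def parse_log(text):
    """Parse newline-delimited JSON records and sort them into a clock-accurate order."""
    events = [json.loads(l) for l in text.strip().splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def review_sessions(events, vendor_window=(7, 18)):
    """Return (finding, user, timestamp) tuples an inspector would ask about: every
    remote session must have MFA; vendor logins need an approval ticket and must
    start inside the assumed working-hours window; PLC config changes are always
    surfaced so they can be matched against change tickets."""
    findings = []
    for e in events:
        if not e["mfa"]:
            findings.append(("NO_MFA", e["user"], e["ts"]))
        if e["kind"] == "vendor" and e["action"] == "login":
            if not e["ticket"]:
                findings.append(("VENDOR_NO_APPROVAL", e["user"], e["ts"]))
            if not (vendor_window[0] <= e["ts"].hour < vendor_window[1]):
                findings.append(("VENDOR_OUTSIDE_WINDOW", e["user"], e["ts"]))
        if e["action"] == "config_change" and e["target"].startswith("plc-"):
            findings.append(("PLC_CONFIG_CHANGE", e["user"], e["ts"]))
    return findings

def incident_timeline(events, detected_at, lookback_hours=72):
    """Chronological remote-activity trail from lookback_hours before detection up to
    detection, plus the 72-hour reporting deadline the post describes."""
    start = detected_at - timedelta(hours=lookback_hours)
    trail = [e for e in events if start <= e["ts"] <= detected_at]
    return {"report_due": detected_at + timedelta(hours=72), "events": trail}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in review_sessions(evs):
        print(*f)
```

Run against real jump-host exports, the same two functions yield both the inspection evidence (who touched what, with or without MFA and approval) and the ordered narrative a covered-incident report needs.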

Summary

This isn’t about chasing shiny tools; it’s about doing the high-leverage basics and being able to show your work. EPA is leaning on §1433 through your RRA and ERP; CIRCIA is the shot clock that’s about to start. One smart push covers both: broker remote access (VPN/jump host), put MFA on every session, separate IT from OT, turn on logging that actually catches bad behavior, and practice restoring from backups like it matters. Then keep the receipts: screenshots, configs, restore notes, and tabletop takeaways in a tidy binder so inspections feel like a status update, not a courtroom drama.

Over the next 90 days, lock those foundations, tap SRF dollars for the bigger lifts, and name one accountable exec to own the calendar. Treat CIRCIA as a timed drill you can pass today. Define what triggers a report, wire your jump host and SIEM as the system of record, and rehearse packaging a clean 72-hour incident submission. Do that, and you won’t just comply, you’ll sleep better. 

Justin Fimlaid
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
