The U.S. Environmental Protection Agency (“EPA”) published a report in July 2025 containing a sector-wide set of nonregulatory recommendations to strengthen U.S. drinking water and wastewater systems against cyberattacks, alongside new funding for resilience projects.[1] Although the document itself is advisory, it lands amid stepped-up inspections and enforcement tied to Safe Drinking Water Act (“SDWA”) section 1433 risk-and-resilience obligations.[2] Utilities, vendors, investors, and acquirers should treat these recommendations as the new baseline for diligence, budgeting, and compliance planning.
What’s New
EPA’s July 2025 Report
Securing the Future of Water: Addressing Cyber Threats Today, a report issued by EPA in July 2025, consolidates practical steps for both drinking water and wastewater utilities, calling for a “holistic” approach and tighter coordination among utilities, states, federal partners, and sector associations.[3]
Funding Window
On August 5, 2025, EPA opened approximately $9 million in grants for midsize and large public water systems (those serving populations of 10,000 or more) under the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability program.[4] The solicitation remained open for sixty days on grants.gov. Utilities may consider pairing future grant proposals with the EPA report’s priority actions.
Enforcement Backdrop
EPA’s May 2024 Enforcement Alert (updated July 24, 2025) reports that more than 70 percent of inspected systems since September 2023 violated basic SDWA section 1433 requirements (e.g., incomplete Risk and Resilience Assessments (“RRAs”) and Emergency Response Plans (“ERPs”)) and warns of increased inspections, potential use of SDWA emergency powers (section 1431), and even criminal sanctions for false certifications.[5]
Deadlines Continue
America’s Water Infrastructure Act (“AWIA”) section 2013 and SDWA section 1433 five-year cycles are active. For example, systems serving 50,000–99,999 people have RRA recertifications due December 31, 2025 (and ERPs six months later); systems serving 3,301–49,999 people face a June 30, 2026, deadline for RRAs (and ERPs six months later).[6]
Context
The U.S. Government Accountability Office (“GAO”) 2024 report pushed EPA to adopt a national water-sector cyber strategy. GAO now notes that EPA issued a sector risk assessment/plan in January 2025 and is evaluating further authority needs—underscoring that voluntary guidance is increasingly informing oversight.[7]
The Report’s Ten Core Recommendations
EPA’s task force organizes near-term steps for utilities and partners. We can expect these themes to show up in inspections, grant scoring, and diligence checklists.
In EPA’s July report, the task force highlights the following key areas for water utilities to consider:[8]
- Clear ownership and coordination. Assign clear executive responsibility; create standing coordination forums across utility/state/federal partners.
- Communication to leaders. Tailor messages and training for boards, mayors, and utility executives; integrate cyber into leadership programs.
- The basics. Normalize a short list of “must-do” controls (e.g., leadership commitment, staff training, access control, and incident response planning).
- A culture of security. Offer continuous webinars/resources; weave cybersecurity into operator certification and continuing education.
- Expanded hands-on help. Prioritize more technical assistance, virtual office hours, Cybersecurity and Infrastructure Security Agency (“CISA”) adviser support, and peer-to-peer mentoring.
- Dedicated funding. Budget explicitly for cybersecurity, ensure Water Information Sharing and Analysis Center (“WaterISAC”) access,[9] expand grant/loan eligibility, and resource state resilience roles.
- No information gaps. Share sanitized attack summaries and implementation examples; maintain a best-practices hub and model policies.
- Expectations for vendors/consultants. Use model contracts and clear principles, raise vendor awareness, and align procurement with security outcomes.
- Support for state partners. Train state staff, share successful state program models, and equip field staff with cyber talking points.
- Resourced and engaged partners. Leverage national associations and cyber groups to grow the sector workforce and deliver training/assistance.
Legal and Operational Implications
Compliance with the SDWA’s Cybersecurity Provision
While EPA’s July report is not a rule, inspectors already examine cyber elements in RRAs/ERPs under SDWA section 1433. Gaps such as unchanged default passwords, shared logins, and the absence of a cyber asset inventory have triggered findings. Where risk rises to “imminent endangerment,” EPA signals that it may invoke section 1431 emergency powers.[10]
Diligence and Transactions
We can expect lenders, buyers, and insurers to benchmark utilities against the EPA task force’s ten recommendations and SDWA section 1433 status. Documenting progress (governance, funding, contracts, training, and incident drills) may materially reduce risk in deals and financings.
Grants and Prioritization
Aligning projects with the report’s priority actions (leadership training, direct tech assistance, operator certification integration, coordination with state chief information officer (“CIO”) offices, etc.) can strengthen grant narratives.
The Big Seven: Key Near-Term Actions
Over the next ninety to 180 days, the water sector may want to discuss with counsel the following key considerations and timely moves:
- Name an accountable executive (e.g., general manager or utility director) for cyber risk; brief governance quarterly using a simple key performance indicator dashboard.
- Validate SDWA section 1433 status against the current five-year cycle; correct RRA/ERP gaps (cyber asset inventory, incident response, backups, operational technology segmentation).
- Lock in “Top Actions”: reducing internet exposure, changing defaults, enforcing multifactor authentication (“MFA”), backing up and testing restores, and exercising EPA and CISA incident plans.[11]
- Train leadership and operators; add cyber modules to manager briefings and operator continuing education units, join WaterISAC, and subscribe to CISA advisories.
- Update vendor contracts: add baseline controls (e.g., MFA, patching service level agreements, remote-access rules), incident notice, logging/monitoring, right-to-audit, and data-handling clauses consistent with the report’s vendor engagement recommendations.
- Schedule a third-party assessment (EPA Water Sector Cybersecurity Evaluation Program or equivalent), and convert findings into a funded, time-bound mitigation plan.
- Coordinate with your state: engage the state primacy agency and state CIO/cyber office to align resources and messaging. Anticipate increased scrutiny during sanitary surveys and follow-on inspections.
A Final Word
There is no time like the present for public water systems and their partners to (i) align RRAs/ERPs and governance with SDWA section 1433 and EPA’s recommended practices, (ii) structure vendor and integrator contracts to reflect cyber obligations, (iii) prepare targeted grant applications mapped to the task force’s priority actions, and (iv) conduct transactional diligence on cyber risks in utility acquisitions or financings. Consult with counsel to mitigate risk and plan your path forward.
U.S. Env’t Prot. Agency, Securing the Future of Water: Addressing Cyber Threats Today (July 2025).
Safe Drinking Water Act, tit. XIV of the Public Health Service Act, 42 U.S.C. §§ 300f et seq.
U.S. Env’t Prot. Agency, supra note 1.
Press Release, U.S. Env’t Prot. Agency, EPA Announces Availability of $9 Million to Protect Drinking Water from Natural Hazards and Cybersecurity Threats (Aug. 5, 2025) (announcing approximately $9 million in grants and publication of a report flagging ten recommendations and “priority actions”).
Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities, U.S. Env’t Prot. Agency (May 2024) (updated July 24, 2025) (noting greater than 70 percent noncompliance, increased inspections, and potential SDWA section 1431 action).
AWIA Section 2013: Public Certification Data, U.S. Env’t Prot. Agency (last visited Nov. 6, 2025) (RRA/ERP five-year deadlines through 2026).
U.S. Gov’t Accountability Off., GAO-24-106744, Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems (2024, updated 2025) (urging national strategy; noting EPA risk plan (January 2025) and continuing authority evaluation).
U.S. Env’t Prot. Agency, supra note 1, at 4–9.
Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities, supra note 5.
Id.