The Environmental Protection Agency has released substantial cybersecurity guidance for drinking water and wastewater utilities, and most operators aren't taking it as seriously as they should. The EPA isn't a regulator with enforcement authority—that's typically your state drinking water authority or your state environmental agency—but EPA guidance carries significant weight. When auditors come, they'll be checking whether you've followed EPA recommendations. Ignoring EPA guidance is a liability.
Unlike NERC CIP, which is prescriptive and legally binding, EPA guidance is advisory but detailed. It recommends specific practices: asset management, access controls, incident response, training. It doesn't mandate specific tools or certifications. This flexibility is helpful, but it means you need to interpret the guidance and apply it to your specific operation. Many water utilities miss the forest for the trees—they focus on the technical parts and miss the governance and process changes the EPA expects.
Core EPA Cybersecurity Principles for Water Utilities
The EPA emphasizes that cybersecurity is not IT's job alone—it's an operational priority that requires leadership support and integration into your utility's risk management program. Leadership must understand the threats and the controls. Operations must understand why certain access restrictions exist. IT must understand the constraints of water operations. The EPA expects coordination across departments, not siloed security.
EPA guidance recommends a risk-based approach: identify your critical assets (which systems, if compromised, would disrupt service or endanger public health), assess threats and vulnerabilities, implement controls proportional to risk, and monitor for effectiveness. This is simpler than NERC CIP but requires discipline and ongoing attention. Many utilities do a vulnerability assessment once and then forget about it. EPA expects vulnerability assessment to be ongoing and results to inform your control investments.
Specific Recommendations in Practice
- Asset inventory and criticality assessment: Document every system that touches water treatment or distribution. Classify each as critical or non-critical. Focus security controls on critical systems. Quarterly review and update this inventory.
- Network segmentation and access control: Critical systems should not be directly accessible from the internet or from corporate IT networks. Implement firewall rules, VPNs, and multi-factor authentication for remote access. Change default passwords on all systems.
- Patch and configuration management: Apply security patches promptly. Maintain and document configuration baselines. Control changes through a change management process. Document who has administrative access to which systems.
- Incident response and reporting: Establish procedures for detecting, responding to, and reporting cybersecurity incidents. Notify your state drinking water authority when appropriate. Conduct incident response tabletop exercises annually.
Working with Your State Authority
Water utilities are regulated at the state level, not federally. Your state drinking water authority or public utilities commission may have adopted EPA guidance formally or may have developed its own cybersecurity requirements. Understand what your state expects. Build a relationship with your state regulator. Share your cybersecurity program and ask for feedback. Proactive communication prevents surprises during inspections.
EPA cybersecurity guidance is comprehensive and well-developed. If you follow it, you'll build a security program that protects your utility and meets regulator expectations. We help water utilities interpret EPA guidance, build risk-based security programs, and prepare for state inspections. Let's talk about EPA compliance and cybersecurity readiness for your utility.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.