- New EPA resources strengthen cybersecurity across U.S. water systems.
- Utilities gain checklists and templates to assess risk and vendor security.
- Rising cyber threats prompt national collaboration and preparedness.
Thursday, October 29, 2025 — Last week, the U.S. Environmental Protection Agency announced a suite of new resources designed to help water and wastewater utilities defend against cyberattacks. The move comes as cyber threats against essential infrastructure continue to rise, targeting not only large municipal systems but also small rural utilities that often lack dedicated cybersecurity personnel.
EPA Assistant Administrator for Water Jess Kramer emphasized the urgency of the effort, noting that “strengthening cybersecurity for the U.S. water sector is critically important because cyber resilience and water security are key to national security.”
The updated materials include practical planning guides, model templates, and new evaluation tools that utilities can use to test their preparedness and strengthen procurement practices.
Key New Tools and Templates.
The newly released tools provide utilities with clear frameworks for identifying vulnerabilities and creating response plans. Among the highlights:
- Emergency Response Plan (ERP) Guide for Wastewater Utilities: Updated to include detailed strategies for managing incidents—whether natural or man-made—that threaten life, property, or the environment.
- Cybersecurity Incident Response Plan Template: A step-by-step format to help systems prepare for and recover from cyber intrusions.
- Incident Action Checklists: Two new checklists requested by the industry focus on power outages, floods, wildfires, and cyber incidents.
- Cybersecurity Procurement Checklist: A new evaluation tool that helps utilities verify that vendors, manufacturers, and software providers meet minimum cybersecurity standards before procurement.
EPA’s checklist, mirrored in the attached Cybersecurity Procurement Evaluation Workbook, guides utilities through a series of questions covering vendor security practices, authentication standards, update procedures, and data access controls. It encourages procurement teams to vet suppliers’ cybersecurity posture rather than simply relying on product assurances.
Vendor Risks and System Exposure.
As reported by Federal News Network on October 28, 2025, the EPA has identified a troubling pattern in its outreach: many water utilities are unaware that some of their control systems are visible on the open internet. Cole Dutton, a cybersecurity analyst in the EPA’s Water Infrastructure and Cyber Resilience Division, described this as a widespread “lack of asset awareness” across the sector.
The agency’s recent analysis found that utilities frequently depend on outside vendors for control technologies—arrangements that may expose critical infrastructure if contractors fail to implement proper safeguards. The procurement checklist is meant to help local systems ask the right questions of their vendors, such as:
- How are system assets being protected from remote access?
- What security standards apply to installed components?
- How are updates and patches verified?
Small Systems, Big Challenges.
EPA officials have repeatedly acknowledged that small and rural utilities face unique challenges. Many lack in-house cybersecurity staff and must balance daily operational needs with long-term resilience planning. The new resources are designed to simplify compliance under the Safe Drinking Water Act, particularly for systems serving more than 3,300 people that must maintain certified emergency response plans.
EPA’s updated templates—issued in September 2024 for drinking water utilities and October 2025 for wastewater utilities—include embedded Word versions that utilities can tailor to their own needs. They incorporate new cybersecurity modules and mitigation strategies that align with guidance from the Cybersecurity and Infrastructure Security Agency.
Collaboration and National Security Implications.
EPA’s initiative builds on earlier federal grants announced in August 2025 totaling $9 million for medium and large water systems to strengthen cybersecurity and resilience to extreme weather. The agency continues to coordinate with CISA, state programs, and industry associations to protect what it calls a “critical lifeline of clean and safe water.”
Cyberattacks on water utilities have grown more frequent and sophisticated, posing threats not only to local operations but to broader public health and economic stability. As the EPA noted, “guarding against cyberattacks is central to ensuring every American has access to safe water.”
FAQ
Q: Why is cybersecurity now a top priority for water systems?
Because attacks on control systems can directly affect the safety of drinking water and wastewater treatment. EPA and CISA have both confirmed that hackers have targeted these systems in recent years.
Q: What is the Cybersecurity Procurement Checklist?
It is a new EPA resource that helps utilities evaluate vendor cybersecurity practices before purchasing or upgrading operational technology systems.
Q: Are utilities legally required to follow this guidance?
Drinking water utilities serving more than 3,300 people must maintain Emergency Response Plans under the Safe Drinking Water Act. While wastewater utilities are not legally required, EPA strongly recommends voluntary compliance.
Q: How can smaller or rural utilities get help?
EPA offers free templates, training, and regional assistance through its Water Security Division. Utilities can customize the downloadable ERP and CIRP templates to fit their system size and available staff.
Q: What happens next?
EPA plans to continue auditing vulnerabilities, sharing data with federal partners, and updating its tools as new cyber risks emerge.




