EPA Threat Briefing Highlights Expanding Cyber, Physical, And AI Risks For Water Utilities
The U.S. Environmental Protection Agency (EPA) convened water-sector leaders on February 26, 2026, for a two‑hour Threat Briefing that underscored what many utilities already feel on the ground: cyber, physical, and operational risks are expanding, and attackers are becoming more opportunistic. Speakers from EPA, CISA, the FBI, NIST, AWWA, and WaterISAC offered a clear takeaway — utilities need to strengthen readiness now, not later.
Cyber Threats: More Attacks, Faster Response Needed
EPA’s Cole Dutton (Office of Water Emergency Response and Cybersecurity, OWERC) opened with the latest cyber threat activity, noting a continued increase in targeting of small and medium utilities. He urged systems to report anomalies quickly:
- CISA 24/7 Operations Center: Report@cisa.gov
- Local FBI field office
- EPA Water Cyber Hotline: watercyberta@epa.gov
EPA’s Water Sector Cybersecurity portal provides ongoing alerts and tools:
https://www.epa.gov/cyberwater
Physical Threat Landscape: Utilities Still Face On‑Site Risks
Alec Davison of WaterISAC highlighted physical threat patterns and encouraged utilities to leverage WaterISAC’s resource center and reporting channels.
https://www.waterisac.org/resources
When An Intrusion Occurs, Speed Matters
Brian Kaiser (FBI) discussed immediate post‑incident steps, emphasizing staff safety, evidence preservation, and early notification to federal partners.
AI Risk Emerges As A New Operational Concern
NIST’s Martin Stanley warned that AI introduces its own vulnerabilities — including manipulated inputs and operational decision risks — and directed attendees to the following tools:
- NIST AI Risk Management Framework (AI RMF 1.0):
https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf - NIST AI RMF Playbook:
https://www.nist.gov/itl/ai-risk-management-framework/nist-ai-rmf-playbook - NIST AI Resource Center:
https://airc.nist.gov/
EPA And CISA Roll Out Expanded Support
EPA cybersecurity specialist Brandon Carter highlighted several free EPA programs:
- EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems:
https://www.epa.gov/system/files/documents/2024-08/epa-guidance-on-improving-cybersecurity-at-drinking-water-and-wastewater-systems-1.pdf - EPA Water Sector Cybersecurity Evaluation Program:
https://www.epa.gov/cyberwater/forms/epas-water-sector-cybersecurity-evaluation-program - Cybersecurity Technical Assistance Program (Help Desk):
https://www.epa.gov/waterriskassessment/forms/cybersecurity-technical-assistance-water-utilities
EPA Case Studies:
- Small Combined System
https://www.epa.gov/system/files/documents/2024-04/water-cybersecurity-case-study-draft-508-041824.pdf - Small Wastewater System
https://www.epa.gov/system/files/documents/2023-09/cybersecurity-program-case-study-small-wastewater-system_508c.pdf - Medium Drinking Water System (two case studies)
https://www.epa.gov/system/files/documents/2023-09/cybersecurity-program-case-study-medium-drinking-water-system_508c.pdf
https://www.epa.gov/system/files/documents/2024-02/cybersecurity-case-study_-medium-drinking-water-system-2_508c.pdf - Medium Combined System
https://www.epa.gov/system/files/documents/2023-12/231205-medium-combined_508c.pdf - Large Combined System
https://www.epa.gov/system/files/documents/2023-10/231010-large-combined-case-study_508c.pdf
Cybersecurity Exercises And Training:
https://www.epa.gov/waterresilience/cybersecurity-exercises-and-technical-assistance-courses
CISA’s Lauren Wisniewski highlighted additional support:
- CISA–EPA Water & Wastewater Toolkit:
https://www.cisa.gov/water - Vulnerability Scanning:
vulnerability@cisa.dhs.gov - Cybersecurity Advisories:
https://www.cisa.gov/news-events/cybersecurity-advisories - Regional Contacts:
https://www.cisa.gov/about/regions - CISA Services Fact Sheet:
https://www.cisa.gov/resources-tools/resources/cisa-services-fact-sheet-regions
Industry Partners Offer Additional Tools
AWWA’s Kevin Morley shared resources including:
- New Cyber Informed Engineering (CIE) publication:
https://www.awwa.org/CIE - AWWA Cybersecurity Guidance:
https://www.awwa.org/cybersecurity - CISA Cyber Hygiene Services (recommended by AWWA):
https://www.cisa.gov/cyber-hygiene-services - AWWA Risk Toolkit:
https://www.awwa.org/risk
WaterISAC’s Chase Snow promoted several practical security tools:
- 12 Cybersecurity Fundamentals for Water & Wastewater Utilities:
https://www.waterisac.org/wp-content/uploads/2024/12/WaterISAC_12-Fundamentals_FULL-12-High-Res.pdf - Case Studies:
https://www.waterisac.org/case-studies - Incident Summaries & Threat Reports:
https://www.waterisac.org/waterisac-publications - Webcast Archive:
https://www.waterisac.org/webcasts - Upcoming Events:
https://www.waterisac.org/events - 6-Day Free Membership Trial:
https://www.waterisac.org/membership
What Utilities Should Do Now
Across agencies, the message was uniform: utilities have actionable steps they can take today:
- Report suspicious cyber or physical activity immediately.
- Adopt core cyber hygiene, including MFA, segmentation, and asset inventories.
- Use EPA and CISA no-cost assessments and training.
- Apply AI risk-management practices when integrating automation.
- Engage with WaterISAC and AWWA for best practices, intel, and training.
EPA emphasized that utilities — regardless of size — can dramatically improve resilience by tapping into the free resources already available to the sector.