Cybersecurity in AWIA Risk and Resilience Assessments: What EPA Actually Expects

Published April 23, 2026

If your next AWIA Risk and Resilience Assessment reads like a review of pump stations, treatment plants, and chemical storage, it is already missing a major piece of what the EPA expects to see.

The America’s Water Infrastructure Act (AWIA) of 2018 requires community water systems serving more than 3,300 people to complete a Risk and Resilience Assessment (RRA) every five years and to revise their Emergency Response Plan (ERP) within six months of that assessment. The statute names specific asset categories that must be evaluated. One of them is “electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system.”

In plain language: cybersecurity is not optional in your RRA. It is part of the statute. If the engineering firm supporting the utility treats the IT and OT (operational technology, meaning the systems that run physical processes like SCADA, PLCs, and chemical dosing controls) as out-of-scope, the utility has a compliance gap the EPA can call out on audit.

The Problem: IT and OT Usually Get a Paragraph, Not an Assessment

Most RRAs that cross our desk give cybersecurity a few pages of general discussion and then pivot back to physical assets for the rest of the document. The pattern looks like:

  • A short section acknowledging that the SCADA system exists
  • A general statement that firewalls and antivirus are in place
  • A reference to password policies
  • A conclusion that “cyber risk is moderate”

This is not what the EPA asked for. The EPA’s Baseline Information on Malevolent Acts for Community Water Systems lays out the threat categories utilities must consider, and cyberattacks are treated alongside physical attacks as a category requiring specific analysis. The EPA’s guidance materials and training references reinforce that the cybersecurity analysis must be as rigorous as the physical one.

In practice, that means your RRA should identify specific digital assets, specific threats to those assets, current controls, and residual risk. Not “antivirus is installed.”

Why It Matters to You Specifically

For the civil engineering firm supporting a utility, a shallow cybersecurity section in the RRA creates three distinct exposures.

Audit exposure for the utility. If an EPA review or a state primacy agency request comes in and the RRA does not substantively address the digital systems, the finding is against the utility. But your firm wrote the report. The conversation about what went wrong is happening in your conference room.

Liability exposure for the firm. Engineering firms are increasingly named in litigation when infrastructure incidents occur, including cyber incidents. A thin cybersecurity assessment becomes evidence that known risks were not adequately surfaced during the professional engagement.

Future work exposure. Utilities that experience a cyber incident after a recent RRA that did not substantively cover the digital estate tend not to hire the same engineering firm for the next five-year cycle. The reputational damage is quiet but durable.

What Good Looks Like

A properly scoped cybersecurity section in an AWIA RRA covers several specific elements that the weak versions skip.

A Complete Inventory of Digital Assets

Every system that supports the water utility’s operations is an asset worth evaluating. At minimum:

  • SCADA servers, historian databases, and HMI (human-machine interface) workstations
  • PLCs (programmable logic controllers) and RTUs (remote terminal units) at treatment plants, pump stations, and storage facilities
  • OT network equipment (industrial switches, firewalls, wireless radios)
  • Corporate IT systems that touch operations (billing systems, customer databases, GIS platforms, work order systems)
  • Communication systems (radios, cellular modems, satellite backups)
  • Cloud services the utility uses for any part of operations
  • Backup systems and offsite data copies

Each asset should be documented with enough specificity that someone picking up the report three years later can understand what was assessed.

Threat Identification Beyond Generic Categories

The CISA Water and Wastewater Systems Sector resources list specific threats that water utilities face, and they go well beyond “ransomware.” Common threats worth evaluating explicitly:

  • Unauthorized remote access through legacy VPN or vendor maintenance connections
  • Credential theft leading to SCADA manipulation
  • Ransomware affecting either corporate IT or operational systems
  • Insider threat (current or former employees with lingering access)
  • Supply chain compromise through integrators and vendors
  • Weak boundary between business network and OT network

Honest Evaluation of Current Controls

This is where thin assessments fail most. Listing that a firewall is in place without evaluating whether it is configured correctly, monitored, and current on firmware is not an assessment. The RRA should evaluate controls against a recognized framework. NIST Cybersecurity Framework 2.0 or the sector-specific AWWA Cybersecurity Guidance and Assessment Tool are the common references.

Quantified Residual Risk

After threats and controls are evaluated, the RRA should give the utility a clear picture of residual risk: which scenarios remain most likely or most impactful after current controls, and which require additional investment to reduce. This drives the capital planning discussion the utility has after the RRA is delivered.

Cybersecurity in the ERP

Risk identified in the RRA must flow into the Emergency Response Plan. If a ransomware scenario is in the assessment, the ERP needs a response plan for a ransomware scenario. Contact trees, manual operation procedures, recovery steps, and communication with state primacy, EPA, CISA, and affected customers all belong there. Too often the ERP is assumed to be about physical events, leaving the utility with no documented playbook for a cyber event.

Practical Takeaways

If you are supporting a utility client through an RRA or ERP revision in the next 12 months, these are the specific items worth putting in front of the client early:

  1. Confirm scope in writing. Make sure the engagement letter explicitly covers cybersecurity analysis of IT and OT systems, not just physical assets. Ambiguity benefits nobody.
  2. Bring in IT and OT subject matter expertise. If your firm does not have in-house cybersecurity engineers with OT experience, partner with a managed IT provider who does. Assessing SCADA security with only a civil engineering lens is a gap waiting to be audited.
  3. Use recognized frameworks. The AWWA tool, NIST CSF, and CISA’s water sector resources are the standards auditors recognize. Using them signals rigor and makes the assessment defensible.
  4. Plan for the flow to the ERP. The work does not end at the RRA. Scenarios and controls identified should be reflected in a cyber-aware ERP delivered within six months of RRA certification, per the statute.

A Risk and Resilience Assessment that takes cybersecurity seriously protects the utility, protects your firm, and gives the governing board the information they actually need to make investment decisions.

If you want a conversation about how to integrate IT and OT cybersecurity expertise into an upcoming RRA or ERP project, the HVR Cloud team works with engineering firms on exactly this. Get in touch and we can walk through your specific situation.