Your next AWIA Risk and Resilience Assessment is coming. If your IT systems aren’t part of the conversation, you have a problem.
The America’s Water Infrastructure Act requires community water systems serving more than 3,300 people to complete Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs) on a rolling five-year cycle. The EPA has made it clear: these assessments must cover both physical and digital infrastructure. For civil engineering firms that design, manage, or operate water systems, that means your SCADA networks, OT controls, document management, and communications systems are all in scope.
The Problem: IT Gets Treated as an Afterthought
Most civil engineering firms approach AWIA compliance from the physical side first. That makes sense. You know pipes, pumps, treatment processes, and distribution networks. Your engineers understand structural risk.
But here’s where firms stumble. The RRA asks you to evaluate threats to the monitoring and control systems that run those physical assets. SCADA systems. Programmable logic controllers (PLCs) — the small computers that automate valves, pumps, and chemical dosing. Historian databases that log sensor data. Remote access tools your operators use from the field.
These are IT systems. And in many firms, nobody owns them.
Your operations team manages them day to day. Your engineering team specifies them during design. But who patches them? Who monitors them for unauthorized access? Who backs them up? Who tests whether they’ll actually work during an emergency?
If the answer is “we’re not sure,” that’s your gap.
Why This Matters
AWIA compliance isn’t optional. The EPA can refer non-compliant systems to enforcement action. But the regulatory penalty is actually the smallest risk you face.
Failed audits cost contracts. Municipal clients increasingly require proof that their engineering partners meet cybersecurity standards. If your firm can’t demonstrate that the systems you designed or manage are secure, you lose work to competitors who can.
Incidents trigger liability. A ransomware attack that takes down a water treatment SCADA system doesn’t just make the news. It creates a paper trail straight back to whoever was responsible for securing that system. If your firm designed it, integrated it, or manages it — and you can’t show you took reasonable precautions — you’re exposed.
ERPs that ignore IT fail in practice. Your Emergency Response Plan might cover a main break or a chemical spill. But what happens when your operators can’t access SCADA because the network is down? What if your document management system — the one holding your as-built drawings and O&M manuals — is encrypted by malware? An ERP that doesn’t account for IT failures isn’t a plan. It’s a wish.
Insurance carriers are paying attention. Cyber liability policies for firms in critical infrastructure sectors now routinely ask about OT network segmentation, backup practices, and incident response procedures. CISA has published guidance specifically for the water and wastewater sector that insurers increasingly reference when evaluating coverage. Gaps in your AWIA documentation can translate directly into higher premiums or denied claims.
What Good Looks Like
Firms that handle this well don’t bolt cybersecurity onto their AWIA compliance at the last minute. They build IT into the process from the start.
That starts with a clear inventory. You need to know every networked device in your OT environment — every SCADA server, every PLC, every remote terminal unit (RTU), every workstation with access to control systems. You can’t assess risk on assets you haven’t cataloged.
Next comes network segmentation. Your OT network — the one running your water system controls — should be separated from your corporate IT network. An employee clicking a phishing link in their email should not create a path to your SCADA system. This is a basic architectural control, but a surprising number of firms still run flat networks where everything talks to everything.
Then there’s monitoring and response. Someone needs to be watching these systems around the clock. Not just checking whether pumps are running, but watching for unusual login attempts, unexpected configuration changes, and unauthorized devices on the network. When something looks wrong, there needs to be a documented process for responding — and that process needs to be referenced in your ERP.
Finally, backups and recovery. Your SCADA configurations, historian data, engineering documents, and communication systems all need tested backup and recovery procedures. “Tested” is the key word. A backup you’ve never restored is a backup you don’t actually have.
What You Can Do This Quarter
You don’t need to overhaul everything at once. Start with these steps:
-
Audit your OT asset inventory. Walk your facilities. Document every networked device in your control systems environment. Include firmware versions, network addresses, and who has access. If this list doesn’t exist yet, that’s your first finding for the RRA.
-
Map your network architecture. Draw the connections between your corporate IT network and your OT network. Identify every point where they touch. If there’s no boundary between them, flag that as a priority remediation item.
-
Review your ERP for IT scenarios. Open your current Emergency Response Plan and look for IT-specific scenarios: SCADA outage, ransomware, loss of communications, corrupted engineering data. If those scenarios aren’t there, add them. Include who gets called, what systems get isolated, and how you maintain manual operations while recovering.
-
Assign ownership. Decide who in your organization is responsible for OT cybersecurity. This doesn’t have to be an internal hire. Many firms partner with a managed IT provider that understands both enterprise IT and operational technology environments. What matters is that someone specific is accountable.
Moving Forward
AWIA compliance is a moving target. The EPA’s expectations around cybersecurity are increasing, not decreasing. The firms that treat IT infrastructure as a core part of their risk and resilience posture — not a side project — will be the ones that pass audits cleanly, win municipal contracts, and sleep better at night.
If your firm is working through an RRA or updating an ERP and you’re not sure where your IT systems stand, we’re happy to walk through it with you. No sales pitch — just a conversation about where you are and what needs attention. Get in touch whenever you’re ready.
