
Wednesday, July 16, 2025

Coordination with Public Water Systems on SCADA Vulnerabilities


In June 2025, the EPA’s Water Infrastructure and Cyber Resilience Division (WICRD) notified the Water Quality Control Division (WQCD) that they had identified potential cybersecurity vulnerabilities at four Colorado public water systems (PWSs). While scanning for vulnerable devices, EPA identified the specific TCP/IP addresses of four BIF3800 SCADA Control Systems that were internet-exposed and could potentially allow a remote user to access the device and disrupt the utility’s operations. WQCD Field Services immediately reached out to the four water systems to notify them of the potential vulnerability so they could take action to protect their systems. 

Many utilities installed SCADA BIF3800 units as early as the 1990s, and the units were controlling ancillary processes in the water systems' distribution systems. A common belief was that hackers would not be interested in equipment that is so old, or that the older control systems would be less vulnerable to cyber attacks. Unfortunately, hackers can exploit any internet-exposed interface like these. The EPA and the Cybersecurity and Infrastructure Security Agency (CISA) recently published this joint fact sheet, which highlights the risks posed by internet-exposed Human Machine Interfaces (HMIs), including how easily hackers can find and exploit HMIs with cybersecurity weaknesses. The EPA and CISA fact sheet includes recommended mitigations to secure HMIs, including:

  • Conduct an inventory of all internet-exposed devices.
  • If possible, disconnect HMIs and all other accessible and unprotected systems from the public-facing internet.
  • If it is not possible to disconnect the device, secure it by creating a username and a strong password to prevent a threat actor from easily viewing and accessing the device. Change factory default passwords.
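
As an added illustration (not part of the EPA/CISA fact sheet or any WQCD tool), the Python sketch below applies the three mitigations above to a utility's own device inventory and lists what needs action, with internet-exposed devices first. The CSV columns, device names and addresses are constructed for the example, and the internal address ranges are an assumption.

```python
import csv
import io
import ipaddress

# Assumption: the utility's internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory. Device names are made up and 203.0.113.0/24
# is a documentation range, not a real utility address.
SAMPLE_INVENTORY = """name,kind,address,wan_forward_port,login_required,default_password
booster-hmi,HMI,203.0.113.10,,no,yes
tank-level-hmi,HMI,192.168.10.20,8080,yes,yes
plant-plc,PLC,192.168.10.30,,yes,no
chlorine-hmi,HMI,10.1.5.7,,no,no
"""

def is_exposed(row):
    """Exposed = address outside internal ranges, or a WAN port forward exists."""
    addr = ipaddress.ip_address(row["address"])
    public_addr = not any(addr in net for net in INTERNAL_NETS)
    return public_addr or bool(row["wan_forward_port"].strip())

def triage(inventory_csv):
    """Return {device: [findings]} for devices that need action, exposed first."""
    findings = {}
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    # Stable sort: exposed devices (key False) come before the rest (key True).
    for row in sorted(rows, key=lambda r: not is_exposed(r)):
        issues = []
        if is_exposed(row):
            issues.append("internet-exposed: disconnect if possible")
        if row["login_required"].strip().lower() != "yes":
            issues.append("no login: create username and strong password")
        if row["default_password"].strip().lower() == "yes":
            issues.append("factory default password: change it")
        if issues:
            findings[row["name"]] = issues
    return findings

if __name__ == "__main__":
    for device, issues in triage(SAMPLE_INVENTORY).items():
        print(device)
        for issue in issues:
            print("  -", issue)
```

The port-forward column matters because a device with a private address is still reachable from the internet when the firewall or router forwards a port to it.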

Thankfully, the four water systems quickly responded to remove the exposure and did not experience any cyber events due to this issue. The CISA team in Colorado also reached out to the water systems to provide technical support to mitigate the vulnerabilities.  

WQCD encourages water systems to continue to evaluate and protect their systems against cyber threats. Utilities that need support can contact the Colorado CISA Team, including Edward (Charlie) Marmon at edward.marmon@cisa.dhs.gov or Kindra Brewer at kindra.brewer@cisa.dhs.gov. The EPA’s Cybersecurity Technical Assistance Help Desk is also available for assistance. The WQCD Drinking Water Security Response Toolbox is a one-stop shop for security resources.

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Naheem Noah, Field Services Section

Wednesday, July 9, 2025

Cyber Alert: Global Conflict Potential to Impact US Critical Infrastructure

EPA Cyber Alert: Iran Conflict is Increasing the Likelihood of Low-Level Cyberattacks Against US Networks

Note: The Water Quality Control Division is posting the following information in partnership with the Environmental Protection Agency (EPA).

The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators of the need for increased vigilance for potential cyber activity in the United States due to the current geopolitical environment. The U.S. Department of Homeland Security (DHS) published a National Terrorism Advisory System Bulletin, indicating that low-level cyberattacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian Government may conduct attacks against U.S. networks. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) published a fact sheet warning that Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations.

Iranian-affiliated cyber actors have demonstrated the ability to exploit operational technology (OT) devices at U.S. water and wastewater systems, forcing many systems to revert to manual operations and resulting in operational impacts.

All drinking water and wastewater systems are strongly encouraged to implement the following mitigations immediately to enhance resilience against low-level cyberattacks:

  • Reduce OT Exposure to the Public-Facing Internet
  • Replace All Default Passwords on OT Devices with Strong, Unique Passwords
  • Implement Multifactor Authentication for Remote Access to OT Devices

In addition to these immediate actions, drinking water and wastewater systems are encouraged to adopt the actions outlined in the CISA, EPA, and FBI Top Cyber Actions for Securing Water Systems Fact Sheet to further reduce cyber risk and improve resilience against malicious cyber activity.

The U.S. EPA requests that the Water Sector Coordinating Council (WSCC)/Government Coordinating Council (GCC) review this advisory and pass it along to all water & wastewater entities that may be susceptible to this threat. Additionally, we encourage the EPA Regions to share the advisory with the state primacy agencies and direct implementation utilities.

Water and wastewater system owners and operators should direct their IT/OT system administrators to review this alert for further use and implementation. If you rely on third-party vendors for technology support, then you are encouraged to contact them to confirm their awareness of this threat. Organizations are encouraged to report information concerning suspicious or criminal activity to the FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System. If you have questions about any of the information contained in this document, please contact the Water Infrastructure and Cyber Resilience Division, Cybersecurity Branch at watercyberta@epa.gov.

Stay Informed

If you are interested in subscribing to receive security alert notifications immediately upon release, please sign up using this form and select the topics that interest you. This topic is General - Security updates - Water and wastewater systems.

➽ WQCD Security Workgroup

Aqua Answers: Bag and Cartridge Filters in Surface Water Treatment


Dear Aqua Answers,

I’m the operator for a surface water treatment system that uses bag and cartridge filters, and I have a few questions!

___________________________________________________________________________

Question 1: What’s the difference between compliance filters and other bag or cartridge filters at my plant?

For suppliers of surface water or groundwater under the direct influence of surface water (SW/GWUDI), the treatment system must be designed to meet the requirements of Section 11.8 of Regulation 11, also known as the Surface Water Treatment Rule (SWTR). This rule requires the treatment process to remove specific levels of Giardia and Cryptosporidium to ensure public health protection.

One way to meet these requirements is by using bag or cartridge filtration. These filters use a straining process where water passes through a disposable bag or cartridge housed in a permanently installed filter housing. Each filter and housing combination used for compliance filtration must be approved by the Colorado Department of Public Health and Environment (the Department) through the alternative technology approval process. Typically, this approval is obtained by the filter manufacturer rather than through a site-specific approval.

Every installation of bag or cartridge filters at a public water system (PWS) must also be reviewed by the Department as part of a design submittal.

Additional filters, sometimes called “roughing filters,” may be installed upstream of the compliance filters. These do not require separate Department alternative technology approval but usually still require review as part of the design submittal.

For more details on design requirements, see the State of Colorado Design Criteria for Potable Water Systems (DCPWS), Section 4.3.9.

Question 2: How do I know which cartridges or bags I should use in my compliance filters?

Many SW/GWUDI suppliers have been issued a Record of Approved Waterworks (RAW) that lists all the supplier’s approved treatment and storage facilities and water sources. To find your facility’s RAW, visit the Department’s RAW webpage and enter your PWSID or facility name.

If you don’t have a RAW, you can find this information in the approval letter issued by the Department for your filtration system, or you can contact the Engineering Section for assistance.

Your RAW (or approval letter) will specify the approved filter manufacturer, model number, and the Department’s alternative technology acceptance letter. You can find the acceptance letter on our drinking water alternative technology website.

Important: Many bag and cartridge filters on the market have not been approved by the Department. Using unapproved filters or filter/housing combinations for compliance filtration can result in a treatment technique violation or a significant deficiency noted during a sanitary survey—both of which would require the supplier to issue a public notice.

Question 3: I have a sanitary survey coming up. Is there anything I should know about my bag or cartridge filters?

Yes! Suppliers using alternative filtration technology must continuously meet the design, performance, and operation and maintenance requirements in Sections 4.3.9.6 – 4.3.9.8 of the DCPWS and in the Department’s acceptance letter for the specific filtration technology.

For bag and cartridge filtration systems, this typically includes:

  • Not exceeding the maximum specified pressure differential.
  • Keeping daily records of pressure differentials and filter change-outs. These records will be reviewed during the sanitary survey.
  • Maintaining specific spare parts on-site, which may also be checked during the survey.

Be sure to review your RAW and acceptance letter to understand all conditions of approval and ensure you’re keeping the required records. Both your RAW conditions and site-specific records will be evaluated during the sanitary survey.

Question 4: I’m a contract operator managing multiple public water systems. Do the requirements for bag and cartridge filters differ by system type?

Yes, the requirements can vary based on system size and type (e.g., community, non-community, or transient systems). These differences may include NSF 61 certification, the number of redundant filters required, and other system-specific considerations. The DCPWS outlines these requirements in detail, but if you have any questions, please reach out to the Department’s Engineering Section for assistance.

Sincerely,

Aqua Answers