EPA Security Advisory

CDPHE is sending you the following information in partnership with EPA: 

Stay connected with the Office of Water Emergency Response & Cybersecurity at EPA

EPA Advisory: Protecting Sensitive Operational Information in Water and Wastewater Systems

cyber alert

The U.S. Environmental Protection Agency (EPA) is advising water and wastewater systems to consider the risks of disclosing sensitive operational information following multiple public records requests from artificial intelligence (AI) service providers, as reported by the WaterISAC and the American Water Works Association (AWWA).

In at least one instance, an AI service provider requested “all SCADA logs for 2026 for all treatment, distribution and wastewater management systems.” The requestor also indicated they were seeking “daily or hourly historical logs” for specific environmental and physical process indicators, including inflow and outflow water volumes and flow rates, aggregate water quality baseline metrics, historical reservoir and tank storage levels, and aggregate daily energy consumption or equipment run-times.

This type of information carries significant operational sensitivity given the insight it provides to a utility’s operations. EPA concurs with the WaterISAC’s and AWWA’s recommendation that water and wastewater utilities recognize that the aggregation of operational data across multiple utilities has the potential to reveal patterns, vulnerabilities, and system behaviors in the water sector. Such data, if obtained with malicious intent, could be used to jeopardize continuity of service, endangering public health and national security.

EPA encourages water sector utilities to evaluate the potential sensitivity of information requests and to make risk‑informed decisions about whether—and under what conditions—to respond, consistent with applicable state information protection laws.

Upcoming Perchlorate Rule

Program Manager message:

Colorado’s Safe Drinking Water Program is not the only such program in the United States with a newsletter. Over the years, I have subscribed to a few of these newsletters, and sometimes we have reprinted or used articles from them with permission. In this case, I recently read an excellent article in the Arkansas Drinking Water Update newsletter regarding EPA’s proposed perchlorate rule. I reached out to my counterpart in Arkansas, Lance Jones, who authored the article and gained his permission to reprint it here. We are also adding a Colorado perspective regarding likely perchlorate rule impacts on Colorado’s public water systems. 

➽ Ron Falco, P.E., Safe Drinking Water Program Manager

EPA Proposes Perchlorate Rule

On January 2, 2026, the Environmental Protection Agency (EPA) issued a proposed Rule under the Safe Drinking Water Act to regulate perchlorate (ClO4-) in drinking water as part of the National Primary Drinking Water Standards.

The proposed Rule includes a Maximum Contaminant Level Goal (MCLG) of 20 micrograms per liter (ug/L). EPA is also co-proposing enforceable Maximum Contaminant Levels (MCLs) of 20 ug/L, 40 ug/L, or 80 ug/L for perchlorate and will apply to community and non-transient public water systems.

Initial monitoring consists of quarterly monitoring or semi-annual for small ground water systems, for a 12-month period, with routine monitoring determined by those results. Systems with a running annual average above the MCL require quarterly monitoring, systems less than the MCL but greater than or equal to 4 ug/L require annual monitoring (surface water) or triennial (ground water) monitoring, and every 9 years for systems less than 4 ug/L. 

Perchlorate has had a back-and-forth regulatory history for the past 25+ years. Starting with including perchlorate levels in drinking water systems under the 1999 Unregulated Contaminant Monitoring Rule (UCMR). The results led to a 2011 decision by EPA to regulate perchlorate in drinking water. EPA proposed a Rule to regulate perchlorate in drinking water in 2019. In July 2020, EPA withdrew the determination to regulate perchlorate. A legal challenge of the decision to withdraw was filed and led to a 2023 court decision to vacate the withdrawal. EPA entered into a consent decree to sign and issue a final Rule to regulate perchlorate in drinking water by May 21, 2027.

Perchlorate is commonly used in solid rocket propellants, munitions, fireworks, matches, signal flares, and vehicle airbag initiators. It has also been associated with some imported fertilizers and trace amounts can result from improper handling and degradation of hypochlorite solutions.

Perchlorate can potentially interfere with the thyroid gland hormone production. Changes in thyroid hormone production in pregnant women are associated with adverse neurodevelopmental effects in their children. Thyroid hormone level changes at other life stages can lead to hyperthyroidism, developmental outcomes, and cardiovascular system impacts.

EPA’s data show that perchlorate is not widespread in drinking water systems and EPA expects less than 1,300 of the over 135,000 regulated water systems nationwide to find perchlorate levels above the proposed limits. For systems that do find elevated levels of perchlorate, treatment options include ion exchange, biological reduction, reverse osmosis, and blending with another source.

The sampling of several Arkansas water systems in 2001 and 2002 found no detects of perchlorate. ASD will add sampling of perchlorate to the current compliance monitoring efforts upon EPA promulgating a final Rule.

More information about perchlorate in drinking water can be found on the EPA website at:

https://www.epa.gov/sdwa/perchlorate-drinking-water#proposed-perchlorate

➽ Lance Jones, P.E. Health Program Administrator, Arkansas DPHP Environmental Health Engineering

EPA Cyber Alerts: Mitigate Vulnerabilities in F5 Devices

The United States Environmental Protection Agency (EPA) is issuing this alert to inform water and wastewater systems about Emergency Directive (ED) 26-01 issued by the Cybersecurity and Infrastructure Security Agency (CISA). This directive highlights an ongoing exploitation campaign by a nation-state affiliated cyber threat actor that has compromised F5 systems. The actor has exfiltrated data, including portions of F5’s BIG-IP source code and vulnerability information, providing them with a technical advantage to exploit F5 devices and software. This poses a critical threat to water and wastewater systems using F5 products. F5 is a is a technology company that provides products and services to protect and enhance the speed, reliability, and security of applications and networks.

• Link to Emergency Directive 26-01
• Specific Common Vulnerability and Exposure (CVE) information can be found on the vendor’s webpage

Mitigations

Although Emergency Directive 26-01 is directed at federal agencies, EPA strongly recommends that water and wastewater systems review the Emergency Directive and follow the mitigation steps. Systems that outsource technology support should consult with their service providers for assistance with these steps.

Important: Water and wastewater systems are not required to report their activities to CISA, including those outlined in mitigation steps 2.b, 6, and 8 in the Emergency Directive. This requirement applies only to federal agencies; however, systems may choose to report voluntarily and are encouraged to do so if a compromise is detected.

Conclusion

If you have questions about any of the information in this alert, including assistance with the mitigation steps included in the Emergency Directive, please submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector. Additionally, CISA has provided the following contact information specific to this Emergency Directive:

• General information, assistance, and reporting: CyberDirectives@cisa.dhs.gov
• Reporting indications of compromise: contact@cisa.dhs.gov

EPA Cyber Alerts: Cisco Products and SonicWall Cyber Incidents

The Colorado Department of Public Health and Environment (CDPHE) is posting the following cyber alerts in partnership with the Environmental Protection Agency (EPA). Please reach out to EPA with any questions about this or any additional Cyber concerns  watercyberta@epa.gov.

Alert: Identify and Mitigate Potential Compromise of Cisco Devices

The United States Environmental Protection Agency (EPA) is issuing this alert to inform water and wastewater systems about Emergency Directive (ED) 25-03 issued by the Cybersecurity and Infrastructure Security Agency (CISA). This directive highlights an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to achieve unauthenticated remote code execution on Cisco ASAs. Additionally, it includes the manipulation of read-only memory (ROM), enabling threat actors to maintain access even through reboots and system upgrades.

Link to Emergency Directive 25-03

Mitigations

Although Emergency Directive 25-03 is directed at federal agencies, EPA strongly recommends that water and wastewater systems review the Emergency Directive and follow the mitigation steps. The Emergency Directive includes a detailed step-by-step guide along with resources to assist in implementing each mitigation. Systems that outsource technology support should consult with their service providers for assistance with these steps.

Important: Water and wastewater systems are not required to report their activities to CISA, including those outlined in mitigation steps 2, 3, and 6 in the Emergency Directive. This requirement applies only to federal agencies; however, systems may choose to report voluntarily and are encouraged to do so if a compromise is detected.

Conclusion

If you have questions about any of the information in this alert, including assistance with the mitigation steps included in the Emergency Directive, please submit a request to EPA’s Cybersecurity Technical Assistance Program for the Water Sector.

Additionally, CISA has provided the following contact information specific to this Emergency Directive:

• General information, assistance, and reporting: CyberDirectives@cisa.dhs.gov
• Reporting indications of compromise: contact@cisa.dhs.gov
• Colroado specific assistance and interpretation of the emergency directive for the water sector: kindra.brewer@cisa.dhs.gov

Upcoming EPA Cyber/Resilience Funding Cycle

EPA Announces Availability of $9 Million to Protect Drinking Water from Natural Hazards and Cybersecurity Threats

The U.S. Environmental Protection Agency (EPA) has announced over $9 million in grant funding through the new competitive Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability grant program, which will assist medium and large size public water systems with protecting drinking water sources from natural hazards, extreme weather events, and cybersecurity threats. The application period is open until October 6, 2025, and can be found on www.grants.gov under opportunity number EPA-OW-OGWDW-25-01, assistance listing number 66.488.

Learn More About The Grant Opportunity on EPA's Website

EPA will host a webinar on the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Grant Program on August 19th, from 2:00 to 3:00 PM ET. Please join us to learn more.

Register for EPA's August 19th Webinar

Coordination with Public Water Systems on SCADA Vulnerabilities

In June 2025, the EPA’s Water Infrastructure and Cyber Resilience Division (WICRD) notified the Water Quality Control Division (WQCD) that they had identified potential cybersecurity vulnerabilities at four Colorado public water systems (PWSs). While scanning for vulnerable devices, EPA identified the specific TCP/IP addresses of four BIF3800 SCADA Control Systems that were internet-exposed and could potentially allow a remote user to access the device and disrupt the utility’s operations. WQCD Field Services immediately reached out to the four water systems to notify them of the potential vulnerability so they could take action to protect their systems. 

Many utilities installed SCADA BIF3800 units as early as the 1990s and were controlling ancillary processes in the distribution systems of the water systems. There was a common thought that hackers would not be interested in equipment that is so old, or that the older control systems would be less vulnerable to cyber attacks. Unfortunately, hackers can exploit any internet-exposed interfaces like these. The EPA and the Cybersecurity and Infrastructure Security Agency (CISA) recently published this joint fact sheet, which highlights the risks posed by internet-exposed Human Machine Interfaces (HMIs), including how hackers can find and exploit HMIs with cybersecurity weaknesses easily. The EPA and CISA fact sheet includes recommended mitigations to secure HMIs, including:

• Conduct an inventory of all internet-exposed devices.
• If possible, disconnect HMIs and all other accessible and unprotected systems from the public-facing internet.
• If it is not possible to disconnect the device, secure it by creating a username and a strong password to prevent a threat actor from easily viewing and accessing the device. Change factory default passwords.

Thankfully, the four water systems quickly responded to remove the exposure and did not experience any cyber events due to this issue. The CISA team in Colorado also reached out to the water systems to provide technical support to mitigate the vulnerabilities.  

WQCD encourages water systems to continue to evaluate and protect their systems against cyber threats. Utilities that need support can contact the Colorado CISA Team, including Edward (Charlie) Marmon at edward.marmon@cisa.dhs.gov  or Kindra Brewer at kindra.brewer@cisa.dhs.gov, and the EPA’s Cybersecurity Technical Assistance Help Desk is also available for assistance. The WQCD Drinking Water Security Response Toolbox is a one-stop shop for security resources. 

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Naheem Noah, Field Services Section

Cyber Alert: Global Conflict Potential to Impact US Critical Infrastructure

EPA Cyber Alert: Iran Conflict is Increasing the Likelihood of Low-Level Cyberattacks Against US Networks

Note: The Water Quality Control Division is posting the following information out in partnership with the Environmental Protection Agency (EPA) .

The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators of the need for increased vigilance for potential cyber activity in the United States due to the current geopolitical environment. The U.S. Department of Homeland Security (DHS) published a National Terrorism Advisory System Bulletin, indicating that low-level cyberattacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian Government may conduct attacks against U.S. networks. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) published a fact sheet warning that Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations.

Iranian-affiliated cyber actors have demonstrated the ability to exploit operational technology (OT) devices at U.S. water and wastewater systems, forcing many systems to revert to manual operations and resulting in operational impacts.

All drinking water and wastewater systems are strongly encouraged to implement the following mitigations immediately to enhance resilience against low-level cyberattacks:

• Reduce OT Exposure to the Public-Facing Internet
• Replace All Default Passwords on OT Devices with Strong, Unique Passwords
• Implement Multifactor Authentication for Remote Access to OT Devices

In addition to these immediate actions, drinking water and wastewater systems are encouraged to adopt the actions outlined in the CISA, EPA, and FBI Top Cyber Actions for Securing Water Systems Fact Sheet to further reduce cyber risk and improve resilience against malicious cyber activity.

The U.S. EPA requests that the Water Sector Coordinating Council (WSCC)/Government

Coordinating Council (GCC) review this advisory and pass it along to all water & wastewater entities that may be susceptible to this threat. Additionally, we encourage the EPA Regions share the advisory with the state primacy agencies and direct implementation utilities.

Water and wastewater system owners and operators should direct their IT/OT system

administrators to review this alert for further use and implementation. If you rely on third party vendors for technology support, then you are encouraged to contact them to confirm their awareness of this threat. Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System. If you have questions about any of the information contained in this document, please contact the Water Infrastructure and Cyber Resilience Division, Cybersecurity Branch at watercyberta@epa.gov.

Stay Informed

If you are interested in subscribing to receive security alert notifications immediately upon release, please sign up using this form and select the topics that interest you. This topic is General - Security updates - Water and wastewater systems.

➽ WQCD Security Workgroup

CDPHE, EPA, & Wigwam Partnership for PFAS Treatment

Resources: 

For more information please visit 

• CDPHE PFAS Proarjects Website
• WQCD Grant Website

The Colorado Department of Public Health and Environment (CDPHE) is excited to highlight Wigwam Mutual Water Company’s PFAS pilot project as an excellent example of the Division’s culture of health initiatives. Wigwam is a small public water system, located in El Paso, County just south of Colorado Springs, that serves approximately 1,300 people. Their source water is drawn from the Fountain Creek alluvial aquifer and through pro-active testing the public water system detected elevated levels of certain PFAS in its drinking water. The test results came back above the established EPA Maximum Contaminant Level (MCL) of 4.0 parts per trillion (ppt) for Perfluorooctanoic acid (PFOA) and perfluorooctanesulfonic acid (PFOS). To address this emerging contaminant issue, CDPHE provided the community with point-of-use treatment to reduce PFAS levels to below the MCL while working towards the implementation of a more permanent treatment solution. This effort was promoted to ensure the community was provided with safe drinking water during the next planning and design phases of the project. 

Last year, CDPHE awarded Wigwam a $300,000 grant to pilot PFAS treatment technologies through the Emerging Contaminants in Small for Disadvantaged Communities (EC/SDC) grant program. This project has been a collaborative approach with direct assistance from the CDPHE, PFAS team and Engineering staff, the Environmental Protection Agency (EPA), and the EPA’s Office of Research and Development (ORD). Wigwam is planning to conduct pilot testing with Granulated Activated Carbon (GAC), Anion Exchange (AIX), and a new emerging technology, namely Electrocoagulation (EC). This innovative pilot project will compare the different treatment technologies and assist Wigwam in determining if the new EC technology is feasible and able to effectively treat PFAS in its drinking water. This collaborative approach will help ensure that this community has the best information to help them find a viable treatment solution to address this water quality challenge. After the study, EPA and CDPHE will utilize the treatment piloting results to provide an assessment of the treatment options for communities in order to effectively remove PFAS and other contaminants with reasonable and sustainable costs. 

CDPHE is excited to promote the partnership between EPA ORD and Wigwam to assist in this effort.

➽ Sierra Mitchell, PFAS Program Coordinator