THE BLUF
State-sponsored threat actors continue to hold persistent access to U.S. water and wastewater systems, and there is no indication that the Volt Typhoon or CyberAv3ngers intrusions have been fully eradicated from compromised networks. CISA continues to publish ICS advisories at a sustained pace for PLC and SCADA platforms commonly deployed in the water sector. Meanwhile, EPA's enforcement posture on cybersecurity compliance under SDWA Section 1433 remains aggressive: if your community water system serves more than 3,300 people and has not completed or recertified its Risk and Resilience Assessment and Emergency Response Plan on the statutory five-year cycle, you are operating outside the law and outside common sense.
THREAT INTELLIGENCE
Persistent Nation-State Threats to Water Infrastructure Remain Active
Let me be direct: nothing has changed for the better. The PRC state-sponsored Volt Typhoon campaign, which pre-positions inside U.S. critical infrastructure for potential disruption during a geopolitical crisis, remains the most significant strategic cyber threat to the water sector. The joint CISA, NSA and FBI advisory on this activity (AA24-038A) confirmed that these actors exploit end-of-life network equipment, unpatched internet-facing edge devices (especially VPN appliances and small-office routers), and living-off-the-land techniques that use the operating system's own administrative tools, so there is no malware binary for signature-based antivirus to flag. If you are running legacy Cisco, Fortinet, or Netgear equipment at your perimeter without current firmware, or equipment the vendor no longer patches at all, you are an open door.
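To make the living-off-the-land point concrete, the script below is an added example written for this edit, not tooling from CISA or the briefing's author. It runs a few detection rules over constructed Windows process-creation records (event 4688 exported as one JSON object per line). The hostnames, accounts and field names are invented, and the four command-line patterns are this example's own selection from the tradecraft described in the joint advisory; treat them as a starting point to tune against your own baseline, not a complete signature set.

```python
"""Flag living-off-the-land command lines associated with Volt Typhoon-style
tradecraft in Windows process-creation telemetry.

Example code added to this briefing; not from CISA or the original author.
Every record in SAMPLE_LOG is constructed for illustration.
"""
import json
import re

# Constructed sample telemetry: one record per line, the way a SIEM might
# export Security event 4688 (process creation). Fields are this example's own.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"host": "ws-ops-01", "user": "CORP\\jdoe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "hmi-east-02", "user": "CORP\\jdoe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 "
            "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"},
    {"host": "dc-01", "user": "CORP\\svc_print",
     "cmd": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"host": "ws-ops-01", "user": "CORP\\jdoe",
     "cmd": 'wmic /node:10.0.0.7 process call create "cmd /c whoami"'},
    {"host": "ws-ops-03", "user": "CORP\\asmith",
     "cmd": r"C:\Windows\System32\notepad.exe C:\ops\notes.txt"},
    {"host": "dc-01", "user": "CORP\\backupsvc",
     "cmd": "vssadmin create shadow /for=C:"},
])

# Built-in tools and argument shapes the joint advisory describes the actors
# using. Selection and wording are this example's own; all have legitimate
# administrative uses, so the signal is *who* runs them *where*.
LOTL_PATTERNS = [
    ("netsh portproxy pivot",
     re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I)),
    ("ntdsutil AD database dump",
     re.compile(r"ntdsutil(\.exe)?\s+.*\b(ac\s+i\s+ntds|ifm)\b", re.I)),
    ("wmic remote process creation",
     re.compile(r"wmic(\.exe)?\s+.*process\s+call\s+create", re.I)),
    ("vssadmin shadow copy creation",
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
]


def find_lotl_activity(jsonl, allowlist_users=()):
    """Return one hit per (record, matching rule).

    allowlist_users suppresses accounts whose use of these tools is expected
    (for example a backup service that legitimately creates shadow copies).
    Keep that list short and reviewed: an attacker who has stolen the backup
    account benefits from every name on it.
    """
    hits = []
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("user") in allowlist_users:
            continue
        cmd = ev.get("cmd", "")
        for technique, pattern in LOTL_PATTERNS:
            if pattern.search(cmd):
                hits.append({"line": lineno, "host": ev.get("host"),
                             "user": ev.get("user"), "technique": technique,
                             "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_lotl_activity(SAMPLE_LOG):
        print(f"[{hit['technique']}] {hit['host']} {hit['user']}: {hit['cmd']}")
```

Run against the sample, the script reports the portproxy pivot, the NTDS.dit extraction via ntdsutil, the remote WMI process creation and the shadow-copy creation, and stays silent on the two ordinary processes. The allowlist exists because these tools are legitimate; the tuning work in a real deployment is deciding which accounts and hosts should ever run them, and alerting on everything else.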
Simultaneously, the IRGC-affiliated CyberAv3ngers group that compromised Unitronics Vision Series PLCs at multiple water utilities continues to be tracked. CISA's standing guidance for Unitronics PLCs remains in full effect: change the default password (the factory default is 1111), disconnect the PLC from the public internet, change the default PCOM listening port (TCP 20256) if the device must be reachable at all, and require multi-factor authentication on every remote access path. If you took action 18 months ago when this first broke, verify that your mitigations are still in place. Configurations drift. People leave. Passwords get reset to defaults during troubleshooting, and a replacement unit arrives from the vendor with the factory settings. Check your work.
Key References: