THE BLUF
You are now 7 days from the June 30, 2026 AWIA deadline. If your utility serves 50,000–99,999 people, your updated Emergency Response Plan (ERP) is due. If you serve 3,301–49,999, your recertified Risk and Resilience Assessment (RRA) is due. Missing this deadline doesn't just invite an EPA compliance inquiry — it puts your community's federal funding eligibility at risk and creates legal exposure for your utility leadership. Meanwhile, CISA issued a new alert urging immediate hardening of Fortinet devices after reports of credential exposure, and continued adding actively exploited vulnerabilities to the KEV catalog at a steady clip. This week also marks the first time CISA has flagged a Splunk Enterprise authentication bypass on the KEV — if your SCADA historian or log aggregator runs Splunk, that box just became a priority. The persistent threat from Iranian-affiliated actors targeting PLCs across U.S. critical infrastructure (CISA AA26-097A, published April 2026) remains the standing water-sector threat of record. No new water-sector-specific ICS advisories were published in the past 7 days, but the operational tempo of KEV additions means your patch backlog is growing whether you see it or not.
THREAT INTELLIGENCE
🔴 [REGULATORY MANDATE] AWIA Recertification Deadlines — 7 Days Remaining
The clock is almost out. Under the America's Water Infrastructure Act (AWIA), two critical compliance deadlines hit on June 30, 2026:
Utilities serving 50,000–99,999 people: Updated Emergency Response Plans (ERPs) must be certified to EPA by June 30, 2026.
Utilities serving 3,301–49,999 people: Recertified Risk and Resilience Assessments (RRAs) must be certified to EPA by June 30, 2026. (Updated ERPs for this tier are due December 31, 2026.)
EPA certification requires formal submission via the agency's online webform — not a phone call, not an email. If you haven't started this process, you are behind. Source: EPA Cybersecurity for the Water Sector
🟠 [CRITICAL VULNERABILITY] CISA Urges Hardening Fortinet Devices After Credential Exposure Reports
On June 18, 2026, CISA issued an alert urging all organizations to harden Fortinet networking devices following reports of credential exposure. Fortinet firewalls, VPN concentrators, and gateways are ubiquitous in water utility IT networks and frequently serve as the single boundary between corporate IT and OT/SCADA environments. Compromised Fortinet credentials give an attacker a direct path from the internet to your plant network. This is not theoretical — Fortinet devices have been a repeatedly demonstrated IT-to-OT bridge in prior water sector incidents. Source: CISA Cybersecurity Advisory (Search: "Fortinet Credential Exposure")
🟡 [ACTIVE THREAT INTEL] Iranian-Affiliated Actors Continue to Exploit PLCs Across U.S. Critical Infrastructure (AA26-097A)
CISA's April 7, 2026 advisory (AA26-097A) remains the standing water-sector threat of record. Iranian-affiliated cyber actors are actively exploiting Programmable Logic Controllers (PLCs) across U.S. critical infrastructure, including the water and wastewater sector. The advisory specifically calls out the exploitation of default credentials, internet-exposed OT devices, and the lack of multi-factor authentication on remote access points — all issues disproportionately affecting small and mid-sized utilities. No update or rescission has been issued in the past 7 days; this threat remains active. Source: CISA Cybersecurity Advisory (Search: "AA26-097A")
🟡 [ACTIVE THREAT INTEL] WaterISAC: Email Impersonation Remains a Persistent Risk for Water Utilities
On June 18, 2026, WaterISAC (Member Login Required) published a bulletin on email impersonation campaigns continuing to target water utilities. These campaigns use spoofed sender addresses to trick operators and administrative staff into clicking malicious links or divulging credentials. For utilities where the same staff member manages both billing and SCADA access, a single successful phish can bridge the gap from inbox to plant controls. Source: WaterISAC (Member Login Required)
Subscribe to The CIP Briefing to read the rest.
Become a premium subscriber to unlock the full Compliance Log, specific vulnerability mitigation steps, and the complete Action Plan.
Upgrade