THE BLUF

Twenty-one days. That is what separates you from the June 30, 2026 AWIA deadline. If you serve 50,000–99,999 people, your updated Emergency Response Plan must be certified by then. If you serve 3,301–49,999, your recertified Risk and Resilience Assessment is due June 30 — and your updated ERP follows on December 31, 2026. If you have not submitted your certification through EPA's webform, start today. There will be no extension.

This week's new intelligence is operationally significant. EPA announced a 2026 National Cyber Drill focused on operating water utilities without telecommunications and internet connectivity — a scenario that reflects the government's assessment that state-sponsored pre-positioning in critical infrastructure is not theoretical but ongoing. Separately, CISA and partners issued a new fact sheet urging operators to harden Automatic Tank Gauge (ATG) systems — fuel management devices that are also found in water/wastewater chemical storage and bulk process environments. If you have internet-exposed tank gauging equipment of any kind, you need to read this. CISA also added five new CVEs to its Known Exploited Vulnerabilities catalog in the past seven days, including a SolarWinds Serv-U flaw and a Linux Kernel vulnerability that is four years old and just now being weaponized at scale. Complacency on legacy patching will get you breached.

THREAT INTELLIGENCE

🟡 [ACTIVE THREAT INTEL] EPA Announces 2026 National Cyber Drill: Operating Without Telecom and Internet

Published June 4, 2026. WaterISAC (Member Login Required) posted a TLP:CLEAR notice that EPA will conduct a 2026 National Cyber Drill specifically focused on the scenario of water utilities losing all telecommunications and internet connectivity. This is not a generic tabletop — it is a direct acknowledgment by the federal government that adversaries are capable of severing the digital link between your operations center and your remote sites. The drill scenario forces utilities to confront the question: can your operators manually control treatment, distribution, and monitoring if every SCADA screen goes dark and every cell phone goes dead? For small and medium utilities that rely entirely on remote monitoring with skeleton crews, this is an existential scenario.

🟠 [CRITICAL VULNERABILITY] CISA and Partners Urge Hardening of Automatic Tank Gauge (ATG) Systems

Published June 2, 2026. CISA released a joint fact sheet with partners urging operators to harden Automatic Tank Gauge systems. While ATGs are most commonly associated with fuel management, water and wastewater utilities use functionally identical tank gauging and level monitoring equipment for chemical storage tanks (chlorine, fluoride, coagulant, fuel for backup generators). Many of these devices use legacy serial-to-IP converters, have default credentials, and are directly internet-accessible. The fact sheet follows prior CISA research identifying thousands of exposed ATG systems nationwide. Threat actors — including hacktivists — have demonstrated the ability to manipulate tank level readings and trigger false alarms or suppress real ones.

🟠 [CRITICAL VULNERABILITY] CISA Adds SolarWinds Serv-U to Known Exploited Vulnerabilities Catalog (CVE-2026-28318)

Published June 5, 2026. CISA added CVE-2026-28318, a SolarWinds Serv-U uncontrolled resource consumption vulnerability, to the KEV catalog. SolarWinds Serv-U is a managed file transfer (MFT) product deployed in many utility environments to move SCADA configuration files, compliance reports, and lab data between sites. An uncontrolled resource consumption flaw means an attacker can exhaust the service, denying file transfer operations. For utilities that use Serv-U as part of automated data pipelines between field sites and the main operations center, an outage here could blind you to operational data.

🟡 [ACTIVE THREAT INTEL] CISA Adds Legacy Linux Kernel Vulnerability to KEV Catalog (CVE-2022-0492)

Published June 2, 2026. CISA added CVE-2022-0492, a Linux Kernel improper authentication vulnerability originally disclosed in 2022, to the KEV catalog — confirming active exploitation in the wild. This is a cgroup privilege escalation flaw. If your utility runs Linux-based SCADA servers, historians, HMI platforms, or containerized applications (including Docker-based deployments of Ignition, MQTT brokers, or data aggregation tools), and you have not patched your kernel in the last four years, you are running a known-exploited vulnerability in production. This is the exact kind of legacy debt that state-sponsored actors exploit for initial access and lateral movement.
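One way to turn the two KEV additions above into a patch-triage list, as an added example that is not part of the original briefing: it cross-references entries laid out like CISA's KEV JSON feed against an asset inventory and ranks the matches by due date. The inventory, hostnames and the dateAdded/dueDate values are constructed; a match on vendor and product only means the host needs a version and patch check, not that it is confirmed vulnerable.

```python
import json
from datetime import date

# Constructed sample using field names from CISA's KEV JSON feed. CVE IDs and
# products come from the briefing; dateAdded/dueDate values are placeholders.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds", "product": "Serv-U",
   "dateAdded": "2026-06-05", "dueDate": "2026-06-26"},
  {"cveID": "CVE-2022-0492", "vendorProject": "Linux", "product": "Kernel",
   "dateAdded": "2026-06-02", "dueDate": "2026-06-23"}
]}
""")

# Constructed asset inventory (hypothetical hostnames and roles).
INVENTORY = [
    {"host": "mft-01", "role": "file transfer", "software": [("SolarWinds", "Serv-U")]},
    {"host": "hist-01", "role": "historian", "software": [("Linux", "Kernel"), ("Docker", "Engine")]},
    {"host": "hmi-02", "role": "HMI", "software": [("Microsoft", "Windows")]},
]

def _key(vendor, product):
    # Normalise so "linux"/"Linux " style differences do not hide a match.
    return (vendor.strip().lower(), product.strip().lower())

def match_kev(kev, inventory, today):
    """Return one finding per (host, KEV entry) pair, soonest due date first."""
    index = {}
    for v in kev["vulnerabilities"]:
        index.setdefault(_key(v["vendorProject"], v["product"]), []).append(v)
    findings = []
    for asset in inventory:
        for vendor, product in asset["software"]:
            for v in index.get(_key(vendor, product), []):
                due = date.fromisoformat(v["dueDate"])
                findings.append({"host": asset["host"], "role": asset["role"],
                                 "cve": v["cveID"], "due": due,
                                 "days_left": (due - today).days,
                                 "overdue": due < today})
    return sorted(findings, key=lambda f: (f["due"], f["host"]))

if __name__ == "__main__":
    # June 9, 2026 is twenty-one days before the June 30 deadline in the BLUF.
    for f in match_kev(KEV_SAMPLE, INVENTORY, date(2026, 6, 9)):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']:8} {f['role']:14} {f['cve']:15} due {f['due']}  {status}")
```
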

Subscribe to The CIP Briefing to read the rest.
