THE BLUF

The June 30, 2026 AWIA deadline has passed. If your utility serves 50,000–99,999 people and you did not certify your updated Emergency Response Plan, or you serve 3,301–49,999 and did not certify your Risk and Resilience Assessment, you are now non-compliant. This is not a theoretical problem — it is a documented gap that EPA can act on, and it puts your federal funding eligibility and your executive leadership's personal legal exposure at immediate risk. If you missed it, you need to submit immediately and document the delay. Do not wait for someone to notice. Meanwhile, this week's KEV catalog additions hit two products that are directly relevant to small utility operations: SimpleHelp, a remote access tool used by IT contractors to manage utility systems remotely, has an actively exploited authentication bypass (CVE-2026-48558). If your IT contractor uses SimpleHelp to reach into your SCADA workstations or HMI servers, an attacker can now walk right past the login screen. Separately, Microsoft SharePoint Server picked up an actively exploited deserialization vulnerability (CVE-2026-45659). Many mid-size utilities use on-premises SharePoint for document management, including storing AWIA compliance plans, P&IDs, and network diagrams — the exact intelligence an adversary needs to plan a follow-on OT attack. The threat environment has not paused for the holiday week. Neither should your defenses.

THREAT INTELLIGENCE

🔴 [REGULATORY MANDATE] AWIA Compliance — Post-Deadline Status for Non-Compliant Utilities

The June 30, 2026 AWIA deadlines have now expired:

  • Utilities serving 50,000–99,999 people: Updated Emergency Response Plans (ERPs) were legally due June 30, 2026.

  • Utilities serving 3,301–49,999 people: Recertified Risk and Resilience Assessments (RRAs) were legally due June 30, 2026. Updated ERPs for this tier remain due December 31, 2026.

If your utility missed the deadline, you are currently in non-compliance with AWIA Section 2013. EPA certification requires formal submission via the agency's online webform. There is no published grace period. Source: EPA Cybersecurity for the Water Sector

🟠 [CRITICAL VULNERABILITY] SimpleHelp Authentication Bypass — Active Exploitation (CVE-2026-48558)

On June 29, 2026, CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog. This is an authentication bypass vulnerability in SimpleHelp, a widely used remote support and remote access tool. Many small and mid-size water utilities rely on IT contractors who use SimpleHelp to remotely access SCADA workstations, HMI servers, and administrative systems. An authentication bypass means an attacker does not need credentials to gain access — they simply connect. If SimpleHelp is internet-facing and bridging into your OT environment, this is a direct, unauthenticated path from the public internet to your plant control systems. This vulnerability is under active exploitation in the wild. Source: CISA KEV Catalog

🟠 [CRITICAL VULNERABILITY] Microsoft SharePoint Server Deserialization Vulnerability — Active Exploitation (CVE-2026-45659)

On July 1, 2026, CISA added CVE-2026-45659 to the KEV catalog. This is a deserialization of untrusted data vulnerability in Microsoft SharePoint Server. Successful exploitation allows remote code execution on the SharePoint server. Many mid-size water and wastewater utilities run on-premises SharePoint instances to store compliance documentation (including AWIA ERPs and RRAs), engineering drawings, network architecture diagrams, and operational procedures. A compromised SharePoint server gives an adversary access to the exact documents they need to understand your facility's physical layout, control system architecture, and emergency response playbook — information that directly enables a follow-on OT attack. Source: CISA KEV Catalog

Subscribe to The CIP Briefing to read the rest.

Become a premium subscriber to unlock the full Compliance Log, specific vulnerability mitigation steps, and the complete Action Plan.

Upgrade

A subscription gets you:

Keep Reading