THE BLUF

The June 30, 2026 AWIA deadline is here. If your utility serves 50,000–99,999 people, your updated Emergency Response Plan certification is due to the EPA. If you serve 3,301–49,999, your recertified Risk and Resilience Assessment is also due. There are no extensions and no grace periods — failing to certify means your utility leadership has personal legal exposure and your community's federal funding eligibility is at risk. Beyond compliance, this week brings a genuinely dangerous new KEV entry: three actively exploited vulnerabilities in Ubiquiti UniFi OS — hardware that is cheap, popular, and deployed in an alarming number of small utility networks as switches, access points, and security cameras. If you have UniFi gear bridging your IT and OT networks, an attacker now has a proven path through it. Separately, a Lantronix EDS5000 code injection vulnerability hit the KEV catalog. Lantronix serial-to-Ethernet device servers are the exact kind of legacy OT bridge hardware found in water treatment plants connecting serial PLCs to IP networks. This isn't an enterprise IT problem — this is your plant floor. Meanwhile, WaterISAC (Member Login Required) posted a TLP:GREEN Security & Resilience Update on June 25 referencing the Handala attack on a U.S. water utility and the availability of a Q1 quarterly incident report. The threat tempo against water utilities has not slowed. Act accordingly.

THREAT INTELLIGENCE

🔴 [REGULATORY MANDATE] AWIA Recertification Deadlines — The Deadline Has Arrived

The clock has run out. Under the America's Water Infrastructure Act (AWIA), two critical compliance deadlines hit on June 30, 2026:

  • Utilities serving 50,000–99,999 people: Updated Emergency Response Plans (ERPs) must be certified to the EPA.

  • Utilities serving 3,301–49,999 people: Recertified Risk and Resilience Assessments (RRAs) must be certified to the EPA. (Updated ERPs for this tier are due December 31, 2026.)

EPA certification requires formal submission via the agency's online webform — not a phone call, not an email. If you have not submitted, your utility is actively entering non-compliance status. Source: EPA Cybersecurity for the Water Sector

🟡 [ACTIVE THREAT INTEL] WaterISAC: Handala Attack on U.S. Water Utility and Q1 Incident Report

On June 25, 2026, WaterISAC (Member Login Required) published a TLP:GREEN Security & Resilience Update with new details on the Handala cyberattack against a U.S. water utility, along with notice that the Q1 2026 Quarterly Incident Report is now available to members. The Handala group is a pro-Iranian hacktivist entity that has been escalating operations against Western critical infrastructure. This update signals that the water sector continues to sustain direct, named targeting — not theoretical risk. Separately, WaterISAC published a Tip of the Week on June 25 focused on cybersecurity preparedness. Source: WaterISAC (Member Login Required)

🟠 [CRITICAL VULNERABILITY] Lantronix EDS5000 Code Injection — Active Exploitation (CVE-2025-67038)

On June 23, 2026, CISA added CVE-2025-67038 to the Known Exploited Vulnerabilities (KEV) catalog. This is a code injection vulnerability in the Lantronix EDS5000 serial-to-Ethernet device server. Lantronix device servers are a common legacy bridge in water and wastewater plants — they connect serial-only PLCs and RTUs to modern IP networks. A successful exploit gives an attacker arbitrary code execution on a device that sits directly on the OT network with no authentication boundary. This is not enterprise IT hardware. This is plant-floor infrastructure. Source: CISA KEV Catalog

🟠 [CRITICAL VULNERABILITY] Ubiquiti UniFi OS — Three Actively Exploited Vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910)

On June 23, 2026, CISA added three Ubiquiti UniFi OS vulnerabilities to the KEV catalog: an improper access control flaw (CVE-2026-34908), a path traversal vulnerability (CVE-2026-34909), and an improper input validation issue (CVE-2026-34910). Ubiquiti UniFi products — access points, switches, gateways, security cameras — are widely deployed in small and mid-sized water utilities because of their low cost and ease of management. These devices frequently serve as the de facto network boundary between IT and OT. Active exploitation means attackers are already using these as entry points. Source: CISA KEV Catalog

🟡 [ACTIVE THREAT INTEL] CISA: Russian Intelligence Services Continue to Target Commercial Messaging Applications

On June 26, 2026, CISA published a resource warning that Russian intelligence services are continuing to target commercial messaging applications. Water utility staff who use platforms like Signal, WhatsApp, or Telegram for operational coordination — even informally — should treat this as a direct targeting risk. Social engineering through messaging apps is a proven initial access vector. Source: CISA Cybersecurity Advisories

Subscribe to The CIP Briefing to read the rest.

Become a premium subscriber to unlock the full Compliance Log, specific vulnerability mitigation steps, and the complete Action Plan.

Upgrade

A subscription gets you:

Keep Reading