Introduction
Water and wastewater systems are critical infrastructure, essential to public health, safety, and economic stability. However, as these systems become increasingly digitized, they also become more vulnerable to cyber threats. A cybersecurity vulnerability assessment is a crucial step in identifying and mitigating risks before they can be exploited.
Senate Enrolled Act 459 mandates cybersecurity vulnerability assessments and other cybersecurity measures for certain water and wastewater facilities. These regulations took effect July 1, 2025.
Protecting Public Health and Safety
Cyberattacks on water facilities can lead to damage to human health and the environment, service disruptions, or unauthorized chemical dosing, directly impacting communities. Assessing vulnerabilities helps ensure the safety and reliability of drinking water and wastewater treatment.
Preventing Operational Disruptions
A cyberattack can shut down treatment plants, disrupt distribution networks, or disable monitoring systems. Identifying weaknesses allows utilities to implement safeguards, preventing costly outages and maintaining uninterrupted service.
Defending Against Emerging Cyber Threats
Cybercriminals are constantly evolving their methods, targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks. A thorough assessment identifies security gaps and enhances defenses against ransomware, malware, and insider threats.
Compliance with Regulations
Regulatory bodies such as the Environmental Protection Agency (EPA) and the Department of Homeland Security (DHS) emphasize cybersecurity in water infrastructure. Conducting vulnerability assessments ensures compliance with federal and state cybersecurity guidelines, avoiding fines and legal liabilities.
Indiana Code (IC) 13-18-16.5-1 applies to the following water and wastewater facilities that utilize computerized systems to monitor and control processes from a central location:
- Community water systems serving populations of 500 or more.
- Publicly owned treatment works.
- Semipublic facilities classified as Class III or IV.
Cybersecurity Requirements
- As of July 1, 2025, water and wastewater facilities are required to notify the state of cyber incidents. When an actual or reasonably suspected cybersecurity breach occurs, the incident must be reported to IOT within 24 hours after discovery if operations are impacted. If there are no impacts to operations, IOT must be notified within two business days after discovery of the incident.
- Cyber incidents can be reported using the IOT Incident Reporting Form.
- Identify and assign a cybersecurity incident reporter with contact info for IDEM. Due by August 31, 2025 and every year afterwards.
- Perform a vulnerability assessment of the plant’s digital infrastructure. This can be done by the facility, city, or contractor. Due by December 31, 2026 and every year afterwards. It is not required to be submitted to IOT.
- Submit a certification of the cybersecurity assessment verifying that the facility has completed the assessment, has mitigated (or has plans to mitigate) identified vulnerabilities, and has an updated emergency response plan. Due by December 31, 2026 and every other year afterwards.
Strengthening Incident Response and Recovery
Being prepared for cyber incidents minimizes their impact. A vulnerability assessment helps develop a response plan, ensuring quick recovery and reducing downtime in case of an attack.
Contacts
- Travis Goodwin, Drinking Water Facilities, tgoodwin1@idem.in.gov, (317) 775-5473
- Andrew Dryden, Wastewater Facilities, adryden@idem.in.gov, (317) 234-7609
- Report cybersecurity incidents 24/7
