Who is required to do an assessment? (IC 13-18-16.5-1)
The requirement to complete a cybersecurity vulnerability assessment applies to entities that meet both of the following criteria:
- Facility Type:
- Community water systems serving populations of 500 or more
- Publicly owned treatment works
- Class III and IV Semipublic wastewater facilities
- Technology Use:
- Utilize a computerized system to monitor and control processes from a central location (SCADA, Omnisite, etc), or
- Operate other vulnerable monitoring or management systems as identified by the Indiana Office of Technology (IOT)
What is an assessment?
A Water Cybersecurity Vulnerability Assessment is a structured evaluation of a water system’s digital and operational security to identify weaknesses, assess risks, and provide actionable recommendations for strengthening defenses. As water and wastewater infrastructure becomes increasingly digitized, it faces growing threats from cyberattacks that could disrupt operations, compromise water quality, and endanger public health.
This assessment involves:
- Identifying vulnerabilities in networked and operational technology systems
- Analyzing potential cyber threats and their impact
- Evaluating existing security measures and controls
- Providing strategies to enhance resilience and incident response
By conducting regular assessments, water utilities can proactively manage risks, ensure compliance with regulations, and protect critical services from evolving cyber threats. Safeguarding water infrastructure is not just an IT concern—it’s a public safety priority.
Free Cybersecurity Assessment Tools
Timeline
| Date / Timeline | Requirement | Notes |
|---|---|---|
| Jul. 1, 2025 | SB459 takes effect | N/A |
| Jul. 1 - Aug. 31, 2025 | Facilities provide a contact to IOT for cybersecurity incidents | Required yearly, before Sept. 1 |
| Jan. 1 - Aug. 31, 2026 | Facilities provide a contact to IOT for cybersecurity incidents | Required yearly, before Sept. 1 |
| Jan. 1 - Dec. 31, 2026 | Facilities conduct cybersecurity vulnerability assessment | Required yearly, no later than Dec. 31 |
| Jan. 1 - Dec. 31, 2026 | Facilities submit certification of assessments to IOT | Required in 2026 and every two years |
| Jan. 1 - Aug. 31, 2027 | Facilities provide a contact to IOT for cybersecurity incidents | Required yearly, before Sept. 1 |
| Jan. 1 - Dec. 31, 2027 | Facilities conduct cybersecurity vulnerability assessment | Required yearly, no later than Dec. 31 |
| Jan. 1 - Aug. 31, 2028 | Facilities provide a contact to IOT for cybersecurity incidents | Required yearly, before Sept. 1 |
| Jan. 1 - Dec. 31, 2028 | Facilities conduct cybersecurity vulnerability assessment | Required yearly, no later than Dec. 31 |
| Jan. 1 - Dec. 31, 2028 | Facilities submit certification of assessments to IOT | Required in 2026 and every two years |