Water and wastewater teams live in a world where “downtime” is not a neutral word.
When something goes wrong, you’re not just protecting systems, you’re protecting a physical process that communities rely on every hour of the day. CIRCIA adds another operational expectation for covered entities: certain cyber incidents may need to be reported within 72 hours after you reasonably believe a covered cyber incident occurred.
https://www.law.cornell.edu/uscode/text/6/681b
You’re not being asked to finish the investigation inside that window. You’re being asked to capture defensible facts early, while logs still exist, alarms still tell the story, and everyone remembers what happened in what order.
Coverage indicators water utilities should document
Water utilities operate critical infrastructure that directly impacts public health and safety. As a result, many water-sector organizations may fall within CIRCIA’s scope once the rule is finalized.
One commonly referenced indicator in the proposed rule covers community water systems and publicly owned treatment works serving populations greater than approximately 3,300 people.
https://www.cisa.gov/sites/default/files/2024-04/CIRCIA%20NPRM%20Overview%20V2%28FINAL%29_508c%20%28locked%29.pdf
https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
For wastewater utilities, it can also help to define terms clearly. “Publicly Owned Treatment Works (POTW)” is defined in federal environmental regulations, and that definition is useful when you’re writing a coverage memo you may need to defend later.
https://www.ecfr.gov/current/title-40/chapter-I/subchapter-N/part-403/section-403.3
A simple coverage memo that saves you time later
Keep this memo short, factual, and easy to update:
- Population served (and how you calculated it)
- Ownership and structure (city department, authority, district, regional partnership)
- Regulatory oversight (state primacy agency, commission relationships, federal touchpoints)
- Operational systems (SCADA, HMIs, PLCs, remote access tooling, key vendors)
If leadership, counsel, or an insurer asks, “Are we covered?” you don’t want to start from scratch. You want to pull a one-pager and move on.
Covered Entity Quick Test: circia-covered-entity-quick-test
Full context: circia-2026-covered-entities-what-to-do-now
Triage: separating IT compromise from process disruption
In water and wastewater, the first question is rarely, “Is there malware?”
It’s, “Is this touching the process?”
Most utilities run both traditional IT systems and OT environments that control treatment, pumping, and distribution. Some incidents look like standard IT events at first… then you realize the same credentials are used to access remote operations, or that the same network segment hosts a workstation that communicates with the control environment.
Control environments often include:
- SCADA systems
- Human-machine interfaces (HMIs)
- Programmable logic controllers (PLCs)
- Remote access infrastructure used for maintenance and vendor support
OT incident response differs because the constraints do. NIST’s ICS guidance is a strong reference for why OT response needs its own playbook.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
A few examples you already know in your bones:
- Aggressive scanning can disrupt control equipment
- Patching or rebooting devices can interrupt operations
- Isolating networks too quickly can cut off visibility right when you need it
CISA’s ICS incident response guidance reinforces the same point: containment decisions need coordination, so you don’t “fix” a cyber issue by creating an operational one.
https://www.cisa.gov/sites/default/files/2023-01/final-RP_ics_cybersecurity_incident_response_100609.pdf
A real-world watch item: internet-exposed HMIs
Remote access is often where water-sector incidents can become dangerous quickly, especially when operational interfaces are exposed. A joint EPA/CISA fact sheet calls out how internet-exposed HMIs have contributed to multiple incidents in the sector.
https://www.epa.gov/system/files/documents/2024-12/joint-factsheet-epa-cisa-internet-exposed-human-machine-interfaces-508c.pdf
A good early triage decision is simply this:
Is this an IT inconvenience or a process risk?
If there’s any chance it’s a process risk, pull in operations immediately.
The 72-hour incident response runbook
CIRCIA’s statutory requirement is clear about the clock: covered entities must report certain cyber incidents within 72 hours after reasonably believing a covered cyber incident occurred.
https://www.law.cornell.edu/uscode/text/6/681b
Small teams can still do this well, but it helps to have a runbook designed for how utilities actually operate.
Here’s a practical runbook structure you can run with.
Stage 1 — Detection
Signals can come from:
- Endpoint security alerts
- Network monitoring
- Operational alarms
- Vendor notifications
At this stage, the goal is simple: confirm whether you’re looking at a potential cyber incident rather than a routine equipment or process anomaly.
Stage 2 — Initial triage
Determine what lane you’re in:
- Administrative IT systems
- OT environments
- Vendor-managed systems
- Some combination of the above
If OT is potentially involved, bring engineering in right away. Not later. Not after you “confirm.”
Stage 3 — Escalation
When critical operations may be affected, escalate early. The clock doesn’t care that it’s a weekend.
In most utilities, escalation should include:
- Utility management
- Operations/engineering leadership
- Cybersecurity responders (internal or external)
- Legal or compliance advisors (as needed)
If you want a solid “who to call, what to do next” reference tailored to your sector, the Water & Wastewater Sector Incident Response Guide (CISA, FBI, EPA) is worth bookmarking.
https://www.cisa.gov/sites/default/files/2024-10/WWS-Sector_Incident-Response-Guide.pdf
Stage 4 — Evidence collection
This is where utilities either gain control… or spend days reconstructing a story from fragments.
During the first day, focus on collecting what you’ll need to answer basic questions:
- What did we see, and when did we see it?
- What systems are impacted, and what’s the operational effect?
- What actions did we take, and why?
EPA’s incident response plan template instructions are a usable foundation for documenting this, especially if your current process lives in people’s heads.
https://www.epa.gov/system/files/documents/2025-10/250414_cybersecurity-incident-response-plan-template-instructions_508c_0.pdf
Stage 5 — Initial reporting narrative
Your first narrative should be plain, time-stamped, and honest about what’s still unknown:
- When the incident was detected
- Systems affected (working list, updated as facts change)
- Operational impacts observed
- Containment actions taken
- Who is investigating (internal team, vendor, incident response partner)
That narrative becomes your backbone for leadership briefings and reporting decisions.
If you need to coordinate multiple reporting timelines, keep one master incident timeline from the start:
circia-72-hour-unified-timeline
One practical habit that helps a lot: assign a timeline owner. Not the lead investigator, but someone whose job is to keep the facts and timestamps clean while everyone else is moving.
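What a single master timeline with a 72-hour clock looks like in practice, as an added example that is not code from the original article: one timeline owner, every entry time-stamped in UTC, the "reasonable belief" moment recorded separately from detection, and the Stage 5 narrative fields generated from the entries rather than reconstructed from chat threads. The lane labels (IT, OT, VENDOR), field names and the sample events are this example's own constructions.

```python
"""Master incident timeline with a CIRCIA 72-hour reporting clock.

Added example; it is not code from the original article. It assumes the utility
keeps exactly one timeline, owned by a named timeline owner, and that the 72-hour
window starts when the entity reasonably believes a covered cyber incident
occurred (the statutory trigger the article cites). Lane labels, field names and
the sample events below are this example's own constructions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REPORTING_WINDOW = timedelta(hours=72)


@dataclass
class Entry:
    when: datetime                    # timezone-aware UTC, so ordering is defensible
    lane: str                         # "IT", "OT" or "VENDOR" (example's own labels)
    system: str                       # asset or platform the entry concerns
    event: str                        # what was seen or done, in plain words
    source: str                       # who or what recorded it (person, alarm log, ticket)
    action_taken: bool = False        # a containment/recovery step we performed
    operational_impact: bool = False  # the physical process was affected


@dataclass
class IncidentTimeline:
    owner: str                        # the timeline owner, not the lead investigator
    entries: List[Entry] = field(default_factory=list)
    reasonable_belief_at: Optional[datetime] = None

    def add(self, entry: Entry) -> None:
        if entry.when.tzinfo is None:
            raise ValueError("timeline entries must carry a timezone-aware timestamp")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.when)  # chronological regardless of entry order

    def mark_reasonable_belief(self, when: datetime) -> None:
        """Record the moment that starts the 72-hour clock."""
        self.reasonable_belief_at = when

    def reporting_deadline(self) -> Optional[datetime]:
        if self.reasonable_belief_at is None:
            return None
        return self.reasonable_belief_at + REPORTING_WINDOW

    def hours_remaining(self, now: datetime) -> Optional[float]:
        deadline = self.reporting_deadline()
        if deadline is None:
            return None
        return (deadline - now).total_seconds() / 3600

    def initial_narrative(self, now: datetime) -> dict:
        """Stage 5 fields: plain, time-stamped, explicit about what is still unknown."""
        deadline = self.reporting_deadline()
        stamp = lambda e: f"{e.when.isoformat()} {e.system}: {e.event}"
        return {
            "timeline_owner": self.owner,
            "detected_at": self.entries[0].when.isoformat() if self.entries else "UNKNOWN",
            "lanes_involved": sorted({e.lane for e in self.entries}),
            "systems_affected": sorted({e.system for e in self.entries}),
            "operational_impacts": [stamp(e) for e in self.entries if e.operational_impact],
            "containment_actions": [stamp(e) for e in self.entries if e.action_taken],
            "reporting_deadline": deadline.isoformat() if deadline
                                  else "UNKNOWN (reasonable-belief time not yet set)",
            "hours_remaining": self.hours_remaining(now),
        }


SAMPLE_NOW = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)  # constructed "current time"


def build_sample_timeline() -> IncidentTimeline:
    """Constructed sample incident (not a real event) to exercise the timeline."""
    utc = timezone.utc
    tl = IncidentTimeline(owner="shift supervisor (timeline owner)")
    # Entries are added out of order on purpose; add() keeps them chronological.
    tl.add(Entry(datetime(2025, 3, 1, 2, 25, tzinfo=utc), "IT", "vpn-gw-1",
                 "vendor service account logged in from an unfamiliar address", "VPN auth log"))
    tl.add(Entry(datetime(2025, 3, 1, 2, 10, tzinfo=utc), "OT", "hmi-02",
                 "chlorine dose setpoint changed outside a shift change", "SCADA alarm log",
                 operational_impact=True))
    tl.add(Entry(datetime(2025, 3, 1, 3, 0, tzinfo=utc), "OT", "hmi-02",
                 "operator restored setpoint and verified residual by grab sample", "operator",
                 action_taken=True))
    tl.add(Entry(datetime(2025, 3, 1, 4, 30, tzinfo=utc), "VENDOR", "vendor remote-support",
                 "vendor notified; logs and timeline requested in writing", "IT lead"))
    tl.mark_reasonable_belief(datetime(2025, 3, 1, 4, 0, tzinfo=utc))
    return tl


if __name__ == "__main__":
    import json
    print(json.dumps(build_sample_timeline().initial_narrative(SAMPLE_NOW), indent=2))
```

The narrative is regenerated from the entries every time it is requested, so the leadership briefing and the reporting decision always come from the same record; the separate "reasonable belief" timestamp makes it explicit that the clock is not the same as the first alarm.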
Evidence checklist for water and wastewater utilities
During cyber incidents that touch operational environments, evidence disappears quickly, sometimes just from normal log rotation, sometimes from well-intentioned recovery actions.
EPA’s Incident Action Checklist is a strong “first 24 hours” companion for water utilities.
https://www.epa.gov/system/files/documents/2024-09/240909_cybersecurityiac_fillable_508c.pdf
A practical evidence packet often includes:
Operational telemetry
SCADA and control system telemetry can show abnormal behavior that aligns with suspected intrusion windows.
Alarm and event logs
Sequence-of-events and alarm logs are often your earliest “something changed” signal.
Access logs
Authentication logs from remote access platforms, jump hosts, and identity systems.
Configuration records
Change logs that show whether settings were modified, when, and by whom.
Backup and recovery systems
Backup status, restore points, and evidence of access or tampering.
Vendor investigation artifacts
If a vendor is involved, request artifacts early, and get the request in writing:
- Incident timelines
- Logs and audit trails
- Indicators of compromise
- A short findings summary (what they saw, what they did, what they can’t yet confirm)
For logging and retention fundamentals that support credible investigations, NIST’s log management guide remains one of the clearest references.
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-92.pdf
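A concrete way to keep the evidence packet defensible, as an added example that is not code from the article, EPA or NIST: hash and time-stamp every collected file at collection time, report which checklist categories are still empty (the ones to chase before log rotation or recovery actions erase them), and re-verify the hashes later to show nothing was altered. It assumes one packet directory with a subfolder per category; the category names and all sample file contents are constructed for the example.

```python
"""Evidence packet manifest: integrity hashes plus a checklist coverage check.

Added example; it is not code from the article, EPA or NIST. It assumes responders
copy exported logs and records into one packet directory with a subfolder per
evidence category, and want each file hashed and time-stamped at collection so it
can later be shown unchanged. Category names and all file contents are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# The article's evidence packet categories, as folder names (example's own naming).
EVIDENCE_CATEGORIES = (
    "operational_telemetry",
    "alarm_and_event_logs",
    "access_logs",
    "configuration_records",
    "backup_and_recovery",
    "vendor_artifacts",
)


def sha256_of(path: Path) -> str:
    """Stream the file so large SCADA exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(packet_dir: Path, collector: str,
                   collected_at: Optional[datetime] = None) -> dict:
    """Record hash, size and collection time for every file in the packet."""
    collected_at = collected_at or datetime.now(timezone.utc)
    items = []
    for category in EVIDENCE_CATEGORIES:
        cat_dir = packet_dir / category
        if not cat_dir.is_dir():
            continue  # nothing collected for this category yet
        for path in sorted(cat_dir.rglob("*")):
            if path.is_file():
                items.append({
                    "category": category,
                    "path": path.relative_to(packet_dir).as_posix(),
                    "sha256": sha256_of(path),
                    "size": path.stat().st_size,
                })
    return {"collected_at": collected_at.isoformat(), "collector": collector, "items": items}


def missing_categories(manifest: dict) -> List[str]:
    """Checklist items with nothing collected yet: chase these before logs rotate."""
    present = {item["category"] for item in manifest["items"]}
    return [c for c in EVIDENCE_CATEGORIES if c not in present]


def verify_manifest(packet_dir: Path, manifest: dict) -> List[str]:
    """Return packet-relative paths whose content no longer matches the manifest."""
    changed = []
    for item in manifest["items"]:
        path = packet_dir / item["path"]
        if not path.is_file() or sha256_of(path) != item["sha256"]:
            changed.append(item["path"])
    return changed


def run_demo() -> dict:
    """Build a constructed packet, manifest it, alter one file, re-verify."""
    root = Path(tempfile.mkdtemp(prefix="evidence-demo-"))
    samples = {  # constructed content, not real utility data
        "alarm_and_event_logs/soe_2025-03-01.csv":
            "2025-03-01T02:10:04Z,CL2_DOSE_SP,SETPOINT_CHANGED,hmi-02\n",
        "access_logs/vpn_auth.log":
            "2025-03-01T02:25:11Z vendor-svc LOGIN_OK src=203.0.113.45\n",
        "configuration_records/plc3_changes.txt":
            "2025-03-01T02:12:40Z plc-03 block DOSE_CTRL modified by hmi-02\n",
    }
    for rel, text in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    manifest = build_manifest(root, collector="it-lead",
                              collected_at=datetime(2025, 3, 1, 5, 0, tzinfo=timezone.utc))
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(root, manifest)
    # Simulate a well-intentioned "cleanup" that rewrites a collected log after hashing.
    (root / "access_logs/vpn_auth.log").write_text("rotated\n")
    return {
        "item_count": len(manifest["items"]),
        "missing": missing_categories(manifest),
        "changed_before_tamper": clean,
        "changed_after_tamper": verify_manifest(root, manifest),
        "hash_len": len(manifest["items"][0]["sha256"]),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is written into the packet alongside the files, so whoever picks up the packet later (counsel, insurer, an external responder) can re-run the verification and see both what was collected and which checklist categories were never filled.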
A 30-day readiness plan for water utilities
You don’t need a giant program to get better quickly. You need a short sprint with practical outputs.
Week 1 — Identify logging gaps
Figure out what you can actually see today across identity, endpoints, remote access, and OT touchpoints.
CISA Logging Made Easy is a budget-friendly way to quickly tighten log centralization.
https://www.cisa.gov/resources-tools/services/logging-made-easy
Week 2 — Document an incident response runbook
Define:
- Roles and responsibilities
- Vendor escalation contacts (and backups)
- Where evidence lives, and who can pull it
- Reporting workflow and approvals
Use EPA’s plan template instructions as your structure if you need something you can implement without reinventing the wheel.
https://www.epa.gov/system/files/documents/2025-10/250414_cybersecurity-incident-response-plan-template-instructions_508c_0.pdf
Week 3 — Run a tabletop exercise
Tabletops don’t need to be fancy to be effective. The goal is to test your first 24 hours.
CISA tabletop exercise packages:
https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
Test the stuff that usually breaks:
- Can operations and IT coordinate containment decisions fast?
- Can you get the vendor logs within the window, or do you wait 2 days?
- Can you produce a clean timeline without digging through chat threads?
Week 4 — Create an incident documentation toolkit
Prepare templates you can reuse under pressure:
- Incident timeline format
- Evidence checklist
- Vendor evidence request template
- Leadership update format (what happened, what’s impacted, what we did, next update time)
If you want a broader plan that stays budget-aware across multiple compliance requirements:
low-cost-circia-readiness-report-ready
Conclusion: operational readiness is the goal
Water and wastewater utilities keep communities safe and stable. When cyber incidents affect operational systems, they can impact treatment processes, distribution, and public safety operations.
CIRCIA adds a clear expectation for covered entities: rapid incident reporting supported by structured evidence collection.
https://www.law.cornell.edu/uscode/text/6/681b
Utilities that do well with this focus on the basics:
- Document coverage logic now, while it’s calm
- Tighten logging where it matters most (identity, remote access, OT touchpoints)
- Test your first 24 hours with a tabletop
- Keep one clean timeline and one narrative that leadership can trust