
The Environmental Protection Agency’s (EPA) recent push to identify internet-exposed operational technology (OT) assets at water and wastewater systems is revealing a major cybersecurity gap, as many water utilities remain unaware their systems are open to the internet.
Cole Dutton, a cybersecurity analyst within the EPA’s Office of Water, joined a webinar Tuesday hosted by Censys, where he explained that water utilities often lack the IT expertise or resources to secure complex systems.
“What I have found in this year of discovery … is there is a general lack of asset awareness across the water sector,” Dutton said. “Many of the times when we’ve performed outreach notifications, the systems just did not know that they had those devices internet-exposed.”
Dutton explained that water and wastewater systems are often running unsecured human machine interface (HMI) devices. Once such a device’s IP address is known, he warned, “anybody with an internet connection could find it and turn off valves, turn on valves, change set points, change chemical levels,” and so on.
While cybersecurity experts may wonder why the water and wastewater systems are using the internet and not securing their devices, Dutton said he likes to remind them that “the onus is not always on the water systems.”
“Most of the water systems in the United States are small systems, small rural systems, and they don’t have the in-house technical expertise … sometimes they don’t have someone that manages their IT,” Dutton noted. “So, most times, they outsource this to a third party.”
Notably, new research from MeriTalk and Claroty reveals that 60% of federal OT leaders say their agency lacks sufficient in-house expertise for OT/cyber-physical systems.
The EPA official said the agency will focus this year on helping water and wastewater utilities know what to look for when they outsource their IT work. In fact, Dutton said the agency recently published a Cybersecurity Procurement Evaluation Checklist to help them assess the cybersecurity practices of vendors, manufacturers, and service providers.
The resource includes a checklist specific to integrators and managed service providers (MSPs), the companies that manage and deliver IT services and products to utilities.
“We want systems to know what questions they should be asking potential integrators and vendors before they do business with them,” Dutton said. “We want to make sure they’re asking, ‘How are you going to protect my assets? What are the security measures you use?’”
The agency is also offering direct technical assistance to utilities that receive exposure notifications, helping them identify and secure vulnerable systems.
Overall, Dutton said that his team is trying to help educate the water sector on the importance of having network visibility and knowing what’s exposed to the internet.
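The asset-awareness gap Dutton describes is, at bottom, an inventory problem: a utility cannot tell which HMIs are reachable from the internet if it does not know which addresses and services its devices expose. The following is an added example, not code from the EPA, Censys or the article, of the kind of review a small utility or its MSP could run over its own asset list. The inventory, the site names and the addresses are constructed for the example; the addresses come from the RFC 5737 documentation ranges rather than any real network, and the port-to-service table lists well-known TCP ports for common HMI and industrial protocols.

```python
import csv
import io
import ipaddress

# Well-known TCP ports for services commonly found on HMIs and other OT
# equipment. A row is flagged when one of these sits on a non-internal address.
OT_SERVICE_PORTS = {
    80: "HTTP (HMI web panel)",
    443: "HTTPS (HMI web panel)",
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    5900: "VNC remote desktop",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Address space that is not routable from the public internet: RFC 1918,
# loopback and link-local for IPv4, plus the IPv6 equivalents. Anything else
# is treated as potentially reachable. We test these ranges explicitly rather
# than using ipaddress.is_global, because the RFC 5737 documentation ranges
# used in the constructed sample below are reported as non-global by Python.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "fc00::/7", "::1/128", "fe80::/10",
    )
]

# Constructed asset inventory in the shape a small utility or its MSP might keep.
SAMPLE_INVENTORY = """\
site,device,ip,port,notes
Well 3,Chlorinator HMI,203.0.113.10,80,vendor remote support
Well 3,Chlorinator HMI,203.0.113.10,5900,vendor remote support
Plant,Main PLC,192.168.10.20,502,
Lift station 7,Pump panel,198.51.100.7,502,cellular modem
Tank A,Level sensor gateway,10.0.5.9,443,
Office,Billing server,203.0.113.50,22,
Booster,Unknown,not-an-ip,80,inventory entry incomplete
"""


def is_internal(addr):
    """True when the address falls inside a non-internet-routable range."""
    # Membership against a network of the other IP version is simply False.
    return any(addr in net for net in INTERNAL_NETWORKS)


def assess_exposure(inventory_csv):
    """Split an inventory CSV into (exposed, needs_review).

    exposed: rows whose address is outside the internal ranges and whose port
             is a known OT/HMI service, annotated with the service name.
    needs_review: rows whose address field could not be parsed. An asset the
             inventory cannot even place on the network is itself an awareness
             gap, so these are surfaced rather than silently dropped.
    """
    exposed, needs_review = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            needs_review.append(row)
            continue
        port = int(row["port"])
        if not is_internal(addr) and port in OT_SERVICE_PORTS:
            exposed.append({**row, "service": OT_SERVICE_PORTS[port]})
    return exposed, needs_review


def exposure_by_address(exposed):
    """Group flagged services per address so one notification covers one device."""
    grouped = {}
    for row in exposed:
        grouped.setdefault(row["ip"], []).append(row["service"])
    return grouped


if __name__ == "__main__":
    exposed, needs_review = assess_exposure(SAMPLE_INVENTORY)
    for ip, services in exposure_by_address(exposed).items():
        print(f"{ip}: {', '.join(services)}")
    for row in needs_review:
        print(f"needs review: {row['site']} / {row['device']} ({row['notes']})")
```

Run against the constructed inventory, the script flags the chlorinator HMI at Well 3 twice (web panel and VNC) and the pump panel at lift station 7 (Modbus over a cellular modem), leaves the office server alone because SSH is not in the OT service table, and lists the incomplete "Booster" entry for follow-up. A real inventory would of course be compared against what an external scan actually sees, since a device behind a port-forwarding modem can be exposed even when its inventory address is private.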
“If we can move that needle at EPA, it’s going to make our job here at the government, at both EPA and [the Cybersecurity and Infrastructure Security Agency], it’s going to make our jobs easier,” Dutton said.
“When you think of EPA, maybe you don’t think about cybersecurity … but I want to try to move that needle towards that arena,” he added. “We have a lot of opportunity here to really provide some actionable outreach, but also mitigations, and to really help systems understand their exposure.”
Dutton closed the conversation by saying he is “really excited” for the cybersecurity work to come at EPA in fiscal year 2026.
“We have this full program under us where we are proactively searching for vulnerabilities, identifying them. You know, if we can find a large batch of vulnerabilities and devices that are commonly used in the water sector, we have the opportunity to really provide some outreach, see some mitigations take place, [and] hear those success stories,” he said.
“I get very excited about this, because I just see opportunity,” Dutton said, adding, “There’s a lot to do, but we’re up for the challenge.”