Preparing for the Next Wave: Risk and Resilience Assessments for Public Water Systems

Public water systems are essential to the health, safety and well-being of communities, but they are increasingly under threat. Today’s risk environment is more complicated and uncertain than ever before, with threats ranging from insider intrusions and targeted cyberattacks to more severe natural disasters.  

With the second round of Risk and Resilience Assessments (RRAs) due by the end of 2026, public utilities have the opportunity and responsibility to reassess vulnerabilities and emergency preparedness. These assessments are strategic tools for identifying critical weaknesses, prioritizing improvements and protecting the infrastructure that communities rely on every day. 

Water Infrastructure’s Backbone: America’s Water Infrastructure Act  

In the wake of 9/11, water utilities were required to conduct vulnerability assessments and submit them to the Environmental Protection Agency (EPA) as part of the Bioterrorism Act of 2002. Many of these assessments were never updated and were treated as static documents. This initial round of assessments served as the foundation for America’s Water Infrastructure Act (AWIA) of 2018, which introduced a more proactive, recurring approach that requires RRAs to be completed and certified every five years.

Now, utilities are evaluating more than just physical threats. They are also looking at cybersecurity risks, accidental hazards, insider threats, operational failures and system interdependencies. This reframes the RRA as a living risk management strategy designed to strengthen long-term resilience and build public trust.  

Evolving Threats 

Threats have changed significantly since the initial round of assessments in 2020–2021. Many traditional risks still exist, but there are also new and more complex challenges. Cybersecurity has become a top concern as foreign actors, ransomware campaigns and malware attacks regularly target the digital systems that operate and secure water infrastructure. These vulnerabilities were brought to light in one notable instance in Oldsmar, Florida, where an unauthorized user remotely accessed a water treatment plant in an attempt to alter chemical levels, highlighting the vulnerabilities of operational technology.

At the same time, natural disasters like hurricanes, wildfires and winter storms still pose a threat to system dependability. Other physical dangers, like a broken fence or unguarded entrances, are still very real. An assessment from five years ago cannot account for today’s threats. For RRAs to be effective, they must adapt to this changing environment.


Assessments Rooted in Strategy 

Based on practical application and regulations, B&N’s approach to RRAs doesn’t just identify risks; it builds a roadmap to address them. Our process includes:  

  • Interviewing utility personnel to evaluate operational practices and security culture 
  • Conducting on-site walkthroughs using the Multiple Zones of Security to examine everything from perimeter defenses to core operational systems

This process prioritizes risks by likelihood, impact and cost-effectiveness. The goal is to make every recommendation practical and scalable, whether that means installing motion-sensing cameras, updating access controls or enhancing cybersecurity protocols. 

Turning Insights into Action 

Completing an RRA is just the start. The true value of an RRA lies in how the results are applied. Capital investments such as upgrading aging infrastructure or adding system redundancies can help address some vulnerabilities. Other areas may require operational changes, like implementing multi-factor authentication or establishing a formal security policy.

Planning for future events is essential to the process. Because our security recommendations are based on both experience and compliance requirements, they are adaptable and realistic regardless of the utility’s size or available resources.  

Being prepared for emergencies is more than just creating a plan. It means making certain everyone knows their role and responsibilities. This is why B&N leads Incident Action Checklist Workshops, bringing together utility staff, first responders and cybersecurity experts to walk through realistic scenarios. These collaborative sessions clarify responsibilities, identify gaps and strengthen interagency coordination. As a result, nobody starts from scratch when an incident occurs, and response measures are tailored to the circumstances.

Resources and the Road Ahead 

With the 2026 RRA deadline approaching, the time to prepare is now. There are resources available to help utilities evaluate their vulnerabilities and strengths:  

  • The Cybersecurity & Infrastructure Security Agency offers site assessments, cyber threat simulations and incident action checklists to help utilities assess and strengthen their physical and digital security posture.  
  • The Federal Emergency Management Agency has planning tools, hazard mitigation guidance and grant opportunities that can support resilience investments.  
  • The Ohio Cyber Reserve is a specialized team of cybersecurity professionals available to assist Ohio-based utilities with threat assessments and response preparation.   

Although these resources may seem overwhelming, utilities don’t have to do it alone. B&N helps utilities make the most of the RRA resources and develop a holistic emergency response plan. Are you ready for the next assessment deadline? Contact us to take the first steps to reevaluate your infrastructure security and response plans.  

Tune in to this episode of B&N's podcast "Infrastructure Insights: Engineering Explained" to learn more about RRAs.


Kevin Campanella, PE, Utility Planning Leader