Security for Texas Water Utilities  •  AWIA • EPA Section 1433 • OT/SCADA • TCEQ • CISA Shields Up

Texas water utilities are now a foreign-intelligence target. Most don't know they were hit until the tank overflowed.

In January 2024, CyberArmyofRussia compromised water utility HMIs in Muleshoe, Hale Center, Abernathy, and Lockney — Panhandle Texas towns with no cybersecurity program and PLCs exposed to the internet. A tank overflowed in Muleshoe before operators manually intervened. AWIA Section 2013 requires a Risk & Resilience Assessment and Emergency Response Plan. Most Texas water systems are not in compliance.

AWIA Section 2013 Compliance: Ongoing 5-Year Cycle. Community water systems serving >3,300 people must certify a completed Risk & Resilience Assessment (RRA) to EPA and develop an Emergency Response Plan (ERP) within 6 months. Cybersecurity of SCADA, HMI, and control systems is a mandatory RRA component. CoreRecon provides AWIA evidence collection as a Compliance Pack add-on — included at Fortress tier.
Threat Reality — Texas Water Utilities

Three attack vectors your operators aren't watching.

Water utilities have become a priority target for state-sponsored actors, ransomware groups, and ideologically-motivated hackers alike. Exposed OT equipment, remote access with no MFA, and legacy PLCs accessible via public internet are the common thread. These aren't hypothetical scenarios — they're documented incidents.

State Actor HMI Compromise — January 2024
Muleshoe / Hale Center / Abernathy / Lockney
CyberArmyofRussia — a Sandworm-linked hacktivist group — accessed HMI systems at four Texas Panhandle water utilities via exposed VNC with no authentication. In Muleshoe, operators lost control of a water storage system; the tank overflowed before manual intervention. Unitronics Vision PLCs were found on Shodan with factory-default credentials. CISA issued Emergency Advisory AA24-057A following the incidents. Average time before detection: operators discovered it via physical observation, not monitoring.
Chemical Setpoint Manipulation — Oldsmar-Pattern Attack
Remote Access Without MFA Is an Operator
In February 2021, an attacker accessed the Oldsmar, Florida water treatment plant via TeamViewer and briefly raised sodium hydroxide (lye) setpoints to 111x normal levels. An alert operator noticed the cursor moving and manually reversed it. Texas utilities using RDP, TeamViewer, or VNC for remote SCADA access without multi-factor authentication face identical exposure. The attack vector requires no exploit — just a credential. CISA's ICS-CERT has documented similar unauthorized access attempts at water utilities across the country since 2021.
Billing & Customer Data Ransomware — 2023–2024
IT-Side Attacks Disable Billing, SCADA Adjacency
Veolia North America's water division was hit by ransomware in January 2024, disrupting billing systems and customer data for U.S. municipal water customers. The Municipal Water Authority of Aliquippa, PA was breached in November 2023 by the Cyber Av3ngers group (Iranian state-linked) via exposed Unitronics PLCs — the same hardware and attack vector used in the 2024 Texas incidents. Ransomware on IT systems adjacent to SCADA creates dual exposure: direct operational risk and regulatory notification obligations under AWIA.
Water Utility Compliance Landscape

Six frameworks. One team to manage them all.

Texas water utilities operate under a layered regulatory environment — federal AWIA and EPA obligations, CISA sector goals, TCEQ state oversight, and voluntary NIST/CISA frameworks that are increasingly referenced in enforcement actions. Here's every requirement in scope and how CoreRecon covers it.

Framework: AWIA Section 2013
Who's in Scope: Community water systems serving >3,300 people; wastewater systems serving >3,300 for ERPs
Key Requirements: Risk & Resilience Assessment (RRA) every 5 years — cybersecurity of SCADA, monitoring systems, and chemical handling is mandatory scope; Emergency Response Plan (ERP) within 6 months of RRA; certify to EPA
Penalty / Consequence: EPA enforcement action; TCEQ compliance referral; reputational exposure in public certification record
CoreRecon Coverage (Fortress): AWIA RRA cyber component documentation, control system asset inventory, SCADA vulnerability mapping, ERP cybersecurity annex — Compliance Pack add-on included at Fortress tier

Framework: EPA Section 1433 / SDWA
Who's in Scope: All public water systems; enforceable under Safe Drinking Water Act
Key Requirements: Vulnerability Assessments for systems >100,000 service connections; cybersecurity now embedded in EPA enforcement posture following 2023 failed rulemaking; EPA March 2023 memo directing SDWA survey to include cybersecurity
Penalty / Consequence: Civil penalties up to $25,000/day; compliance orders; operator license jeopardy on TCEQ side
CoreRecon Coverage (Sentinel): Vulnerability assessment support, 24/7 SOC monitoring, incident documentation for EPA/TCEQ reporting obligations

Framework: CISA Water Sector Goals
Who's in Scope: All water and wastewater systems; non-binding but referenced in TCEQ audits and EPA guidance
Key Requirements: CISA Cross-Sector Cybersecurity Performance Goals (CPGs): asset inventory, MFA on remote access, network segmentation, patch cadence, incident reporting to WaterISAC and CISA
Penalty / Consequence: Non-binding but creates expected standard of care; cited in post-incident enforcement; grants contingent on adoption
CoreRecon Coverage (Fortress): Full CPG implementation mapping, MFA enforcement on remote access, OT network segmentation, WaterISAC threat feed integration

Framework: TCEQ Requirements
Who's in Scope: All Texas public water systems; TCEQ has oversight authority for water quality and operator compliance
Key Requirements: TCEQ inspections now include IT/OT security posture; operator license requirements include safeguarding instrumentation and monitoring systems; public notification obligations when monitoring systems are compromised
Penalty / Consequence: Operator license suspension; compliance orders; public notification mandates; fines for delayed notifications
CoreRecon Coverage (Sentinel): TCEQ inspection documentation, incident timeline preservation, public notification support, operator compliance evidence package

Framework: NIST CSF 2.0
Who's in Scope: Voluntary but referenced by AWIA, EPA, and CISA as the expected implementation framework for water utilities
Key Requirements: Identify (asset inventory, risk assessment), Protect (access controls, OT segmentation), Detect (continuous monitoring), Respond (incident response plan), Recover (business continuity for water service)
Penalty / Consequence: Non-binding; failure to implement creates evidentiary gap in post-incident litigation and regulatory enforcement
CoreRecon Coverage (Fortress): NIST CSF maturity assessment, control gap remediation, ongoing monitoring mapped to Detect function, IR plan documentation

Framework: CISA Shields Up
Who's in Scope: All critical infrastructure operators including water; heightened since Russia-Ukraine conflict and 2024 TX incidents
Key Requirements: Reduce attack surface (patch exposed systems), increase logging, prepare IR plans, report incidents to CISA, implement emergency remote access controls; WaterISAC membership for threat intel sharing
Penalty / Consequence: Non-binding; failure to act on known advisories creates FCA-style liability if federal funds received
CoreRecon Coverage (Command): External attack surface reduction, CISA advisory implementation tracking, 30-min SLA on OT incidents, WaterISAC integration, threat intel sharing
OT/SCADA Security for Water Utilities

The air gap is a myth. Your PLC is on the internet.

Water utilities built SCADA systems before cybersecurity was a consideration. Unitronics Vision, Allen-Bradley ControlLogix, Modicon M340 — these PLCs control chlorination, pressure regulation, and tank levels. Many are reachable from Shodan. Here's how CoreRecon closes each exposure without disrupting treatment operations.

Unitronics / Allen-Bradley / Modicon Exposure
Unitronics Vision and Samba PLCs were found internet-exposed with factory-default passwords across multiple U.S. water utilities in 2023–2024 — including the Texas Panhandle sites. Allen-Bradley and Modicon hardware running on flat networks is similarly reachable. CoreRecon's first step: an external attack surface scan identifying every internet-exposed OT device. Typical finding: 3–8 exposed services per site that operators are unaware of.
VNC / RDP on Public Internet
VNC with no authentication was the attack vector in all four January 2024 Texas incidents. Remote desktop (RDP) and TeamViewer without MFA are equivalent exposure points. CoreRecon enforces MFA on all remote access paths — SCADA, historian, HMI, and administrative consoles — and monitors for brute-force and unauthorized access attempts in real time. Remote access without MFA is a hard AWIA RRA finding and a CISA CPG failure.
Network Segmentation Playbook
NIST SP 800-82 defines the IT/OT segmentation architecture for industrial control systems. CoreRecon deploys monitored firewall rules between your corporate IT and SCADA networks — creating a defined boundary where authorized communication is documented and unauthorized lateral movement generates immediate alerts. Passive NTA sensors at the OT boundary provide full protocol visibility (Modbus, DNP3, EtherNet/IP) without touching operational systems.
30-Min SLA on OT Incidents
When an anomalous command hits your SCADA system at 3 AM, you need a response that can reach a live analyst before a setpoint change becomes a treatment event. CoreRecon's 30-minute SLA applies to OT incidents — not just IT alerts. Our analysts understand industrial protocols and can distinguish a legitimate operator command from an attacker-issued setpoint manipulation. Water utilities using Fortress or Command tier get this SLA as standard.
Texas Water District Landscape

7,000+ public water systems. Most with no IT staff.

Texas has more than 7,000 public water systems — the most of any state. Over 80% serve communities under 10,000 population with no dedicated IT staff, no cybersecurity budget, and no visibility into their own control systems. TCEQ oversight is increasing. AWIA compliance gaps are widespread.

Texas Panhandle
Confirmed 2024 CyberArmyofRussia Attack Zone
Muleshoe, Hale Center, Abernathy, and Lockney — four rural water systems hit in a coordinated wave in January 2024. All four had internet-exposed HMI systems. The attacks established that Texas water infrastructure is actively targeted by state-linked actors. Post-incident CISA advisory specifically identified exposed Unitronics PLCs as the common attack surface.
Municipal Utilities
Large Systems Under AWIA + EPA Scrutiny
Cities like Dallas (NTMWD), San Antonio (SAWS), Houston (HPW), and Austin (AWU) operate complex water systems serving millions — with SCADA networks, AWIA certification obligations, and heightened EPA focus following the 2024 incident wave. North Texas Municipal Water District had a confirmed breach in 2024. Large utilities face mandatory AWIA RRA cycles and increasing state legislative pressure post-2024.
Rural Water Districts
7,000+ Systems, No IT Staff, No Visibility
The vast majority of Texas public water systems are small rural districts and special utility districts (SUDs) — serving farming communities, unincorporated areas, and small towns. Most have part-time operators, aging SCADA hardware, and no monitoring. They are the same systems that were compromised in 2024 precisely because they're under-resourced. CoreRecon's Sentinel tier is sized for their budget.
TXWARN & Mutual Aid
Texas Water/Wastewater Agency Response Network
TXWARN provides mutual aid for water utilities during declared emergencies — including cyber incidents. CoreRecon's incident response integrates with TXWARN protocols: incident timeline documentation, forensic preservation, TCEQ notification coordination, and emergency public notification support. We've mapped our IR playbooks to TXWARN activation procedures so utilities don't have to choose between our response and their mutual aid obligations.
SB Legislation Note
Texas has seen increasing legislative activity on critical infrastructure cybersecurity post-2024. SB 2011 (2023) and subsequent session activity have expanded TCEQ's authority to require cybersecurity documentation from water systems. State legislative sessions continue to add teeth to AWIA obligations at the Texas level. CoreRecon tracks Texas legislative developments and updates compliance documentation accordingly.
Confirmed Water Sector Incidents

What actually happened in Muleshoe. What a 24/7 SOC would have caught.

The January 2024 Texas water utility attacks were the first documented state-linked OT compromise of U.S. water infrastructure. Here's the incident timeline and the detection points that a monitored environment would have identified — and the broader context from similar incidents.

Muleshoe, TX — January 2024
CyberArmyofRussia HMI Compromise — Tank Overflow
Attack Vector
CyberArmyofRussia accessed the Muleshoe water utility HMI via exposed VNC — no authentication required. The attacker manipulated control settings for a water storage system. A tank overflowed before plant operators discovered the unauthorized access and manually took over. The attack was public and documented; the group posted screenshots of the HMI panel on Telegram.
What Was Missing
No VNC authentication. No external attack surface monitoring. No alerting on unauthorized HMI access. No network segmentation between the internet-facing system and operational controls. Operators discovered the incident physically — not through any monitoring system.
What a 24/7 SOC would have caught: (1) The VNC service would appear in an external scan during onboarding — immediate hardening action before any attack. (2) Unauthorized VNC session initiation at unusual hours would generate a real-time alert. (3) Anomalous setpoint commands via Modbus/DNP3 would trigger OT-specific alert before any physical impact. Timeline to intervention: under 30 minutes.
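The third detection point above (anomalous setpoint commands over Modbus), sketched as an added example; this is not CoreRecon's code. It assumes a passive sensor hands over each Modbus/TCP request with its source IP and hour of day, and the IP addresses, register 40 as a dosing setpoint, its 0-150 limit and the 06:00-20:00 operating window are all hypothetical.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (write requests).
WRITE_CODES = {5: "write single coil", 6: "write single register",
               15: "write multiple coils", 16: "write multiple registers"}

@dataclass
class Policy:
    allowed_writers: set    # source IPs permitted to issue writes (e.g. the HMI)
    setpoint_limits: dict   # holding register address -> (min, max) raw value
    operating_hours: range  # hours of day when operator writes are expected

def parse_writes(frame: bytes):
    """Return (function_code, [(address, value), ...]) for a well-formed write request, else None."""
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6 or fc not in WRITE_CODES:
        return None
    body = frame[8:]
    if fc in (5, 6):
        return (fc, [struct.unpack(">HH", body)]) if len(body) == 4 else None
    if len(body) < 5:
        return None
    addr, qty, nbytes = struct.unpack(">HHB", body[:5])
    expected = 2 * qty if fc == 16 else (qty + 7) // 8
    if nbytes != expected or len(body) != 5 + nbytes:
        return None
    if fc == 16:
        values = struct.unpack(f">{qty}H", body[5:])
    else:  # fc 15: coil states are packed least-significant bit first
        values = [(body[5 + i // 8] >> (i % 8)) & 1 for i in range(qty)]
    return fc, [(addr + i, v) for i, v in enumerate(values)]

def evaluate(src_ip: str, hour: int, frame: bytes, policy: Policy) -> list:
    """Return alert strings for one observed request (empty list = no alert)."""
    parsed = parse_writes(frame)
    if parsed is None:
        return []  # reads and non-write traffic are out of scope for this check
    fc, writes = parsed
    alerts = []
    if src_ip not in policy.allowed_writers:
        alerts.append(f"{WRITE_CODES[fc]} from unauthorized source {src_ip}")
    if hour not in policy.operating_hours:
        alerts.append(f"{WRITE_CODES[fc]} outside operating hours ({hour:02d}:00)")
    if fc in (6, 16):  # register writes carry setpoint values
        for addr, value in writes:
            limits = policy.setpoint_limits.get(addr)
            if limits and not limits[0] <= value <= limits[1]:
                alerts.append(f"register {addr} set to {value}, outside {limits[0]}-{limits[1]}")
    return alerts

def write_register(addr: int, value: int) -> bytes:
    """Build a function-6 request (constructed sample traffic)."""
    return struct.pack(">HHHBBHH", 1, 0, 6, 1, 6, addr, value)

# Hypothetical site policy: register 40 is a dosing setpoint limited to 0-150.
POLICY = Policy({"10.20.0.5"}, {40: (0, 150)}, range(6, 20))

if __name__ == "__main__":
    samples = [("10.20.0.5", 9, 120), ("10.20.0.5", 10, 9000), ("203.0.113.7", 3, 120)]
    for src, hour, value in samples:  # constructed observations
        print(src, hour, evaluate(src, hour, write_register(40, value), POLICY) or "ok")
```

The limits are compared against raw register values; mapping them to engineering units depends on each PLC's scaling.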
Aliquippa, PA — November 2023
Iranian-Linked Group Compromises Unitronics PLC
Attack Vector
Cyber Av3ngers — linked to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) — compromised a Unitronics Vision PLC at the Municipal Water Authority of Aliquippa. The PLC controlled a booster station for water pressure regulation. The group accessed it via the internet using the factory-default password "1111". CISA attributed the attack in a joint advisory with FBI, NSA, EPA, and INCD.
Impact
The group displayed a political message on the HMI screen. The booster station switched to manual control. While no water quality impact occurred, the same hardware and default credentials were confirmed present at the four Texas Panhandle utilities hit two months later. EPA used the incident to justify renewed cybersecurity requirements for water systems.
Identical attack vector to the January 2024 Texas incidents — factory-default credentials on an internet-exposed Unitronics PLC. The attack was preventable with an external attack surface scan and credential hardening policy. CoreRecon confirms no Unitronics devices carry default credentials in any client environment before go-live.
North Texas Municipal Water District — 2024
Daixin Team Ransomware — Billing & Customer Data
Attack Vector
Daixin Team ransomware group targeted NTMWD's IT systems — billing, customer account management, and operational data. The attack disrupted customer services and required notification to affected customers. NTMWD supplies water to 13 member cities across Collin, Dallas, and Rockwall counties serving over 2 million people. The IT-side attack illustrates how ransomware on business systems creates regulatory notification obligations under AWIA even when SCADA isn't directly hit.
Impact
Customer data disruption, billing system impact, public notification obligations. AWIA emergency response plan activation required. The scale of NTMWD's service area means a prolonged IT outage creates cascading issues for member city water management. Recovery required weeks of manual billing operations.
IT-side ransomware at water utilities triggers AWIA ERP activation even without OT impact. CoreRecon's cross-layer monitoring — IT and OT — ensures that ransomware on billing systems doesn't have an undetected pathway to historian or SCADA. Segmentation and lateral movement detection is the prevention story.
Pricing for Texas Water Utilities

SCADA-aware SOC. Month-to-month. No enterprise contract.

CoreRecon's water utility tiers cover your IT staff endpoints, OT/SCADA network monitoring, and AWIA compliance documentation. Compliance Pack add-on for AWIA evidence collection and RRA support. No minimums. No 3-year contracts. Sized for rural districts and large municipal systems alike.

Tier: Sentinel
Price / Endpoint / Month: $89
What's Included: 24/7 SOC monitoring, endpoint detection & response on IT/staff systems, external attack surface scan (identifies exposed SCADA/VNC/RDP), MFA enforcement on remote access, TCEQ incident documentation support, attack surface hardening for internet-exposed OT devices, monthly executive report, IR letter for cyber insurance
Best For: Small rural water districts and SUDs (<10 staff endpoints); no dedicated IT; AWIA systems >3,300; first layer of OT exposure remediation; TCEQ audit preparation

Tier: Fortress
Price / Endpoint / Month: $109
What's Included: All Sentinel + OT/SCADA passive network monitoring (NTA sensors at IT/OT boundary), AWIA RRA cybersecurity component documentation (Compliance Pack included), Emergency Response Plan cyber annex, NIST CSF 2.0 mapping, CISA CPG implementation, WaterISAC threat feed integration, anomalous setpoint command detection, SIEM, 30-min SLA on OT incidents, vendor access monitoring
Best For: Mid-size utilities (10–100 staff endpoints); full AWIA RRA + ERP compliance; active OT/SCADA monitoring; municipal utilities with regulatory obligations; systems post-incident requiring remediation documentation

Tier: Command
Price / Endpoint / Month: $129
What's Included: All Fortress + continuous OT threat hunting, advanced Modbus/DNP3/EtherNet/IP protocol anomaly detection, CISA Shields Up full implementation, annual OT penetration test, red team tabletop (chemical poisoning scenario), supply chain threat intel for water sector, IRGC/Sandworm hunt packages, EPA enforcement-ready evidence package
Best For: Large municipal utilities (100+ endpoints); regional water authorities; systems serving >50,000 connections; post-incident EPA/TCEQ audit environments; utilities seeking comprehensive AWIA certification posture
* OT/SCADA monitoring pricing depends on the number of treatment facilities, SCADA nodes, and network topology. An OT network assessment (scope, sensor placement, asset inventory) is included in the free posture assessment. Pricing above is per IT/staff endpoint; OT monitoring is quoted based on asset count and facility count. Compliance Pack (AWIA RRA documentation, ERP cyber annex, NIST CSF mapping) is included at Fortress tier and available as an add-on to Sentinel.
The CoreRecon Track Record

Texas water utilities. Real threats. Real monitoring.

7,000+: TX public water systems
30min: OT incident response SLA
Jan '24: TX water attacks confirmed
$0: Cost to start (free assessment)

CoreRecon is an SDVOSB-certified MSSP headquartered in Texas. We understand the TCEQ regulatory environment, the AWIA compliance cycle, and the OT architecture of water treatment facilities. Our analysts know the difference between a Modbus function code 15 write and an anomalous setpoint command. We don't route water utility data through offshore systems. U.S.-person-only SOC coverage, 24/7.

Active Breach? 24/7 Emergency Response
SCADA compromised? Setpoints changed? We respond in 30 minutes.
No retainer required. TCEQ notification support included. OT-aware response team. TXWARN coordination.
📞 (800) 955-2596
Free Security Assessment — $2,500 Value

Find out how exposed your control systems are before an attacker does.

CoreRecon's water utility assessment maps your IT and OT attack surface, identifies every internet-exposed SCADA and HMI device, documents your AWIA RRA compliance gaps, and delivers a prioritized remediation plan. The external scan alone typically finds 3–8 exposures operators weren't aware of. No credit card. No commitment.


Delivered within 14 days  •  External OT scan included  •  AWIA gap review included
