Water & wastewater utilities

SCADA, HMI, PLC, and the unmanaged switches in the pump house — the inventory regulators are now asking for.

Five named-incident years in a row — Oldsmar, Aliquippa, Muleshoe, Wrightsville Beach, Arkansas City — and the regulatory expectation has shifted. EPA's sanitary survey, state primacy agencies, the AWWA G-430 standard, and every cyber-insurance carrier now expect water and wastewater utilities to demonstrate a current inventory of every device on every plant network. The deployment shape that fits a water utility is not the same shape that fits an enterprise IT shop. CybrIQ is built for OT-segmented plant networks where there are no agents to install and no plant traffic to capture.

What's regulated and who's asking

The water-sector cybersecurity requirements are more layered than most utilities expected. The recurring asks:

  • America's Water Infrastructure Act (AWIA) §2013. Community water systems serving more than 3,300 people must conduct a risk and resilience assessment and prepare an emergency response plan. Five-year recurrence. Network and information-technology infrastructure is one of the named asset classes.
  • EPA sanitary survey, cyber components. State primacy agencies conduct sanitary surveys on a regular cycle. Cybersecurity is increasingly part of the survey scope, especially in states that have adopted EPA's cyber assessment guidance.
  • AWWA G-430 — Security Practices for Operation and Management. The water sector's de facto standard. Section G430.8 covers asset management explicitly.
  • WaterISAC threat-sharing. Member utilities exchange threat indicators and incident patterns; inventory is the prerequisite for matching indicators against the local environment.
  • State-level mandates. Some states (New Jersey, California) have direct water-cyber assessment requirements above the federal floor.
  • Cyber-insurance carriers. A water utility renewing cyber coverage in 2026 is asked specifically about OT segmentation, SCADA/HMI inventory, and unauthorized-device monitoring on plant networks.
  • EPA & CISA as SRMAs. EPA is the Sector Risk Management Agency for water; CISA provides shared services. The Water Sector Coordinating Council and the Water Sector Risk Profile drive the broader expectation.

Why the device-inventory question is hard for a water utility

  • Plant networks have unmanaged switches. The pump house, the lift station, and the chlorine room often run with switches the IT team did not buy and may not be able to query. Standard asset-discovery tools that depend on managed-switch SNMP miss what's connected downstream.
  • SCADA is sensitive to perturbation. Active scanning crashes PLCs. Many discovery tools that work in IT cannot be turned on against an OT segment without a coordinated outage window.
  • Vendor contractors plug into HMI segments. Pump maintenance, instrumentation calibration, and SCADA-system upgrades involve vendor laptops attaching to plant networks. The inventory of those connections is rarely maintained.
  • Geographic spread, single IT staff. A regional water utility may run twenty pump stations, three treatment plants, and a collection-system telemetry network — operated by an IT team of two.
  • OEM PLCs and HMIs do not announce themselves. Allen-Bradley, Siemens, Schneider Electric, Emerson, GE — each PLC family fingerprints differently at Layer 1. An IT-shop discovery tool may identify "an Ethernet device" without identifying it as a PLC.

CybrIQ identification on operational-technology networks. The OT segment (PLCs, HMIs, RTUs, IEDs, sensors, OEM controllers — Allen-Bradley, Siemens, Schneider, GE, SEL, ABB, SIPROTEC) is connected through a managed OT switch. CybrIQ's External Scan Engine (ESE) reads switch-side signals (link negotiation, MAC OUI, LLDP, port statistics, VLAN context) through SNMP with read-only credentials. The OT segment itself is never actively scanned, never probed, never interrogated, and no agents are installed on operational devices. Traffic between the ESE and the main instance runs over SSL and stays internal to the customer network. The main instance matches against the 750-million-device reference library, including OT, SCADA, and OEM operational-equipment families. Output: per-device inventory, relabel-resistant identification, unauthorized-device events, signed audit trail with SHA-256. What never enters the OT segment: SPAN ports, mirror ports, inline taps, packet capture, DPI, agents on operational devices, vendor cloud connectivity from the OT side.

How CybrIQ identifies devices on a water-utility network

  • Switch-side, read-only signals. CybrIQ reads link negotiation, MAC OUI, LLDP/CDP TLVs, port statistics, and VLAN context from managed switches via SNMP with read-only credentials. The SCADA segment is not scanned; the PLCs are not interrogated.
  • OT and ICS reference library. The Device DNA library identifies common SCADA, HMI, and PLC families — Allen-Bradley CompactLogix and ControlLogix, Siemens S7, Schneider Modicon, GE PACSystems, Emerson DeltaV, and the OEM-specific HMI products that run on top.
  • Unauthorized-device detection. A vendor laptop plugged into an HMI segment that should not host one. A contractor's flash-loaded edge device left behind after a maintenance visit. A Raspberry Pi-class implant. CybrIQ identifies each as not-on-authorization-list within one polling interval.
  • Air-gap capable. Where the OT segment is genuinely air-gapped from corporate IT, CybrIQ ships reference-library updates as signed offline packages that move into the OT enclave through the utility's approved-media process.
  • No agents, no SPAN. No software installed on PLCs, HMIs, RTUs, or operator workstations. No SPAN or mirror port required.
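
The switch-side, read-only check in the list above, reduced to its simplest form as an added example (not CybrIQ's code or method): it parses numeric `snmpwalk` output of the standard BRIDGE-MIB `dot1dTpFdbPort` table and compares one polling snapshot with an authorization list. The sample walk, MAC addresses, port numbers and labels are constructed, and the check covers only the MAC-and-port comparison, not the device fingerprinting the page describes.

```python
import re

# BRIDGE-MIB dot1dTpFdbPort: the index is the learned MAC as six decimal
# octets, the value is the bridge port the MAC was learned on.
FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2"
LINE_RE = re.compile(
    r"^" + re.escape(FDB_PORT_OID) + r"\.((?:\d{1,3}\.){5}\d{1,3}) = INTEGER: (\d+)$"
)

# Constructed sample: numeric snmpwalk output read from a plant switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.0.188.18.52.86 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.14.140.171.205.1 = INTEGER: 4
.1.3.6.1.2.1.17.4.3.1.2.184.39.235.16.32.48 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.0.188.153.0.1 = INTEGER: 4
"""

# Hypothetical authorization list: MAC -> (expected bridge port, label).
AUTHORIZED = {
    "00:00:bc:12:34:56": (3, "PLC, lift station 1"),
    "00:0e:8c:ab:cd:01": (4, "HMI, chlorine room"),
    "00:00:bc:99:00:01": (5, "PLC, booster pump"),
}


def parse_fdb(walk_text):
    """Return {mac: bridge_port} from numeric dot1dTpFdbPort walk output."""
    table = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # row from another OID, or malformed
        octets = [int(o) for o in m.group(1).split(".")]
        if any(o > 255 for o in octets):
            continue  # not a valid MAC index
        mac = ":".join(f"{o:02x}" for o in octets)
        table[mac] = int(m.group(2))
    return table


def deviations(observed, authorized):
    """Flag MACs that are not authorized, or authorized on a different port."""
    events = []
    for mac, port in sorted(observed.items()):
        if mac not in authorized:
            events.append(("unauthorized", mac, port))
        elif authorized[mac][0] != port:
            events.append(("moved", mac, port))
    return events
```

Because a MAC address can be changed on the device, this comparison is a baseline deviation check rather than an identification of what the device is.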

Reporting alignment

What CybrIQ produces, mapped against the documents a water utility is asked for:

  • AWIA risk and resilience assessment, network section. Per-segment device inventory with class, vendor, model, port, VLAN. Re-runnable for the five-year recurrence.
  • AWWA G-430 §G430.8 (asset management). Continuous inventory, signed exports with current date, deviation log.
  • Sanitary survey, cyber components. A current device inventory and a deviation log are typically the answer to the survey question on asset management.
  • Cyber-insurance renewal. See the carrier-evidence breakdown on the SLED home page; the OT-segmentation and unauthorized-device questions are the ones that drive premium for water utilities.
  • WaterISAC indicator matching. A current inventory matched against shared indicators of compromise.

Recent incident context (named on purpose)

The water-sector incident pattern of 2021-2024 is publicly documented and worth naming directly. The pattern is not theoretical:

  • Oldsmar, FL (Feb 2021). Remote-access tool used to alter sodium hydroxide setpoint. Caught by operator.
  • Aliquippa, PA (Nov 2023). Iranian-affiliated CyberAv3ngers compromised a Unitronics PLC at the Municipal Water Authority. Operationally significant; widely publicized.
  • Muleshoe, TX (Jan 2024). Russian-affiliated group caused a water tower to overflow. Published by Mandiant.
  • Wrightsville Beach, NC (2024). Cyberattack on the town's water utility; resilience response handled it.
  • Arkansas City, KS (Sep 2024). Cyberattack forced switch to manual operations.

The deployment shape that the incident pattern argues for: visibility before remote access can do operational damage; visibility on plant networks specifically; and an inventory the IT team can show the EPA, the state primacy agency, the cyber-insurance carrier, and the city council.

Schedule a water-utility briefing

30 minutes. We walk CybrIQ against your specific plant-network topology, your AWIA recurrence cycle, your state primacy agency's survey expectations, and your cyber-insurance renewal questions. Sample evidence pack shipped after the call.