Free Tool

Water Utility Cybersecurity
Self-Assessment

30 questions across 7 control domains. AWWA V4.0 and EPA-aligned. Understand your risk posture and see where your gaps are before an attacker finds them.

~10 min to complete
7 domains AWWA-aligned
100% confidential
AWIA 2018 compliance mapped
Aligned with: AWWA V4.0 Risk Management Guidance, AWIA 2018 §2013, NIST CSF 2.0, EPA Priority Controls, CISA Water Sector Guidance
Asset Inventory & Management (AWIA Required)
5 questions: Do you know what's on your network?
Do you maintain a current, documented inventory of all OT/ICS devices (PLCs, RTUs, HMIs, SCADA servers, and engineering workstations)?
AWIA Required | AWWA P1
Do you know which of your OT devices are accessible from the internet (internet-facing PLCs, HMIs, or remote access portals)?
AWWA P1 | EPA Priority
Is your OT asset inventory reviewed and updated at least annually?
AWWA P2
Do you maintain an approved software/firmware list for OT systems, and is unauthorized software prohibited?
AWWA P3
Are end-of-life devices (e.g., Windows XP/7 HMIs, unsupported PLCs) tracked with documented compensating controls in place?
RedEye P1 | EPA Priority
Network Architecture & Segmentation (AWIA Required)
5 questions: Is IT separated from OT?
Are your OT/ICS networks physically or logically separated from your IT/corporate and internet-connected networks?
AWIA Required | AWWA P1 | EPA Priority
Is there a firewall or DMZ between your IT and OT networks with documented, restrictive rule sets?
AWWA P1
Are remote access connections (VPN, RDP, TeamViewer) to OT systems controlled, logged, and restricted to approved personnel?
AWWA P1 | EPA Priority
Have direct internet connections to OT devices (PLCs, HMIs, SCADA) been removed or blocked at the perimeter?
RedEye P1 | EPA Priority
Are wireless networks fully isolated from OT systems, with no path from wireless to control system networks?
AWWA P2 | RedEye P1
Access Control & Authentication (AWIA Required)
5 questions: Who can reach your control systems?
Have default credentials been changed on ALL OT devices (PLCs, HMIs, RTUs, switches, and SCADA servers)?
AWWA P1 | EPA Priority
Is multi-factor authentication (MFA) required for all remote access to OT systems?
AWWA P2 | EPA Priority
Is access to OT systems limited to personnel with documented, role-based need, and are access lists reviewed at least annually?
AWIA Required | AWWA P2
Are shared or generic accounts (e.g., "admin", "operator") prohibited on OT systems and SCADA platforms?
AWWA P1 | RedEye P1
Are vendor/contractor accounts disabled or removed when not in active use, and is vendor access logged?
AWWA P3 | RedEye P2
Patch & Vulnerability Management
4 questions: Are known vulnerabilities being fixed?
Is there a documented process for identifying, evaluating, and applying patches to OT systems, including PLCs and HMIs?
AWWA P2 | EPA Priority
Are CISA Known Exploited Vulnerabilities (KEV) addressed on OT systems within 30 days of release?
AWWA P2 | RedEye P1
Are OT devices scanned or assessed for known vulnerabilities at least annually, including firmware versions?
AWWA P3 | EPA Priority
Is there a plan to migrate away from end-of-life operating systems (Windows 7/10/Server 2008) on OT workstations and SCADA servers?
RedEye P1
Monitoring & Detection
4 questions: Would you know if something was wrong?
Are OT network communications (Modbus, DNP3, EtherNet/IP) monitored for anomalies or unauthorized commands?
AWWA P2 | RedEye P1
Is logging enabled on OT systems and stored in a centralized, tamper-resistant location (not on the OT device itself)?
AWWA P2 | EPA Priority
Are there alerts configured for after-hours OT access, unauthorized login attempts, or anomalous control commands?
AWWA P2 | RedEye P1
Are security logs reviewed by a qualified person at least weekly, with documented follow-up on flagged events?
AWWA P3
Incident Response Planning (AWIA Required)
4 questions: Can you respond when something happens?
Do you have a written cybersecurity incident response plan (IRP) that specifically covers OT/ICS scenarios?
AWIA Required | AWWA P1 | EPA Priority
Has your incident response plan been tested or exercised (tabletop or drill) within the last 12 months?
AWIA Required | AWWA P2
Do you have documented, current contact information for CISA (888-282-0870), WaterISAC (866-H2O-ISAC), and local law enforcement for cyber incidents?
AWWA P1 | RedEye P1
Are OT system configurations backed up regularly, with at least one copy stored offline or air-gapped and tested for restorability?
AWWA P1 | EPA Priority
Physical Security & Insider Risk
3 questions: Can someone walk up and plug in?
Is physical access to control rooms, PLC panels, and OT hardware restricted via key card, PIN, or lock, with access logs maintained?
AWIA Required | AWWA P1
Are USB ports and removable media disabled or locked on OT workstations, HMIs, and engineering stations?
AWWA P2 | RedEye P1
Are vendor and contractor visits to OT areas pre-approved, escorted, and logged, with no unsupervised access to control systems?
AWWA P3 | RedEye P2

Your Risk Assessment Results

Parallel Guidelines: AWWA Standard vs. RedEye Recommendation

AWWA / EPA Standard
RedEye ICS Recommendation
Priority 1 Conduct a baseline asset inventory

AWWA V4.0 requires all OT/ICS devices documented before any other controls. Use AWWA's Getting Started Guide to complete an inventory within 30 days.

RedEye P1 Passive OT discovery: zero risk to operations

We deploy a passive network tap to discover every ICS device communicating on your network, including devices no one knew existed. Cross-referenced against Shodan for internet exposure. Results in 48 hours.

Priority 1 Eliminate internet-exposed OT devices

EPA guidance and AWWA both list internet exposure of PLCs/HMIs as the single highest-priority risk to remediate immediately. Remove all direct internet paths to control systems.

RedEye P1 Live Shodan scan of your IP space

We run a Shodan/Censys search against your public IP ranges and SCADA domains before the engagement begins. On the call, we'll show you what adversaries can already see about your systems.

Priority 1 Change default credentials on all OT devices

AWWA Getting Started Guide Step 1: Unitronics Vision Series, Siemens S7, Allen-Bradley PLCs, and most HMIs ship with known default passwords publicly listed online.

RedEye P1 Default credential audit against known ICS CVEs

We test against the CISA Known Exploited Vulnerabilities catalog for your specific device makes and models, including Unitronics, Siemens, Rockwell, GE, and Schneider Electric.

Priority 1 Implement network segmentation (IT/OT separation)

AWWA and EPA both require logical or physical separation between IT and OT networks. Flat networks are the root cause of most water sector incidents.

RedEye P1 ICS protocol traffic analysis and lateral movement mapping

Passive capture of Modbus, DNP3, and EtherNet/IP traffic to map exactly how your OT network communicates. Identify flat-network paths an attacker would use to pivot from IT to PLC.

Priority 2 Require MFA for all remote OT access

EPA priority control: all remote access (VPN, RDP, vendor tools) to OT systems requires multi-factor authentication. Single-factor remote access is not acceptable.

RedEye P2 Remote access configuration review + threat hunt

We enumerate all remote access paths (including shadow IT: TeamViewer, AnyDesk, cellular modems) and hunt for unauthorized remote sessions in logs going back 90 days.

Priority 2 Develop and test an OT incident response plan

AWIA 2018 §2013 legally requires a cybersecurity IRP. AWWA provides a template. It must cover OT-specific scenarios and be tested within 12 months of creation.

RedEye P2 ICS-specific IRP + AWIA certification documentation

We deliver a ready-to-sign AWIA-compliant incident response plan as part of every assessment, tailored to your specific SCADA platform, control systems, and utility size. Includes tabletop exercise guide.

Priority 3 Implement OT monitoring and anomaly detection

AWWA V4.0 Priority 2: deploy OT-aware monitoring tools. Passive monitoring of ICS protocols (Modbus, DNP3) to detect unauthorized commands or anomalous behavior without impacting operations.

RedEye P3 Continuous ICS protocol monitoring (post-assessment)

After the assessment, RedEye offers continuous passive monitoring of your OT network, at $5,000-$12,000/month depending on site count. We alert on unauthorized control commands, new devices, and active threat IOCs targeting the water sector.


Get the professional version of this assessment

RedEye's 2-week OT assessment covers everything above, with findings, prioritized remediation, and AWIA certification documentation. Most engagements are fully grant-funded.
