Prepared pursuant to America's Water Infrastructure Act (AWIA) Section 1433
42 U.S.C. §300i-2
Prepared For
Riverside Water Authority
Serving 8,500 residents · Riverside County, Alabama
PWSID: AL8500123
AWIA §1433(a) requires your Risk and Resilience Assessment to address six statutory elements. Each element below reflects whether your assessment answers cover the requirement without gaps.
Risk from malevolent acts and natural hazards
Resilience of physical infrastructure and electronic/automated systems: 4 gaps identified in this area
Monitoring practices
Financial infrastructure: 1 gap identified in this area
Use, storage, and handling of chemicals
Operation and maintenance of the system
This summary reflects statutory coverage only. AWIA does not define a pass/fail score or numeric rating for Risk and Resilience Assessments.
This Risk and Resilience Assessment was conducted for Riverside Water Authority, a community water system serving approximately 8,500 residents in Riverside County, Alabama, pursuant to the America's Water Infrastructure Act (AWIA) Section 1433 (42 U.S.C. §300i-2). The assessment evaluated the system's security posture and resilience across all six statutory elements mandated by §1433(a)(1)(A): (i) risk from malevolent acts and natural hazards, (ii) resilience of physical infrastructure and electronic/automated systems, (iii) monitoring practices, (iv) financial infrastructure, (v) use, storage, and handling of chemicals, and (vi) operation and maintenance. The Emergency Response Plan was also reviewed against §1433(b)(1)-(4) requirements.
AWIA §1433 does not define a pass/fail score or numeric compliance rating for Risk and Resilience Assessments. This report instead identifies which statutory elements the utility's assessment has addressed and which need attention. Riverside's assessment fully addresses four of the six statutory elements, reflecting mature practices for physical access control, chemical handling, continuous water quality monitoring, and routine operation and maintenance. Two elements need attention: resilience of electronic and automated systems under §1433(a)(1)(A)(ii), and financial infrastructure under §1433(a)(1)(A)(iv).
As a community water system serving more than 3,300 persons, Riverside is required under §1433(a)(3)(A)(iii) to certify completion of its Risk and Resilience Assessment to EPA. Under §1433(a)(3)(B), the system must review and if necessary revise this assessment at least once every 5 years. This report identifies 5 specific gaps requiring remediation, including 2 high-priority items that should be addressed within 30 days. A detailed remediation roadmap with 30/60/90-day action plans, cost estimates, and federal resource recommendations is provided in subsequent sections. Pursuant to §1433(d), Riverside must maintain a copy of this assessment and the associated Emergency Response Plan for 5 years after certification.
The assessment found that Riverside does not currently require multi-factor authentication (MFA) for remote access to its SCADA system or business network. Remote access is protected by password only. CISA Cross-Sector Cybersecurity Performance Goal 1.1 specifically requires MFA for remote access to critical systems. The 2023 CyberAv3ngers attack on the Aliquippa, PA water authority exploited systems accessible via default credentials without MFA.
Remediation
Implement multi-factor authentication for all remote access to SCADA, VPN, email, and any system accessible from outside the facility. Use authenticator apps or hardware tokens.
Effort Level
Low — can be done internally
Estimated Cost (3,301–49,999 Served)
$1,000 - $5,000
Federal Resources Available
CISA CPG 1.1 implementation guide (free); many MFA solutions are free or low-cost; CISA Regional Advisor can assist with implementation
Action Plan
30 Days
Identify all remote access points. Select MFA solution (authenticator app is free).
60 Days
Deploy MFA on all remote access points (VPN, email, cloud services).
90 Days
Deploy MFA on SCADA remote access. Verify no bypass exists. Document for compliance.
The assessment found that Riverside's business IT network (email, internet, billing) and operational technology network (SCADA, PLCs, treatment controls) run on a single flat network with no firewall or segmentation boundary between them. A commodity phishing email landing on a business workstation can reach the treatment plant's control systems laterally. CISA CPG 7.1 calls for network segmentation between IT and OT environments as a baseline control.
Remediation
Install a firewall between the business IT and OT networks with default-deny rules. Document and allow only the specific traffic required between segments. Move SCADA, PLCs, and HMIs onto the protected OT segment.
Effort Level
High — requires vendor or integrator support
Estimated Cost (3,301–49,999 Served)
$20,000 - $75,000
Federal Resources Available
CISA CPG 7.1 implementation guide (free); CISA technical assessment (free); Drinking Water State Revolving Fund for infrastructure upgrades
Action Plan
30 Days
Map current network architecture. Inventory every IT/OT connection point.
60 Days
Design segmentation architecture. Procure firewall hardware. Begin phased implementation.
90 Days
Complete segmentation. Test default-deny rules. Document for compliance.
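One way to carry out the "Test default-deny rules" step, as an added example that is not part of the Regris report: compare the firewall's logged decisions against the documented inter-segment allowlist and flag every flow crossing the OT boundary that contradicts it. The subnets, the single allowlisted flow, and the log entries are constructed assumptions.

```python
import ipaddress

# Assumed addressing for illustration only; not taken from the assessment.
IT_NET = ipaddress.ip_network("10.10.0.0/24")  # email, internet, billing
OT_NET = ipaddress.ip_network("10.20.0.0/24")  # SCADA, PLCs, HMIs

# Documented inter-segment allowlist: (source, destination, protocol, port).
# Hypothetical entry: one billing host reads from an OT historian over TLS.
ALLOWED = [
    (ipaddress.ip_network("10.10.0.25/32"),
     ipaddress.ip_network("10.20.0.40/32"), "tcp", 443),
]

def segment(addr):
    ip = ipaddress.ip_address(addr)
    return "IT" if ip in IT_NET else "OT" if ip in OT_NET else "EXTERNAL"

def is_allowed(src, dst, proto, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a_src and d in a_dst and proto == a_proto and port == a_port
               for a_src, a_dst, a_proto, a_port in ALLOWED)

def audit(flows):
    """Return flows crossing the OT boundary that contradict the allowlist."""
    violations = []
    for src, dst, proto, port, action in flows:
        s_seg, d_seg = segment(src), segment(dst)
        if s_seg == d_seg or "OT" not in (s_seg, d_seg):
            continue  # same segment, or OT not involved: out of scope here
        ok = is_allowed(src, dst, proto, port)
        if action == "accept" and not ok:
            violations.append((src, dst, proto, port, f"{s_seg}->{d_seg} accepted without rule"))
        elif action == "drop" and ok:
            violations.append((src, dst, proto, port, f"{s_seg}->{d_seg} documented flow dropped"))
    return violations

# Constructed firewall log sample: (src, dst, proto, port, action).
SAMPLE_FLOWS = [
    ("10.10.0.25", "10.20.0.40", "tcp", 443, "accept"),   # documented flow
    ("10.10.0.77", "10.20.0.10", "tcp", 502, "accept"),   # workstation to PLC (Modbus)
    ("10.10.0.77", "10.20.0.10", "tcp", 3389, "drop"),    # correctly denied
    ("10.20.0.10", "10.10.0.5", "tcp", 445, "accept"),    # OT host to IT file share
    ("10.10.0.77", "10.10.0.5", "tcp", 445, "accept"),    # intra-IT, ignored
    ("203.0.113.9", "10.20.0.40", "tcp", 443, "accept"),  # outside host into OT
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

An empty result is what a finished default-deny boundary should produce; each remaining entry is either an undocumented path into or out of OT, or a documented flow the firewall is blocking.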
Riverside does not have a written financial continuity plan for scenarios that interrupt normal revenue collection — for example, a ransomware event that takes billing systems offline for weeks, or a prolonged SCADA outage that forces manual operations with extra labor cost. No documented cash reserves target, line of credit, or mutual-aid financial arrangement exists for emergency operations.
Remediation
Document a financial continuity plan covering extended billing outage, emergency coordination labor costs, and emergency capital needs. Establish a cash reserves target (typically 90–180 days of operating expenses) and a prearranged line of credit for emergency operations.
Effort Level
Medium — requires board or council approval
Estimated Cost (3,301–49,999 Served)
$2,000 - $10,000
Federal Resources Available
EPA Water Financial Resilience resources (free); WIFIA low-interest loans for capital needs; state drinking water primacy agency financial assistance programs
Action Plan
30 Days
Model financial impact of a 30-day billing outage. Review existing reserves and borrowing capacity.
60 Days
Draft a financial continuity plan. Secure board or council sign-off on reserves target.
90 Days
Establish an emergency line of credit. Document in the utility's financial policies.
The current Emergency Response Plan was last updated in 2020 and does not incorporate findings from this assessment as required by §1433(b). The ERP lacks cybersecurity incident response procedures per §1433(b)(1)...
This assessment addresses all elements required under §1433(a)(1)(A)(i)-(vi) and §1433(b)(1)-(4). The certifying official has reviewed and confirmed the accuracy of this assessment. Record retention per §1433(d) applies for 5 years...
Consolidated 30/60/90 day action plan for all 5 identified gaps mapped to §1433(a)(1)(A) and §1433(b) statutory elements, prioritized by severity with cost estimates and federal resource recommendations...
Your full report includes your complete §1433(a) element-by-element findings, Emergency Response Plan assessment, EPA certification document, and remediation action plan.
The following tables show how your Regris assessment and plan address each element required by AWIA Section 1433 of the Safe Drinking Water Act.
| Statutory Element | Plain-Language Requirement | Addressed by Regris | Status |
|---|---|---|---|
| §1433(a)(1)(A)(i) | Risk from malevolent acts and natural hazards affecting the system's ability to provide safe drinking water. | RRA categories: Physical Security of System Components, Business Continuity and Emergency Response | Addressed |
| §1433(a)(1)(A)(ii) | Resilience of pipes, conveyances, physical barriers, source water, intake, pretreatment, treatment, storage, distribution facilities, and electronic/computer/automated systems including cybersecurity. | RRA categories: Physical Security of System Components, Cybersecurity of OT and IT Systems | Needs Attention |
| §1433(a)(1)(A)(iii) | Monitoring practices used by the system. | RRA category: Monitoring Practices | Addressed |
| §1433(a)(1)(A)(iv) | Financial infrastructure of the system — the resources and arrangements needed to sustain operations and recovery. | RRA category: Financial Infrastructure | Needs Attention |
| §1433(a)(1)(A)(v) | Use, storage, and handling of chemicals used in water treatment and operations. | RRA category: Chemical Handling and Storage | Addressed |
| §1433(a)(1)(A)(vi) | Operation and maintenance of the system. | RRA category: Business Continuity and Emergency Response | Addressed |
| Statutory Element | Plain-Language Requirement | Addressed by Regris | Status |
|---|---|---|---|
| §1433(b)(1) | Strategies and resources to improve the resilience of the system, including physical security and cybersecurity. | ERP section: Resilience Strategies | Addressed |
| §1433(b)(2) | Plans, procedures, and equipment to respond to a malevolent act or natural hazard event. | ERP sections: Emergency Plans and Procedures, Training and Exercises | Addressed |
| §1433(b)(3) | Actions, procedures, and equipment that can reduce the impact on public health and water supply, including development of alternative water sources, relocation of water intakes, and construction of flood protection barriers. | ERP section: Mitigation Actions | Addressed |
| §1433(b)(4) | Strategies to detect malevolent acts or natural hazards that threaten the security or resilience of the system. | ERP section: Detection Strategies | Addressed |
This mapping reflects Regris's interpretation of statutory coverage and does not constitute legal advice. Consult qualified legal counsel to confirm your system's compliance posture.