Menu

Strengthening Cybersecurity in Indiana’s Water and Wastewater Sectors: New Requirements and Deadlines Under Senate Enrolled Act 459

Featured

Cybersecurity threats to water and wastewater systems are growing rapidly, and Indiana has taken a major step to protect these critical services. With the rise of ransomware, unauthorized remote access, and attacks on industrial control systems, utilities must meet stronger cybersecurity expectations to safeguard public health and operational continuity.

To address these risks, Senate Enrolled Act (SEA) 459 went into effect on July 1, 2025. This establishes mandatory cybersecurity assessments, reporting requirements, and annual compliance obligations for water and wastewater facilities across the state.

Who Must Comply?

Under Indiana Code (IC) 13-18-16.5-1, the law applies to facilities that use computerized systems to monitor or control processes from a central location, including:

  • Community water systems serving 500+ people
  • Publicly owned treatment works (POTWs)
  • Semipublic facilities classified as Class III or Class IV

Mandatory Requirements and Deadlines

1. Perform an Annual Vulnerability Assessment (Annually)

Utilities must evaluate risks to SCADA systems, industrial control systems, remote access, and other digital components.  This assessment may be completed by:

  • Facility staff
  • City or municipal IT personnel
  • A qualified third-party contractor

Deadline: First assessment due by December 31, 2026, and every year afterwards.  Certification must be submitted annually. Note: The assessment is not required to be submitted, but must be completed and documented.

2. Designation of a Cybersecurity Incident Reporter

Utilities must provide the Indiana Office of Technology (IOT) with the name and contact information (email and phone number) of their primary cybersecurity contact. Must be updated as personnel changes. 

Initial Deadline – August 31, 2026, and every year afterwards.

3. Mandatory Cyber Incident Reporting

Utilities must report cyber incidents to IOT within strict timelines:

  • If operations are impacted: Report within 24 hours of discovering the incident.
  • If operations are NOT impacted: Report within two business days of discovery.

Support and Resources

Cyberattacks on water systems can disrupt treatment processes, alter chemical dosing, or disable monitoring equipment—posing direct risks to public health. Meeting the deadlines ensures faster response to cyber threats, reduced downtime, better protection of critical infrastructure, and stronger resilience against evolving cyber risks.

SEA 459 marks a significant advancement in protecting Indiana’s water and wastewater infrastructure. With clear deadlines for assessments, certifications, and incident reporting, utilities now have a structured framework to strengthen their cybersecurity posture. The Indiana Department of Environmental Management (IDEM) provides tools and guidance to help utilities meet these deadlines, including cybersecurity assessment templates, best-practice guides, reporting instructions, and training opportunities.

By meeting these requirements, facilities not only comply with state law—they also protect the communities that rely on them every day.

For more information or assistance on your assessment, contact Brady Dryer.

|