EPA's cyber rule got killed in court, but a 2024 enforcement alert and a scathing GAO report reopened the same door — exposing 50,000 water systems that barely have a vendor built for them.
The mechanism. In March 2023, EPA tried to force states to check cybersecurity during routine drinking-water "sanitary surveys." Missouri, Arkansas, and Iowa sued, the Eighth Circuit stayed it, and EPA formally withdrew the memo that October. Case closed, threat neutralized — except it wasn't. A February 2024 GAO report (GAO-24-106744) blasted EPA for having no coherent cybersecurity strategy for water and wastewater systems, and by May 2024 EPA came back through a different door: an enforcement alert invoking existing Safe Drinking Water Act §1433 authority, the provision requiring community systems serving 3,300+ people to file risk-and-resilience assessments. EPA disclosed that over 70% of systems it inspected since September 2023 were violating basic §1433 cyber-hygiene requirements — default passwords, single-factor remote access, no asset inventory — and pledged more inspections, not fewer. No new rule was needed. The existing statute plus inspection pressure does the same job, just slower and quieter, on roughly 50,000 community water systems and 16,000 wastewater systems that mostly have never bought a dedicated OT security product in their history.
EPA lost the rule in court and won the market anyway — the same 50,000 water systems now face compliance pressure through inspections, not mandates.
Who cashes in:
- Fortinet (FTNT) is the one name in the cyber universe with an actual shipped OT/ICS product line — the FortiGate Rugged series and OT Security Platform, purpose-built for the programmable logic controllers, SCADA systems, and flat, air-gapped-in-theory networks that run treatment plants. Fortinet has run water-utility case studies and an annual "State of OT" survey for years because it already sells into this buyer, unlike IT-first vendors retrofitting a pitch. This is a genuine build-out: thousands of small, budget-constrained municipal buyers newly forced to document compliance is incremental total addressable market, not a wallet-share fight against CrowdStrike.
- Palo Alto Networks (PANW) has been assembling an OT story through its Zingbox-derived IoT/OT security and Cortex Xpanse attack-surface tooling, and its systems-integrator and public-sector channel gives it a plausible path to municipal utility budgets even without Fortinet's install-base head start.
- Palantir (PLTR) benefits indirectly: CISA and EPA both need to fuse fragmented utility vulnerability data to prioritize the "worst-first" inspections GAO demanded, and Palantir's federal footprint positions it for that data-integration layer rather than the endpoint itself.
Who is exposed: CrowdStrike (CRWD), SentinelOne (S), and Zscaler (ZS) are endpoint- and cloud-native by design — their agents assume modern operating systems and internet-connected architecture that most water-plant PLCs and legacy SCADA gear simply cannot run. This buyer base doesn't convert into their pipeline without years of product rebuild; the enforcement wave grows a market they're structurally absent from.
The play. This isn't a share-shift story like the last decade of endpoint consolidation — it's a market that barely exists yet for a vendor that already has the product. Watch EPA's inspection cadence and whether Congress revives a water-cyber mandate (several bills have circulated) as the next re-acceleration point, and watch Fortinet's OT-specific disclosure (it doesn't break out water-vertical revenue) for any signal this cohort is showing up in bookings.
What to watch: EPA's next enforcement-alert update, GAO follow-up reporting on EPA's water-cyber strategy, and any renewed congressional water-security legislation.