Storage Tank Rule Guidance and Checklist Updates Underway

In 2020, the division worked with stakeholders to develop the updated Storage Tank Rule regulation and Policies DW-010, DW-012 and DW-015 that accompany the regulation updates. The Commission approved all proposed modifications in August 2020 and the regulation updates were effective on October 1, 2020. The Storage Tank Rule (Regulation 11, Section 28) protects public health and public water systems from potential contamination associated with unprotected storage tanks within the public water system’s drinking water distribution system. 

The Field Services Section is actively working on finalizing the Storage Tank Guidance and the periodic and comprehensive inspection checklists to reflect the 2020 Storage Tank Rule updates. The updates to the checklist will incorporate feedback inspectors have received from operators in the field during sanitary surveys. We hope that the updated checklist will be a clear, concise and useful tool for operators when conducting the periodic and comprehensive inspections that are key in ensuring safe drinking water.   

The goal for publishing the updated Storage Tank Rule guidance and checklists on our website is December 2024. If you have questions regarding implementation of the Storage Tank Rule, please email the Field Services Section at cdphe_wqcd_fss_questions@state.co.us. The department, operators and the supplier share the same goal – “Always Safe Drinking Water”.  

➽ Heather Young, PE, CWP, Field Services Section Manager

Be Prepared for Public Notice

This article originally ran in the Fall 2014 Aqua Talk newsletter. Remember getting hard copies in the mail? We thought running it again now would be a good idea because starting in Fall 2024 Lead Action Level Exceedances will require Tier 1 public notice. 

Is your water system ready to notify the public? 

You do an excellent job running your water system and it never has any violations. You do not need to be prepared to rapidly notify your customers of an acute health risk or other health-based violations. Right? Wrong! We believe that all systems need to be prepared for the possibility of issuing a system-wide public notice for a variety of situations.

Through no fault of your own, due to flooding and the associated damage or if routine and repeat samples in the distribution system come back positive for E. coli, your system may face a situation that represents an acute public health risk. According to the Colorado Primary Drinking Water Regulations, you would need to issue a Tier 1 public notice as soon as practical, but no later than 24 hours after becoming aware of the situation. Remember, that by the time the results come back positive on the repeat samples, a couple of days have gone by since the initial samples were collected. Will your customers be satisfied with waiting another 24 hours before being told not to drink their water without boiling it?

Are you ready to do this? On a weekend? On a major holiday? How will you do this, Reverse 911 or other methods? This kind of public notice has a huge impact in the community. Operations at restaurants, businesses, grocery stores, hotels, schools, daycares and more are all significantly impacted. Are you ready to be in touch with all of these entities? There could be media interest. They will ask what did you know? When did you know it? When is the situation going to be fixed? There could be an explosion of social media interest via Facebook and X. Are you ready to engage in these communication methods? What if the event overwhelms your available resources? Are you a member of CoWARN? If so, you may be able to get help from other water systems.

If there is uncertainty about how you will accomplish a rapid notice or about the answers to any of these questions, then we suggest that planning for this kind of event would be a very beneficial activity. While we do not offer specific training at this point in time about Tier 1 public notice, we would be happy to assist your water system with planning for such an event. Please contact Kyra Gregory at kyra.gregory@state.co.us. 

Now, let’s switch gears to a lesser crisis. Suppose that due to an equipment malfunction followed by an alarm breakdown that does not alert you, your filtration system does not meet turbidity limits for a short time period. The drinking water acute team will evaluate the situation, and if there is not an acute risk, then tier 1 public notice would not be needed. However, this situation likely still represents a health-based violation of the Colorado Primary Drinking Water Regulations and triggers a tier 2 public notice. Tier 2 public notice must be issued as soon as practical, but no later than 30 days after the event. Again, will your customer be satisfied with finding out about a violation a month later? Will this generate media interest along the lines of “Why did you wait so long to tell people?” Again, planning for these situations in advance can help you meet not only regulatory requirements but also customer expectations. 

Thank you.

➽ Ron Falco, P.E. Safe Drinking Water Program Manager

Coaches' Classroom: How to secure your remote SCADA access

On September 5, 2024 The Federal Bureau of Investigation (FBI), in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners, released a joint Cybersecurity Advisory: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures to protect critical infrastructure against the Russian military cyber actors and other international cyber criminals. This advisory highlights the increasing risk that cyberattacks pose to US critical infrastructure and, by extension, Colorado public drinking water systems and wastewater providers. 

Because of this continued rise in attacks, the department’s Drinking Water Coaches want to take a moment to discuss a crucial potential vulnerability in drinking water cybersecurity: remote SCADA. With the increasing reliance on operational technologies (OT) like smart phones, laptops, and tablets, it is crucial to ensure that these systems are protected from potential cybersecurity threats. 

What is remote SCADA?

Remote SCADA access allows operators to monitor and control water treatment and distribution systems even when they are not physically present at the plant. This tool provides real-time information on water quality, levels, pressure, and alarms, enabling quick action to be taken if needed.

How can you protect your remote SCADA?

To safeguard your drinking water systems, we recommend the following best management practices: 

1. Use a Separate Device and Minimal App Use: Utilize a dedicated device solely for accessing the SCADA system to minimize the risk of unauthorized access. Limit the installation of additional apps on this device to reduce vulnerabilities. 
2. Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification before granting access. This additional layer of protection can prevent unauthorized entry even if one factor is compromised. A common example is to use text and email verification.
3. Granular Access Controls: Restrict users' access within the SCADA system based on their roles and responsibilities. This ensures that each user can only modify controls relevant to their job function. Establish a process for users to request permission changes, which should be approved by authorized personnel. This segmentation of your SCADA controls will ensure that if one user’s remote access is compromised, the damage will be minimized. 
4. Robust Remote Access Program: Regularly evaluate the strength of your remote access program by ensuring that software and infrastructure are updated with the latest security patches and protocols. Conduct security audits and penetration testing to identify and address vulnerabilities. Consider using encryption technologies like Virtual Private Networks (VPNs) to secure data transmission. 
5. Limit network connectivity: Utilize only cellular data or private Wi-Fi connections. Turn off auto-connect to avoid automatically connecting to public Wi-Fi networks. If using a private Wi-Fi connection, ensure a key must be entered for access and the connection is encrypted.

By following these strategies, water systems can enhance the resilience and integrity of their infrastructure against cyber threats. Remember, protecting our drinking water resources is a shared responsibility that requires ongoing vigilance and adaptability to evolving cybersecurity challenges. Safeguarding our drinking water systems is essential for maintaining public health and public trust. Thank you for your dedication to ensuring the safety and quality of our water supply. 

We want to know - How do you protect your remote SCADA OT?  

The department and our state and federal cybersecurity partners continue to create new resources and tools to help you as you protect your systems from cyber attacks. If you have a robust Remote SCADA protection plan please email kyra.gregory@state.co.us. We are hoping to gather information and produce a best management practices guidance document.  

How can your system become more cyber literate?

Please see the below list of cybersecurity resources to help your system to better protect your IT/OT from cyber attacks: 

• CDPHE Security Toolbox: The department gathered resources to help your system prepare for and respond to cyber and physical security incidents. 
• WQCD Guidance: Respond and Report Cyberattacks  can be used when your water/wastewater facility experiences a cybersecurity event. It outlines what steps to take, the required steps to report the event, and what to expect after reporting the event.
• Self-Assessment: EPA self assessment resources and Water Cybersecurity Assessment Tool (WCAT)
• Third-Party Assessment: EPA’s Water Sector Cybersecurity Evaluation Program and Colorado Information Analysis Center Cyber Assistance 
• EPA Cybersecurity Technical Assistance Program for the Water Sector
• EPA Cybersecurity Incident Action Checklist
• EPA collection and explanation of cybersecurity funding opportunities 

➽ Kyra Gregory Drinking Water Training Specialist

Program Manager Message: Water Sector Security and Resiliency Road Map

In January 2024 representatives from water and wastewater utilities and the professional organizations along with EPA and the Cybersecurity and Infrastructure Security Agency workgroup released an updated Roadmap to a Secure and Resilient Water and Wastewater Sector. The original roadmap was created in 2009 and then it was updated in 2013 and 2017. The workgroup identified key security threats and vulnerabilities to the water sector and assessed capability gaps in addressing them. The roadmap then identified a number of priority actions to help fill in those gaps. A key theme in this document related to physical, workforce and cyber security was the need to build the culture in the workplace to better understand and protect against threats. 

With respect to cybersecurity, some of the recommended actions include:

• Basic practices for responding to technology failures, being able to operate plants manually in times of need.
• Take basic cybersecurity steps and maintain them, such as password security including routines to change them periodically and removing credentials when employees leave or retire.
• Educate employees about cybersecurity and understand incident reporting requirements.
• Conduct training on how to spot ransomware emails.
• Hold cyber event exercises.
• Advocate for cybersecurity awareness and practices up and down and all across your water system.

We greatly encourage your utility and any associated technology resources that may be located in other agencies such as billing to take steps in these action areas. It’s important to assess the threats and vulnerabilities specific to your utility and its technology assets. After the vulnerabilities are identified and assessed for severity, it’s important to take action to close down those vulnerabilities. This is not necessarily easy, but we can connect you to resources for assistance. This threat is very serious. There have been successful cyberattacks on Colorado utilities over the last few years, including a successful ransomware attack in May 2024. At a minimum, a successful attack can create an immediate crisis at a utility that costs a great deal of time and money. But more serious problems that jeopardize drinking water quality and public health could happen too. We urge you to take steps now and into the future to both prevent attacks on your utility and be prepared to respond if an attack does occur.

Thank you.

➽ Ron Falco, P.E. Safe Drinking Water Program Manager

PFAS: Upcoming Stakeholder Information and Answers to Common Questions

Stakeholder meeting for regulating per- and polyfluoroalkyl substances (PFAS) in drinking water

The Water Quality Control Division will host our kickoff meeting on Thursday, Aug. 22, 2024, from 1 to 2:30 p.m to discuss the statewide adoption of the EPA’s PFAS National Primary Drinking Water Regulation under the Water Quality Control Commission’s Regulation No. 11. 

• Register for the PFAS kickoff meeting 

We invite all interested individuals to participate in the process but strongly encourage community and non-transient, non-community public water systems to attend. 

• Sign up through the PFAS drinking water rule engagement form if you would like to continue to receive email correspondence regarding this process.

PFAS Questions

What just happened with the PFAS rule?

On April 10, 2024 the Environmental Protection Agency (EPA) set maximum contaminant levels (MCLs) for five individual PFAS: PFOA, PFOS, PFNA, PFHxS, and HFPO-DA (known as GenX). The EPA is also setting a Hazard Index level for two or more of four PFAS as a mixture: PFNA, PFHxS, HFPO-DA, and PFBS.

Chemical	Maximum Contaminant Level Goal (MCLG)	Maximum Contaminant Level (MCL)
PFOA	0	4.0 ppt
PFOS	0	4.0 ppt
PFHxS	10 ppt	10 ppt
HFPO-DA (GenX Chemicals)	10 ppt	10 ppt
PFNA	10 ppt	10 ppt
Mixture of two or more: PFHxS, PFNA, HFPO-DA, and PFBS	Hazard Index of 1 (unitless)	Hazard Index of 1 (unitless)

Table 1. New federal PFAS Regulatory Levels

Definitions

Maximum Contaminant Level Goal (MCLG): The level of a contaminant in drinking water below which there is no known or expected risk to health and allows for an adequate margin of safety. MCLGs are non-enforceable public health goals.  

Maximum Contaminant Level (MCL): The highest level of a contaminant that is allowed in drinking water. MCLs are set as close to MCLGs as feasible using the best available treatment technology and taking cost into consideration. MCLs are enforceable standards.   

Parts per trillion (ppt):  A ppt is a measurement of the quantity of a substance in the air, water or soil. A concentration of one part per trillion means that there is one part of that substance for every one trillion parts of either air, water or soil in which it is contained. One part per trillion is equivalent to one nanogram per kilogram ng/L.

Hazard Index (HI): The Hazard Index is a long-established approach that EPA regularly uses to understand health risk from chemical mixture. The HI is made up of a sum of fractions. Each fraction compares the level of each PFAS measured in the water to the highest level determined not to have risk of health.

What is a Hazard Index?

Research shows that mixtures of PFAS can have additive health effects. This means that low levels of multiple PFAS that individually would not likely result in adverse health effects may pose health concerns when combined in a mixture. EPA’s Hazard Index MCL is set at 1 and applies to any mixture containing two or more of PFNA, PFHxS, PFBS, and GenX. The Hazard Index is made up of a sum of fractions. Each fraction compares the level of each PFAS measured in the water to the highest level below which there is no risk of health effects.

Is this going to impact my water system?

Community Water Systems and Non-Transient Non-Community Water Systems must comply with the PFAS drinking water MCLs. Consecutive community systems and NTNC systems must comply with the MCLs as well but the requirements are less extensive.

When will I see this on my Monitoring Schedule? When do I need to start sampling? Am I going to need to install treatment?

By the end of 2026: 

• Systems must conduct initial monitoring or obtain approval to use previously collected monitoring data
• States must adopt PFAS rule into state regs

Starting in 2027: 

• Systems must start their ongoing compliance monitoring
• There are opportunities for reduced monitoring depending on the system’s initial monitoring results
• Systems must include results of their monitoring for the regulated PFAS in their Consumer Confidence Reports
• Systems must start issuing public notification for any monitoring and testing procedure violations

By the end of 2028:

• Systems that detect PFAS above the new standards must implement solutions that reduce PFAS in their drinking water to below the MCLs to remain in compliance with the rule

Starting in 2029: 

• Systems must comply with all regulated PFAS MCLs
• Systems must provide public notification for violations of the PFAS MCLs

What treatment methods will remove PFAS?

• Granular activated carbon (GAC), ion exchange and reverse osmosis are the most common methods of removing PFAS from drinking water. 
• Most conventional drinking water treatment methods will not remove PFAS.
• Powdered activated carbon (PAC) may remove some PFAS but testing is required to confirm.
• PFAS is not removed by boiling.

How do I deal with PFAS treatment residuals?

The EPA released an interim disposal guidance for PFAS media, backwash water, and RO concentrate. Their current recommended methods are:

• Underground injection
• Landfill
• Thermal treatment/incineration - this is the best option but isn’t widely available yet. Note that exhausted GAC media can be thermally regenerated for non potable use. 
• Interim storage for high PFAS content materials.

Are there labs to do this testing? Is it expensive?

• Testing costs vary from lab to lab and typically range from about $300 to $600 per sample. Systems must use an approved test method (EPA 533 or EPA 537.1) Be aware that there are lower cost PFAS tests available and while these may be good for applications like testing a private well, they may not be acceptable for compliance purposes. 
• Systems can sign up for CDPHE’s grant program for initial PFAS monitoring or reach out to cdphe_wqcd_pfas_grant@state.co.us.
• All labs on the EPA’s list of labs certified for PFAS testing are acceptable for compliance purposes.

Where can I find more information?

• CDPHE's Water Quality PFAS website
• EPA’s Water Quality PFAS Website
• CDPHE's PFAS testing results in public water systems in Colorado

➽ Chelsea Cotton, Lead Drinking Water Engineer

PFAS Wastewater/Biosolids Sampling - SB20-218

Image courtesy of Michigan Department of Environment, Great Lakes, and Energy

The Department of Public Health and Environment (CDPHE) is pleased to announce a new program offering wastewater and biosolids facilities free lab analysis of wastewater and biosolids samples for PFAS. The program will be available during fiscal year 2025 (July 1, 2024 thru June 30, 2025) and funding dependent moving forward. To request a sample kit, please complete the Wastewater/Biosolids PFAS Sampling Request form located on the PFAS grant program webpage. 

The division has been implementing a proactive approach to control PFAS contributions to the environment that includes measuring and trying to understand levels of PFAS in biosolids and wastewater. The concept is to identify and reduce significant sources of non-domestic PFAS entering wastewater treatment facilities.

For more information visit the CDPHE's PFAS website and PFAS and Biosolids website. 

➽ Sierra Mitchell, PFAS Program Coordinator

New Policy Addresses Enforcement Discretion Questions on HB24-1344

The Colorado State Plumbing Board convened an emergency meeting on Wednesday, July 17, 2024 in response to the Colorado Department of Public Health and Environment's request that the State Plumbing Board use its statutory discretion and not issue disciplinary actions until HB24-1344 has been fully implemented through Board rulemaking. During this meeting, the Board agreed and issued a policy stating that certified cross-connection control technicians would not be subject to discipline for inspecting, testing, and repairing backflow prevention devices through April 1, 2025.

This direction maintains public health protections, supports water utility compliance with drinking water regulations, and does not disrupt the lives of people and businesses operating under the prior status quo.

This timing also allows the General Assembly the ability to hear from all stakeholders and reconsider this issue and its implications for public health during the 2025 session. We hope to reach an agreement that allows technicians to do the critical work they were doing prior to the passage of HB24-1344.

To participate in rulemaking and stakeholder input opportunities with DORA, please sign up through this form.