Cybersecurity: NIST's Updated Password Guidelines & Sector Resources

The water and wastewater sectors are essential to daily life, and safeguarding them from cyber threats is crucial. The newly updated National Institute of Standards and Technology’s (NIST) password guidelines, along with the range of resources offered by the EPA and CISA, provide a strong foundation for improving cybersecurity across the industry. We encourage you and your colleagues to implement these new password guidelines and general cyber hygiene. Here’s a breakdown of the key updates and additional cybersecurity resources that can help strengthen your system's defenses.

NIST’s Updated Password Guidelines: What’s New?

In September 2024, NIST introduced new password management guidelines aimed at improving both security and user experience. The changes reflect a shift towards longer, more memorable passwords, and away from overly complex password requirements.

Key Updates:

1. Password Length: NIST now recommends using passwords or passphrases that are at least 15 characters long. The focus has shifted from enforcing complexity (e.g., mixing uppercase, numbers, and symbols) to prioritizing longer passwords that are easier to remember.
2. Password Composition: Gone are the days of forcing users to include specific character types. The new focus is on allowing longer, memorable passwords, which reduces the chances of people creating easily guessable passwords. 
3. Fewer Password Changes: Unless there’s evidence of a security breach, mandatory password changes are no longer required. This policy change helps users avoid creating predictable patterns due to frequent password resets.
4. Password Managers: NIST now strongly encourages the use of password manager software, which can generate and store strong, unique passwords for each account. It’s a vital tool to prevent the risk of password reuse across different accounts.
5. Avoid Password Hints & Security Questions: To minimize the risk of social engineering attacks, NIST advises against using password hints or security questions that could easily be guessed.
6. Multi-Factor Authentication (MFA): MFA is a non-negotiable security measure. By requiring more than just a password to access sensitive systems, MFA adds an additional layer of protection.

These updated guidelines emphasize simplicity and practicality, reducing user frustration while enhancing security. In an industry like water and wastewater, where systems are critical to public health, these updates offer a crucial balance of usability and protection.

Additional Cybersecurity Resources for the Water & Wastewater Sector

Alongside these password updates, there are also significant resources available to bolster cybersecurity across water and wastewater systems.

On March 13, 2025, the EPA will host a cybersecurity briefing for the water and wastewater sector. The session will cover unclassified threats, along with available funding and technical resources from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA). Here are a few resources to explore:

• CDPHE Security Toolbox - Provides Colorado specific guidance for planning for and responding to cybersecurity and physical security attacks. 
• EPA Cybersecurity for the Water Sector - Get comprehensive guidance and tools to safeguard water systems against cyber threats.
• CISA Water and Wastewater Cybersecurity Toolkit - A practical set of tools to strengthen your water sector infrastructure against cyber threats.

By staying informed and adopting the latest cybersecurity practices, water and wastewater utilities can ensure a secure future, protecting critical infrastructure from evolving threats.

➽ Kyra Gregory, Drinking Water Training Specialists 

EPA PFAS Rule Update: What Colorado Water Systems Need to Know

The division is closely monitoring recent developments from the EPA regarding its 2024 drinking water PFAS Rule. While the EPA has signaled potential changes to the regulation, the official rulemaking timeline remains unchanged, with Colorado’s adoption scheduled for August 11, 2025. The division is committed to maintaining clarity for water systems and intends to highlight this federal uncertainty in its Statement of Basis and Purpose that is part of the rulemaking. The division is committed to communicating with water systems when federal action occurs and proposing revisions to Colorado’s PFAS rule to align with federal requirements before the Water Quality Control Commission.

Resources: 

• CDPHE - Regulating per- and polyfluoroalkyl substances (PFAS) in drinking water
• CDPHE - PFAS mapping (includes PFAS in treated drinking water map and data) 
• CDPHE - PFAS Grant program

EPA’s Announced Changes

In May 2025, the EPA announced that it may significantly revise the 2024 PFAS Rule. Proposed changes include:

• Removing and reconsidering regulations for four PFAS compounds: PFNA, PFHxS, HFPO-DA (GenX), and PFBS.
• Retaining Maximum Contaminant Levels (MCLs) and monitoring requirements for PFOA and PFOS only.
• Eliminating the Hazard Index concept and its associated MCL for PFAS mixtures.
• Extending the compliance deadline for PFOA and PFOS MCLs from 2029 to 2031.

These changes are planned to occur via a revised PFAS Rule proposal in Fall 2025, and anticipated finalization in Spring 2026.

It’s important to note that, so far, EPA’s announcement has not indicated changes to the requirements for initial monitoring of six PFAS compounds by the April 2027 compliance deadline.

Colorado’s Approach

Colorado is moving forward with adopting the PFAS rule this summer to retain full Safe Drinking Water Act primacy. This ensures that the division, not EPA, will continue to oversee PFAS compliance, monitoring, and enforcement across Colorado systems.

To account for the evolving federal landscape, the division has included a “federal flexibility provision” in its rule language. This provision allows for the automatic extension or stay of any deadlines or requirements altered by the final federal PFAS Rule, minimizing disruption for water systems.

Why Primacy Matters

Colorado’s decision to adopt the rule in 2025 avoids a primacy extension agreement with EPA. Under such an agreement, EPA would have authority over PFAS compliance while the state catches up. This would fragment regulatory oversight, complicate compliance for Colorado’s water systems, and limit our decision-making authority during this period. We believe that the division can provide the best decisions for water systems and their customers in Colorado.

The division’s experience with the Lead and Copper Rule Revisions (LCRR) demonstrated the benefit of timely rule adoption. Being one of the few states to implement LCRR on schedule allowed the division to retain control and better support systems through technical and operational challenges. The same advantages apply here.

Operational Implications for Water Systems

Drinking water data across Colorado shows that PFOA and PFOS are the primary PFAS compounds detected in public water supplies in Colorado. The removal of other compounds from the federal rule should not change which systems require PFAS treatment in Colorado. However, there may be impacts to treatment plant design and operation, which the division will work to consider during rule implementation.

In the meantime, systems are encouraged to stay engaged and continue monitoring for PFAS to meet initial monitoring requirements. The division will provide ongoing updates and technical assistance throughout this evolving process.

Stay Informed

The division is committed to supporting Colorado’s water systems during this transition. As the revised federal rule develops, Colorado will adapt, but always with the goal of maintaining clarity, consistency, and strong public health protections.

➽ Haley Orahood, Regulatory Development and Implementation Specialist

New resource alert - W/WW Operator Resources Webpage

* While Aqua Talk is a safe drinking water information hub, the information below is also helpful to your wastewater friends, so please pass it along!

We encourage you to bookmark the Operator Resources webpage and visit regularly for updates and guidance tailored to your role as a certified operator. 

We are excited to announce that the Water Quality Control Division (Division) recently developed a new resource designed specifically for Colorado certified water and wastewater operators, or for those interested in entering the workforce. It is a single webpage that serves as a one-stop shop, bringing together all the essential information, tools, and resources operators need to know.

From certification, examination, and renewal details to information on training and funding opportunities, regulatory requirements, and guidance documents, everything you need is now conveniently located in one place. There is also a direct link to the CCWP Portal and contact information for CCWP, Division, and Board staff. Say goodbye to the hassle of navigating several sites to track down information!

If you have any questions about or issues with this webpage, please contact Jessica Morgan cdphe.facilityoperator@state.co.us.

➽ Jessica Morgan, Liaison to the Water & Wastewater Facility Operators Certification Board

Coordination with Public Water Systems on SCADA Vulnerabilities

In June 2025, the EPA’s Water Infrastructure and Cyber Resilience Division (WICRD) notified the Water Quality Control Division (WQCD) that they had identified potential cybersecurity vulnerabilities at four Colorado public water systems (PWSs). While scanning for vulnerable devices, EPA identified the specific TCP/IP addresses of four BIF3800 SCADA Control Systems that were internet-exposed and could potentially allow a remote user to access the device and disrupt the utility’s operations. WQCD Field Services immediately reached out to the four water systems to notify them of the potential vulnerability so they could take action to protect their systems. 

Many utilities installed SCADA BIF3800 units as early as the 1990s and were controlling ancillary processes in the distribution systems of the water systems. There was a common thought that hackers would not be interested in equipment that is so old, or that the older control systems would be less vulnerable to cyber attacks. Unfortunately, hackers can exploit any internet-exposed interfaces like these. The EPA and the Cybersecurity and Infrastructure Security Agency (CISA) recently published this joint fact sheet, which highlights the risks posed by internet-exposed Human Machine Interfaces (HMIs), including how hackers can find and exploit HMIs with cybersecurity weaknesses easily. The EPA and CISA fact sheet includes recommended mitigations to secure HMIs, including:

• Conduct an inventory of all internet-exposed devices.
• If possible, disconnect HMIs and all other accessible and unprotected systems from the public-facing internet.
• If it is not possible to disconnect the device, secure it by creating a username and a strong password to prevent a threat actor from easily viewing and accessing the device. Change factory default passwords.

Thankfully, the four water systems quickly responded to remove the exposure and did not experience any cyber events due to this issue. The CISA team in Colorado also reached out to the water systems to provide technical support to mitigate the vulnerabilities.  

WQCD encourages water systems to continue to evaluate and protect their systems against cyber threats. Utilities that need support can contact the Colorado CISA Team, including Edward (Charlie) Marmon at edward.marmon@cisa.dhs.gov  or Kindra Brewer at kindra.brewer@cisa.dhs.gov, and the EPA’s Cybersecurity Technical Assistance Help Desk is also available for assistance. The WQCD Drinking Water Security Response Toolbox is a one-stop shop for security resources. 

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Naheem Noah, Field Services Section

Cyber Alert: Global Conflict Potential to Impact US Critical Infrastructure

EPA Cyber Alert: Iran Conflict is Increasing the Likelihood of Low-Level Cyberattacks Against US Networks

Note: The Water Quality Control Division is posting the following information out in partnership with the Environmental Protection Agency (EPA) .

The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators of the need for increased vigilance for potential cyber activity in the United States due to the current geopolitical environment. The U.S. Department of Homeland Security (DHS) published a National Terrorism Advisory System Bulletin, indicating that low-level cyberattacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian Government may conduct attacks against U.S. networks. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) published a fact sheet warning that Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations.

Iranian-affiliated cyber actors have demonstrated the ability to exploit operational technology (OT) devices at U.S. water and wastewater systems, forcing many systems to revert to manual operations and resulting in operational impacts.

All drinking water and wastewater systems are strongly encouraged to implement the following mitigations immediately to enhance resilience against low-level cyberattacks:

• Reduce OT Exposure to the Public-Facing Internet
• Replace All Default Passwords on OT Devices with Strong, Unique Passwords
• Implement Multifactor Authentication for Remote Access to OT Devices

In addition to these immediate actions, drinking water and wastewater systems are encouraged to adopt the actions outlined in the CISA, EPA, and FBI Top Cyber Actions for Securing Water Systems Fact Sheet to further reduce cyber risk and improve resilience against malicious cyber activity.

The U.S. EPA requests that the Water Sector Coordinating Council (WSCC)/Government

Coordinating Council (GCC) review this advisory and pass it along to all water & wastewater entities that may be susceptible to this threat. Additionally, we encourage the EPA Regions share the advisory with the state primacy agencies and direct implementation utilities.

Water and wastewater system owners and operators should direct their IT/OT system

administrators to review this alert for further use and implementation. If you rely on third party vendors for technology support, then you are encouraged to contact them to confirm their awareness of this threat. Organizations are encouraged to report information concerning suspicious or criminal activity to FBI Internet Crime Complaint Center (IC3) at IC3.gov or to CISA via CISA’s Incident Reporting System. If you have questions about any of the information contained in this document, please contact the Water Infrastructure and Cyber Resilience Division, Cybersecurity Branch at watercyberta@epa.gov.

Stay Informed

If you are interested in subscribing to receive security alert notifications immediately upon release, please sign up using this form and select the topics that interest you. This topic is General - Security updates - Water and wastewater systems.

➽ WQCD Security Workgroup

Aqua Answers: Bag and Cartridge Filters in Surface Water Treatment

Dear Aqua Answers,

I’m the operator for a surface water treatment system that uses bag and cartridge filters, and I have a few questions!

___________________________________________________________________________

Question 1: What’s the difference between compliance filters and other bag or cartridge filters at my plant?

For suppliers of surface water or groundwater under the direct influence of surface water (SW/GWUDI), the treatment system must be designed to meet the requirements of Section 11.8 of Regulation 11, also known as the Surface Water Treatment Rule (SWTR). This rule requires the treatment process to remove specific levels of Giardia and Cryptosporidium to ensure public health protection.

One way to meet these requirements is by using bag or cartridge filtration. These filters use a straining process where water passes through a disposable bag or cartridge housed in a permanently installed filter housing. Each filter and housing combination used for compliance filtration must be approved by the Colorado Department of Public Health and Environment (the Department) through the alternative technology approval process. Typically, this approval is obtained by the filter manufacturer rather than through a site-specific approval.

Every installation of bag or cartridge filters at a public water system (PWS) must also be reviewed by the Department as part of a design submittal.

Additional filters, sometimes called “roughing filters” may be installed upstream of the compliance filters. These do not require separate Department alternative technology approval but usually still require review as part of the design submittal.

For more details on design requirements, see the State of Colorado Design Criteria for Potable Water Systems (DCPWS), Section 4.3.9.

Question 2: How do I know which cartridges or bags I should use in my compliance filters?

Many SW/GWUDI suppliers have been issued a Record of Approved Waterworks (RAW) that lists all the supplier’s approved treatment and storage facilities and water sources. To find your facility’s RAW, visit the Department’s RAW webpage and enter your PWSID or facility name.

If you don’t have a RAW, you can find this information in the approval letter issued by the Department for your filtration system, or you can contact the Engineering Section for assistance.

Your RAW (or approval letter) will specify the approved filter manufacturer, model number, and the Department’s alternative technology acceptance letter. You can find the acceptance letter on our drinking water alternative technology website.

Important: Many bag and cartridge filters on the market have not been approved by the Department. Using unapproved filters or filter/housing combinations for compliance filtration can result in a treatment technique violation or a significant deficiency noted during a sanitary survey—both of which would require the supplier to issue a public notice.

Question 3: I have a sanitary survey coming up. Is there anything I should know about my bag or cartridge filters?

Yes! Suppliers using alternative filtration technology must continuously meet the design, performance, and operation and maintenance requirements in Sections 4.3.9.6 – 4.3.9.8 of the DCPWS and in the Department’s acceptance letter for the specific filtration technology.

For bag and cartridge filtration systems, this typically includes:

• Not exceeding the maximum specified pressure differential.
• Keeping daily records of pressure differentials and filter change-outs. These records will be reviewed during the sanitary survey.
• Maintaining specific spare parts on-site, which may also be checked during the survey.

Be sure to review your RAW and acceptance letter to understand all conditions of approval and ensure you’re keeping the required records. Both your RAW conditions and site-specific records will be evaluated during the sanitary survey.

Question 4: I’m a contract operator managing multiple public water systems. Do the requirements for bag and cartridge filters differ by system type?

Yes, the requirements can vary based on system size and type (e.g., community, non-community, or transient systems). These differences may include NSF 61 certification, the number of redundant filters required, and other system-specific considerations. The DCPWS outlines these requirements in detail, but if you have any questions, please reach out to the Department’s Engineering Section for assistance.

Sincerely,

Aqua Answers

Being prepared for toxic algae season

As climate conditions continue to shift, Colorado has seen increasingly warm and nutrient-rich waters during the summer months — conditions that remain ideal for toxic algae to form in standing or slow-moving water. Toxic algae or harmful algae blooms (HABs) are made up of cyanobacteria, commonly known as blue-green algae. Although these organisms naturally occur in Colorado waters, they become a problem when they multiply rapidly, resulting in a dense cyanobacteria concentration or “bloom.” In drinking water sources, cyanobacteria blooms can cause the water to taste or smell bad. Taste and odor in drinking water is not regulated but creates customer concerns about water quality and safety. Most complaints that water utilities receive are about taste and odor, and these issues can last for prolonged periods. In addition to taste and odor problems, the blooms can become harmful and create a public health risk when they produce toxins. Removing toxins in a safe and cost-effective way can be a challenge for treatment facilities, and not all water providers are equipped to do so. 

Drinking water providers can contact the Water Quality Control Division at 303-692-3500 with questions about toxic algae. We can help water providers who experience taste and odor problems and toxins. This includes ideas about customer communication and steps that utilities can take to monitor and manage toxic algae and best treat their drinking water. If you detect microcystins above 0.3 μg/L and/or cylindrospermopsin above 0.7 μg/L (EPA’s cyanotoxin health advisory values), call the CDPHE 24-hour incident reporting hotline at 1-877-518-5608 so the division can provide you with immediate assistance.

We have resources to help drinking water providers and recreational water managers with toxic algae monitoring, response and public education and created a map to show recent toxic algae conditions for select waterbodies in the state. 

This 2019 AquaTalk article remains especially relevant today as cyanotoxins still pose a public health concern, even without being formally regulated. While EPA is continuing to evaluate the need for national regulation, the core takeaways from past events like Salem, Oregon’s microcystin advisory remain vital reminders for proactive communication, monitoring, and response. Whether you manage a public drinking water system or recreate on Colorado lakes and reservoirs, this piece offers timeless lessons for navigating toxic algae season safely.