Wednesday, April 19, 2023

EPA Requirement to Address Cybersecurity in Sanitary Surveys

The US EPA Office of Water issued a memorandum, “Addressing PWS Cybersecurity in Sanitary Surveys or an Alternate Process,” on March 3, 2023, to all State Drinking Water Administrators requiring cybersecurity evaluations during each sanitary survey. The EPA definition of sanitary survey is “an onsite review of the water source, facilities, equipment, operation, and maintenance of a PWS for the purpose of evaluating the adequacy of such source, facilities, equipment, operation, and maintenance for producing and distributing safe drinking water.” In Colorado, CDPHE conducts sanitary surveys of all public water systems (PWS) every 3 years for community systems and every 5 years for non-community systems. Colorado has been engaged with the Association of State Drinking Water Administrators (ASDWA) over the last year. With EPA’s issuance of the memo, we are reviewing the newly published requirements, and the information below summarizes what we know so far.

What systems are impacted?  

Under the March 2023 EPA memorandum, cybersecurity evaluations must be included in the sanitary surveys for all PWSs that use industrial control system technology as part of the operation of the water system. The EPA guidance document, “Evaluating Cybersecurity During Public Water System Sanitary Surveys,” states that industrial control systems include not only Supervisory Control and Data Acquisition (SCADA) systems, but also Programmable Logic Controllers (PLCs). Colorado does have some small transient water systems that are limited to a basic well and chlorinator, but the vast majority of PWSs in Colorado have industrial control systems in place.

What is being required?

In a nutshell, Colorado will be required to include cybersecurity as part of the sanitary survey process for all PWSs with industrial control system capabilities or establish a program outside of the sanitary surveys that is no less stringent than federal regulations and involves identifying and addressing significant deficiencies in cybersecurity. EPA outlined three options for conducting the assessments:

  1. PWS self assessments/third party assessments followed by a sanitary survey
  2. State conducted assessments during the sanitary survey
  3. An alternative program that meets the requirements. 

EPA recognizes that flexibility will be needed and states may choose one or more options to best meet their needs. For cybersecurity, EPA considers significant deficiencies to include the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water. The Colorado Primary Drinking Regulations (Regulation 11), Section 11.3(72) defines a significant deficiency as: any situation, practice, or condition in a public water system with respect to design, operation, maintenance, or administration, that the state determines may result in or have the potential to result in production of finished drinking water that poses an unacceptable risk to health and welfare of the public served by the water system. Water systems have to either fix significant deficiencies and violations no later than 120 days after the date of the inspection letter or request a corrective action plan (CAP). If the water system does not fix a significant deficiency by 120 days or an approved CAP schedule, a violation (type 45 violation) requiring Tier 2 public notice occurs. 

When is this taking effect?

EPA has stated that the memorandum was effective as of the date of publication; however, states will need time to build the capacity to implement the requirements. Colorado does not have the capacity to implement these requirements as part of the sanitary survey process during this current inspection year or the upcoming inspection year starting in October 2023. Colorado is evaluating the best path forward for our state at this time in coordination with CDPHE leadership, other states and ASDWA.

What can systems do in the meantime?

All PWSs with industrial control system capabilities should assess their cybersecurity programs with an established method if they have not already done so. EPA guidance recommends that self assessments be conducted with established methods such as those from the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), the American Water Works Association (AWWA), International Organization for Standardization (ISO), or International Society of Automation/International Electrotechnical Commission (ISA/IEC). The PWS should implement measures recommended from any assessment to ensure continued production and distribution of safe drinking water. Depending on the approach CDPHE takes, the self assessment reports may be required to be submitted to the inspector prior to the sanitary survey in the future for determination of potential significant deficiencies. 

Additional resources can be found: 

Colorado recognizes that PWSs are among the targets of malicious cyber activity and is committed to partnering with water suppliers on this issue going forward. Many large utilities have robust cybersecurity programs in place. Many small to medium size systems will need to build cybersecurity capacity. If you have any questions or concerns as we determine the implementation path, we’d like to hear from you. Please contact either Heather Young at heather.young@state.co.us or Cameron Wilkins at cameron.wilkins@state.co.us of the WQCD Field Services Section. For cybersecurity training resources, please contact Kyra Gregory at kyra.gregory@state.co.us.

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Cameron Wilkins, PE, Field Unit II Manager

Wednesday, April 5, 2023

Updates coming to the Backflow Prevention and Cross Connection Control Policy - Policy 7

Our October 26, 2022 posting on the Aqua Talk blog announced our stakeholder process for proposing updates to the Backflow Prevention and Cross Connection Control Rule within Regulation 11 - section 11.39 (BPCCC rule). 

From November 2022 to January 2023, stakeholders engaged with the Water Quality Control Division to develop a draft, updated BPCCC rule which will be considered by the Water Quality Control Commission in the August 2023 rulemaking hearing. A summary of the effort to date is located on our website. The division believes the proposed updates to the rule will equivalently protect public health while making the rule more implementable. The division would like to thank all the stakeholders that engaged during that process for the thoughtful feedback and helping to craft a better rule.

During the outreach, multiple comments were received both in December and January about needing to provide better clarity within the BPCCC policy (Policy 7) in order to make the proposed changes to the rule more optimal and to help water systems know how the division will interpret some of the language in the rule. The division agreed with stakeholders that Policy 7 needs to be updated concurrently with the proposed rule update as the rule and the policy work very closely together. 

Save the date: April 20, 2023 at 2:00 PM.

The division intends to continue the stakeholder engagement process with an initial stakeholder meeting outlining the potential updates needed to the BPCCC Policy 7. The meeting will be held on 4/20/23. The division intends to utilize working groups in several key topic areas to assist in writing the policy updates. We would like to complete most of this work prior to the August rulemaking hearing. 

The topic areas will include, but are not limited to: extension requests, expanding examples on eliminating cross connections, clarifying system surveying and rounding issues, and annual reporting templates, as well as other minor edits.  

We would like feedback from the stakeholder community on whether there are other areas that need to be updated within the policy, and we are hopeful you can participate. The division will provide a comment form on our website in mid-April for stakeholders to submit BPCCC Policy update ideas to us. Also, if you know of other professionals that can contribute to this process, please share this article and our BPCCC website with them. Sign up for stakeholder updates here to be notified of all the latest developments.

➽ Tyson Ingles, PE, Lead Drinking Water Engineer

➽ Clayton Moores, PE, Field Unit I Manager