What systems are impacted?
From the March 2023 EPA memorandum, cybersecurity evaluations must be included in the sanitary surveys for all PWSs that use industrial control system technology as part of the operation of the water system. In the EPA guidance document, “Evaluating Cybersecurity During Public Water System Sanitary Surveys” it states that industrial control systems include not only Supervisory Control and Data Acquisition (SCADA) systems, but also Programmable Logic Controllers (PLCs). Colorado does have some small transient water systems that are limited to a basic well and chlorinator, but the vast majority of PWSs in Colorado have industrial control systems in place.
What is being required?
In a nutshell, Colorado will be required to include cybersecurity as part of the sanitary survey process for all PWSs with industrial control system capabilities or establish a program outside of the sanitary surveys that is no less stringent than federal regulations and involves identifying and addressing significant deficiencies in cybersecurity. EPA outlined three options for conducting the assessments:
- PWS self assessments/third party assessments followed by a sanitary survey
- State conducted assessments during the sanitary survey
- An alternative program that meets the requirements.
EPA recognizes that flexibility will be needed and states may choose one or more options to best meet their needs. For cybersecurity, EPA considers significant deficiencies to include the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water. The Colorado Primary Drinking Regulations (Regulation 11), Section 11.3(72) defines a significant deficiency as: any situation, practice, or condition in a public water system with respect to design, operation, maintenance, or administration, that the state determines may result in or have the potential to result in production of finished drinking water that poses an unacceptable risk to health and welfare of the public served by the water system. Water systems have to either fix significant deficiencies and violations no later than 120 days after the date of the inspection letter or request a corrective action plan (CAP). If the water system does not fix a significant deficiency by 120 days or an approved CAP schedule, a violation (type 45 violation) requiring Tier 2 public notice occurs.
When is this taking effect?
EPA has stated that the memorandum was effective as of the date of publication, however, states will need time to build the capacity to implement the requirements. Colorado does not have the capacity to implement these requirements as part of the sanitary survey process during this current inspection year or the upcoming inspection year starting in October 2023. Colorado is evaluating the best path forward for our state at this time in coordination with CDPHE leadership, other states and ASDWA.
What can systems do in the meantime?
All PWSs with industrial control system capabilities should assess their cybersecurity programs with an established method if they have not already done so. EPA guidance recommends that self assessments be conducted with established methods such as those from the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), National Institute of Standards and Technology (NIST), the American Water Works Association (AWWA), International Organization for Standardization (ISO), or International Society of Automation/International Electrotechnical Commission (ISA/IEC). The PWS should implement measures recommended from any assessment to ensure continued production and distribution of safe drinking water. Depending on the approach CDPHE takes, the self assessment reports may be required to be submitted to the inspector prior to the sanitary survey in the future for determination of potential significant deficiencies.
Additional resources can be found:
- EPA water sector Cybersecurity website
- EPA’s Water Security Assessment Tool
- EPA's Water Sector Cybersecurity Evaluation Program where PWSs can coordinate with EPA on cyber security assessments
- EPA’s cybersecurity training schedule
- CDPHE’s Water Security Toolbox
- CISA Cyber Threats to W/WW website
- CISA Free Cyber Hygiene Services (including assessments and evaluations)
- DHSEM Cyber Services Roadmap
Colorado recognizes that PWSs are among the targets of malicious cyber activity and is committed to partnering with water suppliers on this issue going forward. Many large utilities have robust cybersecurity programs in place. Many small to medium size systems will need to build cybersecurity capacity. If you have any questions or concerns as we determine the implementation path, we’d like to hear from you. Please contact either Heather Young at heather.young@state.co.us or Cameron Wilkins cameron.wilkins@state.co.us of the WQCD Field Services Section. For cybersecurity training resources, please contact Kyra Gregory at kyra.gregory@state.co.us.
➽ Heather Young, PE, CWP, Field Services Section Manager
➽ Cameron Wilkins, PE, Field Unit II Manager