Reporting Requirements: tampering and security breaches in your water system

In early 2022 the Water Quality Control Division published a Drinking Water Security Response Toolbox website designed to help water utilities plan for, prevent, and guide responses to security threats including threats of tampering, suspected tampering, general malevolent acts, cyberattacks, confirmed tampering, and violent acts. Physical security breaches and tampering events continue to pose a significant risk to Colorado’s public water systems and their ability to provide safe drinking water to their communities. The division would like to emphasize that it is critical for systems to: 

1. Take measures to prevent security incidents.
2. Plan their response to an attack.
3. Know what constitutes a tampering event or a suspected tampering event.
4. Understand the regulatory requirements for reporting tampering to the division. 

In response to recent tampering incidents and in an effort to clarify when it is required to report security events to the division, we have updated the Guidance: Report and Respond to Tampering Events or Security Threats. The guidance provides the following information for public water systems: 

• Regulatory details and requirements for reporting tampering or suspected tampering events. 
• Explanation of what constitutes an attempted, suspected, or confirmed tampering event.
• Simple actions to help prevent tampering events.

For the purposes of this article, we will focus on the requirements for reporting tampering or suspected tampering and examples of what constitutes an attempted, suspected, or confirmed tampering event. 

Reg 11 requires PWS to report tampering (suspected or confirmed) to the division

Per Regulation 11.2(1), tampering events, suspected tampering, or receipt of a tampering threat must be reported to the Colorado Department of Public Health and Environment (department). The supplier must notify the department as soon as possible but no later than 10 a.m. of the next calendar day and notify the Department in writing no later than 5 days after any attempted, confirmed, or suspected tampering, or receipt of a tampering threat. Failure to report attempted, suspected, or confirmed tampering in a timely manner may result in a violation of Regulation 11. The guidance offers information on what information to submit. For ease of reporting, the department has created the Tampering Threat and Incident Report Form. If you have issues accessing the form please fill out the pdf version of the form and submit it to cdphe.wqacutes@state.co.us.

It is really important to emphasize that attempted or suspected tampering is reportable even if the event is not successful or confirmed. When in doubt, please contact the department. The role of the department during actual or suspected tampering events is to: 

1. Help water system asses any possible impacts to water quality,
2. Support the system experiencing the event(s) by connecting them with state and federal agencies that specialize in tampering and security issues in the water sector. 
3. Support the industry and gather information to identify trends across the water sector. 

What constitutes an attempted, suspected, or confirmed tampering event?

What are some examples of tampering events?

• Introducing a contaminant into a public water system or drinking water.
• Interfering with drinking water or the operation of a public water system with the intent to harm people or the public water system infrastructure. 
• Vandalism that physically damages storage tanks, fire hydrants, locks on well buildings, wellheads, intake structures, pump stations, treatment plants, backflow devices, or any other part of the physical infrastructure of the drinking water system. 
• Any action that damages the integrity of a drinking water system or causes harm to the system including expending resources (staff’s time, funding to replace or repair damaged infrastructure, water loss, etc.).  
• Unapproved removal of critical records, equipment, or chemicals. 

What are some previous tampering events that required reporting to the department?

• Verbal threat of damaging the water system infrastructure. 
• Malicious damage to fire hydrants in the distribution system. This can create a cross connection or cause pressure loss. 
• Cybersecurity attack - ransomware attack that withheld SCADA system and billing system. 
• Tank hatch alarm sounding to indicate the tank hatch is opening frequently with no system staff in the area.
• Vandalism of security fencing and a well-house.
• Purposefully attempting to drain the distribution system or storage tank, opening and closing valves without permission, intentional damage. 

What does not constitute a tampering event?

• Any vandalism that poses no potential risk to public health, like non-destructive tagging which does not result in excessive costs to the system for removal/repair.
• Accidental damage to the system such as a car accident that results in damage to a hydrant. 
• Water theft is not considered tampering unless there is intent to damage or interfere with the system. Regardless of whether theft is tampering or not, please contact your local law enforcement. 

➽ Kyra Gregory Drinking Water Training Specialist