Risk and Resilience Assessments and Emergency Response Plans

While attending the annual conference of the Association of State Drinking Water Administrators (ASDWA), an organization consisting of my counterparts across the U.S. and including territories, presentations were given about drinking water emergencies that generated national attention. These included the train derailment in East Palestine, Ohio and boil water orders in Jackson, Mississippi. At a previous conference I gave a talk about the Marshall Wildfires. I am sure most of us are aware of the tragic Lahaina, Hawaii wildfire that struck Maui earlier this year.

Extreme events like these are exceedingly difficult to consider and plan/prepare for. But there are requirements in the Safe Drinking Water Act (SDWA) for utilities to assess their vulnerability and risks, and to develop emergency response plans. These requirements came in with America’s Water Infrastructure Act (AWIA) that was signed into law in October 2018. AWIA Section 2013 specifies that all Community Water Systems with populations greater than 3,300 must conduct Risk and Resilience Assessment (RRAs) and Emergency Response Plans (ERPs). These documents need to be reviewed and updated at least every five years. Since this provision of SDWA is directly implemented by EPA, water systems must certify directly to EPA every five years that they have completed these required activities. The initial RRA certifications were due to EPA from March 2020 to June 2021 depending on systems size, so the first five-year updates are due from March 2025 to June 2026. For more information about upcoming review deadlines and requirements please visit the EPA’s RRA/ERP website. The ERP is intended to be developed in a way that addresses system-specific elements based on its RRA, so these certifications are due six months after the RRA certifications.

The RRA needs to address the following components:

• Risks from malevolent acts and natural hazards
• Traditional water system infrastructure resilience including electronic, computer, or other automated systems (including the security of such systems) utilized by the system
• Financial infrastructure
• System monitoring, operations and maintenance
• Chemical use, storage and handling

Note that item two above essentially includes cybersecurity. EPA has a Vulnerability Self-Assessment Tool (VSAT) to help water systems complete their RRA. The Cybersecurity and Infrastructure Security Agency (CISA) and the Colorado Information Analysis Center (CIAC)also provide numerous tools to help systems address the cyber components of the RRA.

After completing the RRA, the ERP needs to be developed and describe strategies, resources, plans and procedures utilities will use to prepare for and respond to emergency incidents. The incidents can be natural or human-caused and range from line breaks to major disasters like floods or wildfires. The ERP needs to specifically address:

• Strategies and resources to improve resilience including physical security and cybersecurity.
• Emergency response strategies and resources
• Proactive approaches to lessen the impact of emergency incidents
• Strategies to help detect malevolent acts or natural hazards that could harm the system

Water systems should coordinate with local emergency planning agencies and must retain copies of their RRA and ERP.

This SDWA provision is not part of state primacy, but is overseen by EPA. To date, EPA has primarily overseen compliance with these requirements via ensuring that systems have submitted their certification. However, going forward EPA is conducting inspections at water systems across the U.S. and soon in Colorado to evaluate compliance with these requirements and help systems become better prepared to prevent emergencies, lessen their severity and respond.

We all know that emergency preparedness is the right thing to do, but it can be hard to prioritize in the face of day-to-day tasks and seeming crises. However, recent events like the emergencies at water systems that have gained national attention and cyberattacks that have involved ransomware and attempts to access control systems should raise our awareness of the value of these efforts. Maybe this information can help you gain support in your utility to keep up with risk assessment and emergency planning activities, especially with respect to cybersecurity. It’s clear that assessing cybersecurity risks and planning to address those risks is part of SDWA, even though EPA’s early 2023 memorandum about cybersecurity and sanitary surveys was rescinded. 

Cybersecurity threats appear to be ever-changing and more threatening. Our Drinking Water Security Response Toolbox is designed to help you meet these AWIA requirements and keep your water systems safe and protected. 

Thank you.

➽ Ron Falco, P.E. Safe Drinking Water Program Manager

Wellhead Deficiencies

In this article, we continue our discussion of the Top 10 most frequently cited significant deficiencies and violations to raise awareness and help operators identify and correct issues before they become a potential health threat or citations in a sanitary survey. At #2 in the Top 10, source construction deficiencies (S030) were cited 9% of the time during sanitary surveys for the 2022 inspection year and 9% in the 2023 inspection year. Groundwater wells are the most common sources of drinking water used in Colorado (70% of public water systems use groundwater wells) and are perhaps one of the most overlooked parts of water systems. Wells can go unnoticed for years since they are often located away from most activities and may only be noticed when the flow of water is altered. The most commonly discovered significant deficiencies with wells are related to electrical conduits, gaskets, vents and vaults.

What are the minimum standards for a properly constructed well? In the “State of Colorado Design Criteria for Potable Water Systems” (Policy DW005), CDPHE actually primarily refers to the Colorado Division of Water Resources’ (DNR) latest edition of “2 CCR 402-2 Rules and Regulations for Water Well Construction, Pump Installation, Cistern Installation, and Monitoring and Observation Hole/Well Construction” (a.k.a. Colorado Well Driller Regulations). The purpose of these regulations is to ensure public health and the safety of groundwater resources. The regulation outlines minimum construction standards for all types of wells in all types of environments, and it defines minimum well height, screening, minimum distance from potential sources of contamination, grouting standards, pump installation and much more.

There are many variations to well heads, but the two primary ones that inspectors come across are the “split-cap” and the “well-cap” (see image below for reference). The “split-cap” has the discharge line, vent and electrical conduit all protruding from the wellhead. The well head is comprised of two metal plates with a rubber gasket in between. When installed, the two plates are compressed, the rubber gasket expands and creates a watertight seal. The “well-cap” has a pitless water connection (below frostline) and a designated female electrical connection, a set of gaskets and a built-in vent (which are typically screened).

*photo courtesy of Oregon State University https://wellwater.oregonstate.edu/well-water/wells/well-check-list

Well head

Well heads must be designed and constructed at the top of well casings to prevent the entry of contaminants into the well. The majority of the wells that the department inspects are located outdoors and are exposed to the elements. It is vital that the wells are constructed and maintained in a manner that will protect the raw water. Some common issues that inspectors observe are missing/damaged gaskets, missing bolts, broken or loose well caps (bolts are missing or not tightened), split-caps not seated on the well casing properly and a split-cap with a rope (used to hold the well pump in position or to assist in pulling the pump out) coming out of the well that is not properly sealed.

The split-cap well head was not properly sealed to the well casing. The supplier applied caulking between the split-cap and the well casing.

The bottom of the well head cap was broken and did not allow for a tight seal. A new well head was installed.

Well Vents

Vents are an integral part of a well as they permit air to freely enter and exit the well. Vents need to be located at a minimum of one foot above ground level, be turned down and be covered with a non-corrodible screen. Screens may not have openings that exceed 0.07 inches (typically 12 or 16 mesh screen). 

The two most common issues observed with vents on wells are that they are broken or missing.

The well-cap has a built-in vent that was broken/corroded. The supplier replaced the broken screen with an acceptable mesh screen.

Electrical Conduit

According to the Colorado Well Driller Regulation, electrical connections are to meet the standards of the NFPA 70: National Electric Code (2014). Some common electrical conduit issues that are observed during sanitary surveys are where the electrical conduit has separated from the well head or the junction box which can typically occur due to the ground settling. Another common finding is missing or partially attached cover plates on electrical junction boxes. Split-cap wells can also have electrical wires penetrating the well top without a properly constructed conduit or a proper seal between the wire and the rubber gasket. All of these situations present a pathway for contaminants to enter the well, which pose a health risk and are significant deficiencies that will be cited during a sanitary survey.

The electrical conduit separated from the electrical junction box, creating an opening. The supplier installed a conduit sleeve to provide a watertight junction.

The electrical junction box was missing a screw. The supplier sealed the hole with caulk.

Split-cap well had the electrical wire enter from an unsealed port. The supplier sealed the gap with caulk.

Well Vaults

Although well vaults are not a common practice these days, the department still observes wells located in vaults. Placing a well in a vault was a common practice to protect the well from the elements. However, having a well in a vault can subject the well to flooding. If a well is located in a vault, the vault cover or lid must be watertight and the vault must either drain to daylight or have a sump. Evidence of water accumulating in the vault and potentially submerging the wellhead is a significant deficiency.

Well vault was subject to flooding. Supplier installed a sump pump.

Concrete Pads

Inspectors are frequently asked if concrete pads are required? The Colorado Well Driller Regulation along with the department do not recommend that wells have concrete pads with the exception of hand-pumped wells. Well pads were commonly installed if well depths were less than 100 feet or to keep vegetation down around the well head. However, the department has observed that concrete pads tend to attract animals that burrow underneath the pad creating a source of contamination. Concrete pads also tend to crack and shift, which can create a funnel effect and divert surface water to the well casing. Minor cracks can be repaired; however, the department recommends that a supplier remove their existing concrete pad if they notice animals burrowing or if the concrete pad begins to divert surface water to the well casing. Evidence of burrows under a concrete pad or severely damaged pads capable of channeling surface water to the well casing are significant deficiencies that would be cited during a sanitary survey.

Burrow located under the concrete pad, the burrow was filled in and will be monitored in the future.

Drainage and Slope

According to the Colorado Well Driller Regulation, well locations should incorporate proper positive drainage from the well casing. As a rule of thumb, the department has historically viewed positive drainage 20 feet in all directions from the well if possible. Wells should not be located in depressions as surface water can pool around the well casing and be a source of contamination. If a well is built on a slope, a berm is recommended uphill to divert runoff and surface water away from the well casing. 

Well was located in a depression that could allow for water to pool around the well casing. The supplier added pea gravel around the well head and created positive drainage away from the well casing.

For more information the department recommends that suppliers utilize DNR’s latest edition of “2 CCR 402-2 Rules and Regulations for Water Well Construction, Pump Installation, Cistern Installation, and Monitoring and Observation Hole/Well Construction” for proper well construction, maintenances and fixes. In addition, suppliers may email the Field Services team at cdphe_wqcd_fss_questions@state.co.us if they have any questions or concerns.

➽ Tom Valenta, CWP, Field Services Work Group Leader

Cybersecurity: simple steps to protect your system

Cyberattacks on critical infrastructure in the US continue to be a major concern and present a potential disruption to the critical work that water and wastewater systems provide for their communities. On October 12, 2023 the US EPA withdrew their Cybersecurity Rule citing legal challenges. However, cybersecurity planning and preventing attacks continues to be a central focus of the federal government. EPA and CISA continue to provide technical support to water systems. Regardless of federal requirements, the division wants to emphasize the significant financial and operational risks that cyberattacks pose to systems. The division continues to partner with state and federal entities to provide cybersecurity planning tools, resources, training opportunities, and self-evaluations.

Who is vulnerable?

According to a recent Waterfall Security Report, in 2022 the critical infrastructure sector experienced a 140% surge in cyberattacks resulting in more than 150 incidents. The majority of these assaults were in the form of ransomware, encrypting critical computer systems and invaluable data across Informational Technology (IT) networks. However, the attacks impacted operational technology (OT) as well. Any system that uses OT and or IT is vulnerable to cyberattacks. These attacks can negatively affect treatment, distribution, collections, administrative support, and financial/billing systems. These effects can impact your ability to protect public health and the environment and often cost large sums of money. Here are some examples of OT and IT:

• OT = Industrial Control System (ICS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLCs),Remote terminal units (RTUs), Internet of things (IoT) devices, Industrial internet of things (IIoT) devices, also known as Industry 4.0, building management systems, fire control systems, and physical access control mechanisms.
• IT = Laptops, Desktops, Tablets, servers, computer hardware, software, electronics, semiconductors, internet, telecom equipment, and e-commerce.

What are some basic steps you can take to protect your system?

Regardless of the size of your system or the scope of your technology use. please take the following basic cybersecurity steps at your facility to help prevent cyberattacks: 

1. Change passwords regularly (at least once every 3 months). 
2. Use multi-factor authentication for access.
3. Take away system access when staff leave the utility.
4. Implement regular staff training on cybersecurity fundamentals (especially how to recognize phishing attempts).
5. System maintenance
• Do frequent back-ups
• Keep up to date with software and install patches

According to EPA and CISA, taking these low-cost steps can prevent many cyberattacks.

In addition to the above basic preventive measures you and your system can explore the many available free cybersecurity tools and resources: 

• CDPHE Security Toolbox: The department gathered resources to help your system prepare for and respond to cyber and physical security incidents. 
• WQCD Guidance: Respond and Report Cyberattacks  can be used when your water/wastewater facility experiences a cybersecurity event. It outlines what steps to take, the required steps to report the event, and what to expect after reporting the event.
• Self-Assessment: EPA self assessment resources and Water Cybersecurity Assessment Tool (WCAT)
• Third-Party Assessment: EPA’s Water Sector Cybersecurity Evaluation Program and Colorado Information Analysis Center Cyber Assistance 
• EPA Cybersecurity Technical Assistance Program for the Water Sector
• EPA Cybersecurity Incident Action Checklist
• EPA collection and explanation of cybersecurity funding opportunities 

Thank you for all that you and your system do to protect the public health and environment of Colorado’s communities! Please reach out to the division’s security contact kyra.gregory@state.co.us with any questions. 

➽ Heather Young Field Services Section Manager 

➽ Kyra Gregory Drinking Water Training Specialist 

Backflow Prevention and Cross Connection Control Regulation Updates

The updated Backflow Prevention and Cross Connection Control Program (BPCCC) rule (in Regulation 11 Section 11.39) was officially active as of October 15, 2023! The Division greatly appreciated all the stakeholder support in developing the updated BPCCC regulation and also the updated DW007 BPCCC Policy that accompanies the regulation changes. Major changes that were adopted with the BPCCC updates include: 

• Suppliers have 1 calendar year to test assemblies not tested in previous calendar year (must still test at least 90% each year)
• In specific situations, suppliers can self-issue extensions of the 120-day deadline for controlling discovered cross-connections (see section 4.11 of Policy 7) 
• Assemblies and methods are now one combined compliance ratio (see new annual report template)
• Cleaned up regulation to remove old dates and tables from delayed implementation schedules
• Updated Policy 7 to include more detail on permitting cross connections, surveying, self issued extensions, and more

The Division is currently working on major updates to the Backflow Guidance Documents to incorporate the new BPCCC regulation and policy update. The guidance document updates and associated templates will be posted to the CDPHE WQCD BPCCC Website. Please stay tuned for updates! If you have any questions in the meantime, please email us at cdphe_wqcd_fss_questions@state.co.us.

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Clayton Moores, PE, Field Unit I Manager