
Wednesday, March 27, 2024

Recent Cyber Attacks: What is Phishing and Steps to Protect Your System

What is phishing?

Cybercriminals use various tools to commit crimes against the public and private sectors. One of the main avenues of cybercrime is phishing. Phishing occurs when criminals try to get users to open harmful links, emails, or attachments that could request personal information or infect devices. Phishing messages or “bait” usually come in the form of an email, text, direct message on social media, or phone call. These messages are often designed to look like they come from a trusted person or organization, to prompt a response. They use urgent, emotional, or threatening language to encourage recipients to take quick action.

- This paragraph adapted from CISA “Recognize and Report Phishing” webpage.

How have phishing attacks affected the water sector?

In the past year, a cyber attack was attempted against a public water system through phishing messages. The cybercriminals pulled information from a state public health agency's public-facing website that included water system operators' email addresses. They then created an email that appeared to come from the state health department, claiming issues with the operator's license or public water system information. The attacker used state logos and health department titles in the email subject line and header to give the email the appearance of legitimacy. The recipients were urged to click on a link to "correct" the issue. Immediately upon discovery, the state issued communication that the email was a phishing attempt. The phishing attempt was not successful as nobody clicked the link.

How can you avoid phishing attacks?

1. Train and Recognize. 

Take advantage of the various state and federal training resources to help your staff look for these common signs:

  • Urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately
  • Requests to send personal and financial information
  • Untrusted, shortened URLs
  • Incorrect email addresses or links, like “amazan.com”
  • Poor grammar or misspellings used to be a common sign, but in the era of artificial intelligence (AI) some emails now have perfect grammar and spelling, so look out for the other signs.
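
For IT staff who want to screen reported messages, the signs listed above can be turned into a simple automated check. This is an added example, not part of the original article; the trusted-domain list, the shortener list, the phrase lists and the sample messages are illustrative assumptions that a utility would replace with its own.

```python
import re
from urllib.parse import urlparse

# Illustrative assumptions: replace with your organization's own lists.
TRUSTED_DOMAINS = {"amazon.com", "example.gov"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENT = re.compile(r"\b(immediately|urgent|suspended|final notice)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|bank account|credit card)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Lower-cased host of a URL or an email address, without a leading 'www.'."""
    host = (urlparse(value).hostname or "") if "://" in value else value.rsplit("@", 1)[-1]
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def lookalike_of(host):
    """Return the trusted domain that `host` imitates (1-2 character edits), or None."""
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return None
    for d in sorted(TRUSTED_DOMAINS):
        if 0 < edit_distance(host, d) <= 2:
            return d
    return None

def phishing_signs(sender, body):
    """List which of the warning signs appear in one message."""
    signs = []
    if URGENT.search(body):
        signs.append("urgent language")
    if SENSITIVE.search(body):
        signs.append("asks for personal or financial information")
    for host in [host_of(sender)] + [host_of(u) for u in URL.findall(body)]:
        if host in SHORTENERS:
            signs.append(f"shortened URL: {host}")
        target = lookalike_of(host)
        if target:
            signs.append(f"{host} imitates {target}")
    return signs
```

A message that returns an empty list is not proven safe; the check only surfaces the signs above so a person can review the message faster.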

Phishing Training Resources: 

2. Resist

If you suspect phishing, resist the temptation to click on links or attachments that seem too good to be true and may be trying to access your personal information. Instead, report the phish to protect yourself and others. Typically, you’ll find options to report near the person’s email address or username. You can also report via the “report spam” button in the toolbar or settings.

3. Delete

Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. Just delete.

4. Report 

Reporting phishing if there is no action taken and/or no impact to the system

  • Use reporting features that are built into Microsoft Outlook and other cloud email platforms, as well as report spam directly to Microsoft, Apple, and Google, as applicable. Reporting suspicious phishing activity is one of the most efficient methods for protecting organizations as it helps email service providers identify new or trending phishing attacks.
  • Report any suspicious emails or emails from unknown addresses asking you to click on links to your IT group/person (as applicable).

Reporting phishing emails if employee clicks on link and your system experiences impact 

  • CISA urges organizations to promptly report phishing incidents to CISA at report@cisa.gov or call the 24/7 response line at (888) 282-0870.
  • To report spoofing or phishing attempts (or to report that you've been a victim), file a complaint with the FBI’s Internet Crime Complaint Center (IC3), or contact your local FBI Field Office to report an incident.
  • State, local, tribal, and territorial (SLTT) government entities can report to the Multi-State Information Sharing and Analysis Center (MS-ISAC) by emailing SOC@cisecurity.org or calling (866) 787-4722.
  • Please note: if the phishing email results in a cyberattack that affects your water system’s ability to bill customers or operate, please follow the division’s Guidance: Respond and Report Cyberattacks.

How can you identify a CO state email?

The CDPHE wants to encourage you and your facility to engage in the above four actions to avoid phishing attempts. The division also wants to supply you with information on how to tell a real CO state email from a fake phishing email.




➽ Kyra Gregory Drinking Water Training Specialist 



Spring Training: Stormwater Management, Protecting Our Source Waters

The spring thaw is a perfect time to consider getting in shape for healthy drinking water sources through effective stormwater management. Stormwater runoff, generated from rain and snowmelt that flows over land or impervious surfaces, such as paved streets, parking lots, and building rooftops, does not soak into the ground. Runoff picks up and deposits harmful pollutants like trash, chemicals, and dirt/sediment into streams, lakes, and groundwater, that can pollute our drinking water sources if not properly managed. From construction and management professionals to municipalities to local communities to youth leadership, Colorado spring training has something for you.

Water Quality Improvement Fund (WQIF)

The Water Quality Improvement Fund (WQIF) is a Colorado state grant program funded by civil penalties collected for water quality violations. It is part of the Water Quality Control Commission’s Regulation 55 - State Funded Water and Wastewater Infrastructure Programs. The WQIF supports the Colorado Water Control Division’s (WQCD) culture of health by providing grant funds for water quality improvement projects and stormwater management training and best management practices (BMP). Projects offering stormwater management training and best management practices fall under Category 1. Over the years, grantees have offered educational opportunities for a variety of projects, including stormwater management training and experience for youth leadership for the South Platte by Lincoln Hill Cares. Both the Associated General Contractors of Colorado (AGC) and the Stormwater Center of Colorado State University (CSU) have been constants in providing training and certifications. Under the most recent 2022-2023 Request for Applications for Category 1, WQIF funding is supporting programs by AGC, CSU, and newcomer, the Home Builders Association of Metro Denver (HBA).

Stormwater Training Resources

American General Contractors, Colorado

The Colorado Stormwater Excellence Program is a CDPHE partnership with AGC for compliance assistance and recognition of demonstrated excellence. It offers an agency-recognized, industry self-policing stormwater compliance management system.

An integral part of the program, AGC’s Basic Stormwater Training and Advanced Stormwater Training courses are specifically designed for sediment and erosion control in Colorado and to meet CDPHE General Construction Management to prevent pollution of surface waters. AGC partners with Stormwater Risk Management to conduct the training classes each month.

The Basic Stormwater Course covers conventional topics while preparing trainees with a foundation of stormwater knowledge needed for the Advanced Stormwater managers course. The Advanced course teaches the Uniform Stormwater Management System (USMS) 6-Step Preplanning and Budgeting method, USMS Design and Jobsite Binder Set-up, and the USMS 4-Step Field Compliance method. The Advanced course also provides trainees with all of the standardized, step-by-step processes and forms that support these management systems, including Municipal separate storm sewer systems (MS4) permit requirements.

The Home Builders Association of Metro Denver (HBA)

Proper training and education of stormwater compliance along with BMP during the homebuilding construction process assists in reducing the pollution of state waters.

HBA’s Home Building Stormwater Excellence Program (HSEP) offers the first residential homebuilding stormwater course ever implemented in Colorado. The training offered through the program focuses on stormwater compliance and Best Management Practices (BMPs) unique to each stage of the homebuilding construction process, from land development through vertical construction. Through examples and phasing of BMPs the program fosters relationship building between permit holders and regulators.

Topics include land sub phases 1-3, vertical sub phases, history of the Clean Water Act, state & local MS4s, land and vertical construction, and ponds and sediment basins.

Colorado State University - Colorado Stormwater Center

The Colorado Stormwater Center is housed in the Department of Civil and Environmental Engineering at Colorado State University (CSU) under the One Water Solutions Institute. Education and training events are conducted by a variety of experienced professionals that work with non-profit organizations, private industry/consulting firms, and government agencies to bridge the gap between academia and practice. 

The most recent WQIF grant projects focus on the Colorado MS4 permits - Construction Stormwater Discharge Permit and the Statewide Standard MS4 General Permit. Permits are issued to reduce and eliminate the stormwater discharge of pollutants that occur from construction activities. Due to the acute risk for pollutant discharge that construction activities pose to receiving water bodies, the CDPHE MS4 permit requires local agencies to have a level of oversight for construction activities, especially as relating to municipal capital improvement projects.

The Center is developing and implementing a professional training course, Colorado Construction Stormwater permits Training and Certification Course. It will be offered online, translated and offered in Spanish, and offered in person at the 2024 Symposium.

The 2024 Symposium, a stormwater professionals meeting, focuses on water quality control in stormwater and MS4 systems. It will be hosted at the CSU spur campus and available via videoconferencing, and recorded in English and Spanish. All 2024 Colorado Stormwater Symposium presentations will be recorded and those recordings and presentation materials will be available on the Center website which is hosted and maintained by the CSU One Water Solutions Institute (OWSI).

Two other certification programs targeting industry professionals are offered through the Center: Stormwater Control Measure Inspection and Maintenance Certification; and Stormwater Control Measure Design/Design Review Certification. The Stormwater Education Series has included community outreach and residential-scale stormwater control measures (English and Spanish) virtually and in person.

Additional Resources

➽ Margaret Bauer, Project Manager CDPHE WQCD Local Assistance Unit

Wednesday, March 13, 2024

Coming Down the Pipe: Lead and Copper Rule Revisions Components Effective October 2024

Image: lead goosenecks 
We recently published this article about the proposed Lead and Copper Rule Improvements (LCRI). In general, LCRI is intended to improve upon the requirements promulgated in early 2021 in the Lead and Copper Rule Revisions (LCRR). EPA is planning to finalize the LCRI in October 2024 and extend the compliance dates for most of the requirements that were initially placed in LCRR. However, EPA plans to retain the October 16, 2024 compliance date for several associated requirements, including: submitting the initial Lead Service Line Inventory (LSLI), Tier 1 public notice after a lead Action Level Exceedance (ALE), and notification of service line material. Let’s take a closer look at what is Coming Down the Pipe (pardon the pun) in 2024 with respect to these key provisions.

Colorado is one of just a handful of states that adopted LCRR into its primary drinking water regulations. Collectively, the department and stakeholders learned a lot about the rule during that process, so we are well-positioned to tackle LCRI after it becomes final later this year. The Water Quality Control Commission replaced the Lead and Copper Rule in Section 11.26 with the Lead and Copper Rule Revisions in Section 11.17 in the Colorado Primary Drinking Water Regulations (Regulation 11). The department carefully structured LCRR so that different elements of the rule will have effective dates that align with LCRI. The requirement to complete an initial lead service line inventory by October 16, 2024 will go into effect immediately, whereas requirements that may be modified by LCRI, such as tap sampling requirements, could have a delayed effective date.

The requirements associated with the initial LSLI can be found in Section 11.17(2) and these cover inventory development, public availability, and consumer notification and reporting. The LCRI includes enhanced requirements for the LSLI including more regular updates and adding service line connectors (e.g., pigtails and goosenecks) to the inventory, plus additional requirements to confirm non-lead status. These enhanced requirements will likely need to be included in a “baseline inventory” due in 2027. Water systems can still complete their initial LSLI under the requirements specified in LCRR. To help water systems meet LSLI requirements, the department (in consultation with stakeholders and the help of contract support) developed drinking water Policy 018 to guide that process. Additionally, the department has a grant program in place to help larger systems serving 7,500 people or more with inventory efforts and has already awarded about $550,000 to help water systems. Systems serving 15,000 people or less can request LSLI technical assistance from the department's contractor, WSP and Sunrise Engineering, at no cost to the system. While the LCRI is not fully effective, we recommend that systems keep the draft rule in mind as they develop their inventories. If opportunities arise to collect information on connectors, for example, we believe that it would be a good idea to gather and retain that information.

A key aspect of LCRR that will become effective in October 2024 is the requirement for 24-hour Tier 1 public notification of a lead ALE, outlined in section 11.17(3)(k). Water systems must notify the department of the exceedance as soon as possible but no later than 24 hours after the exceedance occurs, and distribute Tier 1 public notice as specified in 11.33. The LCRI is also proposing to reduce the lead action level from 15 to 10 parts per billion (ppb), but it is not entirely certain when the effective date for that change will be. However, the provision in 11.17(3)(k) will apply to whatever action level is in effect at the time of the exceedance. We recommend that systems prepare for this possibility even if they do not have lead service lines as about half of the ALEs in Colorado occur at systems without lead service lines. Additionally, taking steps to improve corrosion control can improve public health protection and lower the risk of an ALE. Talk to your compliance specialist to determine if any planned modifications necessitate a design review by the department. 

Another element of the LCRR that will become effective in October 2024 is the requirement for water systems to notify consumers with a lead, galvanized requiring replacement, or unknown service line of the material type, ways to reduce lead exposure from drinking water, and opportunities for replacement or identification of the line (see section 11.17(2)(c)). The department encourages water systems to notify consumers of their service line material as soon as possible after the material is identified. 

Navigating the complicated landscape established by LCRR and then LCRI will be challenging for all of us. By working together, we can do our best to protect public health by lowering lead levels in tap water. 

Thank you.

➽ Ron Falco, P.E. Safe Drinking Water Program Manager 

➽ Haley Orahood Regulatory Development and Implementation Specialist