Wednesday, September 18, 2024

Be Prepared for Public Notice

This article originally ran in the Fall 2014 Aqua Talk newsletter. Remember getting hard copies in the mail? We thought running it again now would be a good idea because starting in Fall 2024 Lead Action Level Exceedances will require Tier 1 public notice. 

Is your water system ready to notify the public? 

You do an excellent job running your water system and it never has any violations. You do not need to be prepared to rapidly notify your customers of an acute health risk or other health-based violations. Right? Wrong! We believe that all systems need to be prepared for the possibility of issuing a system-wide public notice for a variety of situations.

Through no fault of your own, your system may face a situation that represents an acute public health risk, for example because of flooding and the associated damage, or because routine and repeat samples in the distribution system come back positive for E. coli. According to the Colorado Primary Drinking Water Regulations, you would need to issue a Tier 1 public notice as soon as practical, but no later than 24 hours after becoming aware of the situation. Remember that by the time the results come back positive on the repeat samples, a couple of days have gone by since the initial samples were collected. Will your customers be satisfied with waiting another 24 hours before being told not to drink their water without boiling it?

Are you ready to do this? On a weekend? On a major holiday? How will you do this: Reverse 911 or other methods? This kind of public notice has a huge impact in the community. Operations at restaurants, businesses, grocery stores, hotels, schools, daycares and more are all significantly impacted. Are you ready to be in touch with all of these entities? There could be media interest. They will ask: What did you know? When did you know it? When is the situation going to be fixed? There could be an explosion of social media interest via Facebook and X. Are you ready to engage in these communication methods? What if the event overwhelms your available resources? Are you a member of CoWARN? If so, you may be able to get help from other water systems.

If there is uncertainty about how you will accomplish a rapid notice or about the answers to any of these questions, then we suggest that planning for this kind of event would be a very beneficial activity. While we do not offer specific training at this point in time about Tier 1 public notice, we would be happy to assist your water system with planning for such an event. Please contact Kyra Gregory at kyra.gregory@state.co.us

Now, let’s switch gears to a lesser crisis. Suppose that due to an equipment malfunction followed by an alarm breakdown that does not alert you, your filtration system does not meet turbidity limits for a short time period. The drinking water acute team will evaluate the situation, and if there is not an acute risk, then Tier 1 public notice would not be needed. However, this situation likely still represents a health-based violation of the Colorado Primary Drinking Water Regulations and triggers a Tier 2 public notice. Tier 2 public notice must be issued as soon as practical, but no later than 30 days after the event. Again, will your customers be satisfied with finding out about a violation a month later? Will this generate media interest along the lines of “Why did you wait so long to tell people?” Again, planning for these situations in advance can help you meet not only regulatory requirements but also customer expectations.

Thank you.

➽ Ron Falco, P.E. Safe Drinking Water Program Manager

Wednesday, September 11, 2024

Coaches' Classroom: How to secure your remote SCADA access

On September 5, 2024, the Federal Bureau of Investigation (FBI), in partnership with CISA, the National Security Agency (NSA), and other U.S. and international partners, released a joint Cybersecurity Advisory: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. This advisory provides overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, and procedures to protect critical infrastructure against the Russian military cyber actors and other international cyber criminals. This advisory highlights the increasing risk that cyberattacks pose to U.S. critical infrastructure and, by extension, Colorado public drinking water systems and wastewater providers.

Because of this continued rise in attacks, the department’s Drinking Water Coaches want to take a moment to discuss a crucial potential vulnerability in drinking water cybersecurity: remote SCADA. With the increasing reliance on operational technologies (OT) like smart phones, laptops, and tablets, it is crucial to ensure that these systems are protected from potential cybersecurity threats. 

What is remote SCADA?

Remote SCADA access allows operators to monitor and control water treatment and distribution systems even when they are not physically present at the plant. This tool provides real-time information on water quality, levels, pressure, and alarms, enabling quick action to be taken if needed.

How can you protect your remote SCADA?

To safeguard your drinking water systems, we recommend the following best management practices: 

  1. Use a Separate Device and Minimal App Use: Utilize a dedicated device solely for accessing the SCADA system to minimize the risk of unauthorized access. Limit the installation of additional apps on this device to reduce vulnerabilities. 
  2. Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification before granting access. This additional layer of protection can prevent unauthorized entry even if one factor is compromised. A common example is to use text and email verification.
  3. Granular Access Controls: Restrict users' access within the SCADA system based on their roles and responsibilities. This ensures that each user can only modify controls relevant to their job function. Establish a process for users to request permission changes, which should be approved by authorized personnel. This segmentation of your SCADA controls will ensure that if one user’s remote access is compromised, the damage will be minimized. 
  4. Robust Remote Access Program: Regularly evaluate the strength of your remote access program by ensuring that software and infrastructure are updated with the latest security patches and protocols. Conduct security audits and penetration testing to identify and address vulnerabilities. Consider using encryption technologies like Virtual Private Networks (VPNs) to secure data transmission. 
  5. Limit network connectivity: Utilize only cellular data or private Wi-Fi connections. Turn off auto-connect to avoid automatically connecting to public Wi-Fi networks. If using a private Wi-Fi connection, ensure a key must be entered for access and the connection is encrypted.
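
As an illustration of practice 3, the Python example below (added here; it is not part of the original article or any SCADA vendor's API) models role-scoped control permissions, a change request that only authorized personnel can approve, and the set of controls exposed if one account is compromised. All role, user, and control names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: each role may modify only these control points.
ROLE_CONTROLS = {
    "operator": {"ack_alarm"},
    "treatment_lead": {"ack_alarm", "chlorine_setpoint", "filter_backwash"},
    "distribution_lead": {"ack_alarm", "pump_start_stop", "tank_level_setpoint"},
}
APPROVERS = {"supervisor_a"}  # hypothetical authorized personnel


@dataclass
class AccessRegistry:
    user_roles: dict = field(default_factory=dict)  # user -> current role
    pending: dict = field(default_factory=dict)     # user -> requested role
    audit_log: list = field(default_factory=list)   # (event, actor, detail)

    def can_modify(self, user, control):
        # Deny by default: unknown users or roles map to an empty set.
        role = self.user_roles.get(user)
        return control in ROLE_CONTROLS.get(role, set())

    def request_change(self, user, new_role):
        # A request alone grants nothing; it only queues the change.
        if new_role not in ROLE_CONTROLS:
            raise ValueError(f"unknown role: {new_role}")
        self.pending[user] = new_role
        self.audit_log.append(("requested", user, new_role))

    def approve_change(self, approver, user):
        # Approval must come from authorized personnel, never the requester.
        if approver not in APPROVERS or approver == user or user not in self.pending:
            self.audit_log.append(("denied", approver, user))
            return False
        self.user_roles[user] = self.pending.pop(user)
        self.audit_log.append(("approved", approver, user))
        return True

    def exposure_if_compromised(self, user):
        # Controls an intruder could change using this one account.
        return set(ROLE_CONTROLS.get(self.user_roles.get(user), set()))
```

Reviewing `exposure_if_compromised` for every remote user shows which accounts carry the widest reach and are the first candidates for tighter roles.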

By following these strategies, water systems can enhance the resilience and integrity of their infrastructure against cyber threats. Remember, protecting our drinking water resources is a shared responsibility that requires ongoing vigilance and adaptability to evolving cybersecurity challenges. Safeguarding our drinking water systems is essential for maintaining public health and public trust. Thank you for your dedication to ensuring the safety and quality of our water supply. 

We want to know - How do you protect your remote SCADA OT?  

The department and our state and federal cybersecurity partners continue to create new resources and tools to help you as you protect your systems from cyber attacks. If you have a robust remote SCADA protection plan, please email kyra.gregory@state.co.us. We are hoping to gather information and produce a best management practices guidance document.

How can your system become more cyber literate?

Please see the below list of cybersecurity resources to help your system to better protect your IT/OT from cyber attacks: 

➽ Kyra Gregory Drinking Water Training Specialist

Tuesday, September 3, 2024

Program Manager Message: Water Sector Security and Resiliency Road Map

In January 2024, representatives from water and wastewater utilities and the professional organizations, along with EPA and the Cybersecurity and Infrastructure Security Agency workgroup, released an updated Roadmap to a Secure and Resilient Water and Wastewater Sector. The original roadmap was created in 2009 and updated in 2013 and 2017. The workgroup identified key security threats and vulnerabilities to the water sector and assessed capability gaps in addressing them. The roadmap then identified a number of priority actions to help fill in those gaps. A key theme in this document, related to physical, workforce and cyber security, was the need to build the culture in the workplace to better understand and protect against threats.

With respect to cybersecurity, some of the recommended actions include:

  • Establish basic practices for responding to technology failures, including being able to operate plants manually in times of need.
  • Take basic cybersecurity steps and maintain them, such as password security including routines to change them periodically and removing credentials when employees leave or retire.
  • Educate employees about cybersecurity and understand incident reporting requirements.
  • Conduct training on how to spot ransomware emails.
  • Hold cyber event exercises.
  • Advocate for cybersecurity awareness and practices up and down and all across your water system.

We greatly encourage your utility, and any associated technology resources that may be located in other agencies, such as billing, to take steps in these action areas. It’s important to assess the threats and vulnerabilities specific to your utility and its technology assets. After the vulnerabilities are identified and assessed for severity, it’s important to take action to close down those vulnerabilities. This is not necessarily easy, but we can connect you to resources for assistance. This threat is very serious. There have been successful cyberattacks on Colorado utilities over the last few years, including a successful ransomware attack in May 2024. At a minimum, a successful attack can create an immediate crisis at a utility that costs a great deal of time and money. But more serious problems that jeopardize drinking water quality and public health could happen too. We urge you to take steps now and into the future to both prevent attacks on your utility and be prepared to respond if an attack does occur.

Thank you.

➽ Ron Falco, P.E. Safe Drinking Water Program Manager