WQCD wants your input! - What does Excellence mean to the water sector?

Click here to take the survey!

Providing safe drinking water to the public has never been a simple task. While there are thousands of water systems, and operators that are working to install backflow devices to prevent contamination, maintaining and adjusting chlorine levels, sampling and managing all the documents to prove that the work is being done and safe water is being provided, seldom is there recognition for the work.

Continually improving a water system has never been so hard. As our scientific knowledge and discoveries of contaminants expand, so do the regulations and standards operators need to uphold. This increases the work and the amount of pressure that comes with operating an entire community drinking water system. While we are not physically present on a daily basis to observe and acknowledge the effort it takes to maintain such standards, we do appreciate and rely on the knowledge and passion it takes to maintain a culture of health - that is we look at our daily routines and emergencies through a lens of protecting people’s health. One way of showing our appreciation is through the Excellence Program Awards formerly known as the Pursuing Excellence Program. We intend on continuing and revitalizing the tradition of recognizing the wonderful public water systems that have been supplying safe and clean water by showing our gratitude and how much we value the work being done.

The Excellence Awards Program will distribute two recognition awards, the Outstanding Compliance Award and the Commitment Award. The Commitment Award will focus on recognizing entities that have been proactive in enhancing their water system by submitting a project they have done that embraces a continuous improvement approach. 

We understand that "excellence" is subjective and what is considered excellent in one system's circumstances may not be the same for another system in different circumstances.  Our aim is to understand what “excellence” means to you and ensure it reflects the achievements of water professionals who are delivering exceptional performance in our water systems. One entity might be putting in maximum effort in educational outreach for exposure of the industry to recruit new operators, while a different entity might find it more rewarding to assist smaller systems in bettering their water supply and process. 

We notice and value all the different ways operators are advancing the industry and want to make sure this Commitment Award is tailored to include the opinions of water systems. In order to take into account opinions of those working first-hand in the field, we have created a two-question excellence survey that includes different ways we believe a system can achieve excellence in the industry. There are various aspects of maintaining a water system included in this survey and we want to know which ones are valued the most within this community.

To customize this Commitment Award and reward projects that resonate with the survey results, we ask that you please take a couple seconds of your day to complete the survey. The link for the survey will be below. We appreciate every response and will make sure to take them into account when discussing what projects to award.

➽ Priscila Lopez, Drinking water coach- Excellence Program Manager 

Wildfire Planning and Recovery Playbook - 2025 Updates!

After a wet spring and variable monsoon season, wildfire season is again upon us in Colorado. As many of you are aware, our public water systems and local communities face a diverse and significant array of challenges when planning, responding, and recovering from wildfires. The best time to start planning for wildfires is right now, in advance of fires.

The Water Quality Control Division (WQCD), along with many state, federal, and local partners, have released a revised and updated version of our Wildfire Planning and Recovery Playbook, available on our Source Water Assessment and Protection website.  Several authors also hosted a webinar on July 25th, with the slide presentation and a recording available.

Pre-fire planning, response, and recovery is a team effort, and requires coordination across multiple jurisdictions, and administrative and physical boundaries. Each community wildfire event may present a unique set of circumstances that must be understood and conveyed to effectively navigate wildfire incidents. The centerpiece of the playbook is the comprehensive critical contacts list, outlining necessary points of contact along with each representative’s roles and responsibilities within the planning, response, and recovery process. Below is an example of the critical contacts list contained in the playbook.

The playbook also provides various actionable steps through each phase of the fire cycle, from planning through recovery.  Examples include identifying your values at risk, forming a recovery group and identifying partners, understanding prefire actions and resources, and roles and responsibilities of partners throughout the different phases of a wildfire incident. The playbook also includes 2 full pages of links to additional resources, including a list of funding programs and technical assistance partners.

The playbook is concise, usable, and accessible. The target audience for this playbook is public water systems, municipalities, counties, and tribes. The updated version reflects lessons learned from recent urban and suburban wildfires and the new Wildfire Ready Watersheds framework from the Colorado Water Conservation Board. Please contact the source water protection team at cdphe.wqswap@state.co.us with any questions or for more information.

➽ Robert Murphy, CPSS, Source Water Protection Program Coordinator

➽ Kristen Hughes, Source Water Protection Specialist

➽ John Duggan, Source Water & Emerging Contaminants Unit Manager

Upcoming EPA Cyber/Resilience Funding Cycle

EPA Announces Availability of $9 Million to Protect Drinking Water from Natural Hazards and Cybersecurity Threats

The U.S. Environmental Protection Agency (EPA) has announced over $9 million in grant funding through the new competitive Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability grant program, which will assist medium and large size public water systems with protecting drinking water sources from natural hazards, extreme weather events, and cybersecurity threats. The application period is open until October 6, 2025, and can be found on www.grants.gov under opportunity number EPA-OW-OGWDW-25-01, assistance listing number 66.488.

Learn More About The Grant Opportunity on EPA's Website

EPA will host a webinar on the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Grant Program on August 19th, from 2:00 to 3:00 PM ET. Please join us to learn more.

Register for EPA's August 19th Webinar

Cyber Alert EPA: Active Exploitation of Microsoft SharePoint Vulnerabilities

The U.S. EPA is issuing this alert to inform water and wastewater system owners and operators about the active exploitation of security vulnerabilities in Microsoft SharePoint that allows attackers to mislead the system into thinking they are a trusted user, also known as network spoofing, and remotely run malicious code, known as a remote code execution (RCE). This exploit enables unauthorized access specifically to Microsoft SharePoint servers, which are hosted and operated on-site. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a cybersecurity alert on this malicious activity, publicly reported as “ToolShell.” 

Mitigations

All drinking water and wastewater systems with Microsoft SharePoint servers are strongly encouraged to implement the following mitigations immediately to enhance resilience against this compromise:

• Apply the necessary security updates released by Microsoft.
• Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers.
• Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the Internet Information Services (IIS) web server.
• Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet.
• Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
• Monitor for malicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
• Update intrusion prevention system and web application firewall rules to block exploit patterns and anomalous behavior.
• Implement comprehensive logging to identify exploitation activity.
• Audit and minimize layout and admin privileges

For additional information on detection, prevention, and advanced threat hunting measures, drinking water and wastewater systems owners and operators are encouraged to visit Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities and advisory as well as CISA’s cybersecurity alert.

Conclusion

The U.S. EPA requests that the Water Sector Coordinating Council (WSCC)/Government Coordinating Council (GCC) review this advisory and pass it along to all water & wastewater entities that may be susceptible to this threat. Additionally, we encourage the EPA Regions share the advisory with the state primacy agencies and direct implementation utilities.

Cybersecurity: NIST's Updated Password Guidelines & Sector Resources

The water and wastewater sectors are essential to daily life, and safeguarding them from cyber threats is crucial. The newly updated National Institute of Standards and Technology’s (NIST) password guidelines, along with the range of resources offered by the EPA and CISA, provide a strong foundation for improving cybersecurity across the industry. We encourage you and your colleagues to implement these new password guidelines and general cyber hygiene. Here’s a breakdown of the key updates and additional cybersecurity resources that can help strengthen your system's defenses.

NIST’s Updated Password Guidelines: What’s New?

In September 2024, NIST introduced new password management guidelines aimed at improving both security and user experience. The changes reflect a shift towards longer, more memorable passwords, and away from overly complex password requirements.

Key Updates:

1. Password Length: NIST now recommends using passwords or passphrases that are at least 15 characters long. The focus has shifted from enforcing complexity (e.g., mixing uppercase, numbers, and symbols) to prioritizing longer passwords that are easier to remember.
2. Password Composition: Gone are the days of forcing users to include specific character types. The new focus is on allowing longer, memorable passwords, which reduces the chances of people creating easily guessable passwords. 
3. Fewer Password Changes: Unless there’s evidence of a security breach, mandatory password changes are no longer required. This policy change helps users avoid creating predictable patterns due to frequent password resets.
4. Password Managers: NIST now strongly encourages the use of password manager software, which can generate and store strong, unique passwords for each account. It’s a vital tool to prevent the risk of password reuse across different accounts.
5. Avoid Password Hints & Security Questions: To minimize the risk of social engineering attacks, NIST advises against using password hints or security questions that could easily be guessed.
6. Multi-Factor Authentication (MFA): MFA is a non-negotiable security measure. By requiring more than just a password to access sensitive systems, MFA adds an additional layer of protection.

These updated guidelines emphasize simplicity and practicality, reducing user frustration while enhancing security. In an industry like water and wastewater, where systems are critical to public health, these updates offer a crucial balance of usability and protection.

Additional Cybersecurity Resources for the Water & Wastewater Sector

Alongside these password updates, there are also significant resources available to bolster cybersecurity across water and wastewater systems.

On March 13, 2025, the EPA will host a cybersecurity briefing for the water and wastewater sector. The session will cover unclassified threats, along with available funding and technical resources from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA). Here are a few resources to explore:

• CDPHE Security Toolbox - Provides Colorado specific guidance for planning for and responding to cybersecurity and physical security attacks. 
• EPA Cybersecurity for the Water Sector - Get comprehensive guidance and tools to safeguard water systems against cyber threats.
• CISA Water and Wastewater Cybersecurity Toolkit - A practical set of tools to strengthen your water sector infrastructure against cyber threats.

By staying informed and adopting the latest cybersecurity practices, water and wastewater utilities can ensure a secure future, protecting critical infrastructure from evolving threats.

➽ Kyra Gregory, Drinking Water Training Specialists