Risk and Resilience Assessments and Emergency Response Plans

While attending the annual conference of the Association of State Drinking Water Administrators (ASDWA), an organization consisting of my counterparts across the U.S. and including territories, presentations were given about drinking water emergencies that generated national attention. These included the train derailment in East Palestine, Ohio and boil water orders in Jackson, Mississippi. At a previous conference I gave a talk about the Marshall Wildfires. I am sure most of us are aware of the tragic Lahaina, Hawaii wildfire that struck Maui earlier this year.

Extreme events like these are exceedingly difficult to consider and plan/prepare for. But there are requirements in the Safe Drinking Water Act (SDWA) for utilities to assess their vulnerability and risks, and to develop emergency response plans. These requirements came in with America’s Water Infrastructure Act (AWIA) that was signed into law in October 2018. AWIA Section 2013 specifies that all Community Water Systems with populations greater than 3,300 must conduct Risk and Resilience Assessment (RRAs) and Emergency Response Plans (ERPs). These documents need to be reviewed and updated at least every five years. Since this provision of SDWA is directly implemented by EPA, water systems must certify directly to EPA every five years that they have completed these required activities. The initial RRA certifications were due to EPA from March 2020 to June 2021 depending on systems size, so the first five-year updates are due from March 2025 to June 2026. For more information about upcoming review deadlines and requirements please visit the EPA’s RRA/ERP website. The ERP is intended to be developed in a way that addresses system-specific elements based on its RRA, so these certifications are due six months after the RRA certifications.

The RRA needs to address the following components:

• Risks from malevolent acts and natural hazards
• Traditional water system infrastructure resilience including electronic, computer, or other automated systems (including the security of such systems) utilized by the system
• Financial infrastructure
• System monitoring, operations and maintenance
• Chemical use, storage and handling

Note that item two above essentially includes cybersecurity. EPA has a Vulnerability Self-Assessment Tool (VSAT) to help water systems complete their RRA. The Cybersecurity and Infrastructure Security Agency (CISA) and the Colorado Information Analysis Center (CIAC)also provide numerous tools to help systems address the cyber components of the RRA.

After completing the RRA, the ERP needs to be developed and describe strategies, resources, plans and procedures utilities will use to prepare for and respond to emergency incidents. The incidents can be natural or human-caused and range from line breaks to major disasters like floods or wildfires. The ERP needs to specifically address:

• Strategies and resources to improve resilience including physical security and cybersecurity.
• Emergency response strategies and resources
• Proactive approaches to lessen the impact of emergency incidents
• Strategies to help detect malevolent acts or natural hazards that could harm the system

Water systems should coordinate with local emergency planning agencies and must retain copies of their RRA and ERP.

This SDWA provision is not part of state primacy, but is overseen by EPA. To date, EPA has primarily overseen compliance with these requirements via ensuring that systems have submitted their certification. However, going forward EPA is conducting inspections at water systems across the U.S. and soon in Colorado to evaluate compliance with these requirements and help systems become better prepared to prevent emergencies, lessen their severity and respond.

We all know that emergency preparedness is the right thing to do, but it can be hard to prioritize in the face of day-to-day tasks and seeming crises. However, recent events like the emergencies at water systems that have gained national attention and cyberattacks that have involved ransomware and attempts to access control systems should raise our awareness of the value of these efforts. Maybe this information can help you gain support in your utility to keep up with risk assessment and emergency planning activities, especially with respect to cybersecurity. It’s clear that assessing cybersecurity risks and planning to address those risks is part of SDWA, even though EPA’s early 2023 memorandum about cybersecurity and sanitary surveys was rescinded. 

Cybersecurity threats appear to be ever-changing and more threatening. Our Drinking Water Security Response Toolbox is designed to help you meet these AWIA requirements and keep your water systems safe and protected. 

Thank you.

➽ Ron Falco, P.E. Safe Drinking Water Program Manager

Wellhead Deficiencies

In this article, we continue our discussion of the Top 10 most frequently cited significant deficiencies and violations to raise awareness and help operators identify and correct issues before they become a potential health threat or citations in a sanitary survey. At #2 in the Top 10, source construction deficiencies (S030) were cited 9% of the time during sanitary surveys for the 2022 inspection year and 9% in the 2023 inspection year. Groundwater wells are the most common sources of drinking water used in Colorado (70% of public water systems use groundwater wells) and are perhaps one of the most overlooked parts of water systems. Wells can go unnoticed for years since they are often located away from most activities and may only be noticed when the flow of water is altered. The most commonly discovered significant deficiencies with wells are related to electrical conduits, gaskets, vents and vaults.

What are the minimum standards for a properly constructed well? In the “State of Colorado Design Criteria for Potable Water Systems” (Policy DW005), CDPHE actually primarily refers to the Colorado Division of Water Resources’ (DNR) latest edition of “2 CCR 402-2 Rules and Regulations for Water Well Construction, Pump Installation, Cistern Installation, and Monitoring and Observation Hole/Well Construction” (a.k.a. Colorado Well Driller Regulations). The purpose of these regulations is to ensure public health and the safety of groundwater resources. The regulation outlines minimum construction standards for all types of wells in all types of environments, and it defines minimum well height, screening, minimum distance from potential sources of contamination, grouting standards, pump installation and much more.

There are many variations to well heads, but the two primary ones that inspectors come across are the “split-cap” and the “well-cap” (see image below for reference). The “split-cap” has the discharge line, vent and electrical conduit all protruding from the wellhead. The well head is comprised of two metal plates with a rubber gasket in between. When installed, the two plates are compressed, the rubber gasket expands and creates a watertight seal. The “well-cap” has a pitless water connection (below frostline) and a designated female electrical connection, a set of gaskets and a built-in vent (which are typically screened).

*photo courtesy of Oregon State University https://wellwater.oregonstate.edu/well-water/wells/well-check-list

Well head

Well heads must be designed and constructed at the top of well casings to prevent the entry of contaminants into the well. The majority of the wells that the department inspects are located outdoors and are exposed to the elements. It is vital that the wells are constructed and maintained in a manner that will protect the raw water. Some common issues that inspectors observe are missing/damaged gaskets, missing bolts, broken or loose well caps (bolts are missing or not tightened), split-caps not seated on the well casing properly and a split-cap with a rope (used to hold the well pump in position or to assist in pulling the pump out) coming out of the well that is not properly sealed.

The split-cap well head was not properly sealed to the well casing. The supplier applied caulking between the split-cap and the well casing.

The bottom of the well head cap was broken and did not allow for a tight seal. A new well head was installed.

Well Vents

Vents are an integral part of a well as they permit air to freely enter and exit the well. Vents need to be located at a minimum of one foot above ground level, be turned down and be covered with a non-corrodible screen. Screens may not have openings that exceed 0.07 inches (typically 12 or 16 mesh screen). 

The two most common issues observed with vents on wells are that they are broken or missing.

The well-cap has a built-in vent that was broken/corroded. The supplier replaced the broken screen with an acceptable mesh screen.

Electrical Conduit

According to the Colorado Well Driller Regulation, electrical connections are to meet the standards of the NFPA 70: National Electric Code (2014). Some common electrical conduit issues that are observed during sanitary surveys are where the electrical conduit has separated from the well head or the junction box which can typically occur due to the ground settling. Another common finding is missing or partially attached cover plates on electrical junction boxes. Split-cap wells can also have electrical wires penetrating the well top without a properly constructed conduit or a proper seal between the wire and the rubber gasket. All of these situations present a pathway for contaminants to enter the well, which pose a health risk and are significant deficiencies that will be cited during a sanitary survey.

The electrical conduit separated from the electrical junction box, creating an opening. The supplier installed a conduit sleeve to provide a watertight junction.

The electrical junction box was missing a screw. The supplier sealed the hole with caulk.

Split-cap well had the electrical wire enter from an unsealed port. The supplier sealed the gap with caulk.

Well Vaults

Although well vaults are not a common practice these days, the department still observes wells located in vaults. Placing a well in a vault was a common practice to protect the well from the elements. However, having a well in a vault can subject the well to flooding. If a well is located in a vault, the vault cover or lid must be watertight and the vault must either drain to daylight or have a sump. Evidence of water accumulating in the vault and potentially submerging the wellhead is a significant deficiency.

Well vault was subject to flooding. Supplier installed a sump pump.

Concrete Pads

Inspectors are frequently asked if concrete pads are required? The Colorado Well Driller Regulation along with the department do not recommend that wells have concrete pads with the exception of hand-pumped wells. Well pads were commonly installed if well depths were less than 100 feet or to keep vegetation down around the well head. However, the department has observed that concrete pads tend to attract animals that burrow underneath the pad creating a source of contamination. Concrete pads also tend to crack and shift, which can create a funnel effect and divert surface water to the well casing. Minor cracks can be repaired; however, the department recommends that a supplier remove their existing concrete pad if they notice animals burrowing or if the concrete pad begins to divert surface water to the well casing. Evidence of burrows under a concrete pad or severely damaged pads capable of channeling surface water to the well casing are significant deficiencies that would be cited during a sanitary survey.

Burrow located under the concrete pad, the burrow was filled in and will be monitored in the future.

Drainage and Slope

According to the Colorado Well Driller Regulation, well locations should incorporate proper positive drainage from the well casing. As a rule of thumb, the department has historically viewed positive drainage 20 feet in all directions from the well if possible. Wells should not be located in depressions as surface water can pool around the well casing and be a source of contamination. If a well is built on a slope, a berm is recommended uphill to divert runoff and surface water away from the well casing. 

Well was located in a depression that could allow for water to pool around the well casing. The supplier added pea gravel around the well head and created positive drainage away from the well casing.

For more information the department recommends that suppliers utilize DNR’s latest edition of “2 CCR 402-2 Rules and Regulations for Water Well Construction, Pump Installation, Cistern Installation, and Monitoring and Observation Hole/Well Construction” for proper well construction, maintenances and fixes. In addition, suppliers may email the Field Services team at cdphe_wqcd_fss_questions@state.co.us if they have any questions or concerns.

➽ Tom Valenta, CWP, Field Services Work Group Leader

Cybersecurity: simple steps to protect your system

Cyberattacks on critical infrastructure in the US continue to be a major concern and present a potential disruption to the critical work that water and wastewater systems provide for their communities. On October 12, 2023 the US EPA withdrew their Cybersecurity Rule citing legal challenges. However, cybersecurity planning and preventing attacks continues to be a central focus of the federal government. EPA and CISA continue to provide technical support to water systems. Regardless of federal requirements, the division wants to emphasize the significant financial and operational risks that cyberattacks pose to systems. The division continues to partner with state and federal entities to provide cybersecurity planning tools, resources, training opportunities, and self-evaluations.

Who is vulnerable?

According to a recent Waterfall Security Report, in 2022 the critical infrastructure sector experienced a 140% surge in cyberattacks resulting in more than 150 incidents. The majority of these assaults were in the form of ransomware, encrypting critical computer systems and invaluable data across Informational Technology (IT) networks. However, the attacks impacted operational technology (OT) as well. Any system that uses OT and or IT is vulnerable to cyberattacks. These attacks can negatively affect treatment, distribution, collections, administrative support, and financial/billing systems. These effects can impact your ability to protect public health and the environment and often cost large sums of money. Here are some examples of OT and IT:

• OT = Industrial Control System (ICS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLCs),Remote terminal units (RTUs), Internet of things (IoT) devices, Industrial internet of things (IIoT) devices, also known as Industry 4.0, building management systems, fire control systems, and physical access control mechanisms.
• IT = Laptops, Desktops, Tablets, servers, computer hardware, software, electronics, semiconductors, internet, telecom equipment, and e-commerce.

What are some basic steps you can take to protect your system?

Regardless of the size of your system or the scope of your technology use. please take the following basic cybersecurity steps at your facility to help prevent cyberattacks: 

1. Change passwords regularly (at least once every 3 months). 
2. Use multi-factor authentication for access.
3. Take away system access when staff leave the utility.
4. Implement regular staff training on cybersecurity fundamentals (especially how to recognize phishing attempts).
5. System maintenance
• Do frequent back-ups
• Keep up to date with software and install patches

According to EPA and CISA, taking these low-cost steps can prevent many cyberattacks.

In addition to the above basic preventive measures you and your system can explore the many available free cybersecurity tools and resources: 

• CDPHE Security Toolbox: The department gathered resources to help your system prepare for and respond to cyber and physical security incidents. 
• WQCD Guidance: Respond and Report Cyberattacks  can be used when your water/wastewater facility experiences a cybersecurity event. It outlines what steps to take, the required steps to report the event, and what to expect after reporting the event.
• Self-Assessment: EPA self assessment resources and Water Cybersecurity Assessment Tool (WCAT)
• Third-Party Assessment: EPA’s Water Sector Cybersecurity Evaluation Program and Colorado Information Analysis Center Cyber Assistance 
• EPA Cybersecurity Technical Assistance Program for the Water Sector
• EPA Cybersecurity Incident Action Checklist
• EPA collection and explanation of cybersecurity funding opportunities 

Thank you for all that you and your system do to protect the public health and environment of Colorado’s communities! Please reach out to the division’s security contact kyra.gregory@state.co.us with any questions. 

➽ Heather Young Field Services Section Manager 

➽ Kyra Gregory Drinking Water Training Specialist 

Backflow Prevention and Cross Connection Control Regulation Updates

The updated Backflow Prevention and Cross Connection Control Program (BPCCC) rule (in Regulation 11 Section 11.39) was officially active as of October 15, 2023! The Division greatly appreciated all the stakeholder support in developing the updated BPCCC regulation and also the updated DW007 BPCCC Policy that accompanies the regulation changes. Major changes that were adopted with the BPCCC updates include: 

• Suppliers have 1 calendar year to test assemblies not tested in previous calendar year (must still test at least 90% each year)
• In specific situations, suppliers can self-issue extensions of the 120-day deadline for controlling discovered cross-connections (see section 4.11 of Policy 7) 
• Assemblies and methods are now one combined compliance ratio (see new annual report template)
• Cleaned up regulation to remove old dates and tables from delayed implementation schedules
• Updated Policy 7 to include more detail on permitting cross connections, surveying, self issued extensions, and more

The Division is currently working on major updates to the Backflow Guidance Documents to incorporate the new BPCCC regulation and policy update. The guidance document updates and associated templates will be posted to the CDPHE WQCD BPCCC Website. Please stay tuned for updates! If you have any questions in the meantime, please email us at cdphe_wqcd_fss_questions@state.co.us.

➽ Heather Young, PE, CWP, Field Services Section Manager

➽ Clayton Moores, PE, Field Unit I Manager

Reporting Requirements: tampering and security breaches in your water system

In early 2022 the Water Quality Control Division published a Drinking Water Security Response Toolbox website designed to help water utilities plan for, prevent, and guide responses to security threats including threats of tampering, suspected tampering, general malevolent acts, cyberattacks, confirmed tampering, and violent acts. Physical security breaches and tampering events continue to pose a significant risk to Colorado’s public water systems and their ability to provide safe drinking water to their communities. The division would like to emphasize that it is critical for systems to: 

1. Take measures to prevent security incidents.
2. Plan their response to an attack.
3. Know what constitutes a tampering event or a suspected tampering event.
4. Understand the regulatory requirements for reporting tampering to the division. 

In response to recent tampering incidents and in an effort to clarify when it is required to report security events to the division, we have updated the Guidance: Report and Respond to Tampering Events or Security Threats. The guidance provides the following information for public water systems: 

• Regulatory details and requirements for reporting tampering or suspected tampering events. 
• Explanation of what constitutes an attempted, suspected, or confirmed tampering event.
• Simple actions to help prevent tampering events.

For the purposes of this article, we will focus on the requirements for reporting tampering or suspected tampering and examples of what constitutes an attempted, suspected, or confirmed tampering event. 

Reg 11 requires PWS to report tampering (suspected or confirmed) to the division

Per Regulation 11.2(1), tampering events, suspected tampering, or receipt of a tampering threat must be reported to the Colorado Department of Public Health and Environment (department). The supplier must notify the department as soon as possible but no later than 10 a.m. of the next calendar day and notify the Department in writing no later than 5 days after any attempted, confirmed, or suspected tampering, or receipt of a tampering threat. Failure to report attempted, suspected, or confirmed tampering in a timely manner may result in a violation of Regulation 11. The guidance offers information on what information to submit. For ease of reporting, the department has created the Tampering Threat and Incident Report Form. If you have issues accessing the form please fill out the pdf version of the form and submit it to cdphe.wqacutes@state.co.us.

It is really important to emphasize that attempted or suspected tampering is reportable even if the event is not successful or confirmed. When in doubt, please contact the department. The role of the department during actual or suspected tampering events is to: 

1. Help water system asses any possible impacts to water quality,
2. Support the system experiencing the event(s) by connecting them with state and federal agencies that specialize in tampering and security issues in the water sector. 
3. Support the industry and gather information to identify trends across the water sector. 

What constitutes an attempted, suspected, or confirmed tampering event?

What are some examples of tampering events?

• Introducing a contaminant into a public water system or drinking water.
• Interfering with drinking water or the operation of a public water system with the intent to harm people or the public water system infrastructure. 
• Vandalism that physically damages storage tanks, fire hydrants, locks on well buildings, wellheads, intake structures, pump stations, treatment plants, backflow devices, or any other part of the physical infrastructure of the drinking water system. 
• Any action that damages the integrity of a drinking water system or causes harm to the system including expending resources (staff’s time, funding to replace or repair damaged infrastructure, water loss, etc.).  
• Unapproved removal of critical records, equipment, or chemicals. 

What are some previous tampering events that required reporting to the department?

• Verbal threat of damaging the water system infrastructure. 
• Malicious damage to fire hydrants in the distribution system. This can create a cross connection or cause pressure loss. 
• Cybersecurity attack - ransomware attack that withheld SCADA system and billing system. 
• Tank hatch alarm sounding to indicate the tank hatch is opening frequently with no system staff in the area.
• Vandalism of security fencing and a well-house.
• Purposefully attempting to drain the distribution system or storage tank, opening and closing valves without permission, intentional damage. 

What does not constitute a tampering event?

• Any vandalism that poses no potential risk to public health, like non-destructive tagging which does not result in excessive costs to the system for removal/repair.
• Accidental damage to the system such as a car accident that results in damage to a hydrant. 
• Water theft is not considered tampering unless there is intent to damage or interfere with the system. Regardless of whether theft is tampering or not, please contact your local law enforcement. 

➽ Kyra Gregory Drinking Water Training Specialist  

Asset Management - the Key to a System's Capacity

The Water Quality Control Division’s Local Assistance Unit is charged with assisting Colorado’s public water systems with building their capacity to provide safe drinking water to their communities now and into the future. Capacity can be defined  as the amount that something can hold or produce, whether it is applied to people, things or systems. In a public water system (PWS), capacity is an indicator of the overall health of a system. A PWS’s capacity is assessed using 3 criteria: Technical, Managerial, and Financial or T-M-F. Just 3 little letters, sounds simple, right?  

Don’t let the  simplicity of those letters fool you, they are powerful. The key to a successful and healthy water system is T-M-F capacity. Every part of a water system can be classified under one (or more) of these criteria areas. So, it makes sense that understanding your system's capacity is essential to running a successful water system. In fact, when applying for funding an in depth capacity assessment may be required, depending on the funding source.  Beyond funding however, it is a tool that helps you manage and assess your system’s needs both short and long term.  

How can you determine your system's capacity?  

CDPHE’s TMF capacity worksheet tool can assist you. This worksheet offers a condensed, quick-tool version of the more robust TMF assessment done when applying for funding. By completing each question you will generate an estimate of your capacity percentage for each criteria area TM & F.  Using this percentage you can determine which areas are in good shape and which areas require more focus. Good TMF capacity is often tied to good asset management.  Understanding your system as a whole is critical to short- and long-term planning. Assets are everything your system is composed of from the physical infrastructure, pipes, meters, tubing, valves, etc. to the people that work in your system. Asset management is a cumulative inventory of your system as a whole that allows you to critically assess each piece, its lifetime, cost, and to generate a prioritized needs assessment. There are a variety of tools available for developing your asset management plan:

• Asset inventory is a big part of asset management and the EPA’s Taking Stock of Your Water System: A Simple Asset Inventory for Very Small Drinking Water Systems is an easy to follow tool that will help you begin developing your asset inventory. 
• Asset Management: A Handbook for Small Water Systems offers a step by step guide to building a full asset management plan. A robust asset management plan facilitates high capacity and high capacity is directly tied to a systems success.  

Need assistance with asset management or capacity development?

The Colorado Department of Public Health (CDPHE) Water Quality Control Division (WQCD) has capacity coaching available for free through the Local Assistance Unit (LAU). A PWS can request assistance by filling out the Coaching Assistance Form. Please welcome the newest member of our capacity development team Angela Green Garcia. Angela will be focusing on asset management and financial readiness.  

➽ Angela Green Garcia - Drinking Water Training Specialist

Lead and Copper Rule Revisions and Service Line Inventories

On August 14, 2023, the Water Quality Control Commission adopted the Lead and Copper Rule Revisions into Regulation 11. The changes to Regulation 11 are effective as of October 15, 2023, but the Lead and Copper Rule Revisions have a delayed start date and won’t take effect until October 16, 2024. The Lead and Copper Rule Revisions are a comprehensive update to the EPA’s 1991 Lead and Copper Rule.

Prior to adoption the division conducted an extensive stakeholder process with 26 meetings that provided opportunities for public feedback about the proposed changes. Overall, the division gained stakeholder consensus on adopting the Lead and Copper Rule Revisions into Regulation 11 within two years after promulgation of the revisions, and many of the stakeholder comments related to clarity of the rule requirements. The division reorganized the structure of the Lead and Copper Rule Revisions and incorporated stakeholder comments into the draft rule, where possible, to increase readability and clarity.

The Lead and Copper Rule Revisions affect more than 1,050 community and non-transient, non-community public water systems in Colorado, serving nearly 6.5 million people. A key requirement due by October 16, 2024 is that all systems subject to the rule must complete an initial lead service line inventory to classify the material of each service line entering a building, regardless of ownership.

To aid systems, the division has made many resources available to systems. First, we have posted EPA and state guidance for systems on how to complete a lead service inventory and reporting forms to submit to the division once completed. Second, the division contracted with Corona Engineering and worked with stakeholders to develop an initial lead service line inventory development policy that details the expectations for completion of an inventory and clarifies many lingering issues that remained unanswered in EPA guidance. Some examples include: 

• When can galvanized pipe be considered non-lead versus galvanized requiring replacement?
• How does a system use predictive modeling to complete their inventory?
• When can a system indicate all service lines installed after 1959 are non-lead?

Third, we are contracting with WSP USA Inc to provide no-cost technical assistance to systems serving less than or equal to 15,000 people and allowing systems serving 7,500 or more people to apply for grants to assist with completing their service line inventory and service line replacement planning. This money cannot be used for physical replacement of lead service lines. Grants will be awarded on a first-come, first-serve basis to eligible applicants over several application periods. 

It’s important to note that with less than one year left to complete an initial lead service line inventory and recognizing the resources necessary to diligently complete an inventory, water systems may categorize service lines as “lead status unknown” when they cannot determine the material through an evidence-based approach. However, additional requirements, including customer outreach and planning, are triggered under the new rule if any service lines are listed as “lead status unknown.”

• Other key changes under the LCRR include, but are not limited to:
• Compliance with a new lead “trigger level” set at 10 parts per billion (ppb).
• Tap sampling requirements that target lead service lines.
• Testing water for lead in schools and childcare facilities.
• Strengthened corrosion control treatment, lead service line replacement, and public education requirements.

Please note that these key requirements (e.g., lead trigger level and sampling changes) may be revised under another new rule, the Lead and Copper Rule Improvements (LCRI). The EPA plans to finalize the LCRI by October 2024. The department is awaiting more information about the LCRI in late 2023 or early 2024. Therefore, the department will provide communication and resources related to these requirements once more is known about the LCRI.

Resources:

• LCRR guidance, FAQs, and forms are available on the department’s Lead and Copper Rule & Revisions webpage.
• Review the department’s initial service line inventory development policy.
• To request no-cost technical assistance (Systems ≤ 15,000), complete the online form.
• To apply for grant funding (Systems ≥ 7,500, visit the Water Quality Grants webpage.
• Visit the department's drinking water training and assistance website to register for upcoming Lead and Copper Rule courses (online and in-person options available) and other free training opportunities.

➽ Bryan Pilson Technical & Regulatory Implementation & Coordination Unit Manager