HomeMy WebLinkAboutDDW-2024-010353System CybersecurityPlan
Utah Department of Environmental
Quality
P R E P A R E D B Y Utah Division of Drinking Water
Utah Division of Water Quality
Public drinking water and wastewater systems in the United States,regardless of their size,are at
risk of cyberaacks with malicious intent.Unfortunately,these aacks are becoming more common,
with aackers aempting various pathways to gain unauthorized access to critical data files,
records,and operator technology control functions.
Cyberaacks on public drinking water and wastewater systems can have far-reaching
consequences beyond disrupting essential services.They can pose significant public health risks,
be extremely costly and impact various aspects of a community's well-being.To address these risks,
the Utah Department of Environmental Quality �DEQ�has developed a plan to assist public water
systems in preventing and responding to cyberaacks eectively.
Security of Public Drinking Water andWastewaterSystems
Security and emergency response is crucial for managing public drinking water and wastewater
systems.The Utah Department of Environmental Quality’s goal is to ensure all public drinking water
and wastewater systems thoroughly review their current cybersecurity procedures to find any major
vulnerabilities,implement strategies and controls to decrease cybersecurity risks where necessary,
and routinely practice plans to prepare and respond to cyberaacks.
The Division of Drinking Water and Division of Water Quality are partnering with the U.S.Department
of Homeland Security's Cybersecurity Infrastructure Security Agency �CISA�,and the Environmental
Protection Agency �EPA�to support public water and wastewater systems to improve cybersecurity
resilience.
Through collaborative eorts with public drinking water and wastewater systems and our partners,
we will enhance Utah's cybersecurity framework by facilitating essential information sharing with
public drinking water and wastewater systems.Our goal is to promote statewide preparedness and
provide support for preventing,responding to and recovering from all cyber incidents that may arise,
thus safeguarding our public drinking water and wastewater infrastructure against cyber threats for
the well-being and safety of Utah residents.
Cybersecurity Assessment
Every public drinking water and wastewater system,whether using simple or complex technology,
faces the risk of a cyberaack.To address this threat,DEQ,with support of our partners,the Division
of Technology Services �DTS�,CISA,and EPA,will regularly send updated information to high-risk
System CybersecurityPlan•UTAHDEPARTMENT OF ENVIRONMENTAL QUALITY 2 of 5
public drinking water and wastewater systems and maintain valuable resources and information
detailing how all public drinking water and wastewater systems can access support for conducting
cybersecurity assessments.These resources will oer guidance on identifying and addressing
cybersecurity vulnerabilities within public drinking water and wastewater systems,ensuring they are
equipped to mitigate risks and strengthen their defenses against potential cyber threats.
Utah's public drinking water and wastewater systems demonstrate varying degrees of technological
complexity,cybersecurity vulnerabilities,and protective measures.Understanding these nuances is
essential for eectively supporting these systems.To deliver the best possible assistance to public
drinking water and wastewater systems,the Division of Drinking Water and Division of Water Quality
will develop a specialized self-guided questionnaire tailored for public drinking water and
wastewater systems.This questionnaire will be designed to gather crucial data regarding
cybersecurity risk levels,with a particular emphasis on technological and operational controls such
as SCADA (Supervisory Control and Data Acquisition)systems.By gaining insights into the distinct
cybersecurity landscapes of each system,DEQ can customize support and response eorts to
strengthen cybersecurity resilience throughout Utah's public water and wastewater infrastructure.
Furthermore,the Division of Drinking Water will oer technical support to public water systems
during sanitary survey inspections to assist operators in identifying vulnerabilities and evaluate
adherence to cybersecurity best practices.The America’s Water Infrastructure Act �AWIA�Section
2013 requires all community public drinking water systems serving more than 3,300 people to
integrate cybersecurity into their risk and resilience assessments.The EPA oers complimentary
resources to assist public drinking water systems in meeting this requirement.As part of sanitary
survey inspections,the Division of Drinking Water will emphasize the importance of regularly
updating emergency response plans and exercising cybersecurity assessments and response
plans.
The Division of Water Quality will review facility emergency response plans to cybersecurity aacks
during Compliance Evaluation Inspections.The Division of Water Quality recommends that
wastewater service providers report all cyberaacks to the Division of Water Quality.
By proactively promoting cybersecurity awareness and providing accessible support resources,DEQ
aims to enhance the overall cybersecurity posture of public drinking water and wastewater systems
across Utah.This proactive approach empowers water systems to safeguard their critical
infrastructure and ensure the delivery of safe and reliable drinking water to communities.
System Cybersecurity Plan•UTAHDEPARTMENT OF ENVIRONMENTAL QUALITY 3 of 5
Cyber Incident Response
Cyberaacks are considered a public water and wastewater system emergency incident.Utah’s
public water systems have experienced various cyber incidents,such as unauthorized access and
ransomware aacks.Understanding the magnitude or extent of a cyberaack can be challenging
for a water system.Swift and eective response to any cyberaack is crucial for minimizing potential
damage to water systems.
Upon suspecting a cyberaack,it is imperative for a public drinking water or wastewater system to
promptly initiate incident response measures.Persistent compromises or failures within water or
wastewater system technology could have cascading impacts across critical infrastructure.
Responding immediately and eectively to a cyberaack is essential for minimizing potential
damage to water and wastewater systems.
Per Utah Administrative Code �UAC�R309�105�18,public drinking water systems need to contact
the Division of Drinking Water within eight hours if an emergency situation exists.
R309�105�18(e)defines a threat or evidence of vandalism or sabotage that may aect the quality of
delivered water as an emergency incident.By contacting the Division of Drinking Water as soon as a
cyberaack is suspected or confirmed,our team will assist the water system with contacting State
and Federal cybersecurity experts to immediately provide support.
Utah Pollutant Discharge Elimination System �UPDES�permit holders (wastewater service
provider)are required under UAC R317�8�4 to report any noncompliance that may endanger
health or the environment.UAC R317�801 requires sanitary sewer collection system owners
(wastewater service provider)to report sanitary sewer overflows in accordance with the
requirements of R317�801�4.If the wastewater service provider has prior knowledge of a potential
non-compliance event,such as one caused by cybersecurity aacks,the entity must report
anticipated noncompliance to the Division of Water Quality in accordance with the requirements of
their permit.By contacting the Division of Water Quality immediately when a cyberaack is
suspected or confirmed,the team will assist the wastewater service provider with contacting state
and federal cybersecurity experts to immediately provide support.
Our objective is to assist all public drinking water and wastewater systems in immediate
response,investigation,and isolation of cyberaacks by connecting them with top state and
federal cybersecurity experts and providing technical support during the incident.
System CybersecurityPlan•UTAH DEPARTMENT OF ENVIRONMENTAL QUALITY 4 of 5
Contacts
Department of Environmental Quality �DEQ�
Report an Incident 24/7 response line
�801�536�4123
hps://deq.utah.gov/general/report-an-incident
The Division of Technology Services �DTS�
DTS�SOC@utah.gov
24/7 response line �801�538�3011
Division of Drinking Water �DDW�
24/7 Emergency response line
�801�560�8456
Rural Water Association of Utah �RWAU�
emergencyresponse@rwau.net
Cybersecurity &Infrastructure Security
Agency �CISA�
24/7 report@cisa.gov
�888�282�0870
Resources
EPA EPA Cybersecurity for the Water Sector,which includes the EPA Water Cybersecurity
Assessment Tool �WCAT��XLSX�.CISA Cyber Resilience Review �CRR�and CPG Checklist �PDF�CISA Cyber Resource Hub
CISA Top Cyber Actions for Securing Water Systems
NIST Cybersecurity FrameworkAWWACybersecurityandGuidance,including small system guidance.DEQ Cybersecurity and Incident Response Resources
Kim Shelley,Executive DirectorUtahDepartmentofEnvironmental Quality
System Cybersecurity Plan•UTAHDEPARTMENT OF ENVIRONMENTAL QUALITY 5 of 5