Environmental Health Division
Assessing Security of Public Water Systems
Security and emergency response are essential in managing drinking water systems. Cyberattacks have become more common, and public water supplies (PWSs) that use operational technology are required to assess their cybersecurity at least yearly. Attacks by foreign hackers have occurred, and homegrown terrorists and ordinary vandals also threaten the safety of drinking water. The U.S. Environmental Protection Agency requires PWSs serving at least 3,300 people to conduct risk and resilience assessments, which include assessing system security. The Minnesota Department of Health (MDH) provides security evaluation assistance to all PWSs during sanitary surveys, and various organizations offer security self-assessment tools.
- Cybersecurity and access to computer systems
- Access to facilities
- Risk & Resilience and Emergency Response Plans
- Coordination and communication
- Access to documents
- Monitoring
Cybersecurity and access to computer systems
Beginning in 2024, all community Public Water Systems (PWSs) in Minnesota that utilize Operational Technology (OT), such as Supervisory Control and Data Acquisition (SCADA), must conduct an annual cybersecurity assessment and certify the completion with MDH. These assessments can be self-performed by your PWS or conducted by a third party. This requirement is mandated by the August 2022 Executive Order 22-20 and recent EPA guidance to states.
During a Sanitary Survey of your PWS, you will be asked about the completion of the cybersecurity assessment and any issues identified. Issues that could impact the delivery of safe drinking water will be discussed, and timelines for resolution will be established.
Action steps required
Identify if your system uses Operational Technology (OT). If it does, an annual cybersecurity assessment is required. To help determine if your system uses OT, refer to this link: Assessing OT usage in water systems.
Complete one of the following assessment options:
- Cyber Self-Assessment
  - EPA's user-friendly self-assessment (aligns with AWIA questions).
  - Download spreadsheet & answer ~35 questions on cyber practices.
  - Use drop-down menu to indicate answers: yes, no, or in-progress.
  - Additional self-assessment options linked below.
- Cyber Third-Party Assessment
  - The EPA offers a free third-party assessment.
  - Alternatively, you may hire a cyber consultant to conduct the assessment.
- Assessment Outcomes
  - Assessments aim to identify gaps or vulnerabilities in your cyber practices.
  - A report will be generated, outlining any vulnerabilities.
  - Address and strengthen identified vulnerabilities promptly.
  - Complete certification form and email to health.cybercertification@state.mn.us
  - MDH does not require a copy of your assessment findings, as this information is confidential and should not be shared.
- Annual Recertification Reminder
  - Save and update your assessment throughout the year.
  - Recertify by July 1 each year.
- Register PWS staff with the MN Fusion Center: Partners Registration Form / Minnesota Fusion Center (mn.gov)
  - This registration allows you to receive email updates on ongoing security threats, including cyber.
Access to facilities
- Restrict access with physical barriers to reservoirs, treatment systems, wells, and intakes. Prohibit parking or stopping on roadways near facilities.
- Fix all broken barriers, security fences, hatches, and manholes immediately.
- Lock all facilities. Do not leave keys in equipment.
- Evaluate the reliability and security status of current and former employees. Post “Employee Only” signs at entrances to restricted areas. Tell employees to question any strangers in restricted areas.
- Store chemicals in secure facilities. Require chemical suppliers to provide their personnel with photo-identification. Use only reliable and known suppliers and contractors. Only accept deliveries of intact containers of chemicals that have been ordered.
- Install security lighting, motion detectors, and surveillance cameras.
Risk and Resilience and Emergency Response Plans
The Safe Drinking Water Act (SDWA) Section 1433 requires community water systems (CWSs) serving more than 3,300 people to:
- Conduct a Risk and Resilience Assessment (RRA);
- Update their Emergency Response Plan (ERP) based on what was learned in the RRA process;
- Certify to the U.S. Environmental Protection Agency (EPA) that both have been completed; and
- Update both the RRA and ERP every five years.
These plans include assessment of cybersecurity vulnerabilities.
EPA has taken over 100 SDWA enforcement actions nationally against CWSs for violations of Section 1433 since 2020, which was the first deadline for systems to develop and update their RRAs and ERPs. These enforcement actions have been based on various findings, including failure to certify and not addressing the statutorily required elements in the RRAs and ERPs, which include looking at cyber threats.
EPA intends to use enforcement authorities to address problems such as failure to prepare adequate RRAs and ERPs. MDH will discuss RRA and ERP completion during sanitary surveys.
For more information on the required RRAs and ERPs, visit the EPA webpage America's Water Infrastructure Act Section 2013: Risk and Resilience Assessments and Emergency Response Plans.
Resources
- Assessing if a Water & Wastewater System has Operational Technology (pdf) (366.1 KB, 03-15-2024, 810-F-23-031)
- EPA: Water Cybersecurity Assessment Tool and Risk Mitigation Template (xlsx) (101 KB)
- EPA: Water Cybersecurity Checklist Fact Sheet (pdf) (619.5 KB)
- CISA: Cyber Resilience Review
- CISA: Cross-Sector Cybersecurity Performance Goals
- CISA: Cybersecurity Evaluation Tool
- NIST: Cybersecurity Framework
- Critical Security Controls
- AWWA Cybersecurity and Guidance, including small system guidance.
- EPA: Water Sector Cybersecurity Evaluation Program
- Cybersecurity Evaluation Program Fact Sheet (pdf) (443.5 KB, February 2024, 810-F-24-001)
- CISA: CISA Cybersecurity Advisor
Cybersecurity reminders
- Implement security measures such as firewalls, anti-virus software, and intrusion detection systems.
- Restrict computer access to necessary personnel.
- Use strong password protection.
- Secure remote access and develop mobile device policies.
- Keep software and applications updated on a managed update cycle.
- Develop a cybersecurity response plan.
Coordination and communication
- Ask your local law enforcement staff and public works/utility director to review your security measures.
- Ask your local emergency manager to review your response plans. Develop mutual aid agreements with neighboring communities for emergency water supplies. Join MNWARN.
- Train personnel in security awareness. Post the response actions for reporting threats or acts of terrorism. Call 911 or the local sheriff if suspicious activities occur.
- Plan for public notification.
- Practice response plans on a regular schedule.
- Develop capacity to communicate with local health care facilities. The Health Alert Network (HAN) is in use by most emergency health professionals.
- For drinking water emergencies, call the State Duty Officer at (800)422-0798.
Access to documents
- Store all documents in a secure facility with controlled access.
- Control access to water distribution maps and plans of facilities.
- Require contractors and consultants to maintain security of their copies of maps and plans.
Monitoring
- Physically check security at all facilities daily.
- Ask your local law enforcement officials to routinely patrol facilities and to strictly enforce parking restrictions.
- Develop and follow a water quality monitoring program.
- Check and record chemical usage daily.
- Keep good records to help quickly identify water quality issues and unusual events.
Questions?
- Contact the MDH main office (651-201-5000) or the Community Public Water Supply staff for your county, listed at MDH Drinking Water Protection Contacts.
- EPA Drinking Water and Wastewater Resilience
Technical Questions:
- MNIT Cyber Navigator Inbox: cn.mnit@state.mn.us
- EPA Technical Assistance Program: Cybersecurity Technical Assistance Program for the Water Sector
- CISA Technical Assistance: Technical Assistance (TA) Evaluation Form (PDF) (cisa.gov)
Certification Questions:
- Email: health.cybercertification@state.mn.us
- Or you can reach out to your District Engineer.