Disasters and Emergencies
- Disasters and
Emergencies Home - Radiological Emergencies
- Drinking Water Safety in Emergencies
- Food Supply Safety & Security
- Mass Feeding
- Emergency Contacts
Related Topics
- Climate and Health
- Emergency Preparedness, Response and Recovery
- Food Safety in Emergencies
- Natural Disasters and Severe Weather
- Radiation Control
Environmental Health Division
Assessing Security of Public Water Systems
Security and emergency response are essential in managing drinking water systems. Cyberattacks have become more common and public water supplies (PWSs) that utilize operational technology are required to assess their cyber security at least yearly. Attacks by foreign cyber hackers have occurred and homegrown terrorists and ordinary vandals are a threat to the safety of drinking water. The U.S. Environmental Protection Agency requires PWSs serving at least 3,300 people to conduct risk and resilience assessments which include assessing system security. MDH provides security evaluation assistance to all PWSs during sanitary surveys and various organizations offer security self-assessment tools.
- Facility security
- Risk & Resilience and Emergency Response Plans
- Cybersecurity and access to computer systems
- Coordination and communication
- Access to documents
- Monitoring
Access to facilities
- Restrict access with physical barriers to reservoirs, treatment systems, wells, and intakes. Prohibit parking or stopping on roadways near facilities.
- Fix all broken barriers, security fences, hatches, and manholes immediately.
- Lock all facilities. Do not leave keys in equipment.
- Evaluate the reliability and security status of current and former employees. Post “Employee Only” signs at entrances to restricted areas. Tell employees to question any strangers in restricted areas.
- Store chemicals in secure facilities. Require chemical suppliers to provide their personnel with photo-identification. Use only reliable and known suppliers and contractors. Only accept deliveries of intact containers of chemicals that have been ordered.
- Install security lighting, motion detectors, and surveillance cameras.
Go to > top.
Risk and Resilience and Emergency Response Plans
The Safe Drinking Water Act (SDWA) Section 1433 requires CWSs serving greater than 3,3000 people to:
- Conduct a Risk and Resiliency Assessment (RRA);
- Update their Emergency Response Plan (ERP) based on what was learned in the RRA process;
- Certify to the U.S. Environmental Protection Agency (EPA) that both have been completed; and
- Update both the RRA and ERP every five years.
These plans include assessment of cybersecurity vulnerabilities.
EPA has taken over 100 SDWA enforcement actions nationally against CWSs for violations of Section 1433 since 2020, which was the first deadline for systems to develop and update their RRAs and ERPs. These enforcement actions have been based on various findings, including failure to certify and not addressing the statutorily required elements in the RRAs and ERPs, which include looking at cyber threats.
EPA intends to use enforcement authorities to address problems such as failure to prepare adequate RRAs and ERPs. MDH will discuss RRA and ERP completion during sanitary surveys.
For more information on the required RRAs and ERPs, visit the EPA webpage America's Water Infrastructure Act Section 2013: Risk and Resilience Assessments and Emergency Response Plans.
Go to > top.
Cybersecurity and access to computer systems
All community PWSs in Minnesota that utilize operational technology (OT), such as Supervisory Control and Data Acquisition (SCADA), are required to perform a cybersecurity assessment every year, beginning in 2024, and certify the completion to MDH. Cybersecurity Assessments may be self-assessments performed by your PWS or by a third party.
This requirement is part of a directive from the August 2022 Executive Order 22-20 and from recent EPA guidance to states.
During a Sanitary Survey of your PWS, you will be asked about cybersecurity assessment completion and what, if any, issues were discovered during the assessment. Issues that have potential to impact the delivery of safe drinking water will be discussed and timelines for fixing determined.
Go to > top.
Actions to take
- Contact the Minnesota Fusion Center and the State Duty Officer if your system has a cybersecurity breach that affects drinking water. The Fusion center will relay information to the FBI, CISA and EPA for assistance.
- Sign up for cybersecurity updates from the Minnesota Fusion Center to stay informed on treats to critical infrastructure.
- Register with Minnesota Fusion Center as a person and public water supply that provides a critical service in water and/or wastewater.
- Complete a cybersecurity assessment at least yearly. The initial deadline for PWSs to complete a cybersecurity assessment and submit certification to MDH was July 1st, 2024.
- Submit the cybersecurity assessment form (PDF) to MDH. Public water systems have until July 1st of the following calendar year to certify that they have completed their annual cybersecurity assessment.
Cybersecurity resources
- EPA Cybersecurity for the Water Sector, which includes the EPA Water Cybersecurity Assessment Tool (WCAT) (XLSX).
- CISA Cyber Resilience Review (CRR) and CPG Checklist (PDF)
- CISA Cyber Resource Hub
- CISA Top Cyber Actions for Securing Water Systems
- NIST Cybersecurity Framework
- AWWA Cybersecurity and Guidance, including small system guidance.
Recommended resources for third party assessments
Cybersecurity reminders
- Obtain technology security such as firewalls, anti-virus software, and intrusion detection software to protect computer systems.
- Limit computer access to personnel who need to know.
- Utilize strong password protection.
- Eliminate exposure to external networks and secure remote access. Develop and enforce mobile device policies.
- Keep all computers software and applications up to date. Implement an update management cycle.
- Develop a cybersecurity response plan.
- Conduct regular employee training related to cybersecurity.
Go to > top.
Coordination and communication
- Ask your local law enforcement staff and public works/utility director to review your security measures.
- Ask your local emergency manager to review your response plans. Develop mutual aid agreements with neighboring communities for emergency water supplies. Join MNWARN.
- Train personnel in security awareness. Post the response actions for reporting threats or acts of terrorism. Call 911 or the local sheriff if suspicious activities occur.
- Plan for public notification.
- Practice response plans on a regular schedule.
- Develop capacity to communicate with local health care facilities. The Health Alert Network (HAN) is in use by most emergency health professionals.
- For drinking water emergencies, call the State Duty Officer at (800)422-0798.
Go to > top.
Access to documents
- Store all documents in a secure facility with controlled access.
- Control access to water distribution maps and plans of facilities.
- Require contractors and consultants to maintain security of their copies of maps and plans.
Go to > top.
Monitoring
- Physically check security at all facilities daily.
- Ask your local law enforcement officials to routinely patrol facilities and to strictly enforce parking restrictions.
- Develop and follow a water quality monitoring program.
- Check and record chemical usage daily.
- Keep good records to help quickly identify water quality issues and unusual events.
Go to > top.
For more Information
- The MDH main office (651-201-5000) or the Community Public Water Supply staff for your county found at MDH Drinking Water Protection Contacts.
- EPA Drinking Water and Wastewater Resilience
Go to > top.