The NYS Department of Health, Bureau of Water Supply Protection, has released an approved spreadsheet template for use in documenting your water systems Lead Service Line Inventory (LSLI).  The bureau also released an approved spreadsheet template for small systems serving 500 or fewer service connections. All Community Water Systems and Non-Transient, Non-Community Water Systems are required to collect data, generally from records such as curb cards or as built maps, or from excavations, that will determine the type of service line material on both the water systems side and the customers side entering the home. NYRWA will be providing at least 10 training sessions over the next 12 months in conjunction with the NYS Dept. of Health, Bureau of Water Supply Protection that will have one segment dealing with this issue. If you need further assistance, please see the link to the template below, and please feel free to reach out to our Circuit Riders and Training Specialist for assistance. The initial Lead Service Line Inventory will need to be submitted by October 16, 2024. There is much more to this rule, this is merely a brief summary and a link to the spreadsheet. 

You can download the Inventory Template on the nyruralwater.org website under "Resources” where you will click the "Download” link and choose "Templates” and find NYS DOH Approved Lead Service Line Inventory Spreadsheet. (Once you click this link a pop up box should appear somewhere on your screen to download the spreadsheet.) 

Please save the dates for our 44th Annual Workshop in Lake Placid, May 22-24, 2023!

If you are interested in being a presenter, please complete the Call For Presentation request form and return by August 15, 2022 to be considered for next year's conference.

Sponsorship Opportunities are available, review the letter, if interested please complete the sponsorship form with your selection and email to our office nyrwa@nyruralwater.org 

Have you received water and/or wastewater technical assistance from NYRWA? Have you attended NYRWA in-person or web-based training? Has your system benefited from a Source Water Protection Plan or Energy Efficiency Assessment from NYRWA? If so, WE NEED YOUR HELP!  NYRWA is respectfully asking our system members to draft and submit letters of support for the services you have received. These letters are crucial so we can deliver your message to our elected representatives that more needs to be done to fund water and wastewater infrastructure. Please, we need as many members as possible to draft the support letters on your letterhead and mail to our office at:

NYRWA, Inc.
PO Box 487
Claverack, NY 12513

Let’s make this letter writing campaign a huge success, please participate. We thank you in advance for your consideration.

Don't have time to spend traveling to sit in a class all day? The best place to receive renewal web based training is at home or work, whichever your schedule allows. You can work at your own pace. SunCoast Learning Systems offers some great topics that will fit your certification requirement needs. Online courses are New York State approved and offer the flexibility and convenience you are looking for. For more information call 1-800-269-1181 or visit https://www.suncoastlearning.com/courses/ny.

Big or small, the importance of protection and security are the same

WaterISAC Staff

Jun 1, 2022

Image by Pete Linforth from Pixabay

Critical infrastructure is defined as an asset that is so essential and vital to the United States and the people of this country that any ripple, destruction, or incapacity to perform would have a significant impact on physical, economic, or public health and safety. National Critical Functions are defined as pieces of the government and private sector for which any disruption could crumble security ranging from economic to public health across the nation. Both water and wastewater fall under these categories — a lifeline and necessity to all.

Whether a utility serves 300 people or hundreds of thousands with water and wastewater service, the importance of protection and security are the same. What's important to remember is that while federal agencies like the Cybersecurity and Infrastructure Security Agency are keenly concerned about the impact of large water system outages and their effect on particular regions, a cyber-attack at the smaller system is just as damaging to life and the economy on a local scale.

To block or limit information technology (IT) or operational technology (OT) compromises, there are some basics that all water and wastewater utilities should follow and understand. WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities (http://www.waterisac.org/fundamentals) do not discriminate based on the size of the population served. Instead, "15 FUN" — our name for the fundamentals — is the foundation that can (and should) be implemented by all. However, because these are risk-based best practices, all of them may not apply to every system.

1. Perform Asset Inventories

Can you account for all your assets? In order to protect your environment, you must be aware of what you are protecting. If you have not already or recently done so, now is the time to take inventory and identify your assets. Know the items on your network and what they each do.

2. Assess Risks

This is the time and place to be risk-averse. Once you inventory your assets, it is time to identify vulnerabilities or security gaps. An assessment will help you know and prioritize the risks in your environment based on a likelihood of an attack or threat. In complying with America's Water Infrastructure Act, many systems used the U.S. Environmental Protection Agency's Vulnerability Self-Assessment Tool, but other options exist, offered by consultants or technical assistance providers.

3. Minimize Control System Exposure

What happens in your environment stays in your environment. One way to help protect your control system environment is to keep it isolated. However, what might be desirable and what is practical do not always align. There are steps that can be taken to minimize exposure such as network segmentation, traffic restrictions, and encrypted communications for starters.

4. Enforce User Access Controls

Not everyone can be a VIP. In this case, the more the merrier is not a good thing. Limiting control system access and privileges to only those necessary is technically an easy and valuable fundamental to implement. WaterISAC encourages utilities to also follow other related access restrictions such as requiring strong passwords, using multifactor authentication, and deploying secure remote access solutions.

5. Safeguard from Unauthorized Physical Access

Finders keepers. It may seem elementary to point out that physical access to your IT and OT environments should be limited but doing so is sometimes overlooked. Ensure there is a physical security defense in place around the buildings and rooms that contain your IT and OT equipment. These defenses can include security personnel, locked doors, fencing, and cameras. Grant physical access only to those who need it to successfully complete their job functions.

6. Install Independent Cyber-Physical Safety Systems

Think through it all. If you can think of a worst-case scenario for your utility that can be triggered by abuse of the control system, that means an adversary can probably do the same thing. To keep the imagined worst-case scenario at bay, WaterISAC encourages systems to protect their assets from cyber-physical threats. Take preventative steps from these blended attacks by installing non-digital engineering solutions to block or reduce consequences.

7. Embrace Vulnerability Management

It is never too late to address your flaws. WaterISAC advises catching flaws or vulnerabilities before they are exploited by others. This type of management is an ongoing effort to identify vulnerabilities and address them as appropriate with patches and other mitigations. Vulnerabilities never sleep and take many forms.

8. Create a Cybersecurity Culture

Don't have the weakest link. Every employee is responsible for the effectiveness of their utility's cybersecurity. Leadership needs to take charge to ensure all employees are aware, being supported, and are provided with ongoing training. A weak link when it comes to awareness can let threats go unnoticed and even unintentionally open the door to insider threats.

9. Develop and Enforce Cybersecurity Policies and Procedures

Know the rules, understand the rules, and follow the rules. Water systems should keep their cybersecurity policies and procedures clear, actionable, and updated. Known as "governance," policies and procedures evolve and conform to changing utility security needs. Once adopted, policies and procedures should be communicated, distributed, and understood by all staff.

10. Implement Threat Detection and Monitoring

This is a good time to look for red flags. You know your systems — their patterns, design, and normal activity. Threat detection and monitoring requires logging and having systems watch for malicious patterns or abnormal behavior that may indicate an active threat. Understand your baseline and ensure continuous logging.

11. Plan for Incidents, Emergencies, and Disasters

This isn't a drill. With the sector currently on high alert, utilities need to ensure there are plans in place for any incidents or emergencies that come your way. Keep continuity and resilience in mind when planning your cyber incident response or disaster recovery plans. Most effective plans are not done in a silo, they are done in collaboration with other members or departments to ensure a cohesive, unified response. Be sure to include a manual operations plan to maintain water and wastewater service if a control system fails for any reason.

12. Tackle Insider Threats

We can't all be perfect. Malicious or not, insider threats come down to the people. Insider threats can be the most innocent and unintentional action of a staff member, which adds to the importance of clear policies, procedures, and adoption of a cybersecurity culture. For those insider threats that come from a place of malice, staff should be aware of behavioral changes and have a safe place to share those observations and concerns.

13. Secure the Supply Chain

Keep it real and know your partners. Maintaining system operations requires consultants, vendors, contractors, suppliers, and others who you will need to lean on and trust. Remember attackers are aware that smaller businesses may not be as secure and may use a supply chain vulnerability as an entry point. It is important to include the people and items of your supply chain in your ongoing risk assessments and vulnerability testing.

14. Address All Smart Devices

Just assume your cellphone is listening. We all know that a moment away from our cellphone or tablet can feel like a lifetime. However, these devices that we all view as our safety nets present security challenges and risks. Devices that are connected to your network can act as a gateway for the exploitation of your industrial control systems. Don't forget that smart devices should be included in all training, asset inventory, vulnerability assessments, etc.

15. Participate in Information Sharing and Collaboration Communities

Learn to play in the sandbox together. We all have been taught sharing is caring. We cannot stress enough the importance of information sharing and collaboration — the good, the bad, and the ugly. We can all learn from each other and the more that is shared, the more the sector benefits. As we said in the beginning, size doesn't matter; we are all fighting the same cyber threats and we all provide a daily necessity. Sharing will make us stronger.

Contest aims to engage with the decentralized community and build excitement for the 10th anniversary of SepticSmart Week

Aug 2, 2022

WASHINGTON, D.C. — The U.S. EPA's Decentralized Wastewater Program has announced the launch of its first-ever photo challenge. As a lead-in to SepticSmart Week, the photo challenge aims to engage with the decentralized community and build excitement for the 10th anniversary of SepticSmart Week.

Submissions should be informative, educational, and creative depictions of septic systems. Some examples could be a photo of a water body that is protected from household sewage overflows, a drawing of a septic system, an illustration of Septic Sam, or a comic depicting steps to protect a household septic system.

The top three images will be featured on EPA's septic website and shared on EPA's Office of Water Twitter and/or Facebook pages.

Photos can be submitted to the Decentralized Wastewater Program (decentralized@epa.gov) from August 1 to September 16, 2022. The full announcement and guidelines can be found on EPA's septic website: https://www.epa.gov/septic/2022-septicsmart-photo-challenge.

• Skaneateles, Village of

BECOME A MEMBER OF THE NEW YORK RURAL WATER ASSOCIATION, INC.

Member Benefits

Membership Application