Section 5-E.5 Cybersecurity vulnerability analysis
Effective Date
Section 5-E.5 Cybersecurity vulnerability analysis.
(a) All covered water systems shall conduct a CVA to meet the requirements for an analysis of vulnerability to cyber attack in accordance with subdivision 5-1.33(c) of this Subpart. The covered water system shall incorporate the findings of the CVA into the water system emergency plan submitted to the State in accordance with subdivision 5-1.33(e) of this Subpart.
(b) The CVA shall be approved by an authorized representative of the covered water system. For covered water systems serving a combined wholesale and retail population of greater than 50,000, the CVA shall be approved by the individual responsible for the covered water system’s cybersecurity program.
(c) The CVA shall assess risks of known cybersecurity vulnerabilities to cybersecurity incidents of all information technology, operational technology, and nonpublic information that may impact a covered water system’s ability to comply with the requirements of this Subpart. The assessment shall be based on the likelihood that the vulnerability will be exploited and the consequences to the covered water system’s normal operations that may occur if the vulnerability is exploited.
(d) The CVA shall evaluate the effectiveness of all controls associated with the source or sources of supply, water treatment plants, disinfection stations, pipes and valves, storage tanks, and system operations management to ensure the covered water system can comply with the requirements of this Subpart during a water supply emergency caused by a cybersecurity incident.
(e) Vulnerabilities identified in the CVA that may impact a covered water system’s ability to comply with the requirements of this Subpart, or any situation that may pose a risk to public health, shall be reported to the department within 48 hours of identification in accordance with section 5-1.77 of this Subpart.
(f) The CVA shall be reviewed and updated at least annually to respond to technological developments and evolving threats; such a review shall be performed within 30 days after major water facility infrastructure changes are made operational.
(g) The CVA shall identify the actions needed to mitigate or remediate identified vulnerabilities.
(h) The CVA shall follow a form approved by the department.