New York Codes, Rules and Regulations


Section 5-E.6 Cybersecurity program requirements

Effective Date


Section 5-E.6 Cybersecurity program requirements.

(a) Each covered water system shall establish a cybersecurity program based on the findings of the covered water system’s CVA. 

(b) For covered water systems that serve a combined wholesale and retail population of greater than 50,000, the individual responsible for the covered water system’s cybersecurity program, designated in accordance with section 5-E.4(a) of this Appendix, shall submit, as part of the water system emergency plan submission to the department required by 5-1.33(e) of this Subpart, a certification that the covered water system’s cybersecurity program complies with the requirements of subdivision (c) of this section. The certification shall follow a form approved by the department.

(c) The cybersecurity program shall be designed to perform the following functions:

(1) Fulfill applicable statutory and regulatory reporting obligations. 

(2) Address identity and access management protocols:

(i) Multi-factor authentication shall be required for any individual accessing the covered water system’s operational technology from an external network, unless the covered water system’s authorized representative, or the individual responsible for the covered water system’s cybersecurity program designated in accordance with section 5-E.4 of this Appendix, has approved in writing the use of compensating controls.

(ii) Each covered water system shall limit user access privileges for operational technology and nonpublic information to those necessary to perform each user’s assigned tasks.

(iii) Each covered water system shall separate user accounts authorized to access operational technology from user accounts authorized to access information technology.

(iv) Each authorized user shall have unique credentials for accessing operational technology covered by this Appendix whenever unique user credentials can be supported by the operational technology. Operational technology that cannot support unique user credentials shall have compensating controls implemented. For covered water systems that serve a combined wholesale and retail population greater than 50,000, such compensating controls shall be documented in writing by the individual responsible for the covered water system’s cybersecurity program designated in accordance with section 5-E.4(a) of this Appendix.

(v) Each covered water system shall at least annually review all user access privileges and remove or disable accounts and access that are no longer necessary to perform the user’s job. Each covered water system shall immediately terminate access to user accounts following the user’s departure from the covered water system or following a change in the user’s role at the covered water system such that access is no longer required to perform the user’s job.  Where group-based or shared credentials have been implemented instead of unique credentials for each user, the group-based or shared credentials shall immediately be changed, or compensating controls shall be implemented to prevent unauthorized access to operational technology.

(vi) Each covered water system shall disable all remote access to operational technology that is not necessary to monitor or operate the system.

(vii) Each covered water system shall limit the functionality of all remote access to operational technology to only those functions necessary to monitor or operate the system.

(viii) Each covered water system shall securely configure all protocols that permit remote access to operational technology or nonpublic information.

(ix) Each covered water system shall disallow default passwords in all operational technology. Operational technology with default passwords that are technologically incapable of being changed shall have compensating controls implemented.

(3) Maintain a cyber asset inventory.

(4) Use defensive architecture, controls, compensating controls, and policies and procedures to protect operational technology and nonpublic information from unauthorized disclosure, alteration, or destruction.

(5) Identify and assess operational technology and nonpublic information for internal and external cybersecurity risks that may threaten the covered water system’s ability to comply with the requirements of this Subpart.

(6) Each covered water system that serves a combined wholesale and retail population of greater than 50,000 shall monitor and log the covered water system’s network activity, and be prepared to produce such logs in the event of a cyber incident for investigative purposes. The requirements of this paragraph shall not apply if the covered water system, for the purpose of alarms, notifications, or communications, utilizes devices that only allow, and are only capable of allowing, data to travel unidirectionally from operational technology to either information technology or external networks.

(7) Respond to cybersecurity incidents to mitigate the impacts on the normal operations of the covered water system. The response shall also address any impacts that could affect the ability of the covered water system to comply with the requirements of this Subpart. Additionally, the response shall aim to limit any physical or structural damage to the covered water system or any of its components.

(8) Recover from cybersecurity incidents and restore normal operations and services.