Updated: Mar 30, 2020
A document was passed to me from an industry resource regarding state-mandated Cybersecurity program requirements. The document is from 2016 and outlines the move made by the State of New Jersey Board of Public Utilities to mandate Cybersecurity for all utilities, including water and wastewater.

By comparison, the federal side has attempted to make an impact with law as well, driving regulation like that contained in The American Water Infrastructure Act of 2018, or AWIA as it is more commonly referred to. Sections 2013 (a) and (b) define minimum requirements for drinking water utility providers nationwide. Those minimum requirements are (a) Risk and Resilience Assessment and (b) Emergency Response Plan. Both of these need to be completed by hard deadlines, with compliance certified (via honor system) by the EPA, for all but the smallest producers. These are great initial steps from the federal side, but they fall short of providing significant actionable information to considerably move the Cybersecurity posture of these industries in line with their utility peers. Add to this that wastewater is not included in the AWIA requirements, other than the gap analysis tools having a wastewater track for selection to accommodate voluntary use.

That, at least from my perspective, seems to make the New Jersey move all the more significant and positively noteworthy in the way they chose to include water and wastewater equally in the mandate. Good stuff! Curious if anyone has seen something similar in another state that would be worth sharing.