New Jersey Tightens Cybersecurity Rules For Water Systems

The recently passed legislation reinforces cybersecurity and reporting measures and requires water purveyors in the state to develop cybersecurity programs, policies, processes and procedures.

A recently enacted law in New Jersey promises to strengthen the cybersecurity and reporting measures that surround the state’s public community water systems.

The legislation, titled the “Water Quality Accountability Act,” would require water purveyors to develop a cybersecurity program that defines and implements organization accountabilities and responsibilities for cyber risk management activities.

They would also be required to establish policies, plans, processes and procedures to identify and mitigate cyber risks to public community water systems.

“The bill had broad support with all colleagues to move it forward,” Sen. Troy Singleton said. “We saw how important the state’s drinking water system is beyond making sure our water is clean but also that threats are mitigated.”

In September 2020, the Jersey City Municipal Utilities Authority (MUA) faced a cyber attack which, according to authority documents, blocked access to “vital” water and sewer information, causing a “public health crisis.”

To rectify the issue, the MUA spent nearly half a million dollars to restore the agency’s computer systems; however, they were still not operational three months after the attack.

One of the common security challenges regarding public community water systems is a lack of resources, said Michael Geraghty, the state’s chief information security officer.

“Like many municipalities and schools, public community water systems may not have the resources necessary to deal with emerging cyber threats and advanced adversaries,” Geraghty said via email. “And like many public- and private-sector organizations, public community water systems have implemented technologies to achieve efficiencies in carrying out their business goals and objectives, while not fully understanding the security risks of implementing those technologies.”

To address this, Geraghty pointed to risk assessments as a way to understand the gaps that exist in systems.

“One aspect of the updated law that I really like is the fact that a public community water system’s cybersecurity program must conform to an industry-standard security framework like the NIST [Cybersecurity Framework] or the CIS Critical Security Controls,” he added. “Let’s start by assessing against those standards and then working with the public community water systems to address the most critical risks first, iterating through the rest over time.”
