NPDES Program - Old Dog, New Tricks?

Transcription

NPDES Program – Old (Hound) Dog, New Tricks?
ACWA Annual Meeting
August 2022

Meeting Agenda
Environmental Justice & NPDES Permitting
EPA Q&A session
Cybersecurity
EPA Q&A session
Water Quality Trading/Market Based Approaches
EPA Q&A Session
8/12/2022

EJ & NPDES Permitting

Executive Orders
EO 12898, “Federal Actions to Address Environmental Justice in Minority Populations and Low-Income Populations,”
  o Identify & address adverse human health or environmental effects of their actions on minority and low-income populations, as permitted by law
  o develop a strategy for implementing environmental justice.
EO 13985: “Advancing Racial Equity and Support for Underserved Communities Through the Federal Government”
  o calls on agencies to advance equity through identifying and addressing barriers to equal opportunity that underserved communities may face due to government policies and programs.
EO 14008: “Tackling the Climate Crisis at Home and Abroad”
  o directs federal agencies to develop programs, policies, and activities to address the disproportionate health, environmental, economic, and climate impacts on disadvantaged communities

Investments
Bipartisan Infrastructure Law (BIL), EPA is making investments into communities overburdened by pollution to solve many legacy EJ issues, such as toxic hotspots, access to water infrastructure, and ensuring safe drinking water.
EPA received 100 million in American Rescue Plan funding for EJ issues.
EPA launched a 20 million grant program from our air office to fund air quality monitoring projects in communities across the United States.
EPA is investing 1 billion to initiate cleanup and clear the backlog of 49 previously unfunded Superfund sites and advance progress at dozens of other sites.
BIL provides 50 billion to EPA’s water programs
  o 15 Billion to replace lead pipes
  o 20 billion for safe drinking water infrastructure, upgrading aging systems
  o 12 Billion for clean water infrastructure (wastewater, stormwater, decentralized systems)

EJ in Permitting
EPA Legal Tools to Advance Environmental Justice (EJ Legal Tools)
  o Compilation of legal authorities available to EPA to identify and address impacts of pollution to underserved and overburdened communities.
  o The document does not provide action specific legal advice
  o Addendum with more specific examples. MS4 & PGP.
  o Is intended to foster a dialogue among EPA offices and programs to accelerate EPA efforts to advance environmental justice and equity.
Plan EJ 2014: Legal Tools

EJ in Permitting
EPA EJ and Civil Rights in Permitting FAQs
  o The FAQs focus on the importance of EJ and civil rights in the environmental permitting process
  o Includes discussion of EJ and civil rights authorities and obligations
  o Potential approaches to screening for EJ and civil rights concerns, approaches to EJ and civil rights analysis, possible considerations about the mitigation of adverse and disproportionate impacts, and approaches to community outreach and engagement.

EJ and Permitting Efforts
Lessons Learned
Public Involvement / Communication:
  o Enhanced public participation by developing templates, best practices and checklist for effective public outreach and notifications.
  o Public notification outside of newspapers (aka the internet)
  o Translations of documents into appropriate languages
  o Direct and targeted outreach to community organizations and institutions
  o Seeking ways to improve information flow from the facility, community and permitting authority.
Permit process:
  o Developed permit checklist and process flowcharts
  o Increased training opportunities for EJScreen Technical Assistance Resources

EJ in NPDES Permitting
We want more
Assessments:
  o Use of EJ Screen and other related tools
  o Integrated Planning
  o Permit Quality Reviews
  o Cumulative Impact Analysis Framework as part of a Chelsea, MA permit
Compile EJ efforts in the States
  o Colorado example - Simplified factsheet
Compile Best Management practices to share

Q&A Session
What are some best practices your state is exploring or currently does to engage with disadvantaged communities?
Are there specific assessments and/or tools your permit writers are using to look at impacted communities?
Anything that EPA could do to help integrate EJ in NPDES permits?

Cybersecurity

Actions to Take:
Spearphishing personnel to deliver malicious payloads, including ransomware
  o Personnel & lack of cyber awareness
  o Open malicious attachments/links which bypass filtering controls.
  o Remote desktop protocols, which increased with COVID.
Exploitation of unsupported or outdated operating systems & software.
  o Facilities are inconsistently resourced, which contributes to the use of unsupported or outdated operating systems and software.
Exploitation of control system devices with vulnerable firmware versions.

Cyber intrusions targeting U.S. facilities highlight vulnerabilities with the following threats:
Insider threats from current or former employees who maintain improperly active credentials
Ransomware attacks
Examples:
  o In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based facility. The ransomware variant had been in the system for about a month and was discovered when three SCADA servers displayed a ransomware message.
  o In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based wastewater facility SCADA computer. The treatment system was run manually until the SCADA computer was restored.
  o In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The SCADA system provides visibility and monitoring but is not a full industrial control system.
  o In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
  o In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.

City of Oldsmar Water Supply Attack
Vulnerabilities exploited:
  o Unsecured remote access software (TeamViewer)
  o Poor password security
  o Outdated operating systems (Windows 7)
Lessons learned:
  o Adopted multiple-factor authentication
  o use of strong passwords
  o auditing remote connection activity
  o close unused remote access connection ports
  o establish cyber awareness training for users
  o ensure anti-virus, spam filters, and firewalls are properly configured and up to date

Ransomware
In recent months there have been a significant number of ransomware attacks against the U.S. critical infrastructure, to include targeted attacks against the Water sector.
In response to the pervasive ransomware threat, the White House issued a memo titled "What We Urge You to Do to Protect Against the Threat of Ransomware," which outlines the five best cybersecurity practices to reduce the risk of a successful ransomware attack.
CISA has launched a Stop Ransomware campaign that contains a collection of resources devoted to preventing and responding to ransomware attacks: https://www.cisa.gov/ransomware

Ransomware
EPA issued an alert to the Water sector on July 1st, urging all water and wastewater facilities to adopt these five basic practices:
1. Backup your data, system images, configurations, and regularly test them, and keep the backups offline
2. Update and Patch Systems Promptly
3. Test your incident response plan
4. Check Your Security Team’s Work
5. Segment your network

Mitigation Strategies
Employee Cybersecurity Training program
Keep inventory of control systems and devices
Require strong passwords & password management practices.
Monitor network intrusions & have a plan to respond.

Who are the cyber players?
EPA is the sector-specific Agency lead for protecting critical infrastructure in the water sector.
EPA works with DHS, CISA, FBI, utility and operators, industry reps, to develop cyber protection and resilience strategies.
Sector specific partners: NIST, AWWA, Water Research Foundation, Water Env Research Foundation, state and local agencies
R3 & VA: Evaluation of 24 utilities varying in size & characteristic to understand their cyber practices
CA formed a committee to promote awareness of cyber practices at PWS.
AWWA released the Process Control System Security Guidance for the Water sector.

Federal Assistance
EPA cybersecurity best practices for the water sector, including:
  o The Water Sector Cybersecurity Brief for States, which can assist state technical assistance providers with assessing cybersecurity practices at water systems and developing an improvement plan to reduce cyber risks;
  o The Cybersecurity Incident Action Checklist, which suggests steps for wastewater systems to prepare for, respond to, and recover from a cybersecurity incident; and
  o The Water Utility Tabletop Exercise Toolbox, which helps water systems to plan, conduct and evaluate tabletop exercises for all-hazards scenarios, including cybersecurity incidents.
  o The Supporting Cybersecurity Measures with the Clean Water State Revolving Fund, which provides information on how facilities can access assistance through Clean Water State Revolving Fund (CWSRF) to fund initial water infrastructure projects related to cybersecurity.
The National Institute of Standards and Technology’s cybersecurity framework, which helps organizations to better improve their management of cybersecurity risk.
The Cybersecurity & Infrastructure Security Agency provides a National Cyber Awareness System and a portal to report cyber incidents.
Non-governmental organization cybersecurity resources:
  o The Water Information Sharing and Analysis Center, which has developed 15 Cybersecurity Fundamentals for Water and Wastewater Utilities.
  o The Multi-State Information Sharing and Analysis Center.
  o The American Water Works Association, which has developed a Water Sector Cybersecurity Risk Management Guidance & Cybersecurity Tool.

Free Cybersecurity Assessment and Technical Assistance
EPA is providing free cybersecurity technical assistance to water and wastewater utilities to improve cyber incident preparation, response, and recovery in order to maintain critical operations and meet water quality goals
  o Technical Assistance Provider performs a cyber assessment with utility staff
  o Utilities receive an overview of their vulnerabilities and suggested best practices to remediate or mitigate the risk
  o A customized Cyber Action Plan will be provided to each utility to assist them with implementing recommended best practices
  o Two follow-ups to gauge progress and see if additional assistance is required
  o To date, EPA has provided assistance to over 100 utilities
  o Information remains confidential. Only anonymized, aggregated data is shared with EPA
  o To register your utility: www.horsleywitten.com/cybersecurityutilities

Additional EPA Water Sector Cyber Resources
Cybersecurity Brief for States
  This guide can assist utilities with assessing cybersecurity practices and developing an improvement plan to reduce cyber risks.
Vulnerability Self-Assessment Tool 2.0 (VSAT Web 2.0)
  This online tool leads water and wastewater systems through an all-hazards risk assessment, including risks from cybersecurity incidents, and the assessment of costs and benefits
Water Resilience Tabletop Exercise (TTX) Tool
  This tool provides water and wastewater systems with the resources to plan, conduct and evaluate tabletop exercises for all-hazards scenarios, including cybersecurity incidents.

CISA offers several scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.
Vulnerability Scanning: offers persistent scanning of internet-accessible systems for vulnerabilities, configuration errors, and use of risky services.
Web Application Scanning: Evaluates publicly-accessible websites for potential bugs and weak configurations and provides recommendations for mitigation.
Phishing Campaign Assessment: Measures your organization’s propensity to click on email phishing lures. Results can be used to provide guidance for anti-phishing training and awareness.
Remote Penetration Test: Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally-available applications, and the potential for exploitation of open-source information.
All services are available free-of-charge
Results are kept confidential between the customer and CISA
Email vulnerability info@cisa.dhs.gov with questions or to get started

15 Cybersecurity Fundamentals for Water and Wastewater Utilities
Overview of important security measures
Links to additional information about each measure
Free resource
waterisac.org/fundamentals

How can NPDES Permits Program Help?
What are ways the NPDES permitting program can help if we are not the experts in cybersecurity?
What tools/resources do we need to help make facilities understand the risks and prepare for a potential cyber incident?
Other areas where states think EPA could further assist?

Water Quality Trading
Market Based Approaches

Market-Based Approaches under NPDES Case Studies – thank you for your help Nutrient Compendium Flexibilities Policy Statement Regulation

Reframing the Market-Based Paradigm
Water quality trading has traditionally been discussed in terms of cost effectiveness.
Market-based approaches are not stand-alone tools that can significantly reduce pollutant discharges in isolation, but rather, can be important mechanisms for the feasible implementation of WQBELs based on regulatory drivers such as:
  o numeric criteria in nutrient water quality criteria,
  o translators of narrative criteria,
  o TMDLs that provide action-forcing waste load allocations, and
  o other State performance standards.

Market-Based Flexibilities Policy Statement
September 19, 2019, Federal Register requested comments on 6 potential flexibilities.
Current draft policy statement addresses three flexibilities:
  o Incremental water quality trading baseline for NPS where TMDL
  o Accounting for Credit Generation in Compliance Schedules
  o Incorporating Credit Generation into WQS Variances
Current draft policy statement does not address
  o ‘Immediate credit generation’ trading baseline for NPS
  o In-lieu fee programs
  o Alternative approaches to disaggregation of Load Allocations

Incremental Baseline Approach for NPS
Current EPA guidance is barrier/inconsistent with practice
Approach is optional – States can use existing/other approaches
Timing of meeting the baseline.
Nonpoint sources are to make progress on meeting their load allocation before they can generate credits.
Clarifies that control measures eligible for credit generation are in addition to control measures described in TMDL documents for achieving the load allocation.

Other Flexibilities
Credit Generation in Compliance Schedules: A compliance schedule in an NPDES permit account for the time needed for either a point source seller or a nonpoint source seller to implement controls necessary to generate the pollutant reduction credits.
Incorporating Nonpoint Source Credits in Water Quality Standards Variances: May states consider whether it is appropriate for the permittee(s) subject to a WQS variance to use a market-based approach, including water quality trading between point sources or between a point source and nonpoint source, to support achieving the WQBEL in its NPDES permit based on the WQS variance?

Rulemaking Background
Stakeholders have expressed interest in having more explicit regulatory authority for trading
April 5, 2022 Fox Nutrients memo provides:
  o Initiating a rulemaking to explicitly state that NPDES permits may include conditions allowing market-based approaches, including trading, to meet applicable effluent limits.

Objectives of Rulemaking
To provide simple, clear regulatory language that clarifies that market-based approaches can be used under the NPDES program to comply with effluent limitations.
Secondary objective: The rulemaking is an opportunity to clarify the legal basis under the CWA for market-based approaches.
Goal: Keep regulation as simple as possible

Draft Regulation – what will it say?
Market-based approaches, including trading and offsets, may be used to meet applicable effluent limitations in NPDES permits
Market-based approaches cannot be used to meet technology-based requirements with a few exceptions.
Market-based approaches can’t result in localized exceedances of water quality standards

Q&A Session
Are there states that have avoided using market-based approaches due to risk of litigation?
Are there states that currently do not have market-based approaches considering developing them as a viable option for their programs?
Are there any states interested in piloting a program if EPA contractor dollars were available to assist with a case study?
What can we do to support States with active trading/market-based approaches?

Thank you.
