There are two new regulatory requirements regarding cyber security that apply to public utilities.
1) The TN legislature passed a bill during the 2021-2022 session that requires water and wastewater utilities to develop a cyber security plan which is to be assessed and updated at least every two years.
- C.A. 7-51-2202 (a) By July 1, 2023, or within one (1) year after a utility is formed, whichever is later, a utility shall prepare and implement a cyber security plan to provide for the protection of the utility’s facilities from unauthorized use, alteration, ransom, or destruction of electronic data.
The TN Comptrollers Office is tasked with oversight and verification of the requirements. During the annual financial audit of your utility, the auditor will be required to verify that the plan has been completed and report it as part of the audit. To date, the Comptrollers office has not prescribed any specific framework or guidance for utilities to utilize in the development of a cyber security plan.
2) The Environmental Protection Agency has determined that during a sanitary survey, states (TDEC) must ..”review cybersecurity practices and controls needed to maintain the integrity and continued functioning of operational technology…..that could impact the supply or safety of the water provided to customers. “
- If the PWS uses an Industrial Control System or other Operational Technology as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.
- If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address the significant deficiency.
EPA has developed guidance documents and resources in conjunction with other agencies to assist utilities in assessing cyber vulnerabilities, building resilience and development of cyber response plans. Utilization of the EPA resources documents and services would assist utilities in complying with both the State and Federal expectations for such plans.
Resources
Environmental Protection Agency (EPA) links to resources for guidance documents, free technical assistance and financial resources to assist in cyber assessments, building resilience.
EPA Cybersecurity for the Water Sector | US EPA
Cybersecurity & Infrastructure Security Agency (CISA) links for resources and free vulnerability scanning services Cyber Resource Hub | CISA
CISA Free Cyber scanning service https://www.cisa.gov/cyber-hygiene-services
Download Tennessee Cyber Security Requirements and Resources
