Objectives

To determine if the Department of Health (Department) is providing sufficient guidance and oversight to ensure that water system operators have completed and submitted updated emergency response plans timely, including vulnerability assessments, to the Department as required. An additional objective was to determine whether the Department and the Division of Homeland Security and Emergency Services (DHSES) are effectively collaborating to share relevant information regarding the vulnerability assessments and to ensure that any recommended follow-up actions occur. The audit covered the period January 2017 to January 2023 for the Department and April 2019 to November 2022 for DHSES.

About the Program

The Department is responsible for overseeing the delivery of drinking water to ensure that it is suitable for people to drink. Its Bureau of Water Supply Protection (Bureau) is responsible for providing regulatory oversight of the operation, design, and quality of public drinking water supplies. The Bureau also assists with water system security, emergency preparedness and response, and the protection of critical drinking water system infrastructure. Department officials explained that, although they cannot ensure water resources are protected from threats – and that not all threats can be mitigated – they work with water systems, through a multitude of programs, to identify potential threats to their water resources. Nearly 95% of all New Yorkers receive water from public water supply systems in New York State.

State Public Health Law §1125 (Law) requires community water systems that supply drinking water to more than 3,300 people (Water Systems) to prepare and submit a Water Supply Emergency Plan (Plan) to the Department for review at least once every 5 years. Plans must include both an Emergency Response Plan (ERP) and a Vulnerability Assessment (VA). In the VA, Water Systems identify any vulnerabilities that could be caused by non-intentional events, such as floods and power outages, as well as vulnerabilities to intentional events, such as vandalism and terrorism, along with an anticipated corrective action in place for any identified vulnerabilities. According to Department officials, the ERP is one of many tools that may be useful in responding to emergencies. The first ERPs were to be submitted to the Department by December 31, 1990. Prior to submission of its Plan, each Water System is required under the Law to publish a notice in the area it serves, stating that the proposed Plan is available for review and comment by the public. Information that a Water System determines could pose a security risk to its operation if publicly disclosed, such as the content of the VA, is exempt from this requirement.

DHSES’ Critical Infrastructure Protection Unit (Unit) works with government agencies and private entities to conduct assessments of the vulnerability of critical infrastructure to terrorist attack and other natural and man-made disasters and to develop strategies that may be used to protect the infrastructure from these threats. According to its website, the Unit defines critical infrastructure as physical and information technology systems vital to communities and whose incapacity or destruction would have a debilitating impact on physical or economic security, public health, or safety. Water and wastewater systems are among the 16 identified critical infrastructure sectors.

Subsequent amendments to the Law added a requirement that Water Systems include a Cybersecurity Vulnerability Assessment (CVA), identifying vulnerabilities to terrorist attack and cyberattack, in their VA, to be submitted to the Department by January 1, 2018. Pursuant to a 2016 Executive Law amendment, the Department must make a copy of the VA and CVA sections of each Plan (collectively referred to as an Assessment) available for DHSES’ review. Based on its review, DHSES may issue recommendations or general guidance to Water Systems to enhance protections against terrorist attack and cyberattack.

In recent years, Water Systems have become increasingly vulnerable to attack, including contamination with deadly agents, physical attacks with toxic chemicals, and cyberattacks. Results of such attacks could potentially cause large numbers of illnesses or casualties as well as denial of service, impacting public health and economic vitality. Several states – such as Florida, Nevada, Maine, and California – have been the target of hackers who attempted to gain access to controls over certain water treatment plants and, in some cases, succeeded.

There are nearly 9,000 public water systems in New York State, including more than 2,800 community water systems. As of December 2022, 318 of those systems were required to submit a Plan. (We did not include the New York City Water System in our audit work; the audit focuses on the remaining 317 Water Systems.)

Key Findings

• The Plans for most of the 317 Water Systems that were required to submit them were current and available at the Department. However, there were several instances where it had been more than 10 years since the last ERP or VA submission, and some Water Systems had never submitted a CVA. Further, the Department did little to follow up when Water Systems were late in submitting or didn’t submit the revisions to the Plan that Bureau and/or Local Health Department (LHD) staff requested.
• There has been limited participation by LHD staff in the calls and site visits where DHSES communicates recommendations to Water Systems. Further, there is little collaboration between the Department and DHSES to follow up on risks identified by DHSES’ reviews and the related recommendations communicated to Water Systems. This lack of collaboration represents a gap in Water System oversight.
• The Bureau does not verify whether Water Systems issue the required public notice of Plan availability, which provides a venue for public comment.

Key Recommendations

To the Department:

• Develop and implement a method to monitor the timeliness of Water Systems’ Plan submissions and to follow up on revisions that Bureau and/or LHD staff requested.
• Develop and communicate guidance regarding LHD participation at site visits and calls with Water Systems that incorporates consideration of the nature and extent of the risks identified.
• Take action to determine, on a sample basis, whether Water Systems issue the required public notice of Plan availability for review and comment.

To the Department and DHSES:

• Establish a method to strengthen the follow-up on recommendations that DHSES communicates to Water Systems.