Cybersecurity and the New Jersey Water Quality Accountability Act

by Andrew Hildick-Smith, WaterISAC Advisor

In 2016, the New Jersey Board of Public Utilities (BPU) established Cyber Security Program requirements for the industrial control systems and the personally identifiable information systems of the electric, natural gas and water/wastewater utilities that it regulates. It laid out minimum requirements in the areas of Risk Management, Situational Awareness, Incident Reporting, Response and Recovery, and Security Awareness and Training, by identifying what was required to be done, but not the details of how to do it. BPU engaged the services of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) to collect sensitive utility information in order to provide appropriate protection. 

In 2017, the State of New Jersey enacted the Water Quality Accountability Act (WQAA), that extended the same BPU cybersecurity requirements to all water utilities that had both an internet-connected control system and more than 500 service connections. Despite NJCCIC advice to the contrary, some utilities did not comply with the Act if their control system “only” connected to their enterprise network. In November of 2021, the WQAA was updated to cover all public community water systems with more than 500 connections, to have the cybersecurity program requirements set by the NJCCIC, to require cybersecurity insurance, and to have reasonable conformance with either the NIST Cybersecurity Framework (CSF), the Center for Internet Security Critical Security (CIS) Controls, or the ISO/IEC 27000 family of information security standards. For more, check out Government Technology.