(TRENTON) - An Assembly panel on Thursday approved legislation sponsored by Assembly Democrats Timothy Eustace, Robert Karabinchak, John McKeon, Valerie Vainieri Huttle and Daniel Benson to establish a proactive cybersecurity policy for all water purveyors in order to enhance the reliability and safety of the state's drinking water systems.
In March 2016, the BPU adopted cybersecurity requirements applicable to the electric, natural gas, water, and wastewater utilities that it regulates. This bill would apply those requirements to all water purveyors.
"We have seen many cybersecurity threats in recent years," said Eustace (D-Bergen, Passaic). "Whether it is attacking our personal information online or threatening critical resources, the state must take steps to protect residents from cybersecurity breaches. This legislation would codify present cybersecurity requirements established by the BPU and strengthen protections of our water resources by extending these requirements to all water suppliers. "
The bill would establish specific standards for testing of fire hydrants. It would also establish policy concerning certain testing, reporting, management, and infrastructure investment requirements for water purveyors.
"Cybersecurity threats to our water are a public safety and health risk," said Karabinchak (D-Middlesex). "Codifying and extending current regulations to all water purveyors will help to ensure preparedness in light of cybersecurity concerns."
Under the bill, within 120 days after enactment into law, each water purveyor would be required to develop a cybersecurity program, in accordance with requirements established by the BPU, which defines and implements organization accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to the public water system.
"Cybersecurity threats are a challenge to the safety of our water systems," said McKeon (D-Essex, Morris). "This bill encourages greater vigilance for potential threats against our water systems."
"Any danger to critical services is a threat to healthy and economically viable communities," said Vainieri Huttle (D-Bergen). "This legislation is a protective measure that can help reduce risks to critical infrastructure, and address the potential of cybersecurity threats before any harmful incident occurs."
"As upgrades are made to our water infrastructure, new technology will replace old systems and cybersecurity measures will become critical to protecting our water systems," said Benson (D-Mercer, Middlesex). "Our residents depend on the reliable functioning of water utilities every day. This is good, proactive legislation that would establish the state's policy on required cybersecurity measures for all water providers."
As part of the program, a water purveyor would be required to conduct risk assessments and implement appropriate controls to mitigate identified risks to the public water system, maintain situational awareness of cyber threats and vulnerabilities to the public water system, and create and exercise incident response and recovery plans.
In addition, within 60 days after developing the required program, each water purveyor would be required to join the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), established an Executive Order and create a cybersecurity.
The bill would also require, no later than one year after enactment, every water purveyor to implement an asset management plan designed to inspect, maintain, repair, and renew its infrastructure consistent with industry standard best practices, such as those used by the BPU and recommend by the American Water Works Association.
The legislation was advanced by the Assembly Appropriations Committee.