SENATE COMMITTEE SUBSTITUTE FOR

SENATE, No. 647

STATE OF NEW JERSEY

219th LEGISLATURE

  ADOPTED JANUARY 27, 2020

Sponsored by:

Senator  LINDA R. GREENSTEIN

District 14 (Mercer and Middlesex)

Senator  TROY SINGLETON

District 7 (Burlington)

SYNOPSIS

     Revises cybersecurity, asset management, and related reporting requirements in “Water Quality Accountability Act.”

 

CURRENT VERSION OF TEXT

     Substitute as adopted by the Senate Community and Urban Affairs Committee.

 


An Act concerning cybersecurity and asset management at public water systems and amending and supplementing P.L.2017, c.133.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    Section 2 of P.L.2017, c.133 (C.58:31-2) is amended to read as follows:

     2.    As used in this act:

     "Board" means the Board of Public Utilities.

     “Cybersecurity incident” means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information residing thereon.

     "Department" means the Department of Environmental Protection.

     “Industrial control system” means an information system used to control industrial processes such as manufacturing, product handling, production, or distribution.  “Industrial control system” includes supervisory control and data acquisition systems used to control geographically dispersed assets, and distributed control systems and smaller control systems using programmable logic controllers to control localized processes.

     “Information resource” means information and related resources, such as personnel, equipment, funds, and information technology.

     “Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

     "Public water system" means the same as the term is defined in section 3 of P.L.1977, c.224 (C.58:12A-3).

     "Water purveyor" means any person that owns a public water system with more than 500 service connections.

(cf:  P.L.2017, c.133, s.2)

 

     2.   Section 4 of P.L.2017, c.133 (C.58:31-4) is amended to read as follows:

     4.  a.  Within 120 days after the effective date of [this act] P.L.2017, c.133 (C.58:31-1 et seq.), each water purveyor shall develop a cybersecurity program, in accordance with requirements established by the board, as rules and regulations adopted pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), that defines and implements organization accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to its public water system. As part of the program, a water purveyor shall conduct risk assessments and implement appropriate controls to mitigate identified risks to the public water system, maintain situational awareness of cyber threats and vulnerabilities to the public water system, and create and exercise incident response and recovery plans.  No later than 120 days after the effective date of P.L.    , c.   (C.        ) (pending before the Legislature as this bill), a water purveyor shall update its cybersecurity program to conform to the requirements of section 3 of P.L.    , c.   (C.        ) (pending before the Legislature as this bill).

     A copy of the program developed pursuant to this subsection shall be provided to the New Jersey Cybersecurity and Communications Integration Cell, established pursuant to Executive Order No. 178 (2015) in the New Jersey Office of Homeland Security and Preparedness.

     b.   Within 60 days after developing the program required pursuant to subsection a. of this section, each water purveyor shall join the New Jersey Cybersecurity and Communications Integration Cell, established pursuant to Executive Order No. 178 (2015), and create a cybersecurity incident reporting process.

     [c. A water purveyor that does not have an internet-connected control system shall be exempt from the requirements of this section.] (Deleted by amendment, P.L.    , c.    ) (pending before the Legislature as this bill)

(cf:  P.L.2017, c.133, s.4)

 

     3.   (New section)  a.  In addition to the requirements of section 4 of P.L.2017, c.133 (C.58:31-4), and the requirements established by the board pursuant thereto, no later than 120 days after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), each water purveyor shall update its cybersecurity program developed pursuant to section 4 of P.L.2017, c.133 (C.58:31-4) to apply to all of the public water system’s industrial control systems, and to reasonably conform to the most recent version of one or more of the following industry-recognized cybersecurity frameworks:

     (1) the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology;

     (2) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or

     (3) the International Organization for Standardization and International Electrotechnical Commission 27000 family of standards for an information security management system.

     b.   Whenever a final revision to one or more of the frameworks listed in subsection a. of this section is published, a water purveyor whose cybersecurity program reasonably conformed to that framework shall revise its cybersecurity program to reasonably conform to the revised framework, no later than 120 days after publication of the revised framework.

     c.   No later than one year after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), and each year thereafter, each water purveyor shall submit to the department and to the New Jersey Cybersecurity and Communications Integration Cell, established pursuant to Executive Order No. 178 (2015), a certification demonstrating that the water purveyor is in compliance with the requirements of this section.  The certification shall be made in the form and manner as determined by the department, in consultation with the New Jersey Cybersecurity and Communications Integration Cell.  

     d.   A water purveyor shall, upon the request of the department or the New Jersey Cybersecurity and Communications Integration Cell, provide proof of compliance with the requirements of this section, in a form and manner as determined by the department or by the New Jersey Cybersecurity and Communications Integration Cell. 

     e.   The board shall update any requirements it has established for cybersecurity programs pursuant to subsection a. of section 4 of P.L.2017, c.133 (C.58:31-4) to conform to the requirements of this section.

 

     4.   (New section)  Beginning 90 days after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), each water purveyor shall immediately report to the New Jersey Cybersecurity and Communications Integration Cell, and in accordance with all applicable laws, rules and regulations:

     a.   any cybersecurity incident that results in the compromise of the confidentiality, integrity, availability, or privacy of the water purveyor’s utility billing, communications, data management, or business information systems, or the information thereon; and

     b.   any cybersecurity incident against the water purveyor’s industrial control system, including monitoring, operations, and centralized control systems, that adversely impacts, disables, or manipulates infrastructure, resulting in loss of service, contamination of finished water, or damage to infrastructure.

 

     5.   Section 6 of P.L.2017, c.133 (C.58:31-6) is amended to read as follows:

     6.   In addition to any other certifications required pursuant to law, rule, or regulation, the responsible corporate officer of the public water system, if privately held, executive director, if an authority, or mayor or chief executive officer of the municipality, if municipally owned, as applicable, shall be required to certify in writing each year to the [Department of Environmental Protection] department and, if applicable, the Board of Public Utilities that the water purveyor complies with: all federal and State drinking water regulations, including water quality sampling, testing, and reporting requirements; the hydrant and valve requirements set forth in section 3 of [this act] P.L.2017, c.133 (C.58:31-3); the notice of violation mitigation plan requirements set forth in section 5 of [this act] P.L.2017, c.133 (C.58:31-5), if applicable; and the infrastructure improvement investment required pursuant to section 7 of [this act] P.L.2017, c.133 (C.58:31-7).  A water purveyor shall post the annual certification required pursuant to this section on its Internet website, if applicable.

(cf:  P.L.2017, c.133, s.6)

 

     6.   Section 7 of P.L.2017, c.133 (C.58:31-7) is amended to read as follows:

     7.    a.  Beginning no later than 18 months after the effective date of [this act] P.L.2017, c.133 (C.58:31-1 et seq.), every water purveyor shall implement an asset management plan designed to inspect, maintain, repair, and renew its infrastructure consistent with standards established by the American Water Works Association.  The asset management plan shall include:

     (1)   a water main renewal program designed to achieve a 150-year replacement cycle, or other [appropriate] shorter replacement cycle as determined by a detailed engineering analysis of the asset condition and estimated service lives of the water mains serving the public water system, or by the department;

     (2)   a water supply and treatment program designed to inspect, maintain, repair, renew, and upgrade wells, intakes, pumps, and treatment facilities in accordance with all federal and State regulations, standards established by the American Water Works Association, and any mitigation plan required pursuant to section 5 of [this act] P.L.2017, c.133 (C.58:31-5); and

     (3)   any other programs, plans, or provisions as may be required by the department pursuant to rules and regulations adopted pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.).

     Each water purveyor shall dedicate funds on an annual basis to address and remediate the highest priority projects as determined by its asset management plan.  

     All asset management plans and system condition reports shall be certified to by the licensed operator or professional engineer of the public water system and the responsible corporate officer of the public water system, if privately held, executive director, if an authority, or mayor or chief executive officer of the municipality, if municipally owned, as applicable.  The replacement cycle shall be determined by dividing the miles of water main located in the public water system by 150 or other appropriate demonstration set forth in the certified asset management plan prepared pursuant to this section.

     b.    [At least once every three years] No later than one year after the effective date of P.L.     , c.     (C.        ) (pending before the Legislature as this bill), and every three years thereafter, each water purveyor shall provide to the department and the board, if applicable, a report based on its asset management plan prepared pursuant to subsection a. of this section identifying [the infrastructure improvements to be undertaken in the coming year and the cost of those improvements, as well as identifying the infrastructure improvements completed in the past year and the cost of those improvements] : (1) the infrastructure improvements completed in the past three years and the cost of those improvements, including improvements funded by emergency and routine capital spending; (2) the infrastructure improvements planned to be undertaken in the next three years and the estimated cost of those improvements; and (3) the infrastructure improvements that will be required over the next 10 years and the estimated cost of those improvements.  A municipal water department or municipal water authority shall also submit the report required pursuant to this subsection to the Division of Local Government Services in the Department of Community Affairs.  A water purveyor shall, upon request, provide a copy of its asset management plan to the department, the board, or the Division of Local Government Services in the Department of Community Affairs.

     c.     The department, the board, and the Department of Community Affairs shall create a centralized portal allowing for electronic submittal of the report required pursuant to subsection b. of this section.  The lack of a centralized portal pursuant to this subsection shall not negate the requirement for a water purveyor to submit a report pursuant to subsection b. of this section.

(cf: P.L.2017, c.133, s.7)

 

     7.    (New section) a.  In addition to the requirements of section 7 of P.L.2017, c.133 (C.58:31-7), no later than 18 months after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), each water purveyor shall revise its asset management plan developed pursuant to section 7 of P.L.2017, c.133 (C.58:31-7) to include:

     (1)   a comprehensive inventory, mapping, and condition assessment of the public water system’s assets, including its pipes, lead service lines, valves, tanks, pumps, wells, treatment facilities, hydrants, and other components, and an assessment of the remaining useful life of each identified asset;

     (2) level of service goals for the public water system, which may include, but need not be limited to, goals related to customer service and accountability, energy and water efficiency and conservation, water main breaks and service interruptions, and social and environmental considerations;

     (3) a priority order in which the public water system’s assets, identified in the comprehensive inventory prepared pursuant to paragraph (1) of this subsection, will be repaired or replaced as part of the water purveyor’s asset management plan, based on each asset’s importance to the proper function of the public water system, or business risk exposure;

     (4) the life cycle costs of the public water system’s assets, including a schedule for the maintenance, repair, or replacement of the assets, and for capital improvements to the public water system, informed by the priority order developed pursuant to paragraph (3) of this subsection; and

     (5) a long-term funding strategy to implement the water purveyor’s asset management plan, including funding sources and estimated annual expenditures to address prioritized repairs, upgrades, and treatment.

     b.    The department shall, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), adopt rules and regulations to implement the requirements of this section.

 

     8.    (New section)  Any person who violates the provisions of P.L.2017, c.133 (C.58:31-1 et seq.), or any rule or regulation adopted pursuant thereto, shall be subject to the penalties and other remedies set forth in section 10 of P.L.1977, c.224 (C.58:12A-10).  No later than 180 days after the effective date of P.L.    , c.   (C.        ) (pending before the Legislature as this bill), the department shall adopt, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), a schedule of civil administrative penalties to be applied pursuant to this section for specific violations of P.L.2017, c.133 (C.58:31-1 et seq.).

 

     9.    (New section)  No later than one year after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), and annually thereafter, the department shall develop and publish on its Internet website a report card for each water purveyor in the State, indicating the water purveyor’s compliance with federal and State drinking water quality standards, its compliance with the requirements of P.L.2017, c.133 (C.58:31-1 et seq.), and any other factors the department deems appropriate.  The report card shall be designed to inform the public about the overall condition of a public water system, and the quality of water coming from the public water system.

 

     10.  (New section)  No later than 18 months after the effective date of P.L.     , c.     (C.         ) (pending before the Legislature as this bill), and every three years thereafter, the department shall prepare and submit a report to the Governor and, pursuant to section 2 of P.L.1991, c.164 (C.52:14-19.1), the Legislature assessing:

     a.     the data submitted by public water systems pursuant to subsections b. and c. of section 7 of P.L.2017, c.133 (C.58:31-7).  The assessment shall include, but need not be limited to, an analysis of the total estimated cost of infrastructure improvements to public water systems, Statewide, required over the next 10 years; and

     b.    the compliance of public water systems with the requirements of P.L.2017, c.133 (C.58:31-1 et seq.) and the rules and regulations adopted pursuant thereto.

 

     11.  (New section)  The department and the board shall adopt, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), rules and regulations as are necessary to carry out the provisions of P.L.2017, c.133 (C.58:31-1 et seq.).

 

     12.  This act shall take effect immediately.