-- Report. (1) As used in this section: (a) "Authorized employee" means an employee of a community water system authorized to access: (i) an operational technology; (ii) a control system; or (iii) a secure area. (b) (i) "Control system" means a physical or electronic system that implements a procedure or process for water treatment or water delivery at a community water system. (ii) "Control system" includes: (A) a computer system that monitors or controls water treatment or water delivery equipment in real time, including a supervisory control and data acquisition system; (B) a computer device that performs calculations or processes data related to water treatment or water delivery; and (C) a network device or server that allows an authorized employee to remotely access a computer system or computer device that monitors or controls water treatment or water delivery. (c) "Emergency response plan" means the plan described in Subsection (2) and 42 U.S.C. Sec. 300i-2(b). (d) "Operational technology" means a hardware, software, or firmware component of a control system. (e) "Secure area" means an area in a community water system that is not normally accessible by the public. (f) (i) "Security breach" means an incident that threatens the security of a community water system with the potential to impact the quality or quantity of delivered water. (ii) "Security breach" includes: (A) a breach of an operational technology or control system; or (B) an unauthorized attempt to delete, disable, destroy, or override data, an application, a device, or a computer network. (2) (a) By no later than December 31, 2026, and July 1 annually thereafter, a supplier of a community water system serving a population of 3,300 or greater shall complete an emergency response plan. (b) By no later than July 1, 2027, and annually thereafter, a supplier of a community water system serving a population less than 3,300 shall complete an emergency response plan. (c) A supplier of a community water system shall report to the division on or before July 1 of each year whether the supplier has completed an emergency response plan described in this Subsection (2). (d) An emergency response plan shall include a requirement to: (i) support and regularly update software used in a control system; (ii) deploy and maintain network protection for a control system, as needed; (iii) adopt best practices for secure authentication; (iv) provide annual cybersecurity training to an employee who has regular access to an operational technology or control system; (v) complete an internal assessment of the community water system's security vulnerabilities and implement corrective controls to address a security vulnerability; (vi) promptly remove access to all operational technology and control systems from an employee whose employment is terminated; (vii) prohibit an unauthorized copying of software and data; (viii) ensure that an automated operational technology or control system can be operated manually, as needed; (ix) report a security breach in accordance with Subsection (3); (x) adopt other security and records management requirements in conformity with state and federal requirements; and (xi) comply with a security directive by the director. (e) A supplier of a community water system shall make available for review to the director or the director's authorized representative, upon request: (i) the supplier's emergency response plan; (ii) an incident report; and (iii) any information related to an emergency response plan as requested by the director. (f) For resources not related to water treatment and delivery owned or managed by a supplier of a community water system, the supplier may: (i) create an alternative emergency response plan from the emergency response plan described in this Subsection (2); or (ii) incorporate the emergency response plan developed under this Subsection (2), or any part thereof, into the emergency response plan for the resource not related to water treatment and delivery. (3) (a) A supplier of a community water system shall report a security breach no later than two hours after the supplier discovers the security breach to the Utah Cyber Center created in Section 63A-16-1102. (b) The Utah Cyber Center shall notify the division of a reported security breach described in Subsection (3)(a) as soon as possible, but not later than one day after receiving the report from the supplier. (4) (a) By no later than October 31 of each year, the division shall submit a report on security at community water systems in the state to: (i) the Natural Resources, Agriculture, and Environment Interim Committee; and (ii) the Public Utilities, Energy, and Technology Interim Committee. (b) The report described in this Subsection (4) shall include: (i) information collected by the division regarding security incidents and emergency response plans at community water systems in the state; and (ii) recommendations from the division, if any, for legislative action and funding to improve physical and electronic security at community water systems. (5) The director shall provide information and technical resources to a community water system completing an emergency response plan described in Subsection (2).
‹ Prev All Utah sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.