massdep / drinking water program


MassDEP / Drinking Water Program One Winter Street – 5th Floor; Boston, MA 02108 [email protected] or 617-292-5770

In The Main - The Drinking Water Updates can be found online at: mass.gov/lists/communication-to-public-water-suppliers or at the Statehouse Archives at: https://archives.lib.state.ma.us/handle/2452/826119, which has a searchable database.


This In The Main newsletter has these topics of interest: 2021-07-01

1. PFAS Updates
• PFAS Sampling
• PFAS Loans
• CDC PFAS Progress Newsletter

2. MA State Revolving Fund 2022 Solicitation

3. Water Sector Chemical Supply Chain Shortages

4. Cybersecurity Updates
• From the White House – Protect against the Threat of Ransomware
• Protecting Yourself from Spoofing and Phishing Scams
• Cybersecurity Awareness/Hygiene
• VMware and Google Released Security Updates
• Now’s a Good Time to Review your Phishing Defenses
• Deploying Secure UC and VVoIP Communications Systems
• More Cyber Resources from MITRE
• Poster/Tips

5. Did You Know?
• EPA’s ECHO Website
• Calling the MassDEP Emergency Line

6. MA COVID-19 Information
• End of Emergency Declaration
• MassDEP PWS Information
• Future of Work Status for State Employees
• Permit and Form Submittals
• Joint Guidance on Permit Tolling Following the End of The State of Emergency
• MassDEP Conference Calls

7. Training Calendar

8. Spam

PFAS Updates

PFAS Free Sampling Reminder

There is free PFAS testing for all public water systems including transient non-community (TNC) systems. Visit https://www.mass.gov/forms/pfas-free-sampling-initiative-notice-of-interest-form-for-public-water-systems to sign up for the Free PFAS Lab Analyses Program, or send a request with the information described in the survey (e.g., PWS name, PWS ID#, number of sources already tested, number of sources to be tested, and system population) to [email protected], Subject: “Free PFAS Lab Analyses Program - Sampling questions.”

PFAS Loans

The Clean Water Trust and MassDEP’s Division of Municipal Services now have a webpage devoted to the 0% interest loans available for PFAS mitigation. It explains the eligibility for the loans and lists the public water suppliers and projects that have already received them. https://www.mass.gov/service-details/zero-percent-interest-pfas-mitigation-loans

CDC PFAS Progress Newsletter

The Centers for Disease Control and Prevention (CDC) has a monthly newsletter out on PFAS Progress. This month’s newsletter has updates covering the Alaska, Colorado and New York sites participating in the Exposure Assessment Study, which includes over 2,000 people from eight national sites. The study is evaluating the biological, environmental, and questionnaire data to better understand exposure in each community. To learn more visit the PFAS EA website.

MA State Revolving Fund 2022 Solicitation

MassDEP is pleased to announce that the solicitation period for new drinking water and wastewater projects seeking financing through the State Revolving Fund (SRF) Loan Program is now open.

MassDEP’s Division of Municipal Services will accept Project Evaluation Forms (PEFs) for the calendar year 2022 round of financing until 12:00 pm, August 20, 2021. There are no significant changes to the PEFs for 2022. The rating criteria remain the same. Please be aware of the following priorities for 2022 SRF proposals:

• Projects that address lead in drinking water are a high priority, including planning, lead service lines inventories, lead removal, corrosion control capital improvements and water main rehabilitation projects. The Drinking Water SRF (DWSRF) is planning to operate two programs to assist communities with lead mitigation and abatement.

• The Water Infrastructure Fund Transfer Act allows additional subsidy to be available for lead abatement projects for Disadvantaged Communities. Contingent on the availability of funds, qualifying communities may receive additional principal forgiveness (https://www.mass.gov/service-details/lead-abatement-loan-forgiveness-program)

• Projects that include full lead service connection removals (to the meter) are eligible for the DWSRF through the Incentivized Lead Service Line Replacement Program (https://www.mass.gov/service-details/incentivized-lead-service-line-replacement-program)

• Projects that reduce the concentration of per- and polyfluoroalkyl substances (PFAS) in drinking water to below the maximum contaminant level (MCL) of 20 parts per trillion. PFAS mitigation projects may be eligible to receive additional subsidy in the form of a 0% interest rate loan. The additional subsidy is contingent on the availability of funds and approval of the Massachusetts Clean Water Trust Board of Trustees (https://www.mass.gov/doc/massdep-fact-sheet-pfas-in-drinking-water-questions-and-answers-for-consumers)

• Stormwater Management Planning projects that help communities to comply with NPDES MS4 permits are eligible for financing under the CWSRF.

• Combined sewer overflows (CSO) projects that eliminate or abate CSO discharges are eligible for financing under the CWSRF.

• Projects that incorporate green elements and innovative technologies that result in reduced energy consumption, resource conservation, production of renewable energy, or climate resiliency are eligible for financing.

• The Massachusetts Clean Water Trust will make available $2 million to subsidize 60% of the project cost, up to $150,000, for existing infrastructure to plan and implement Asset Management Planning (AMP) programs. Cybersecurity risk assessments will be funded through the AMP Grant program as these activities are critical to service continuity. Activities are limited to planning and assessment only (https://www.mass.gov/service-details/asset-management-planning-grant-program)

• Communities with a current Housing Choice designation will receive a discount on their SRF interest rate of up to 0.50% from the standard rate of 2% (https://www.mass.gov/service-details/housing-choice-loan-program)

Interested parties may submit Project Evaluation Forms (PEF) to MassDEP online at the following web site: https://www.mass.gov/lists/state-revolving-fund-applications-forms. MassDEP’s website also contains the Project Evaluation Form Guidance and Instructions. The online PEF submission will allow you to upload your supporting documentation files. If this presents a difficulty, please email the SRF Data Support Team at [email protected] for assistance.

Water Sector Chemical Supply Chain Shortages

Due to production issues at several major manufacturers, some public water systems (PWSs) may experience a shortage or other serious supply chain issues for water treatment chemicals and supplies, in particular, chlorine. If this occurs, a PWS should first work with their current suppliers or identify other potential suppliers in their area. They should also consult their MassDEP Regional Office as there may be options during emergency situations for addressing the shortage while maintaining compliance.

Relief Options for Water Utilities: If shortages cannot be resolved, PWSs may seek relief under section 1441 of the Safe Drinking Water Act (SDWA) or the Defense Production Act (DPA), as described below. USEPA’s Water Security Division has published information here: https://www.epa.gov/waterutilityresponse/water-sector-supply-chain-chemical-shortages-0.

Resources:
• Frequently Asked Questions about Section 1441 of the Safe Drinking Water Act
• How to Use the Defense Production Act
• Download Fillable PDF Application here.

Please read the attached document from EPA Administrator Michael Regan, in which he discusses that chemical manufacturers of critical water-treatment chemicals give prioritization to drinking water and wastewater facilities.

Cybersecurity Updates

From the White House – Protect against the Threat of Ransomware

Please review the attached memo from the White House. Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, discusses what your organization can do to protect itself and its customers against ransomware threats.

FBI Tech Tuesday: Protecting Yourself from Spoofing and Phishing Scams

The FBI Phoenix Field Office has published an article warning of phishing and spoofing scams by criminal actors and describing actions to take to help prevent becoming a victim. PWSs can access the FBI's suggested tips in this article. Victims of an online scam are encouraged to contact their local FBI office and report the incident to the FBI’s Internet Crime Center.

Cybersecurity Awareness/Hygiene – Proofpoint Business Email Compromise (BEC) Taxonomy Series

Proofpoint, a cybersecurity solutions researcher, published a blog post focused on the theme of lures and tasks. PWSs can learn more about what lures and tasks are and about the Email Fraud Taxonomy Framework here. The post describes how fraudulent emails use these lures to see whether recipients are available to perform some simple tasks. PWSs are encouraged to check out the series at Proofpoint and consider incorporating it into current security awareness programming.

VMware and Google Released Security Updates

VMware has released security updates to address vulnerabilities. An attacker could exploit these vulnerabilities to take control of an affected system. PWSs are advised to review CISA's webpage and apply necessary updates. Google has released a new Chrome version to address vulnerabilities that an attacker could exploit to take control of an affected system. PWSs are advised to review CISA's webpage and apply necessary updates.

Security Awareness – Now’s a Good Time to Review your Phishing Defenses

More than 90% of all cyber-attacks begin with phishing emails. Keeping the potential of phishing attacks in mind, organizations need to continuously review their in-depth strategies to combat phishing. Infosecurity Magazine reviewed three key elements of a good phishing defense approach: policies, procedures, and documentation; technical defenses; and security awareness training. PWSs are advised to review the full article here.

NSA Releases Guidance on Deploying Secure UC and VVoIP Communications Systems

The National Security Agency (NSA) released a Cybersecurity Technical Report that provides best practices and mitigations for securing Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems. PWSs can access the detailed report here. NSA also published an abridged Cybersecurity Information Sheet report to capture key takeaways and introduce the steps organizations should take when securing their UC/VVoIP systems. PWSs are recommended to review the cybersecurity information sheet here.

More Cyber Resources from MITRE

The National Security Agency (NSA) has announced plans to fund the development of a new MITRE project called D3FEND. D3FEND is a knowledge base of defensive countermeasures for the most common techniques used by malicious hackers. PWSs can access more information here. MITRE has also released ATT&CK Workbench, which allows organizations to explore, create, annotate, and share extensions of the MITRE ATT&CK knowledge base.

Posters

MassDEP has posters with cybersecurity tips to help keep your system secure. PWSs are advised to print and post this information as a visual reminder of these important tips to protect your system from cyber-attacks. PWSs can find tips/posters here:

https://www.mass.gov/doc/cybersecurity-tips-for-public-water-systems
https://www.mass.gov/doc/cybersecurity-tips-for-public-water-systems-passwords
https://www.mass.gov/doc/cybersecurity-tips-for-public-water-systems-phishing
https://www.mass.gov/doc/cybersecurity-tips-for-public-water-systems-outdated-software-and-operating-systems
https://www.mass.gov/doc/cybersecurity-tips-for-public-water-systems-developing-a-cyber-incident-plan/download

Did You Know…

EPA’s ECHO Website

The Enforcement and Compliance History Online (ECHO) website is updated frequently based on Agency priorities and user requests. Over the past couple of months there have been three upgrades. New ECHO features are:

• EPA EJSCREEN Data Highlighted on Facility Searches (June 2021)
• Changes to Presentation of Drinking Water System Compliance Data Released (May 2021)
• Updated Clean Water Dashboard Released (February 2021)

Remember you can register for upcoming ECHO Webinars and view recorded webinars anytime on the ECHO Training page. Check out the updated ECHO Tool Guide to find the best feature for your needs.

Calling the MassDEP Emergency Line

MassDEP has set up an emergency phone line which is 888-304-1133. This should only be used for true emergencies after hours. It goes through MEMA/State police and can cause an alert situation. Please do not use this line for routine business that can wait until the next business day. Again, please only use this line to report emergencies.

MA COVID-19 Information

End of Emergency Declaration

Governor Baker ended the State of Emergency on June 15, 2021. The Baker-Polito Administration is working with legislative and municipal partners during this period to manage an orderly transition from the emergency measures adopted during the period of the State of Emergency. Governor Baker has filed legislation to extend certain emergency measures currently in place via executive orders that have been set to expire on June 15. To get the most up-to-date information go to: https://www.mass.gov/info-s/covid-19-state-of-emergency.

MassDEP PWS Information

MassDEP has coordinated with the water supply industries, agencies, and organizations this past year to provide information about the impacts of COVID-19 in Massachusetts. All of the COVID-19 information can still be found at: https://www.mass.gov/info-details/massdep-covid-19-resources-for-water-suppliers-and-wastewater-operators#water-supplier-resources-

Future-of-Work Status for State Employees

During the COVID-19 pandemic MassDEP staff have generally been working remotely. There is an understanding that most state government offices will be back in the office sometime in November on a hybrid basis. The Boston MassDEP office (and some select other state offices) may be changing locations and have a target date of April 2022 to move back into offices on a hybrid basis into an as yet unnamed site.

Permit and Form Submittals

MassDEP-DWP cannot guarantee that posted hardcopy submittals will be delivered or received as expected. Therefore, we strongly encourage you to use eDEP, if available, for water quality monitoring reporting or, if you mail in reports, to also submit a PDF copy of the report by email to [email protected]. The subject line should include the PWSID, City/Town and type of report (e.g., 3035000 Boston Bacteria Report). Continue to mail the official hardcopy to the appropriate MassDEP Regional Office but indicate on the cover letter or similar enclosure that the report(s) was sent in via email and include the date of the email.

MassDEP Conference Calls

MassDEP’s Commissioner Suuberg will now hold quarterly meetings to discuss pertinent drinking water topics. The next call will be September 14, 2021 at 2:00 pm. Please email any drinking water questions you wish discussed at the meeting to MassDEP at: [email protected]. Recordings of Commissioner Suuberg’s drinking water calls as well as FAQs for both drinking water and wastewater are published at: https://www.mass.gov/lists/covid-19-information-for-drinking-water-and-wastewater-operators.

Join Zoom Meeting: https://zoom.us/j/550814507
Meeting ID: 550 814 507

One tap mobile:
+19294362866,,550814507# US (New York)
+13126266799,,550814507# US (Chicago)

Dial by your location:
+1 929 436 2866 US (New York)
+1 312 626 6799 US (Chicago)
+1 301 715 8592 US
+1 346 248 7799 US (Houston)
+1 669 900 6833 US (San Jose)
+1 253 215 8782 US

Find your local number: https://zoom.us/u/anAJCjR7G

Training Calendar

When you need training please look at the training calendar located at: http://www.mass.gov/eea/agencies/massdep/water/drinking/drinking-water-training-class-schedules.html.

Board of Certification Training Page and List of Approved Courses

You may also want to go to the Board of Certification of Operators of Drinking Water Supply Facilities Operators training page and view the approved education courses to sit for examination. Go to: https://www.mass.gov/doc/drinking-water-board-approved-education-courses-updated-september-2020/download.

Some Newly Added Trainings on the Calendar

• ASDWA Moonshot Missions webinar on helping struggling small systems: July 12, at 1:00pm ET. Click here to register.

• RuralMRW – VSS, D1, and T1 Certification Exam Preparatory Course: 3-Day Course: July 15, 22, and 29, 2021 at 8:00am EST. Click here for more information.

• Alliance for Water Efficiency - When in Drought: Lessons Learned: July 20, 2021 at 2:00 pm ET. Click here for information.

• FEMA Webinar - NIMS Incident Complexity Guide: July 27, 2021. FEMA will host a 60-minute webinar to discuss its recently released National Incident Management System (NIMS) Incident Complexity Guide: Planning, Preparedness and Training and answer questions. PWSs can register here.

Training Resources

EPA Water Security Division is a good place to find information and resources for water systems. There are Vulnerability Assessments Tools, Water Health and Economic Analysis Tool, Water Quality Surveillance and Response Tool, Flood Resilience Guide, and more. Go here to see all that is available.

Training Refresher

If you need a refresher on recently given trainings, you can review several training videos located at: https://www.youtube.com/playlist?list=PLJn2AKOcYr7lutGJB-UfDKtQPF_o_249m or click here:

Spam

Remember when opening your emails that if an email is from MassDEP staff the naming convention will be [email protected]. Do not open emails that do not use this configuration and please do not click on any links from unknown users.

MassDEP is sending this important drinking water information to all PWS responsible persons who are listed on the state database. If you are no longer the correct responsible person for the PWS please reply with the correct contact information. MassDEP needs one responsible contact person from each PWS. Operators, consultants, and others who are interested in Drinking Water Program updates are encouraged to request to be subscribed to this email list. You may also request to be unsubscribed by replying to this email.

This MassDEP Program Director technical assistance email is funded by the Safe Drinking Water Act Assessment (Section 70) Program. The Assessment is paid by all consumers of public water in Massachusetts and is collected by public water systems. For more information about the Assessment Program, go to: https://www.mass.gov/service-details/safe-drinking-water-act-assessment-advisory-committee-section-70-committee.

TO: Corporate Executives and Business Leaders
FROM: Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology
SUBJECT: What We Urge You To Do To Protect Against The Threat of Ransomware
DATE: June 2, 2021

The number and size of ransomware incidents have increased significantly, and strengthening our nation’s resilience from cyberattacks – both private and public sector – is a top priority of the President’s. Under President Biden’s leadership, the Federal Government is stepping up to do its part, working with like-minded partners around the world to disrupt and deter ransomware actors. These efforts include disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds.

The private sector also has a critical responsibility to protect against these threats. All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy. Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.

The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively. To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.

Below you will find the U.S. Government’s recommended best practices – we’ve selected a small number of highly impactful steps to help you focus and make rapid progress on driving down risk.

What We Urge You To Do Now

• Implement the five best practices from the President’s Executive Order: President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyber-attack.

• Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

• Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

• Test your incident response plan: There’s nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

• Check Your Security Team’s Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

• Segment your networks: There’s been a recent shift in ransomware attacks – from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany and France, to pipelines in the United States and banks in the U.K. The threats are serious and they are increasing. We urge you to take these critical steps to protect your organizations and the American public. The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility. The federal government stands ready to help you implement these best practices.

Additional Resources

• FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks
• CISA - RANSOMWARE GUIDANCE AND RESOURCES