Oversight of Evolving Threats to Drinking Water

Auditors in Utah, Washington, and New York State are responding to growing threats facing our drinking water. By identifying risks, evaluating efficiency regulations, and assessing cybersecurity vulnerabilities, they offer important recommendations for improvement.

Few public services are more tangible, more vital, or more frequently taken for granted than drinking water. Nine in ten Americans get their water from some form of a community water system, often turning on the tap or starting the dishwasher without too much concern for the infrastructure that makes it possible.

But our water systems are fragile. Underinvestment, system inefficiencies, and even foreign cyberthreats mean they grow more vulnerable with each passing year. This month on the SOA blog, we will review how auditors in Utah, Washington, and New York State have responded to these vulnerabilities. Each takes a different approach, but all aim to provide reliable, safe water service well into the future.

Utah

Last fall, the Legislative Auditor General in Utah (LAG) produced its High-Risk List. Created in the style of the federal Government Accountability Office’s list of the same name, the High-Risk List identifies state programs and operations with a high potential to cause injury or loss of life, impaired service delivery, or fiscal problems. The 2023 list includes issues as diverse as contract management, revenue diversification, housing affordability, and substance use. The first two items in the list of twelve are devoted to water resource management and water infrastructure.

“We became aware,” the report says, “of risks with Utah’s stormwater, wastewater, and drinking water systems. Diminishing water supply and increasing demands on these systems threaten water quality and drinking water.” A major concern identified in the report is the age of the state’s water infrastructure. Not only is much of the infrastructure reaching the end of its useful life, but it is under strain from growing population (with expected growth of 43% by 2050) and increasingly extreme weather conditions.

The report also points to water infrastructure “at risk of failure from seismic risks and delayed replacement.” Millions of Utahans rely on water from four major aqueducts that, without upgrades, could fail in an earthquake. At the same time, smaller water systems across Utah face their own problems with aging infrastructure but lack the necessary resources and expertise to plan for and make upgrades.

The Utah LAG’s High-Risk List offers not only a candid view of the challenges facing the state but lays the groundwork for further study and legislative solutions to address the issues it outlines. The report is, as Legislative Auditor General Kade Minchey says, “one of our efforts to be ‘a fence at the top of the hill’ instead of an ‘ambulance at the bottom of the hill.’”

Washington

Like Utah, Washington’s drinking water supply is facing challenges from population growth and climate change. In December of 2023, after a summer of drought and at the 20-year anniversary of the state’s Municipal Water Law, which addressed water use efficiency, the Office of the Washington State Auditor issued a performance audit: “Assessing the Effectiveness of Washington’s Water Use Efficiency Regulations.”

98% of Washingtonians receive their water from one of the state’s 2,065 municipal water systems, which can serve as few as fifteen residential customers. Under the 2003 Municipal Water Law, all those systems are required to have a detailed water use efficiency program, regularly report on their efficiency performance, and take action to keep leakage in their distribution systems below ten percent of the water they produce. The State Auditor set out to find the extent to which municipal water systems comply with the rules, and how the Department of Health (DOH) – which is responsible for efficiency rules – and water suppliers might improve efficiency.

The performance audit found that, while most municipal water suppliers kept up on their responsibility to report their water efficiency data to DOH, DOH did not collect all the information that its own rules required, did not use all the data it collected, and did not keep an accurate inventory of the state’s municipal water systems. Further, the data DOH calculated on water loss in the distribution system was inaccurate. That meant the resulting information on the efficiency of water distribution systems was unreliable, even though the calculations were used to determine whether a system complied with the law. The audit also found that the existing efficiency regulations were a disproportionate burden on the state’s small water systems, which lack the resources to comply with the rules.

Based on the audit findings, the report offered several recommendations to improve the way the state collects, manages, and responds to water efficiency data. The report pointed to separate regulatory models for smaller water systems, and even suggested that “the Legislature could reassign responsibility for water conservation from DOH to the Department of Ecology” which is better suited to address matters around conservation.

Twenty years after the passage of the Municipal Water Law, and facing a less certain future for natural resources, the report offers Washington State an important snapshot of its progress in conservation, and an even more important roadmap for how it can be improved.

New York State

Just last month, the White House issued a letter to the nation’s governors warning of cyberattacks by foreign actors on water and sewage systems and the resulting risk of disruptions to water service and significant financial costs. The issue is not new. Last November, several water utilities in multiple sates were hacked in related incidents, drawing attention to gaps in cybersecurity in America’s water systems.

95% of New Yorkers get their water from a public water system, and the Department of Health (DOH) and its Bureau of Water Supply Protection are responsible for regulating the state’s water suppliers and helping them identify and protect against potential threats to water resources. As part of those efforts, 318 of the state’s largest water systems must provide an Emergency Response Plan and a Vulnerability Assessment including a Cybersecurity Vulnerability Assessment to the Department of Health at least every five years.

Last summer, the New York State Comptroller released an audit to “determine if the Department of Health is providing sufficient guidance and oversight to ensure that water system operators have completed and submitted updated emergency response plans.” The audit examined 317 municipal water systems (the 318th, New York City’s massive water supply system, was not included in the audit).

The review found that 10% of water systems’ emergency response plans were out-of-date – fifteen were more than a decade old – and that 9% of water systems had never completed a cybersecurity vulnerability assessment at all. The review also found that, while DOH had sent letters to systems who were not up to date on their plans, they did little in the way of other enforcement. The Comptroller also found inadequate collaboration between state government agencies and levels of government with responsibilities related to keeping drinking water safe.

The Comptroller’s report offered a variety of recommendations to improve processes and communications. As the report acknowledged, not all threats to water resources can be completely mitigated. But the report and the recommendations it offers will help protect New Yorkers and their drinking water for years to come.

More Than Just Plumbing

Ensuring that Americans can have confidence in safe, reliable drinking water is more than a plumbing job. Managing threats to drinking water – be they in the form of natural disaster, inefficiency, climate change, or even cyberattack – requires thoughtful policy and implementation. And the candid view of the facts that oversight partners like auditors and comptrollers provide is critical to both.