Be Prepared: Risk Assessment and Emergency Response Planning Under AWIA

By Bill Palifka

On Oct. 23, 2018, America’s Water Infrastructure Act (AWIA) of 2018 was signed into law, essentially requiring water utilities to be better prepared for a wide range of threats. It requires water utilities to thoroughly assess their vulnerabilities to all types of natural hazards and man-made disasters and develop a detailed plan to address them.
 
Section 2013 of AWIA, through an amendment to the Safe Drinking Water Act (SDWA), introduced a new requirement for every public water system that serves more than 3,300 people to conduct a Risk and Resilience Assessment (RRA) and prepare (or revise) an Emergency Response Plan (ERP). If multiple entities are involved in water supply, treatment and distribution – such as wholesale suppliers, treatment operators and (separately owned) distribution systems – all would need to separately conduct RRAs and develop ERPs for assets under their control. Utilities are required to certify to the U.S. Environmental Protection Agency (EPA) that both have been completed by established statutory deadlines.

Table 1: Deadlines

The RRA requirement replaces the previous requirement to perform vulnerability assessments established by the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, which was enacted following the 9/11 attacks. The AWIA broadens the assessment focus from “terrorism and intentional attack” to “malevolent acts and natural hazards.”

In addition to examining each system’s risk from these threats, RRAs must evaluate the resilience of all physical assets from source water to distribution systems, including monitoring practices, chemical storage and handling, and operations and maintenance practices. AWIA also requires utilities to evaluate the security of electronic, computer and automated systems and financial infrastructure in response to rising cybersecurity threats.

ERPs need to focus on more than merely being able to respond. They must include risk mitigation actions such as alternative source water, interconnections, redundancy improvements, asset hardening, and physical and cybersecurity countermeasures if and as justified through assessment.

Preparing for Compliance: What Now?
Despite the short timetable, some utilities are understandably hesitant to move forward with RRAs because of unplanned costs, uncertainty about how to get real value from the assessments, and questions about cybersecurity.

“The largest threat to financial, monitoring, and other computer systems is a cyber ransomware attack,” says Ken Jenkins, EmberSec. “Many financial systems have periodic cyber assessments that may not meet the intent of AWIA, and SCADA systems are typically assessed less often and with less rigor. The unfunded AWIA mandate is a challenge, but it’s also an opportunity to standardize security assessments of electronic, computer, automated, and financial systems to determine risk and improve resilience.”

Know What You Have and What You Want To Do Vulnerability
studies developed soon after 9/11 focused on physical security and typically have limited value in meeting the new requirements. But many utilities have significantly invested in planning for long-term resilience, assessing and improving cybersecurity, and assessing risk as part of their asset management programs. These activities tend to be a fitting foundation for a response to the new requirements.

Although some utilities just want to meet basic requirements for financial or other reasons, utilities and communities can benefit by using the AWIA requirements as a platform for a more valuable and comprehensive program. One of the questions that utilities should ask themselves is whether they want to meet minimum requirements for compliance or want to derive sustainable business benefit from their investment. Do they only want to certify that they have RRAs and ERPs in place or do they want to move into the realm of effective risk management and best-practice asset management?

Structures and tools developed for RRAs can facilitate improved decision-making and launch a more formal risk-management program or expand an existing asset management program. Investing in a repeatable template makes it easier to update RRAs and to apply it to other systems and facilities in the future.

​Risk and Resilience Assessments
Section 1433(a) of the Safe Drinking Water Act (SDWA) as amended by section 2013 of the AWIA outlines the requirements for risk and resilience assessments as follows: Each community water system serving a population greater than 3,300 persons must assess the risks to, and resilience of, its system. Such an assessment must include—The risk to the system from malevolent acts and natural hazards;
The resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system;

• The monitoring practices of the system
• The financial infrastructure of the system
• The use, storage, or handling of various chemicals by the system
• The operation and maintenance of the system

Emergency Response Plans
No later than six months after certifying completion of its risk and resilience assessment, each system must prepare or revise, where necessary, an emergency response plan that incorporates the findings of the assessment. The plan shall include--
Strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system;

• Plans and procedures that can be implemented, and identification of equipment that can be utilized, in the event of a malevolent act or natural hazard that threatens the ability of the community water system to deliver safe drinking water;
• Actions, procedures, and equipment which can obviate or significantly lessen the impact of a malevolent act or natural hazard on the public health and the safety and supply of drinking water provided to communities and individuals, including the development of alternative source water options, relocation of water intakes, and construction of flood protection barriers; and
• Strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security or resilience of the system.

Community water systems must, to the extent possible, coordinate with local emergency planning committees established under the Emergency Planning and Community Right-To-Know Act of 1986 (42 U.S.C. 11001 et seq.) when preparing or revising a risk and resilience assessment or emergency response plan under the AWIA. Further, systems must maintain a copy of the assessment and emergency response plan (including any revised assessment or plan) for five years after certifying the plan to the EPA.
The assessment may also include an evaluation of capital and operational needs for risk and resilience management for the system.

To assist utilities, the AWIA directs the EPA to provide baseline information on malevolent acts of relevance to community water systems no later than August 1, 2019. This information must include consideration of acts that may— Substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water; or otherwise present significant public health or economic concerns to the community served by the system.

More Questions
Most utilities have building blocks in place, so the first step is to compare the current level of resilience maturity with the desired level. Answering questions about where utilities now stand and what needs to be done to reach their desired destinations entails intermediate steps.

Cost-benefit analysis is useful in determining the appropriate level of investment. Utilities need to determine which of their assets carry the largest risks and how much risk is acceptable. For example, the ideal would be to ensure that no customer would ever be without access to safe drinking water. But the cost to ensure that outcome would be prohibitive, so the question becomes “What can I afford to do to minimize risk and enhance resilience?”

The Water Research Foundation (WRF) recently launched a research study. The goal of “Practical Framework for Water Infrastructure Resilience (WRF Project 5014)” is to help water utilities better understand the relationships among enterprise risk management, performance and level of service goals, and planning for organizational and infrastructure resilience. This work will synthesize and summarize existing knowledge, resources, and utility experience in this field and provide a practical framework to help utilities identify appropriate approaches, frameworks, and tools for their specific needs and priorities.
SubmittingCommunity water systems can access https://www.epa.gov/waterresilience/americas-water-infrastructure-act-2018-risk-assessments-and-emergency-response-plans to get updated information on the implementation of this section of the law, as well as further details on how to submit risk and resilience assessment and emergency response plan certifications.

The EPA recommends that community water systems consider submitting risk and resilience assessment and emergency response plan certifications after publication of the baseline information on malevolent acts document, as well as updated risk assessment tools and other guidance. This timing will reduce the chances that a community water system will need to Start Printed Page 11538 make corrections to its risk and resilience assessment or emergency response plan after certification.

For More Information
EmberSec professionals are able to assist community water systems with the preparation of RRAs and ERPs and with the application for EPA grant funding.

For more information contact Bill Palifka at bill.palifka@embercybersecurity.com.
Follow us on Twitter @ember_sec