By Bill Palifka
As defined by the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), there are 16 “critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” One of these sectors is the Water and Wastewater Systems sector. Recently, federal legislation was passed into law to help bolster the safety and security of this sector.
On October 23, 2018, America's Water Infrastructure Act (AWIA) was signed into law. Under this new Act, community (drinking) water systems serving more than 3,300 people are required to develop or update risk assessments and emergency response plans (ERPs); more specifically, community water systems are required to conduct and report on a comprehensive water system risk and resilience assessment. They must also develop an emergency response plan that addresses both physical and cybersecurity threats. The law defines the components that the risk assessments and ERPs must address, establishes deadlines by which water systems must certify to the EPA the completion of the risk assessment and ERPs, and creates a grant program to assist community water systems with the funding necessary for improving their operational resilience.
Here are a few things you should know about securing community wastewater systems and the AWIA:
AWIA vs. Bioterrorism Act
The AWIA features a set of requirements different than the regulations enacted under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (i.e., Bioterrorism Act). Specifically, you must complete a risk and resilience assessment that evaluates all hazards to a given water utility. This includes:
Under the Bioterrorism Act, water systems are required to complete vulnerability assessments, which focus on terrorism threats. The results from these assessments can be helpful in preparing your risk and resilience assessment.
Risk and Resilience Assessments: 6 Things You Need to Do
Risk and resilience assessments are the first step towards compliance with the AWIA.
They must take place before developing or updating your ERP, as findings from these assessments are incorporated into the ERP. These assessments are intended to evaluate the risks to and resilience of your water utility. They include:
1. Assessing risks to the water system from malevolent acts and natural hazards.
2. Assessing resilience of the pipes and constructed conveyances; physical barriers; source water; water collection and intake; pretreatment, treatment, storage and distribution facilities; as well as electronic, computer and/or other automated systems (including the security of such systems) that are utilized by the system.
3. Assessing the monitoring practices of the water system.
4. Evaluating the financial infrastructure of the water system.
5. Evaluating the use, storage and/or handling of various chemicals by the water system.
6. Assessing the operation and maintenance practices of the water system.
It’s important to remember that your water utility must review the risk and resilience assessment and submit a recertification to the EPA every five years – showcasing that the assessment has been reviewed and, if necessary, revised.
What If You Fail to Comply with the AWIA?
There are consequences if you do not complete a risk and resilience assessment, update or develop your ERP, and/or certify that you have complied with the AWIA. In fact, the EPA can fine water utilities up to $25,000 per day for non-compliance.
With deadlines that vary based on population size and flexible accommodations granted regarding development of the final documents, meeting the AWIA’s risk and resilience requirements might make you wonder where to begin.
Fortunately, we’ve come up with a recommended approach. Here are the basic steps for the Risk and Resilience Assessment:
1. Characterize Utility Assets
2. Characterize Threats
3. Consequence Analysis (C) – Level of damage expected if the hazardous event occurs
4. Vulnerability Analysis (V) – Likelihood of damage occurring if the hazardous event occurs
5. Threat Analysis (T) – Likelihood of the hazardous event occurring
6. Risk and Resilience Analysis (R=C*V*T)
7. Manage Risk and Resilience
8. Submit Compliance Certification to EPA
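A worked pass through steps 3 to 7, added here as an illustration and not taken from the AWIA, the EPA or EmberSec: it scores each threat-asset pair with R = C*V*T, ranks the register, and measures how much risk a countermeasure that lowers V would remove. The units (dollars for C, a 0..1 probability for V, events per year for T), the names `ThreatAssetPair`, `rank_by_risk` and `risk_reduction`, and every value in the sample register are assumptions made for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ThreatAssetPair:
    asset: str
    threat: str
    consequence: float    # C: damage in dollars if the event causes harm (assumed unit)
    vulnerability: float  # V: probability of damage given the event, 0..1
    threat_rate: float    # T: expected events per year (assumed unit)

    def __post_init__(self):
        # Reject inputs that would make R meaningless before they reach a report.
        if self.consequence < 0 or self.threat_rate < 0:
            raise ValueError("C and T must be non-negative")
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("V is a probability and must be within 0..1")

    @property
    def risk(self) -> float:
        # Step 6: R = C * V * T, here in expected dollars lost per year.
        return self.consequence * self.vulnerability * self.threat_rate

def rank_by_risk(pairs):
    """Order the register so the highest-risk pairs are addressed first."""
    return sorted(pairs, key=lambda p: p.risk, reverse=True)

def risk_reduction(pair, mitigated_vulnerability):
    """Step 7: annual risk removed by a countermeasure that lowers V."""
    mitigated = replace(pair, vulnerability=mitigated_vulnerability)
    return pair.risk - mitigated.risk

# Constructed sample register; none of these figures come from a real utility.
REGISTER = [
    ThreatAssetPair("SCADA HMI workstation", "ransomware", 400_000, 0.5, 0.2),
    ThreatAssetPair("Chemical storage building", "flood", 1_000_000, 0.1, 0.05),
    ThreatAssetPair("Intake pump station", "power outage", 50_000, 0.8, 0.5),
]

if __name__ == "__main__":
    for p in rank_by_risk(REGISTER):
        print(f"{p.asset:28} {p.threat:14} R = ${p.risk:,.0f}/yr")
    # Example countermeasure: hardening the HMI lowers V from 0.5 to 0.1.
    saved = risk_reduction(REGISTER[0], 0.1)
    print(f"Hardening the HMI removes ${saved:,.0f}/yr of risk")
```

Comparing the value returned by `risk_reduction` with a countermeasure's annual cost gives a simple basis for prioritizing the spending decisions in step 7.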
The AWIA builds upon the risk and resilience assessment requirement by further requiring community water systems to prepare or revise, as necessary, an emergency response plan that incorporates the findings from the risk assessment. This emergency response plan is due no later than six months after completion of the risk assessment.
Notably, the emergency response plan “shall include…strategies and resources to improve the resilience of the system, including the physical and cybersecurity of the system.” While cybersecurity threats have been steadily increasing for the water and wastewater industries, the AWIA will require community water systems to assess their cybersecurity vulnerabilities in a comprehensive fashion. The requirement to include cybersecurity in a system’s emergency response plan will also help drinking water system operators prepare for and position themselves against any cybersecurity attacks they will face in the future.
The deadline is looming for medium-sized utilities to begin risk and resiliency assessments, and those in the small category are encouraged to budget and begin work by the end of the year. The EmberSec Team, along with our network of partners, is poised to help you succeed on your path to compliance with the AWIA.