An EPA Guide for Climate Resiliency Planning

Many utilities are developing plans to increase short-term and long-term climate resiliency in response to extreme weather events, changing water availability, or the risk and resiliency assessment requirements set forth in the America’s Water Infrastructure Act of 2018 (AWIA). To assist in the early developmental stages of resiliency planning, the EPA's CRWU program designed the Resilient Strategies Guide for Water Utilities. This online application prompts utilities with a series of questions about their system and its resiliency concerns to provide recommend strategies that will decrease vulnerability. This web application was updated in August 2019 to allow utilities to specify their system size and find funding sources for the projects they want to pursue.

Both water and wastewater systems can use the tool. The foundation of the guide is built using the CRWU Adaptation Strategies for Climate Change and a funding list maintained by the Water Finance Clearinghouse. Completing the guide takes roughly 20 minutes. After answering a series of questions that identify your system type, size, location, assets, preferred resiliency strategies, and funding interests, the application will produce a report that can be used as a starting point to develop a more complex plan.

Once the guide is launched, you will start by answering questions about your facility and its resiliency priorities. The priorities indicate the concerns that your system wants to address. You can filter the list of priorities in the left hand menu to narrow your focus to topics such as drought preparation, flood protection, energy efficiency, etc. The ‘More Info’ button will elaborate on any option you're considering. Once you’ve selected your priorities, you’ll indicate what assets are present within your system. From there you can select your preferred planning strategies that have been suggested based on your previous answers. Filter the strategies with the left hand menu to narrow down your options by cost or category. For example, if you want to exclude strategies that require new construction, you could check the ‘repair & retrofit’ category instead. The last section recommends potential funding sources that might assist with the strategies you've selected earlier.

The strategies and funding sources will be used to generate the final report. Continue to the end and select ‘Generate Report’. This report will include a detailed summary of your answers, contact information for any funding sources you've selected, and case studies relevant to your utility. To save a copy of the report you will have to copy and paste the results into a Word document. If you have a CREAT account, you can select ‘Export CREAT File’ to download a file that can be imported into your CREAT account’s existing analysis. CREAT (Climate Resilience Evaluation and Awareness Tool) is a more in-depth risk assessment and planning tool that can be used once you've done your initial research. You can preview the CREAT tool framework with their guide here.

Data Protection and Cybersecurity for Small and Medium Systems

Many water utilities rely on online technology and computer systems to increase their working efficiency. In the office space, data management software, pay roll systems, customer billing programs, utility websites, and social media improve customer services and provide an organized method to retain and access utility information. On the operational side, employees may rely on remote access control systems such as SCADA or smart metering to monitor or control systems while performing maintenance in the field. These control systems allow for improved response times and monitoring.

Yet as we all learned from Spiderman, with great power comes great responsibility. Without sufficient cybersecurity measures, systems risk the health and security of their customers. Successful attackers can steal customer personal data such as credit cards, social security numbers, and contact information. They may attempt to deface utility websites compromising customer confidence. If your system uses online process control systems, hackers could lock out utility access, alter treatment processes, damage equipment, and override alarms. The American Water Works Association (AWWA) has listed a variety of cyberattacks and their consequences in its 2018 Cybersecurity Risk & Responsibility in the Water Sector Report. These attacks resulted in leaked customer information, considerable financial losses, altered chemical dosing, and even source water contamination. Just recently staring in May of 2019 the City of Baltimore has been held hostage by an ongoing three week cyberattack that demands $100,000 in Bitcoin to free city files and water billing data.

There are many types of cyberattacks including password hacking, the exploitation of software vulnerabilities, denial of service, and malware. Common malware includes ransomware, spyware, trojan horse, viruses, and key loggers. Attacks can even happen through opportunity theft, improper disposal of computer equipment, or phishing attempts where thieves pose as legitimate organizations requesting confidential information.

To prevent cyberattacks, start by identifying vulnerabilities, developing a multi-tier security plan, and actively enforcing that plan. The EPA has developed a guide explaining 10 key components for a cybersecurity plan that includes planning worksheets and information on how to respond in the event of an attack. Systems should plan to update software regularly and require strong passwords that are different for each account. Installing anti-virus software and firewalls is also effective. A security plan should include measures to educate employees on cybersecurity awareness and limit access to security information based on job function.

For an in-depth list of security practices, read through WaterISAC’s 2019 guide to reduce exploitable weaknesses or the EPA’s Incident Action Checklist. The AWWA’s guide on Process Control System Security Guidance for the Water Sector can aid systems using smart technology. To improve social media and website security, start with Hootsuite’s social media security tips and Sucuri’s website security tips.

If a data breech does occur, utilities will want to have and established protocol to resolve and mitigate potential damage. The Cyber Security Adviser Program with the Department of Homeland Security (DHS) offers regional affiliates that will assist systems in vulnerability assessments, plan development, and informational support. While the costs associated with response, forensics, and legal fees can be expensive, waiting to take action can incur an even greater cost. Remember to keep an active cybersecurity plan and, if incidents should occur, report them to local law enforcement, the DHS, and WaterISAC.