Resources to Complete Your Risk & Resilience Assessment and Emergency Response Plan

Drinking water utilities should be aware of the risk and resilience assessment (RRA) and emergency response plan (ERP) requirements mandated by section 2013 of the America’s Water and Infrastructure Act (AWIA) of 2018. Under section 2013, community water systems (CWS) serving populations of 3,300 people or more are required to perform a risk assessment using the results to develop or update their ERP. The due date to certify the completion of these requirements is dependent on the population served by the system. If a CWS provides water to a consecutive system, they must include the population of the consecutive system in the total population served. 

*After submitting the RRA, the ERP must be submitted and certified within six months. Community water systems will be required to review and revise, as necessary, their RRA and ERP every five years after the initial certification dates. 

These new AWIA requirements amend section 1433 of the Safe Drinking Water Act (SDWA), originally created from the Bioterrorism Act of 2002. The Act focused on incidents of terrorism and required CWS’s serving more than 3,300 people to conduct a vulnerability assessment (VA) and develop an ERP. The new AWIA requirements place an emphasis on the risks of malevolent acts, natural disasters, and cybersecurity. Since the vulnerability assessments from the Bioterrorism Act are now more than 10 years old, AWIA approved the destruction of these assessments. Utilities that want their VA returned instead can submit a request letter to the EPA before the due date of their risk assessment.

To assist in meeting the new requirements, the EPA has developed several resources designed specifically for AWIA. Resources and tools are uploaded on this EPA web page as they become available. The risk and resilience assessment is the first requirement due under section 2013 and necessary to develop your ERP. The assessment must include six criteria. Following the assessment, the ERP must include four criteria in addition to any state requirements. In this blog we will provide information about these AWIA resources in addition to other documents that can be useful to complete your RRA and ERP. 

EPA's AWIA Resources:

Resiliency and Risk Assessment:

• Vulnerability Self-Assessment Tool (VSAT) 2.0 
  U.S. EPA
  This downloadable tool was updated to help utilities conduct risk and resilience assessments under AWIA. The tool can estimate risks from malevolent threats and natural hazards while evaluating potential improvement strategies. 
  
  
• Baseline Information on Malevolent Acts for Community Water Systems 
  U.S. EPA
  AWIA requires that the RRA addresses risks to ‘malevolent acts’. The EPA provides baseline information on malevolent acts and how to assess their potential threats in this 51-page guide.

Emergency Response Plans:

• Community Water System Emergency Response Plan 
  U.S. EPA
  This 13-page document includes a emergency response plan template with instructions developed to assist systems in meeting the ERP requirements under AWIA.

Other Helpful Resources to Get Started:

Resiliency and Risk Assessment:

• CREAT Risk Assessment
  U.S. EPA
  CREAT is a risk assessment tool to help utilities to adapt to extreme weather events. New users will be required to fill out a registration form. While your account is processing, check out a more preliminary EPA climate adaptation tool, the Resilient Strategies Guide for Water Utilities.
  
  
• Reference Guide for Asset Management Inventory and Risk Analysis 
  Southwest Environmental Finance Center
  This 9-page guide acts as a starting point to inventory assets and consider potential failure risks. The table suggests the information that should be collected while taking an inventory of assets.
  
  
• Financial Planning: A Guide for Water and Wastewater Systems 
  Rural Community Assistance Corporation
  Utilities need to include a financial infrastructure assessment in their RRA. The 59-page guidebook provides a process for developing and monitoring a utility budget, evaluating rates, and developing a 5-year financial plan. 
  
  
• Simplified Vulnerability Assessment Tool for Drinking Water 
  Kansas Department of Health and Environment
  In this 24-page guide systems will learn about risk minimization, the probability of asset threats, consequences of threats, and threat deterrents. 

Emergency Response Plans:

• Flood Emergency Action Procedures: Preparation Guide for Small Communities 
  Midwest Assistance Program
  The 50-page document provides a flood preparedness planning methodology for small rural communities. 
  
  
• 15 Cybersecurity Fundamentals for Water and Wastewater Utilities 
  Water ISAC
  This updated 56-page guide explains the best practices water utilities can use to reduce security risks to their IT and OT systems.

To certify the completion of your RRA or ERP, the EPA has developed guidelines for certification submittals via their secure online portal, email, or mail. If your system needs any additional help to meet these requirements, the EPA will be hosting in-person and online training sessions for each region. If these document suggestions don’t meet your system needs, check out our document library to find a variety of resources on risk assessment and emergency response.

Data Protection and Cybersecurity for Small and Medium Systems

Many water utilities rely on online technology and computer systems to increase their working efficiency. In the office space, data management software, pay roll systems, customer billing programs, utility websites, and social media improve customer services and provide an organized method to retain and access utility information. On the operational side, employees may rely on remote access control systems such as SCADA or smart metering to monitor or control systems while performing maintenance in the field. These control systems allow for improved response times and monitoring.

Yet as we all learned from Spiderman, with great power comes great responsibility. Without sufficient cybersecurity measures, systems risk the health and security of their customers. Successful attackers can steal customer personal data such as credit cards, social security numbers, and contact information. They may attempt to deface utility websites compromising customer confidence. If your system uses online process control systems, hackers could lock out utility access, alter treatment processes, damage equipment, and override alarms. The American Water Works Association (AWWA) has listed a variety of cyberattacks and their consequences in its 2018 Cybersecurity Risk & Responsibility in the Water Sector Report. These attacks resulted in leaked customer information, considerable financial losses, altered chemical dosing, and even source water contamination. Just recently staring in May of 2019 the City of Baltimore has been held hostage by an ongoing three week cyberattack that demands $100,000 in Bitcoin to free city files and water billing data.

There are many types of cyberattacks including password hacking, the exploitation of software vulnerabilities, denial of service, and malware. Common malware includes ransomware, spyware, trojan horse, viruses, and key loggers. Attacks can even happen through opportunity theft, improper disposal of computer equipment, or phishing attempts where thieves pose as legitimate organizations requesting confidential information.

To prevent cyberattacks, start by identifying vulnerabilities, developing a multi-tier security plan, and actively enforcing that plan. The EPA has developed a guide explaining 10 key components for a cybersecurity plan that includes planning worksheets and information on how to respond in the event of an attack. Systems should plan to update software regularly and require strong passwords that are different for each account. Installing anti-virus software and firewalls is also effective. A security plan should include measures to educate employees on cybersecurity awareness and limit access to security information based on job function.

For an in-depth list of security practices, read through WaterISAC’s 2019 guide to reduce exploitable weaknesses or the EPA’s Incident Action Checklist. The AWWA’s guide on Process Control System Security Guidance for the Water Sector can aid systems using smart technology. To improve social media and website security, start with Hootsuite’s social media security tips and Sucuri’s website security tips.

If a data breech does occur, utilities will want to have and established protocol to resolve and mitigate potential damage. The Cyber Security Adviser Program with the Department of Homeland Security (DHS) offers regional affiliates that will assist systems in vulnerability assessments, plan development, and informational support. While the costs associated with response, forensics, and legal fees can be expensive, waiting to take action can incur an even greater cost. Remember to keep an active cybersecurity plan and, if incidents should occur, report them to local law enforcement, the DHS, and WaterISAC.

Disaster Management and Black Sky Events

Coming this October, AWWA will host a webinar entitled Water Sector Black Sky Resilience. A Black Sky event is a long-duration, widespread power outage that could, in turn, cause a whole host of additional catastrophes. 

According to The Electric Infrastructure Security Council, A Black Sky event can have many causes: high magnitude earthquakes, severe space weather, electromagnetic pulses or interferences in the upper atmosphere (the kind that a nuclear detonation might cause), hurricanes, cyber-terrorism, coordinated power grid assaults and more.

Hurricane Harvey has offered a glimpse of the impact a Black Sky event would have on water and wastewater systems and the communities they serve. Black Sky events would cause much longer-term outages than the typical hazard event, and help might not come as quickly, or as easily. Back-up generators might be able to provide a certain amount of power, as long as they are in working order, but what if the treatment chemicals you depend on run out and can't be delivered to you?

Last year, the National Infrastructure Advisory Council issued a 212-page report analyzing water sector disaster scenarios and these types of cascading failures - power losses that lead to water losses and the consequences of those losses. The report concluded that this was an area that needed more analysis and planning. The report also recommends that smaller systems be provided with training as well as assistance in partnering with larger utilities that have more resources. 

Clearly, the effects of a long-term water outage on public health could be devasting, and this is why it is important to incorporate Black Sky response and recovery considerations into disaster management plans. The good news is that if you have a disaster management plan in place, you are already heading in the right direction. Using tools such as this 2016 E-Pro Handbook II (Water), you can expand your plan to include even the most severe emergencies. And this resource form the U.S. Energy Information Administration can keep you updated with live energy disruption reports across the nation. 

The USEPA also has a whole host of tools to help your utility prepare for a Black Sky event including a Power Resilience Guide for Water and Wastewater Utilities, a Drinking Water and Wastewater Utility Generator Preparedness guide, and a video entitled "Power to Keep Water Moving" (click below to view). Finally, be sure to check out the U.S. Army Corps of Engineers' EPFAT tool, a secure web-based tool to input and store emergency power assessment data. Using this tool can help USACE provide temporary power faster, getting you the right generator at the right time.