2008 Annual Update to the
Water Sector-Specific Plan

-------
Office of Water (460 8 T)
EPA817-K-08-002
July 2008
www. epa.gov/ safewater

-------
Table of Contents
Introduction	1

Update to Section 5 - Implementing Protective Programs	3
   5.1.2   Description of Example Protective Programs	3
          Goal 1 -Sustain Protection of Public Health and the Environment	3
          Goal 2 - Recognize and Reduce Risks in the Water Sector	6
          Goal 3-Maintain a Resilient Infrastructure	8
          Goal 4: Increase Communication, Outreach, and Public Confidence	13

Update to Section 6 - Measure Progress	15
   6.1   CIKR Performance Measurement	15

List of Acronyms	17
SSP Update - Water Sector                July 1, 2008

-------

-------
                         2008 Annual  Update
              to the Water Sector-Specific Plan
Introduction

This report provides an update to the Water Critical Infrastructure and Key Resources (CIKR)
Sector-Specific Plan (SSP)1, as input to the National Infrastructure Protection Plan (NIPP)2. This
update, based on guidance issued by the U.S. Department of Homeland Security (DHS),
provides a summary of advances in the processes set out in the SSP and the achievement of
milestones.  It is intended to inform Water Sector partners, stakeholders, and Federal, State,
local governments, tribes, and other interested parties about updates to key CIKR protection
efforts in the Water Sector. The U.S. Environmental Protection Agency (EPA) prepared this
update in collaboration with the  Water Sector Coordinating Council (WSCC) and the
Government Coordinating Council (GCC), two critical vehicles that were established under the
NIPP to provide a focal point of interaction respectively with the water industry and other
Federal and State partners.

The Water SSP provides an overview of the Water Sector and describes the vision statement
and four goals for the Sector (see Table  1). In addition, it describes the protective programs,
measures, and research and development ongoing in the sector. Since the Water SSP was
published in May 2007, the Water Sector has continued to enhance CIKR protection from all
hazards. This SSP update addresses several of the key activities that have been underway
since that time, and is organized to be used as a cross reference to the SSP (see Table 2). As
shown in Table 2, SSP Sections 5 and 6 are being updated. This update is not intended to
address every change within the Water Sector since May 2007, but rather to highlight key
efforts. In accordance with the NIPP, the Water Sector will evaluate the status of the SSP on an
annual basis.

             Table 1. Water Sector Security Vision Statement and Security Goals
Water Sector Security Vision
Statement
The Water Sector's Security Vision is a secure and resilient drinking
water and wastewater infrastructure that provides clean and safe
water as an integral part of daily life. This Vision assures the
economic vitality of and public confidence in the Nation's drinking
water and wastewater through a layered defense of effective
preparedness and security practices in the sector.
Sector Goal
Goal 1
Goal 2
Goal 3
Goal 4
Sustain protection of public health and the environment
Recognize and reduce risks in the Water Sector
Maintain a resilient infrastructure
Increase communication, outreach, and public confidence
 Source: SSP for the Water Sector.  May 2007


1 U.S. DHS and U.S. EPA. Water Critical Infrastructure and Key Resources Sector-Specific Plan as input
to the National Infrastructure Protection Plan. May 2007.
(http://www.epa.gov/safewater/watersecurity/pubs/plan_secu rity_watersectorspecificplan.pdf)

2 U.S. DHS. National Infrastructure Protection Plan.  2006.
http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm
SSP Update - Water Sector                 July 1, 2008

-------
                   Table 2. Cross Reference of Updates to May 2007 SSP
SSP Section
1.
2.
3.
4.
5.
6.
7.
8.
Sector Profile and Goals
Identify Assets, Systems, Networks, and
Functions
Assess Risks
Prioritize Infrastructure
Implementing Protective Programs
Measure Progress
CIKR Protection Research and Development
Managing and Coordinating SSA
Responsibilities
SSP Update
No Update
No Update
See Section 5, Goal 2 for updates on risk
assessment methodologies
No Update
Updates provided for key efforts under each of
the four SSP goals
Update provided for sector-specific metrics
No Update
No Update
To prepare the sector for a secure future, the WSCC is setting an actionable path forward that
addresses critical needs and gaps. Their commitment has helped to launch a strategic planning
effort that will improve how limited resources are allocated to maximize benefits for utility
members.  In particular, the WSCC seeks to identify and document the "bottom line" security
needs of Water Sector utilities and use this information to guide efforts that can deliver those
needs or remove obstacles to satisfying those needs.

The WSCC identified key trends, drivers, and high-level security needs of the Water Sector
during a WSCC Strategic Planning Session held February 12, 2008 in Washington, DC. To
develop a more comprehensive plan, the WSCC conducted a second workshop on May 13,
2008. The workshop was designed to identify the challenges to achieving the SSP goals and
objectives  and  determine the most urgent security needs of the sector. The WSCC is currently
finalizing a report of the May 13 meeting which will lay out the key challenges, needs, and
priority activities identified and discussed by session participants.
                                  July 1,2008
SSP Update - Water Sector

-------
Update to Section 5 - Implementing Protective Programs

5.1.2  Description of Example Protective Programs

The Water Sector's goals and objectives provide the framework to develop and implement
protective programs that help to realize a more secure and resilient sector against all hazards.
The Water Sector has identified strategic goals for improving its security posture. During this
review/update, we have identified the following new or changes to existing programs/protection
efforts to ensure our sector meets these  goals.

Goal 1: Sustain Protection of Public Health and the Environment

Water Security Initiative

In response to Goal  1 and to Homeland Security Presidential Directive 9 (HSPD-9), the EPA
initiated its Water Security Initiative in Fiscal Year (FY) 2006. The overall goal of this initiative is
to design and demonstrate an effective contamination warning system for timely detection and
appropriate response to drinking water contamination threats and incidents that will have broad
application to the nation's drinking water utilities.

The first Water Security Initiative pilot was initiated in FY2006. The full deployment of the
monitoring and surveillance equipment and development of a consequence management plan
for this pilot were completed in July 2007. A draft plan to evaluate the operation, performance,
and sustainability of the pilot is under development in conjunction with stakeholders. EPA
intends to deploy up to four additional drinking water contamination warning system pilots
through cooperative agreements with local governments. EPA initiated deployment of the 2nd
and 3rd pilots in spring 2008, and work on the 4th and 5th  pilots is expected to begin in fall  2008.
FY 2009-2011 will entail deploying, calibrating, and operating the pilot contaminant warning
systems, as well as conducting thorough evaluations of each pilot. EPA will then issue practical
guidance and conduct outreach to promote voluntary national adoption of effective and
sustainable drinking water contamination warning systems.

The EPA published an interim guidance document in May 2007, which is intended to assist
water utilities with implementing a contamination warning system, including site assessment,
system engineering, component design,  consequence management, communications, and  data
management3. Further, the EPA has drafted two additional interim guidance documents that are
currently undergoing stakeholder review. Interim Guidance on Developing an Operational
Strategy will assist water utilities with defining routine operational  procedures for the monitoring
and surveillance components of a contamination warning system; Interim Guidance on
Developing a Consequence Management Plan will assist water utilities with establishing a
detailed plan for responding to possible contamination events. The Agency anticipates
publishing both of these documents in the summer of 2008. In addition to guidance documents,
the Agency has been conducting outreach to educate drinking water stakeholders about the
Water Security Initiative.
3 U.S. EPA.  Water Security Initiative: Interim Guidance on Planning for Contamination Warning System
Deployment. EPA-817-R-07-002.  May 2007.
http://www.epa.gov/safewater/watersecu rity/pubs/guide_watersecurity_securityinitiative_interimplanningp
df.pdf
SSP Update - Water Sector                 July 1, 2008

-------
Water Laboratory Alliance

The EPA will address an additional requirement under HSPD-9 to enhance the security of
drinking water utilities through development of a laboratory network, known as the Water
Laboratory Alliance (WLA). The purpose of the WLA is to provide the Water Sector with an
integrated nationwide network of laboratories with the analytical capabilities and capacity to
support monitoring and surveillance, response, and remediation. The EPA is working to
establish a nationwide network of Federal, State, local, and commercial laboratories capable of
analyzing drinking water for chemical, biological, and radiological contaminants resulting from
terrorist attacks, other intentional acts, natural disasters, and other hazards. The Centers for
Disease Control and Prevention (CDC) is a critical partner in this effort given the potential
leveraging opportunities with  CDC's existing Laboratory Response Network (LRN). In the first
step towards building the WLA, the EPA and its partners have established Regional Laboratory
Response Plans (RLRPs) in all ten EPA Regions. The plans provide each region with a
structure for joint response by laboratories (consisting of EPA regional and state public
health/environmental laboratories as well as the larger drinking water utility laboratories) within
the region. These plans will be consolidated into a nationwide response plan that will be used as
the foundation of the WLA. During FY 2008, each plan will undergo functional exercises using
live samples to test the effectiveness of each plan, to enhance coordination among member
laboratories, and to identify additional systems and mechanisms needed to improve sample
transport, data transfer, and analytical support during a drinking water contamination event.
Figure 1 shows the status of the functional exercises that will be  used to evaluate and optimize
the RLRPs.
       | Exercises Scheduled

       ] Exercises Completed
              Figure 1. Status of Functional Exercises for RLRP as of June 2008
                                   July 1,2008
SSP Update - Water Sector

-------
Active and Effective Protective Program

To further support protection of public health and the environment, WSCC and GCC members
worked with EPA to update the features of an active and effective protective program (see
discussion under Section 6 about metrics working group). The Water Sector revised the
features to reflect an all-hazards approach as well as to align them with the SSP goals and
objectives. Many utilities will  be able to adopt some of the features with minimal, if any, capital
investment. EPA, in collaboration with its sector security partners, will continue the ongoing
promotion, use, and adoption of these features within the Water Sector.

The current 10 features of an active and effective security program for Water Sector utilities are
as follows:

   1.  Encourage awareness and integration of a comprehensive protective posture into daily
       business operations to foster a protective culture throughout the organization and ensure
       continuity of utility services.

   2.  Annually identify protective program priorities and resources needed; support priorities
       with utility-specific measures and self-assess using these measures to understand and
       document program progress.

   3.  Employ  protocols for  detection of contamination while recognizing limitations in current
       contaminant detection, monitoring, and public health surveillance methods.

   4.  Assess risks and periodically review (and update) vulnerability assessments to reflect
       changes in potential threats, vulnerabilities, and consequences.

   5.  Establish physical and procedural controls to restrict access to  only authorized
       individuals and to detect unauthorized physical and cyber intrusions.

   6.  Incorporate protective program considerations into procurement, repair,  maintenance,
       and replacement of physical infrastructure decisions.

   7.  Prepare emergency response, recovery, and business continuity plan(s); test and review
       plan(s) regularly, update plan(s) as necessary to ensure NIMS  compliance and to reflect
       changes in potential threats, vulnerabilities, consequences, physical  infrastructure, utility
       operations, critical interdependencies, and response protocols in partner organizations.

   8.  Forge reliable and collaborative partnerships with first responders, managers of critical
       interdependent infrastructure, other utilities, and response organizations to maintain a
       resilient  infrastructure.

   9.  Develop and implement strategies for regular, ongoing communication about protective
       programs with employees, customers, and the general public to increase overall
       awareness and preparedness for response to an incident.

   10. Monitor  incidents and available threat-level  information; escalate procedures in response
       to relevant threats and incidents.
SSP Update - Water Sector                  July 1, 2008

-------
Goal 2: Recognize and Reduce Risks in the Water Sector

Risk Assessment Methodologies

In support of Goal 2, EPA, DHS, and its security partners will continue to encourage and
participate in the conduct of risk assessments in the sector. Drinking water and wastewater
utilities performed risk assessments based on several methodologies developed by sector
security partners. Risk assessment tools such as the Risk Assessment Methodology - Water
(RAM-W) and Vulnerability Self-Assessment Tool (VSAT) have been developed to facilitate
utility risk assessments, thereby enabling targeted risk reduction efforts across the sector. The
Security and Environmental Management System (SEMS) software program was developed by
the National Rural Water Association (NRWA) and is based on a self-assessment guide for
drinking water systems serving populations of between 3,300 and 10,000.

The Water Sector is currently in the process of examining these existing risk assessment
methodologies relative to DHS's NIPP baseline criteria for risk assessment methodologies (e.g.,
Risk Analysis and Management for Critical Asset Protection [RAMCAP] process). The Sector is
developing an approach to effectively make RAMCAP-consistent risk assessment tools
operational for water system owners and operators.  The recommendation of the WSCC is that
all three tools (RAM-W, VSAT and SEMS) be operationalized under the RAMCAP framework,
as described in Chapter 4 of the SSP, to expedite the integration of risk assessment processes
as defined in the NIPP and advance the sector's progress in supporting the  primary objective in
Goal 2. EPA and DHS are considering the WSCC's recommendation to develop RAMCAP
consistent, automated versions of all three tools and will  continue to work with the WSCC  to
enhance the risk assessment process for the sector.

The WSCC has also developed the following Voluntary Risk Management Framework to help
prioritize the water utility evaluation. This approach is consistent with the NIPP, SSP, other
Sector efforts and ongoing efforts to enhance the security posture of the Sector.  The Water
Sector is very diverse in type, scope and scale of operations, thus risk analysis processes must
be applied consistently and equitably across the sector to ensure that the primary risks are the
first to be treated  with mitigation controls.

The conduct of risk assessments in the sector is recommended as best practice and is
fundamental to the Sector Risk Management Performance Metrics effort recently concluded by
the WSCC and the GCC. The Water Sector should utilize both qualified and quantified risk
assessment processes to measure risk to an asset or system,  prioritize investments and efforts
to mitigate risk and to track risk management performance vs.  investment over time.  Due to the
diversity in scale of operations in the sector, qualified risk screening should be conducted  to
determine the appropriate level of rigor that should be applied to an assessment thus matching
the desired detail of the assessment to  the front-side qualified risk screening. The application of
Tier criteria will allow a utility owner/operator to  quickly assess the qualified risks to their water
system and determine the level of risk assessment to conduct.  This process is derived  from
and consistent with the RAMCAP top-level screening process. The Tier framework and criteria
below represent the WSCC RAMCAP working group's recommendations.

The following types of impact potential,  as recommended by the WSCC, should be taken into
consideration when conducting risk assessments: Loss of life, economic impact, psychological
effect/continuity of government, and critical customers. These impact categories were assessed
by the working group and the following  scenarios were found to be the minimum set that should
                                  July 1, 2008                 SSP Update - Water Sector

-------
be considered in order to prioritize risks to the customers and communities served by a water
system as well as the regional economy.

Loss of Life

   •   Fatalities resulting from product contamination or the release of hazardous chemicals
       from treatment facilities

Economic Impact

   •   Direct impact to the utility from physical damage to assets, lost revenue, liability and
       fines

   •   Indirect impact to the regional economy from service interruption

Psychological Effect / Continuity of Government

   •   Service interruption or product contamination that results in public health concerns and
       first responder service degradation (fire pressure) to the extent that mass evacuations
       are likely or required

Critical Customers

   •   Prolonged service interruption to Tier 1&2 assets in other CIKR sectors, such as but not
       limited to Health  Care Sector assets, Critical Commercial Services Sector venues, or
       National Icons

Table 3 shows the WSCC proposed tiers  for the voluntary  risk management framework. These
impact categories were assessed by the working group as the minimum that should be
considered to prioritize risks to the customers and communities served by a water system as
well as the regional economy.  The tier is  determined by the highest single criteria threshold.
EPA, DHS, and the GCC are considering the WSCC's proposed tiers for the risk management
framework and will continue to work with the WSCC on this issue.

              Table 3. WSCC Proposed Tiers for Risk Management Framework
Criterion
Population Served
(retail + wholesale)
On-site Gaseous
Chlorine Storage
(average daily
volume stored)
Economic Impact
(regional impact, not
including value of
statistical life)
Critical Customers
Served
Tierl
>1 million
>40 tons
>$100 billion
Federal
Government
Defined
Tier 2
25,000-999,999
20-39 tons
$5-$99.9 billion
Federal
Government
Defined
TierS
3,300-24,999
1-1 9 tons
$100 million-$4.9 billion
Two or more of the following:
• Level 1 Trauma
• Venue that hold 1 0K +
• National Icons
• Key DoD facilities
• Key Defense Industrial
Base (DIB) asset
Tier 4
<3,300
<1 ton
<$100 million
Not applicable
SSP Update - Water Sector
July 1,2008

-------
Cyber Security Roadmap

The Cyber Security Roadmap4 was developed by the Cyber Security Working Group of the
WSCC. The Roadmap is a unified security strategy to mitigate the risks associated with cyber
systems. It provides a 10-year broad-based plan for improving security preparedness,
resilience, and response/recovery of industrial control systems. The plan is divided into goals,
milestones, and activities over the near (0-1 year),  mid (1-3 years), and long term (3-10 years).
The four main goals are:

   1. Developing and deploying control system security programs

   2. Assessing risk

   3. Developing and implementing risk mitigation measures

   4. Improving partnership and outreach.

In support of attaining these goals, the Roadmap lists milestones. Selected near-term
milestones include: isolating control systems from public switched networks and developing a
cyber response protocol template. Selected mid-term milestones include: developing an
operator control system security training program and adopting best practices for cyber security
in the Water Sector. Selected long-term  milestones include: integrating the Roadmap with the
Water SSP and establishing life cycle investment and framework for cyber security. The
Roadmap has also  prescribed activities necessary to attain both the goals and milestones. DHS
and Idaho National  Laboratory (INL), in 2007, completed development of a control systems
cyber security self-assessment tool (CS2SAT) for use by Water Sector utilities in collaboration
with the Water Environment Research Foundation (WERF) and AWWA Research Foundation
(AwwaRF).  Discussions are currently underway to  integrate the use of the above tool with the
national  recommended Roadmap implementation efforts to maximize  the impact of cyber
security self-awareness among the utilities.

Goal 3: Maintain a Resilient Infrastructure

WaterAA/astewater Agency Response Networks

The Water Sector's professional associations, State primacy agencies, and EPA have  been
promoting a more resilient Water Sector. One approach the Water Sector has taken towards
Water Sector resiliency includes the establishment of mutual aid and assistance agreements
between utilities under the Water/Wastewater Agency Response Network  (WARN) framework.
A WARN is a network of "Utilities Helping Utilities" respond to and recover from emergencies.
The WARN initiative also supports a key priority outlined in both the National Incident
Management System  (NIMS)  and the National Preparedness  Goal.

The purpose of a WARN is to provide a method  in which water/wastewater utilities that have
sustained or anticipate damages from natural or manmade incidents can receive emergency aid
and assistance in the form of personnel, equipment, materials, and other associated services as
necessary from other water/wastewater  utilities.  The objective is to provide rapid, short-term
4 WSCC. Roadmap to Secure Control Systems in the Water Sector.  Sponsored by AWWA and DHS.
March 2008. http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf
                                  July 1, 2008                 SSP Update - Water Sector

-------
deployment of emergency services to restore the critical operations of the affected
water/wastewater utility. The backbone of the WARN concept is the mutual aid and assistance
agreement where provisions for network activation, reimbursement, liability and other issues are
mutually agreed upon by participating utilities. Participation is voluntary; there is no obligation to
respond, and there is no direct cost to become a member of the network. WARNs include both
public and private drinking water and wastewater systems.

The WARN framework provides a forum for establishing and maintaining emergency contacts,
providing expedited access to specialized Water Sector resources needed to respond to and
recovery from emergencies that disrupt  water/wastewater services, and facilitating training that
specifically focuses on the exchange of  resources during an emergency. Events such as 9/11,
the 1994 Northridge earthquake, the 1997 Red River flood, and more recently, Hurricanes
Katrina and Rita, identified a need for water and wastewater utilities to create intrastate mutual
aid and assistance programs.
The tremendous progress of this initiative is shown on Figure 2 below. While it does receive
support nationwide, the initiative owes its success to the proactive, bottom-up ownership of
utilities that have recognized the need to develop additional preparedness capabilities and to
help ensure the overall resiliency of the communities they serve. Currently, utilities in 29 states
have signed agreements that follow the WARN model and utilities in all 50 states have been
provided the opportunity to participate in a series of workshops conducted by the American
Water Works Association (AWWA) under a grant provided by EPA. A Web site,
http://www.NationalWARN.org, has been established to share information on WARN, including
the current status of each program and contact information for each WARN Chair.
                    Figure 2. Status of WARN programs as of June 2008
' www.NationalWARN.org
                                                                    Agreement
                                                                     Signed
                                                                    Agreement
                                                                     Pending
                                                                     Steering
                                                                    Committee
                                                                    Workshop
                                                                    2006/07/08
SSP Update - Water Sector
July 1,2008

-------
The AWWA published a Resource Typing Manual6 to provide guidance to water and wastewater
utilities when they request and provide resources during an emergency. The Resource Typing
Manual follows the resource typing guidance issued by FEMA in March 20077, which provides
categorized, capability based  resource descriptions to ensure a consistent meaning to mutual
aid resource requests.

In the near future, the Water Sector will:

   •   Continue to develop WARN outreach materials and facilitate meetings, workshops,
       training sessions, conference calls, webcasts, and other communications

   •   Continue to provide administrative and technical support to assist in formation of new
       WARNs

   •   Expand the online repository of WARN information located on EPA and Water Sector
       association Web sites

   •   Provide an analysis of the economic benefits  and cost savings from joining a WARN

   •   Develop tabletop exercise materials and facilitate tabletop exercises

   •   Provide information on how to develop a Mutual Aid and Assistance Operational Plan,
       which provides more detailed information than the initial agreement on how to implement
       and manage the WARN program

As the development of intrastate mutual aid and assistance networks expands, the Water
Sector will continue to pursue mechanisms to share mutual aid and assistance across state
lines if local and statewide mutual aid and assistance resources are overwhelmed. Integration of
WARNs with interstate mutual aid and assistance networks, such as the Emergency
Management Assistance Compact (EMAC), will be evaluated. In collaboration with EMAC, EPA
published the EMAC Tips for the Water Sector fact sheet, which provides information on how
the Water Sector can use EMAC for interstate mutual aid and assistance. Additional analysis
will be undertaken to determine if the  intrastate WARN  agreements can be modified to  allow
mutual aid and assistance to be provided across state lines.

Training and Exercises

Also, EPA and  national Water Sector  associations have developed tools and extensive training
programs to help utilities enhance their emergency response preparedness and communicate
with local first-responders and public health providers during an incident response. EPA is
providing training on the Incident Command System (ICS) and  NIMS, which will enable
personnel to operate efficiently during an incident or event and assist the Water Sector with
NIMS compliance. ICS and NIMS are national standards used across the country for emergency
management and are used by the Water Sector's first response partners. An owner/operator's
6 AWWA. Water and Wastewater Mutual Aid and Assistance Resource Typing Manual. April 2008.
http://www.awwa.org/files/WARN/AWWA%20Resource%20Typing%20Manual%20Final%20-
%20April%202%2C%202008.pdf
7 FEMA. National Resource Typing Criteria. March 2007.
http://www.fema.gov/pdf/emergency/nims/ng_0001.pdf
10                                July 1,2008                 SSP Update - Water Sector

-------
ability to respond and coordinate a response with its partners will be greatly enhanced by this
training. In addition to the ICS and NIMS training, EPA also is providing emergency response
training to wastewater treatment systems and their community partners. The Emergency
Response to Threats of Contamination of Public Wastewater Systems training provides
information  and procedures to guide wastewater treatment systems when responding to a
contamination incident or threat. It addresses who to notify, what actions to take, how to
evaluate a threat, how to collect and analyze samples, how to communicate with the  public and
how to recover from an incident. The training is being held nationwide and will be followed by
the release  of a companion guidance document, The Wastewater Response Protocol Toolbox -
Planning for and Responding to Wastewater Contamination Incidents and Threats.

EPA, states, and national Water Sector associations continue to conduct tabletop exercises
using  EPA's Emergency Response Tabletop Exercises for Drinking Water and Wastewater
Systems CD-ROM that was published in 2005. During FY08,  this training tool will be  updated to
include additional scenarios and to make the materials compliant with DHS's Homeland Security
Exercise and Evaluation Program (HSEEP). These exercises bring together first response
partners in order to practice plans and procedures including how utilities will communicate and
coordinate with their first response partners.

National Response Framework

EPA, states, and national Water Sector associations provided comments and participated in
workgroups as part of DHS's efforts to update the National Response Plan (NRP),  now called
the National Response Framework (NRF), and NIMS. Wthin  the NRF, EPA has significant
support agency Water Sector roles and  responsibilities under Emergency Support  Function #3
(ESF#3) and the Critical Infrastructure and Key Resource Annex. To  better coordinate its
activities under ESF#3, the Agency has worked and will continue to work closely with the U.S.
Army Corps of Engineers and FEMA to  better define each agency's responsibilities and develop
procedures and mechanisms for activating and deploying EPA responders. To further enhance
EPA's capability to respond to water related incidents, the Agency is also is conducting water
emergency  response training in FY08 for EPA's On-Scene Coordinators, Criminal  Investigation
and Homeland Security Special Agents, and regional water team personnel. The Agency also
participates in national emergency response exercises in coordination with EPA, Federal, State,
local, WARN, and WaterlSAC partners.

Business Continuity with the Water Sector

An additional component of maintaining a resilient infrastructure is having a business continuity
plan (BCP)  in place. BCP is a risk management strategy or methodology that includes a variety
of utility operations plans that may be specifically tailored to certain operating condition, but
collectively define or characterize how a utility will continue critical business functions during
and after various incidents. Business continuity planning provides the basis for resiliency of a
utility's essential functions and critical resources, including key personnel  and financial
resources as well as the flexibility to  adapt human resources  policies  to meet the changing
needs of employees. The AWWA currently is in the process of providing updated guidance on
the development of business continuity plans for the Water Sector and is sponsoring  two-day
seminars in a series of modules that presents a step-by-step  approach to developing the core
elements of a BCP for a utility. In addition, as a standards development organization, AWWA is
currently in the process of drafting an Emergency Preparedness Standard for the Water Sector
in the context of National Fire Protection Association (NFPA 1600) relative to the specific
SSP Update - Water Sector                 July 1, 2008                                 11

-------
operational needs of the Water Sector. This standard is being developed under the American
National Standards Institute (ANSI) procedures for voluntary consensus-based standards.

Interdependencies

The Water Environment Federation (WEF), under a cooperative agreement with DHS' Federal
Emergency Management Agency (FEMA), is providing a cross-sector emergency response
training program for Water Sector utilities. The primary objective of this training is to assist
Water Sector utilities in building sustained, resilient local and regional partnerships across other
CIKR sectors. These partnerships will align closely with the National Preparedness Framework
and with other federal, state, and local guidelines in an effort to provide a comprehensive,
consistent response to all hazards and reduce impacts and recovery times.

The data substantiating the  need to address Water Sector interdependencies is noteworthy as
approximately 54,000 publicly owned community water systems (CWS) and 16,000 publicly
owned treatment works (POTWs) (Water Sector utilities) provide critical services to
communities, including ensuring a  safe potable water supply and the availability of water
resources that can support recreation, fishing, and agriculture. Additionally these utilities provide
services essential to other sectors  during emergency response efforts, including providing an
adequate water supply for fire protection as well as services essential to the recovery of areas
impacted by natural disasters or terrorist events.

While the Water Sector has made significant improvements in the area of security and
emergency response prior to, and particularly since,  the events of September 11, 2001, many
utilities still lack coherent local and regional partnerships across multiple sectors in order to
prepare for, and effectively respond to, manmade threats and natural disasters. Building on
accomplishments from both inside and outside the Water Sector, this training program will
leverage expertise from and provide information to Water Sector utility executives, as well as
key leaders in other sectors, on existing resources related to Water Sector interdependencies.
Course materials for the national cross-sector training series will include a brief overview of the
critical  infrastructures interdependencies with the Water Sector, as well as a tabletop exercise
that will highlight Water Sector interdependencies.

Recently, EPA and the Chicago  Manufacturing Center's Great Lakes Partnership Program
launched the Chicago/and Water and Wastewater Preparedness and Business Resiliency Pilot,
which focused on understanding the interdependencies of critical infrastructures and how an
interruption in the Water Sector would impact business resiliency and the economic viability of
the broader community.

Pandemic Planning

EPA will assist DHS in planning  a Sector-Specific Pandemic Influenza Workshop in 2008. EPA
will also support the Department of Health  and Human Services by providing Water Sector input
on pandemic vaccine and antiviral  prioritization guidance. EPA will continue to support these
and other efforts to prepare and  assist the  nation's drinking water and wastewater systems in
maintaining operations in the event of an avian or pandemic influenza outbreak.

Decontamination Strategy

The Water Sector is in the process of developing a strategy to guide future decontamination
activities for the sector. The Water Sector established a Critical Infrastructure Protection
12                                 July 1,2008                  SSP Update - Water Sector

-------
Advisory Council (CIPAC) Water Sector Decontamination Working Group to develop a 3-5-year
decontamination strategy. The strategy responds to the Water Sector's needs for information,
tools, and resources enabling the timely recovery and "return to service"  of utility operations
from all hazards contamination incidents and supporting other decontamination-related issues. It
will address a range of contamination scenarios related to the type of system (drinking water,
wastewater), type of contaminant (chemical, biological,  radiological), type of media (including
water, infrastructure and equipment used to store and treat, distribution and collection systems,
household plumbing, and environmental media), type of incident (natural or manmade,
accidental or intentional), and extent of contamination (concentrations, spatial and temporal
variations). Expected to be completed in the summer of 2008, the strategy will also help meet
requirements for EPA under HSPD-10, which charges EPA with developing strategies,
guidelines, and plans for decontamination.

Goal 4:  Increase Communication. Outreach, and Public Confidence

NIPP Partnership Model

In support of Goal 4, EPA and its Water Sector security partners are committed to implementing
the NIPP Partnership Model. The WSCC and GCC, established under this model, were
established in 2004 and 2005, respectively. The WSCC and GCC meet three to four times per
year to engage in information sharing and address  an array of communication and
programmatic issues.

WaterlSAC

WaterlSAC is the Water Sector's Information Sharing and Analysis Center. Designed for
utilities, by utilities, WaterlSAC is an effective information sharing mechanism that serves as a
liaison between the sector's public and private security partners, WaterlSAC provides America's
drinking water and wastewater utilities with  secure risk,  threat, and security information on all-
hazard incidents and events, including physical attacks, contamination, cyber threats, and
natural disasters. Managed by the Association of Metropolitan Water Agencies  (AMWA), the
WaterlSAC is an independent entity able to secure data from unauthorized disclosure.
WaterlSAC is funded in part through an EPA grant  and  subscriber fees.
SSP Update - Water Sector                 July 1, 2008                                13

-------

-------
Update to Section 6 - Measure Progress

6.1    CIKR Performance Measurement

To further support protection of public health and the environment, the WSCC and the GCC,
chaired by EPA, formed a joint CIPAC Metrics Workgroup to develop sector-specific security
and preparedness metrics. The metrics, which are voluntary, are based on the NIPP and the
Water SSP and designed to help evaluate progress made towards the goals and objectives set
forth by the sector.

As part of their final report, the CIPAC Metrics Workgroup recommended to the WSCC that the
voluntary national measures for utilities should be collected by a third party (i.e., other than EPA
or DHS).  The WSCC identified the WaterlSAC as the preferred third party for the secure
collection and aggregation of utility measures data.

WaterlSAC will be developing a reporting tool that includes a series of questions for utilities that
correspond to the national measures. The main access portal to the reporting  questions will be
located on the WaterlSAC Web site. Data will be collected from utilities and stored in a secure
database. A PIN code system will be used to protect utility identity, but allow for quality control
of the data submitted.

The Workgroup recommendations prescribed focusing initial data collection on a subset of
"core" metrics, with the remaining measures proposed for optional, utility self-assessment
purposes. The self-assessment measures will  be available for utility internal use through the
WaterlSAC, but will not be connected to national reporting.

The reporting tool will also use a  series of data aggregation  protocols, governing how the
collected data may be aggregated and reported nationally to other interested parties, including
EPA and DHS. The data aggregation protocols will be designed to ensure that the identity of
individual utilities cannot be revealed through the combination  of data (such as by combining
utility size and state locator data).

As a benefit for utilities who voluntarily report on the core measures, the Workgroup proposed
that utility participants who submit data be automatically enrolled in the basic WaterlSAC
service. The Workgroup believed this benefit will be a valuable incentive to improve participation
rates. This benefit would be renewed annually for participants  in subsequent reporting cycles.

Initial outreach will focus on acquiring data from small, medium, and large size systems.
WaterlSAC will promote the survey questions to utilities in conjunction with other Water Sector
associations, such as AMWA, AWWA, NACWA, NRWA, and WEF.

Initial data collection will take place in 2008, with a report on the data available by no later than
the end of the year.
SSP Update - Water Sector                 July 1, 2008                                 15

-------

-------
List of Acronyms
AMWA
ANSI
AWWA
BCP
CDC
CIKR
CIPAC
CS2SAT
CWS
DHS
EMAC
ESF
EPA
FEMA
FY
GCC
HSEEP
HSPD
ICS
INL
NACWA
LRN
NFPA
NIMS
NRF
NRP
NRWA
PIN
POTW
RAMCAP
RAM-W
RLRP
SEMS
SSP
NIPP
VSAT
WARN
WaterlSAC
WEF
WSCC
WSI
Association of Metropolitan Water Agencies
American National Standards Institute
American Water Works Association
Business Continuity Plan
U.S. Centers for Disease Control and Prevention
Critical Infrastructure and Key Resources
Critical Infrastructure Partnership Advisory Council
Control Systems Cyber Security Self-Assessment Tool
Community Water System
U.S. Department of Homeland Security
Emergency Management Assistance Compact
Emergency Support Function
U.S. Environmental Protection Agency
Federal Emergency Management Agency
Fiscal Year
Government Coordinating Council
Homeland Security Exercise and Evaluation Program
Homeland Security Presidential Directive
Incident Command System
Idaho National Laboratory
National  Association of Clean Water Agencies
Laboratory Response Network
National  Fire Protection Association
National  Incident Management System
National  Response Framework
National  Response Plan
National  Rural Water Association
Personal  Identification Number
Publicly Owned Treatment Works
Risk Analysis and  Management for Critical Asset Protection
Risk Assessment Methodology - Water
Regional  Laboratory Response Plan
Security  and Environmental Management System
Sector-Specific  Plan
National  Infrastructure Protection Plan
Vulnerability Self-Assessment Tool
Water/Wastewater Agency Response Network
Water Information Sharing and Analysis Center
Water Environment Federation
Water Sector Coordinating Council
Water Security Initiative
SSP Update - Water Sector
                    July 1,2008
17

-------

-------

-------

-------