2008 Annual Update to the Water Sector-Specific Plan ------- Office of Water (460 8 T) EPA817-K-08-002 July 2008 www. epa.gov/ safewater ------- Table of Contents Introduction 1 Update to Section 5 - Implementing Protective Programs 3 5.1.2 Description of Example Protective Programs 3 Goal 1 -Sustain Protection of Public Health and the Environment 3 Goal 2 - Recognize and Reduce Risks in the Water Sector 6 Goal 3-Maintain a Resilient Infrastructure 8 Goal 4: Increase Communication, Outreach, and Public Confidence 13 Update to Section 6 - Measure Progress 15 6.1 CIKR Performance Measurement 15 List of Acronyms 17 SSP Update - Water Sector July 1, 2008 ------- ------- 2008 Annual Update to the Water Sector-Specific Plan Introduction This report provides an update to the Water Critical Infrastructure and Key Resources (CIKR) Sector-Specific Plan (SSP)1, as input to the National Infrastructure Protection Plan (NIPP)2. This update, based on guidance issued by the U.S. Department of Homeland Security (DHS), provides a summary of advances in the processes set out in the SSP and the achievement of milestones. It is intended to inform Water Sector partners, stakeholders, and Federal, State, local governments, tribes, and other interested parties about updates to key CIKR protection efforts in the Water Sector. The U.S. Environmental Protection Agency (EPA) prepared this update in collaboration with the Water Sector Coordinating Council (WSCC) and the Government Coordinating Council (GCC), two critical vehicles that were established under the NIPP to provide a focal point of interaction respectively with the water industry and other Federal and State partners. The Water SSP provides an overview of the Water Sector and describes the vision statement and four goals for the Sector (see Table 1). In addition, it describes the protective programs, measures, and research and development ongoing in the sector. Since the Water SSP was published in May 2007, the Water Sector has continued to enhance CIKR protection from all hazards. This SSP update addresses several of the key activities that have been underway since that time, and is organized to be used as a cross reference to the SSP (see Table 2). As shown in Table 2, SSP Sections 5 and 6 are being updated. This update is not intended to address every change within the Water Sector since May 2007, but rather to highlight key efforts. In accordance with the NIPP, the Water Sector will evaluate the status of the SSP on an annual basis. Table 1. Water Sector Security Vision Statement and Security Goals Water Sector Security Vision Statement The Water Sector's Security Vision is a secure and resilient drinking water and wastewater infrastructure that provides clean and safe water as an integral part of daily life. This Vision assures the economic vitality of and public confidence in the Nation's drinking water and wastewater through a layered defense of effective preparedness and security practices in the sector. Sector Goal Goal 1 Goal 2 Goal 3 Goal 4 Sustain protection of public health and the environment Recognize and reduce risks in the Water Sector Maintain a resilient infrastructure Increase communication, outreach, and public confidence Source: SSP for the Water Sector. May 2007 1 U.S. DHS and U.S. EPA. Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan. May 2007. (http://www.epa.gov/safewater/watersecurity/pubs/plan_secu rity_watersectorspecificplan.pdf) 2 U.S. DHS. National Infrastructure Protection Plan. 2006. http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm SSP Update - Water Sector July 1, 2008 ------- Table 2. Cross Reference of Updates to May 2007 SSP SSP Section 1. 2. 3. 4. 5. 6. 7. 8. Sector Profile and Goals Identify Assets, Systems, Networks, and Functions Assess Risks Prioritize Infrastructure Implementing Protective Programs Measure Progress CIKR Protection Research and Development Managing and Coordinating SSA Responsibilities SSP Update No Update No Update See Section 5, Goal 2 for updates on risk assessment methodologies No Update Updates provided for key efforts under each of the four SSP goals Update provided for sector-specific metrics No Update No Update To prepare the sector for a secure future, the WSCC is setting an actionable path forward that addresses critical needs and gaps. Their commitment has helped to launch a strategic planning effort that will improve how limited resources are allocated to maximize benefits for utility members. In particular, the WSCC seeks to identify and document the "bottom line" security needs of Water Sector utilities and use this information to guide efforts that can deliver those needs or remove obstacles to satisfying those needs. The WSCC identified key trends, drivers, and high-level security needs of the Water Sector during a WSCC Strategic Planning Session held February 12, 2008 in Washington, DC. To develop a more comprehensive plan, the WSCC conducted a second workshop on May 13, 2008. The workshop was designed to identify the challenges to achieving the SSP goals and objectives and determine the most urgent security needs of the sector. The WSCC is currently finalizing a report of the May 13 meeting which will lay out the key challenges, needs, and priority activities identified and discussed by session participants. July 1,2008 SSP Update - Water Sector ------- Update to Section 5 - Implementing Protective Programs 5.1.2 Description of Example Protective Programs The Water Sector's goals and objectives provide the framework to develop and implement protective programs that help to realize a more secure and resilient sector against all hazards. The Water Sector has identified strategic goals for improving its security posture. During this review/update, we have identified the following new or changes to existing programs/protection efforts to ensure our sector meets these goals. Goal 1: Sustain Protection of Public Health and the Environment Water Security Initiative In response to Goal 1 and to Homeland Security Presidential Directive 9 (HSPD-9), the EPA initiated its Water Security Initiative in Fiscal Year (FY) 2006. The overall goal of this initiative is to design and demonstrate an effective contamination warning system for timely detection and appropriate response to drinking water contamination threats and incidents that will have broad application to the nation's drinking water utilities. The first Water Security Initiative pilot was initiated in FY2006. The full deployment of the monitoring and surveillance equipment and development of a consequence management plan for this pilot were completed in July 2007. A draft plan to evaluate the operation, performance, and sustainability of the pilot is under development in conjunction with stakeholders. EPA intends to deploy up to four additional drinking water contamination warning system pilots through cooperative agreements with local governments. EPA initiated deployment of the 2nd and 3rd pilots in spring 2008, and work on the 4th and 5th pilots is expected to begin in fall 2008. FY 2009-2011 will entail deploying, calibrating, and operating the pilot contaminant warning systems, as well as conducting thorough evaluations of each pilot. EPA will then issue practical guidance and conduct outreach to promote voluntary national adoption of effective and sustainable drinking water contamination warning systems. The EPA published an interim guidance document in May 2007, which is intended to assist water utilities with implementing a contamination warning system, including site assessment, system engineering, component design, consequence management, communications, and data management3. Further, the EPA has drafted two additional interim guidance documents that are currently undergoing stakeholder review. Interim Guidance on Developing an Operational Strategy will assist water utilities with defining routine operational procedures for the monitoring and surveillance components of a contamination warning system; Interim Guidance on Developing a Consequence Management Plan will assist water utilities with establishing a detailed plan for responding to possible contamination events. The Agency anticipates publishing both of these documents in the summer of 2008. In addition to guidance documents, the Agency has been conducting outreach to educate drinking water stakeholders about the Water Security Initiative. 3 U.S. EPA. Water Security Initiative: Interim Guidance on Planning for Contamination Warning System Deployment. EPA-817-R-07-002. May 2007. http://www.epa.gov/safewater/watersecu rity/pubs/guide_watersecurity_securityinitiative_interimplanningp df.pdf SSP Update - Water Sector July 1, 2008 ------- Water Laboratory Alliance The EPA will address an additional requirement under HSPD-9 to enhance the security of drinking water utilities through development of a laboratory network, known as the Water Laboratory Alliance (WLA). The purpose of the WLA is to provide the Water Sector with an integrated nationwide network of laboratories with the analytical capabilities and capacity to support monitoring and surveillance, response, and remediation. The EPA is working to establish a nationwide network of Federal, State, local, and commercial laboratories capable of analyzing drinking water for chemical, biological, and radiological contaminants resulting from terrorist attacks, other intentional acts, natural disasters, and other hazards. The Centers for Disease Control and Prevention (CDC) is a critical partner in this effort given the potential leveraging opportunities with CDC's existing Laboratory Response Network (LRN). In the first step towards building the WLA, the EPA and its partners have established Regional Laboratory Response Plans (RLRPs) in all ten EPA Regions. The plans provide each region with a structure for joint response by laboratories (consisting of EPA regional and state public health/environmental laboratories as well as the larger drinking water utility laboratories) within the region. These plans will be consolidated into a nationwide response plan that will be used as the foundation of the WLA. During FY 2008, each plan will undergo functional exercises using live samples to test the effectiveness of each plan, to enhance coordination among member laboratories, and to identify additional systems and mechanisms needed to improve sample transport, data transfer, and analytical support during a drinking water contamination event. Figure 1 shows the status of the functional exercises that will be used to evaluate and optimize the RLRPs. | Exercises Scheduled ] Exercises Completed Figure 1. Status of Functional Exercises for RLRP as of June 2008 July 1,2008 SSP Update - Water Sector ------- Active and Effective Protective Program To further support protection of public health and the environment, WSCC and GCC members worked with EPA to update the features of an active and effective protective program (see discussion under Section 6 about metrics working group). The Water Sector revised the features to reflect an all-hazards approach as well as to align them with the SSP goals and objectives. Many utilities will be able to adopt some of the features with minimal, if any, capital investment. EPA, in collaboration with its sector security partners, will continue the ongoing promotion, use, and adoption of these features within the Water Sector. The current 10 features of an active and effective security program for Water Sector utilities are as follows: 1. Encourage awareness and integration of a comprehensive protective posture into daily business operations to foster a protective culture throughout the organization and ensure continuity of utility services. 2. Annually identify protective program priorities and resources needed; support priorities with utility-specific measures and self-assess using these measures to understand and document program progress. 3. Employ protocols for detection of contamination while recognizing limitations in current contaminant detection, monitoring, and public health surveillance methods. 4. Assess risks and periodically review (and update) vulnerability assessments to reflect changes in potential threats, vulnerabilities, and consequences. 5. Establish physical and procedural controls to restrict access to only authorized individuals and to detect unauthorized physical and cyber intrusions. 6. Incorporate protective program considerations into procurement, repair, maintenance, and replacement of physical infrastructure decisions. 7. Prepare emergency response, recovery, and business continuity plan(s); test and review plan(s) regularly, update plan(s) as necessary to ensure NIMS compliance and to reflect changes in potential threats, vulnerabilities, consequences, physical infrastructure, utility operations, critical interdependencies, and response protocols in partner organizations. 8. Forge reliable and collaborative partnerships with first responders, managers of critical interdependent infrastructure, other utilities, and response organizations to maintain a resilient infrastructure. 9. Develop and implement strategies for regular, ongoing communication about protective programs with employees, customers, and the general public to increase overall awareness and preparedness for response to an incident. 10. Monitor incidents and available threat-level information; escalate procedures in response to relevant threats and incidents. SSP Update - Water Sector July 1, 2008 ------- Goal 2: Recognize and Reduce Risks in the Water Sector Risk Assessment Methodologies In support of Goal 2, EPA, DHS, and its security partners will continue to encourage and participate in the conduct of risk assessments in the sector. Drinking water and wastewater utilities performed risk assessments based on several methodologies developed by sector security partners. Risk assessment tools such as the Risk Assessment Methodology - Water (RAM-W) and Vulnerability Self-Assessment Tool (VSAT) have been developed to facilitate utility risk assessments, thereby enabling targeted risk reduction efforts across the sector. The Security and Environmental Management System (SEMS) software program was developed by the National Rural Water Association (NRWA) and is based on a self-assessment guide for drinking water systems serving populations of between 3,300 and 10,000. The Water Sector is currently in the process of examining these existing risk assessment methodologies relative to DHS's NIPP baseline criteria for risk assessment methodologies (e.g., Risk Analysis and Management for Critical Asset Protection [RAMCAP] process). The Sector is developing an approach to effectively make RAMCAP-consistent risk assessment tools operational for water system owners and operators. The recommendation of the WSCC is that all three tools (RAM-W, VSAT and SEMS) be operationalized under the RAMCAP framework, as described in Chapter 4 of the SSP, to expedite the integration of risk assessment processes as defined in the NIPP and advance the sector's progress in supporting the primary objective in Goal 2. EPA and DHS are considering the WSCC's recommendation to develop RAMCAP consistent, automated versions of all three tools and will continue to work with the WSCC to enhance the risk assessment process for the sector. The WSCC has also developed the following Voluntary Risk Management Framework to help prioritize the water utility evaluation. This approach is consistent with the NIPP, SSP, other Sector efforts and ongoing efforts to enhance the security posture of the Sector. The Water Sector is very diverse in type, scope and scale of operations, thus risk analysis processes must be applied consistently and equitably across the sector to ensure that the primary risks are the first to be treated with mitigation controls. The conduct of risk assessments in the sector is recommended as best practice and is fundamental to the Sector Risk Management Performance Metrics effort recently concluded by the WSCC and the GCC. The Water Sector should utilize both qualified and quantified risk assessment processes to measure risk to an asset or system, prioritize investments and efforts to mitigate risk and to track risk management performance vs. investment over time. Due to the diversity in scale of operations in the sector, qualified risk screening should be conducted to determine the appropriate level of rigor that should be applied to an assessment thus matching the desired detail of the assessment to the front-side qualified risk screening. The application of Tier criteria will allow a utility owner/operator to quickly assess the qualified risks to their water system and determine the level of risk assessment to conduct. This process is derived from and consistent with the RAMCAP top-level screening process. The Tier framework and criteria below represent the WSCC RAMCAP working group's recommendations. The following types of impact potential, as recommended by the WSCC, should be taken into consideration when conducting risk assessments: Loss of life, economic impact, psychological effect/continuity of government, and critical customers. These impact categories were assessed by the working group and the following scenarios were found to be the minimum set that should July 1, 2008 SSP Update - Water Sector ------- be considered in order to prioritize risks to the customers and communities served by a water system as well as the regional economy. Loss of Life • Fatalities resulting from product contamination or the release of hazardous chemicals from treatment facilities Economic Impact • Direct impact to the utility from physical damage to assets, lost revenue, liability and fines • Indirect impact to the regional economy from service interruption Psychological Effect / Continuity of Government • Service interruption or product contamination that results in public health concerns and first responder service degradation (fire pressure) to the extent that mass evacuations are likely or required Critical Customers • Prolonged service interruption to Tier 1&2 assets in other CIKR sectors, such as but not limited to Health Care Sector assets, Critical Commercial Services Sector venues, or National Icons Table 3 shows the WSCC proposed tiers for the voluntary risk management framework. These impact categories were assessed by the working group as the minimum that should be considered to prioritize risks to the customers and communities served by a water system as well as the regional economy. The tier is determined by the highest single criteria threshold. EPA, DHS, and the GCC are considering the WSCC's proposed tiers for the risk management framework and will continue to work with the WSCC on this issue. Table 3. WSCC Proposed Tiers for Risk Management Framework Criterion Population Served (retail + wholesale) On-site Gaseous Chlorine Storage (average daily volume stored) Economic Impact (regional impact, not including value of statistical life) Critical Customers Served Tierl >1 million >40 tons >$100 billion Federal Government Defined Tier 2 25,000-999,999 20-39 tons $5-$99.9 billion Federal Government Defined TierS 3,300-24,999 1-1 9 tons $100 million-$4.9 billion Two or more of the following: • Level 1 Trauma • Venue that hold 1 0K + • National Icons • Key DoD facilities • Key Defense Industrial Base (DIB) asset Tier 4 <3,300 <1 ton <$100 million Not applicable SSP Update - Water Sector July 1,2008 ------- Cyber Security Roadmap The Cyber Security Roadmap4 was developed by the Cyber Security Working Group of the WSCC. The Roadmap is a unified security strategy to mitigate the risks associated with cyber systems. It provides a 10-year broad-based plan for improving security preparedness, resilience, and response/recovery of industrial control systems. The plan is divided into goals, milestones, and activities over the near (0-1 year), mid (1-3 years), and long term (3-10 years). The four main goals are: 1. Developing and deploying control system security programs 2. Assessing risk 3. Developing and implementing risk mitigation measures 4. Improving partnership and outreach. In support of attaining these goals, the Roadmap lists milestones. Selected near-term milestones include: isolating control systems from public switched networks and developing a cyber response protocol template. Selected mid-term milestones include: developing an operator control system security training program and adopting best practices for cyber security in the Water Sector. Selected long-term milestones include: integrating the Roadmap with the Water SSP and establishing life cycle investment and framework for cyber security. The Roadmap has also prescribed activities necessary to attain both the goals and milestones. DHS and Idaho National Laboratory (INL), in 2007, completed development of a control systems cyber security self-assessment tool (CS2SAT) for use by Water Sector utilities in collaboration with the Water Environment Research Foundation (WERF) and AWWA Research Foundation (AwwaRF). Discussions are currently underway to integrate the use of the above tool with the national recommended Roadmap implementation efforts to maximize the impact of cyber security self-awareness among the utilities. Goal 3: Maintain a Resilient Infrastructure WaterAA/astewater Agency Response Networks The Water Sector's professional associations, State primacy agencies, and EPA have been promoting a more resilient Water Sector. One approach the Water Sector has taken towards Water Sector resiliency includes the establishment of mutual aid and assistance agreements between utilities under the Water/Wastewater Agency Response Network (WARN) framework. A WARN is a network of "Utilities Helping Utilities" respond to and recover from emergencies. The WARN initiative also supports a key priority outlined in both the National Incident Management System (NIMS) and the National Preparedness Goal. The purpose of a WARN is to provide a method in which water/wastewater utilities that have sustained or anticipate damages from natural or manmade incidents can receive emergency aid and assistance in the form of personnel, equipment, materials, and other associated services as necessary from other water/wastewater utilities. The objective is to provide rapid, short-term 4 WSCC. Roadmap to Secure Control Systems in the Water Sector. Sponsored by AWWA and DHS. March 2008. http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf July 1, 2008 SSP Update - Water Sector ------- deployment of emergency services to restore the critical operations of the affected water/wastewater utility. The backbone of the WARN concept is the mutual aid and assistance agreement where provisions for network activation, reimbursement, liability and other issues are mutually agreed upon by participating utilities. Participation is voluntary; there is no obligation to respond, and there is no direct cost to become a member of the network. WARNs include both public and private drinking water and wastewater systems. The WARN framework provides a forum for establishing and maintaining emergency contacts, providing expedited access to specialized Water Sector resources needed to respond to and recovery from emergencies that disrupt water/wastewater services, and facilitating training that specifically focuses on the exchange of resources during an emergency. Events such as 9/11, the 1994 Northridge earthquake, the 1997 Red River flood, and more recently, Hurricanes Katrina and Rita, identified a need for water and wastewater utilities to create intrastate mutual aid and assistance programs. The tremendous progress of this initiative is shown on Figure 2 below. While it does receive support nationwide, the initiative owes its success to the proactive, bottom-up ownership of utilities that have recognized the need to develop additional preparedness capabilities and to help ensure the overall resiliency of the communities they serve. Currently, utilities in 29 states have signed agreements that follow the WARN model and utilities in all 50 states have been provided the opportunity to participate in a series of workshops conducted by the American Water Works Association (AWWA) under a grant provided by EPA. A Web site, http://www.NationalWARN.org, has been established to share information on WARN, including the current status of each program and contact information for each WARN Chair. Figure 2. Status of WARN programs as of June 2008 ' www.NationalWARN.org Agreement Signed Agreement Pending Steering Committee Workshop 2006/07/08 SSP Update - Water Sector July 1,2008 ------- The AWWA published a Resource Typing Manual6 to provide guidance to water and wastewater utilities when they request and provide resources during an emergency. The Resource Typing Manual follows the resource typing guidance issued by FEMA in March 20077, which provides categorized, capability based resource descriptions to ensure a consistent meaning to mutual aid resource requests. In the near future, the Water Sector will: • Continue to develop WARN outreach materials and facilitate meetings, workshops, training sessions, conference calls, webcasts, and other communications • Continue to provide administrative and technical support to assist in formation of new WARNs • Expand the online repository of WARN information located on EPA and Water Sector association Web sites • Provide an analysis of the economic benefits and cost savings from joining a WARN • Develop tabletop exercise materials and facilitate tabletop exercises • Provide information on how to develop a Mutual Aid and Assistance Operational Plan, which provides more detailed information than the initial agreement on how to implement and manage the WARN program As the development of intrastate mutual aid and assistance networks expands, the Water Sector will continue to pursue mechanisms to share mutual aid and assistance across state lines if local and statewide mutual aid and assistance resources are overwhelmed. Integration of WARNs with interstate mutual aid and assistance networks, such as the Emergency Management Assistance Compact (EMAC), will be evaluated. In collaboration with EMAC, EPA published the EMAC Tips for the Water Sector fact sheet, which provides information on how the Water Sector can use EMAC for interstate mutual aid and assistance. Additional analysis will be undertaken to determine if the intrastate WARN agreements can be modified to allow mutual aid and assistance to be provided across state lines. Training and Exercises Also, EPA and national Water Sector associations have developed tools and extensive training programs to help utilities enhance their emergency response preparedness and communicate with local first-responders and public health providers during an incident response. EPA is providing training on the Incident Command System (ICS) and NIMS, which will enable personnel to operate efficiently during an incident or event and assist the Water Sector with NIMS compliance. ICS and NIMS are national standards used across the country for emergency management and are used by the Water Sector's first response partners. An owner/operator's 6 AWWA. Water and Wastewater Mutual Aid and Assistance Resource Typing Manual. April 2008. http://www.awwa.org/files/WARN/AWWA%20Resource%20Typing%20Manual%20Final%20- %20April%202%2C%202008.pdf 7 FEMA. National Resource Typing Criteria. March 2007. http://www.fema.gov/pdf/emergency/nims/ng_0001.pdf 10 July 1,2008 SSP Update - Water Sector ------- ability to respond and coordinate a response with its partners will be greatly enhanced by this training. In addition to the ICS and NIMS training, EPA also is providing emergency response training to wastewater treatment systems and their community partners. The Emergency Response to Threats of Contamination of Public Wastewater Systems training provides information and procedures to guide wastewater treatment systems when responding to a contamination incident or threat. It addresses who to notify, what actions to take, how to evaluate a threat, how to collect and analyze samples, how to communicate with the public and how to recover from an incident. The training is being held nationwide and will be followed by the release of a companion guidance document, The Wastewater Response Protocol Toolbox - Planning for and Responding to Wastewater Contamination Incidents and Threats. EPA, states, and national Water Sector associations continue to conduct tabletop exercises using EPA's Emergency Response Tabletop Exercises for Drinking Water and Wastewater Systems CD-ROM that was published in 2005. During FY08, this training tool will be updated to include additional scenarios and to make the materials compliant with DHS's Homeland Security Exercise and Evaluation Program (HSEEP). These exercises bring together first response partners in order to practice plans and procedures including how utilities will communicate and coordinate with their first response partners. National Response Framework EPA, states, and national Water Sector associations provided comments and participated in workgroups as part of DHS's efforts to update the National Response Plan (NRP), now called the National Response Framework (NRF), and NIMS. Wthin the NRF, EPA has significant support agency Water Sector roles and responsibilities under Emergency Support Function #3 (ESF#3) and the Critical Infrastructure and Key Resource Annex. To better coordinate its activities under ESF#3, the Agency has worked and will continue to work closely with the U.S. Army Corps of Engineers and FEMA to better define each agency's responsibilities and develop procedures and mechanisms for activating and deploying EPA responders. To further enhance EPA's capability to respond to water related incidents, the Agency is also is conducting water emergency response training in FY08 for EPA's On-Scene Coordinators, Criminal Investigation and Homeland Security Special Agents, and regional water team personnel. The Agency also participates in national emergency response exercises in coordination with EPA, Federal, State, local, WARN, and WaterlSAC partners. Business Continuity with the Water Sector An additional component of maintaining a resilient infrastructure is having a business continuity plan (BCP) in place. BCP is a risk management strategy or methodology that includes a variety of utility operations plans that may be specifically tailored to certain operating condition, but collectively define or characterize how a utility will continue critical business functions during and after various incidents. Business continuity planning provides the basis for resiliency of a utility's essential functions and critical resources, including key personnel and financial resources as well as the flexibility to adapt human resources policies to meet the changing needs of employees. The AWWA currently is in the process of providing updated guidance on the development of business continuity plans for the Water Sector and is sponsoring two-day seminars in a series of modules that presents a step-by-step approach to developing the core elements of a BCP for a utility. In addition, as a standards development organization, AWWA is currently in the process of drafting an Emergency Preparedness Standard for the Water Sector in the context of National Fire Protection Association (NFPA 1600) relative to the specific SSP Update - Water Sector July 1, 2008 11 ------- operational needs of the Water Sector. This standard is being developed under the American National Standards Institute (ANSI) procedures for voluntary consensus-based standards. Interdependencies The Water Environment Federation (WEF), under a cooperative agreement with DHS' Federal Emergency Management Agency (FEMA), is providing a cross-sector emergency response training program for Water Sector utilities. The primary objective of this training is to assist Water Sector utilities in building sustained, resilient local and regional partnerships across other CIKR sectors. These partnerships will align closely with the National Preparedness Framework and with other federal, state, and local guidelines in an effort to provide a comprehensive, consistent response to all hazards and reduce impacts and recovery times. The data substantiating the need to address Water Sector interdependencies is noteworthy as approximately 54,000 publicly owned community water systems (CWS) and 16,000 publicly owned treatment works (POTWs) (Water Sector utilities) provide critical services to communities, including ensuring a safe potable water supply and the availability of water resources that can support recreation, fishing, and agriculture. Additionally these utilities provide services essential to other sectors during emergency response efforts, including providing an adequate water supply for fire protection as well as services essential to the recovery of areas impacted by natural disasters or terrorist events. While the Water Sector has made significant improvements in the area of security and emergency response prior to, and particularly since, the events of September 11, 2001, many utilities still lack coherent local and regional partnerships across multiple sectors in order to prepare for, and effectively respond to, manmade threats and natural disasters. Building on accomplishments from both inside and outside the Water Sector, this training program will leverage expertise from and provide information to Water Sector utility executives, as well as key leaders in other sectors, on existing resources related to Water Sector interdependencies. Course materials for the national cross-sector training series will include a brief overview of the critical infrastructures interdependencies with the Water Sector, as well as a tabletop exercise that will highlight Water Sector interdependencies. Recently, EPA and the Chicago Manufacturing Center's Great Lakes Partnership Program launched the Chicago/and Water and Wastewater Preparedness and Business Resiliency Pilot, which focused on understanding the interdependencies of critical infrastructures and how an interruption in the Water Sector would impact business resiliency and the economic viability of the broader community. Pandemic Planning EPA will assist DHS in planning a Sector-Specific Pandemic Influenza Workshop in 2008. EPA will also support the Department of Health and Human Services by providing Water Sector input on pandemic vaccine and antiviral prioritization guidance. EPA will continue to support these and other efforts to prepare and assist the nation's drinking water and wastewater systems in maintaining operations in the event of an avian or pandemic influenza outbreak. Decontamination Strategy The Water Sector is in the process of developing a strategy to guide future decontamination activities for the sector. The Water Sector established a Critical Infrastructure Protection 12 July 1,2008 SSP Update - Water Sector ------- Advisory Council (CIPAC) Water Sector Decontamination Working Group to develop a 3-5-year decontamination strategy. The strategy responds to the Water Sector's needs for information, tools, and resources enabling the timely recovery and "return to service" of utility operations from all hazards contamination incidents and supporting other decontamination-related issues. It will address a range of contamination scenarios related to the type of system (drinking water, wastewater), type of contaminant (chemical, biological, radiological), type of media (including water, infrastructure and equipment used to store and treat, distribution and collection systems, household plumbing, and environmental media), type of incident (natural or manmade, accidental or intentional), and extent of contamination (concentrations, spatial and temporal variations). Expected to be completed in the summer of 2008, the strategy will also help meet requirements for EPA under HSPD-10, which charges EPA with developing strategies, guidelines, and plans for decontamination. Goal 4: Increase Communication. Outreach, and Public Confidence NIPP Partnership Model In support of Goal 4, EPA and its Water Sector security partners are committed to implementing the NIPP Partnership Model. The WSCC and GCC, established under this model, were established in 2004 and 2005, respectively. The WSCC and GCC meet three to four times per year to engage in information sharing and address an array of communication and programmatic issues. WaterlSAC WaterlSAC is the Water Sector's Information Sharing and Analysis Center. Designed for utilities, by utilities, WaterlSAC is an effective information sharing mechanism that serves as a liaison between the sector's public and private security partners, WaterlSAC provides America's drinking water and wastewater utilities with secure risk, threat, and security information on all- hazard incidents and events, including physical attacks, contamination, cyber threats, and natural disasters. Managed by the Association of Metropolitan Water Agencies (AMWA), the WaterlSAC is an independent entity able to secure data from unauthorized disclosure. WaterlSAC is funded in part through an EPA grant and subscriber fees. SSP Update - Water Sector July 1, 2008 13 ------- ------- Update to Section 6 - Measure Progress 6.1 CIKR Performance Measurement To further support protection of public health and the environment, the WSCC and the GCC, chaired by EPA, formed a joint CIPAC Metrics Workgroup to develop sector-specific security and preparedness metrics. The metrics, which are voluntary, are based on the NIPP and the Water SSP and designed to help evaluate progress made towards the goals and objectives set forth by the sector. As part of their final report, the CIPAC Metrics Workgroup recommended to the WSCC that the voluntary national measures for utilities should be collected by a third party (i.e., other than EPA or DHS). The WSCC identified the WaterlSAC as the preferred third party for the secure collection and aggregation of utility measures data. WaterlSAC will be developing a reporting tool that includes a series of questions for utilities that correspond to the national measures. The main access portal to the reporting questions will be located on the WaterlSAC Web site. Data will be collected from utilities and stored in a secure database. A PIN code system will be used to protect utility identity, but allow for quality control of the data submitted. The Workgroup recommendations prescribed focusing initial data collection on a subset of "core" metrics, with the remaining measures proposed for optional, utility self-assessment purposes. The self-assessment measures will be available for utility internal use through the WaterlSAC, but will not be connected to national reporting. The reporting tool will also use a series of data aggregation protocols, governing how the collected data may be aggregated and reported nationally to other interested parties, including EPA and DHS. The data aggregation protocols will be designed to ensure that the identity of individual utilities cannot be revealed through the combination of data (such as by combining utility size and state locator data). As a benefit for utilities who voluntarily report on the core measures, the Workgroup proposed that utility participants who submit data be automatically enrolled in the basic WaterlSAC service. The Workgroup believed this benefit will be a valuable incentive to improve participation rates. This benefit would be renewed annually for participants in subsequent reporting cycles. Initial outreach will focus on acquiring data from small, medium, and large size systems. WaterlSAC will promote the survey questions to utilities in conjunction with other Water Sector associations, such as AMWA, AWWA, NACWA, NRWA, and WEF. Initial data collection will take place in 2008, with a report on the data available by no later than the end of the year. SSP Update - Water Sector July 1, 2008 15 ------- ------- List of Acronyms AMWA ANSI AWWA BCP CDC CIKR CIPAC CS2SAT CWS DHS EMAC ESF EPA FEMA FY GCC HSEEP HSPD ICS INL NACWA LRN NFPA NIMS NRF NRP NRWA PIN POTW RAMCAP RAM-W RLRP SEMS SSP NIPP VSAT WARN WaterlSAC WEF WSCC WSI Association of Metropolitan Water Agencies American National Standards Institute American Water Works Association Business Continuity Plan U.S. Centers for Disease Control and Prevention Critical Infrastructure and Key Resources Critical Infrastructure Partnership Advisory Council Control Systems Cyber Security Self-Assessment Tool Community Water System U.S. Department of Homeland Security Emergency Management Assistance Compact Emergency Support Function U.S. Environmental Protection Agency Federal Emergency Management Agency Fiscal Year Government Coordinating Council Homeland Security Exercise and Evaluation Program Homeland Security Presidential Directive Incident Command System Idaho National Laboratory National Association of Clean Water Agencies Laboratory Response Network National Fire Protection Association National Incident Management System National Response Framework National Response Plan National Rural Water Association Personal Identification Number Publicly Owned Treatment Works Risk Analysis and Management for Critical Asset Protection Risk Assessment Methodology - Water Regional Laboratory Response Plan Security and Environmental Management System Sector-Specific Plan National Infrastructure Protection Plan Vulnerability Self-Assessment Tool Water/Wastewater Agency Response Network Water Information Sharing and Analysis Center Water Environment Federation Water Sector Coordinating Council Water Security Initiative SSP Update - Water Sector July 1,2008 17 ------- ------- ------- ------- |