2008 Annual Update to the
Water Sector-Specific Plan
-------�
Office of Water (460 8 T)
EPA817-K-08-002
July 2008
www. epa.gov/ safewater
-------�
Table of Contents
Introduction 1
Update to Section 5 - Implementing Protective Programs 3
5.1.2 Description of Example Protective Programs 3
Goal 1 -Sustain Protection of Public Health and the Environment 3
Goal 2 - Recognize and Reduce Risks in the Water Sector 6
Goal 3-Maintain a Resilient Infrastructure 8
Goal 4: Increase Communication, Outreach, and Public Confidence 13
Update to Section 6 - Measure Progress 15
6.1 CIKR Performance Measurement 15
List of Acronyms 17
SSP Update - Water Sector July 1, 2008
-------�
-------�
2008 Annual Update
to the Water Sector-Specific Plan
Introduction
This report provides an update to the Water Critical Infrastructure and Key Resources (CIKR)
Sector-Specific Plan (SSP)1, as input to the National Infrastructure Protection Plan (NIPP)2. This
update, based on guidance issued by the U.S. Department of Homeland Security (DHS),
provides a summary of advances in the processes set out in the SSP and the achievement of
milestones. It is intended to inform Water Sector partners, stakeholders, and Federal, State,
local governments, tribes, and other interested parties about updates to key CIKR protection
efforts in the Water Sector. The U.S. Environmental Protection Agency (EPA) prepared this
update in collaboration with the Water Sector Coordinating Council (WSCC) and the
Government Coordinating Council (GCC), two critical vehicles that were established under the
NIPP to provide a focal point of interaction respectively with the water industry and other
Federal and State partners.
The Water SSP provides an overview of the Water Sector and describes the vision statement
and four goals for the Sector (see Table 1). In addition, it describes the protective programs,
measures, and research and development ongoing in the sector. Since the Water SSP was
published in May 2007, the Water Sector has continued to enhance CIKR protection from all
hazards. This SSP update addresses several of the key activities that have been underway
since that time, and is organized to be used as a cross reference to the SSP (see Table 2). As
shown in Table 2, SSP Sections 5 and 6 are being updated. This update is not intended to
address every change within the Water Sector since May 2007, but rather to highlight key
efforts. In accordance with the NIPP, the Water Sector will evaluate the status of the SSP on an
annual basis.
Table 1. Water Sector Security Vision Statement and Security Goals
Water Sector Security Vision
Statement
The Water Sector's Security Vision is a secure and resilient drinking
water and wastewater infrastructure that provides clean and safe
water as an integral part of daily life. This Vision assures the
economic vitality of and public confidence in the Nation's drinking
water and wastewater through a layered defense of effective
preparedness and security practices in the sector.
Sector Goal
Goal 1
Goal 2
Goal 3
Goal 4
Sustain protection of public health and the environment
Recognize and reduce risks in the Water Sector
Maintain a resilient infrastructure
Increase communication, outreach, and public confidence
Source: SSP for the Water Sector. May 2007
1 U.S. DHS and U.S. EPA. Water Critical Infrastructure and Key Resources Sector-Specific Plan as input
to the National Infrastructure Protection Plan. May 2007.
(http://www.epa.gov/safewater/watersecurity/pubs/plan_secu rity_watersectorspecificplan.pdf)
2 U.S. DHS. National Infrastructure Protection Plan. 2006.
http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm
SSP Update - Water Sector July 1, 2008
-------�
Table 2. Cross Reference of Updates to May 2007 SSP
SSP Section
1.
2.
3.
4.
5.
6.
7.
8.
Sector Profile and Goals
Identify Assets, Systems, Networks, and
Functions
Assess Risks
Prioritize Infrastructure
Implementing Protective Programs
Measure Progress
CIKR Protection Research and Development
Managing and Coordinating SSA
Responsibilities
SSP Update
No Update
No Update
See Section 5, Goal 2 for updates on risk
assessment methodologies
No Update
Updates provided for key efforts under each of
the four SSP goals
Update provided for sector-specific metrics
No Update
No Update
To prepare the sector for a secure future, the WSCC is setting an actionable path forward that
addresses critical needs and gaps. Their commitment has helped to launch a strategic planning
effort that will improve how limited resources are allocated to maximize benefits for utility
members. In particular, the WSCC seeks to identify and document the "bottom line" security
needs of Water Sector utilities and use this information to guide efforts that can deliver those
needs or remove obstacles to satisfying those needs.
The WSCC identified key trends, drivers, and high-level security needs of the Water Sector
during a WSCC Strategic Planning Session held February 12, 2008 in Washington, DC. To
develop a more comprehensive plan, the WSCC conducted a second workshop on May 13,
2008. The workshop was designed to identify the challenges to achieving the SSP goals and
objectives and determine the most urgent security needs of the sector. The WSCC is currently
finalizing a report of the May 13 meeting which will lay out the key challenges, needs, and
priority activities identified and discussed by session participants.
July 1,2008
SSP Update - Water Sector
-------�
Update to Section 5 - Implementing Protective Programs
5.1.2 Description of Example Protective Programs
The Water Sector's goals and objectives provide the framework to develop and implement
protective programs that help to realize a more secure and resilient sector against all hazards.
The Water Sector has identified strategic goals for improving its security posture. During this
review/update, we have identified the following new or changes to existing programs/protection
efforts to ensure our sector meets these goals.
Goal 1: Sustain Protection of Public Health and the Environment
Water Security Initiative
In response to Goal 1 and to Homeland Security Presidential Directive 9 (HSPD-9), the EPA
initiated its Water Security Initiative in Fiscal Year (FY) 2006. The overall goal of this initiative is
to design and demonstrate an effective contamination warning system for timely detection and
appropriate response to drinking water contamination threats and incidents that will have broad
application to the nation's drinking water utilities.
The first Water Security Initiative pilot was initiated in FY2006. The full deployment of the
monitoring and surveillance equipment and development of a consequence management plan
for this pilot were completed in July 2007. A draft plan to evaluate the operation, performance,
and sustainability of the pilot is under development in conjunction with stakeholders. EPA
intends to deploy up to four additional drinking water contamination warning system pilots
through cooperative agreements with local governments. EPA initiated deployment of the 2nd
and 3rd pilots in spring 2008, and work on the 4th and 5th pilots is expected to begin in fall 2008.
FY 2009-2011 will entail deploying, calibrating, and operating the pilot contaminant warning
systems, as well as conducting thorough evaluations of each pilot. EPA will then issue practical
guidance and conduct outreach to promote voluntary national adoption of effective and
sustainable drinking water contamination warning systems.
The EPA published an interim guidance document in May 2007, which is intended to assist
water utilities with implementing a contamination warning system, including site assessment,
system engineering, component design, consequence management, communications, and data
management3. Further, the EPA has drafted two additional interim guidance documents that are
currently undergoing stakeholder review. Interim Guidance on Developing an Operational
Strategy will assist water utilities with defining routine operational procedures for the monitoring
and surveillance components of a contamination warning system; Interim Guidance on
Developing a Consequence Management Plan will assist water utilities with establishing a
detailed plan for responding to possible contamination events. The Agency anticipates
publishing both of these documents in the summer of 2008. In addition to guidance documents,
the Agency has been conducting outreach to educate drinking water stakeholders about the
Water Security Initiative.
3 U.S. EPA. Water Security Initiative: Interim Guidance on Planning for Contamination Warning System
Deployment. EPA-817-R-07-002. May 2007.
http://www.epa.gov/safewater/watersecu rity/pubs/guide_watersecurity_securityinitiative_interimplanningp
df.pdf
SSP Update - Water Sector July 1, 2008
-------�
Water Laboratory Alliance
The EPA will address an additional requirement under HSPD-9 to enhance the security of
drinking water utilities through development of a laboratory network, known as the Water
Laboratory Alliance (WLA). The purpose of the WLA is to provide the Water Sector with an
integrated nationwide network of laboratories with the analytical capabilities and capacity to
support monitoring and surveillance, response, and remediation. The EPA is working to
establish a nationwide network of Federal, State, local, and commercial laboratories capable of
analyzing drinking water for chemical, biological, and radiological contaminants resulting from
terrorist attacks, other intentional acts, natural disasters, and other hazards. The Centers for
Disease Control and Prevention (CDC) is a critical partner in this effort given the potential
leveraging opportunities with CDC's existing Laboratory Response Network (LRN). In the first
step towards building the WLA, the EPA and its partners have established Regional Laboratory
Response Plans (RLRPs) in all ten EPA Regions. The plans provide each region with a
structure for joint response by laboratories (consisting of EPA regional and state public
health/environmental laboratories as well as the larger drinking water utility laboratories) within
the region. These plans will be consolidated into a nationwide response plan that will be used as
the foundation of the WLA. During FY 2008, each plan will undergo functional exercises using
live samples to test the effectiveness of each plan, to enhance coordination among member
laboratories, and to identify additional systems and mechanisms needed to improve sample
transport, data transfer, and analytical support during a drinking water contamination event.
Figure 1 shows the status of the functional exercises that will be used to evaluate and optimize
the RLRPs.
| Exercises Scheduled
] Exercises Completed
Figure 1. Status of Functional Exercises for RLRP as of June 2008
July 1,2008
SSP Update - Water Sector
-------�
Active and Effective Protective Program
To further support protection of public health and the environment, WSCC and GCC members
worked with EPA to update the features of an active and effective protective program (see
discussion under Section 6 about metrics working group). The Water Sector revised the
features to reflect an all-hazards approach as well as to align them with the SSP goals and
objectives. Many utilities will be able to adopt some of the features with minimal, if any, capital
investment. EPA, in collaboration with its sector security partners, will continue the ongoing
promotion, use, and adoption of these features within the Water Sector.
The current 10 features of an active and effective security program for Water Sector utilities are
as follows:
1. Encourage awareness and integration of a comprehensive protective posture into daily
business operations to foster a protective culture throughout the organization and ensure
continuity of utility services.
2. Annually identify protective program priorities and resources needed; support priorities
with utility-specific measures and self-assess using these measures to understand and
document program progress.
3. Employ protocols for detection of contamination while recognizing limitations in current
contaminant detection, monitoring, and public health surveillance methods.
4. Assess risks and periodically review (and update) vulnerability assessments to reflect
changes in potential threats, vulnerabilities, and consequences.
5. Establish physical and procedural controls to restrict access to only authorized
individuals and to detect unauthorized physical and cyber intrusions.
6. Incorporate protective program considerations into procurement, repair, maintenance,
and replacement of physical infrastructure decisions.
7. Prepare emergency response, recovery, and business continuity plan(s); test and review
plan(s) regularly, update plan(s) as necessary to ensure NIMS compliance and to reflect
changes in potential threats, vulnerabilities, consequences, physical infrastructure, utility
operations, critical interdependencies, and response protocols in partner organizations.
8. Forge reliable and collaborative partnerships with first responders, managers of critical
interdependent infrastructure, other utilities, and response organizations to maintain a
resilient infrastructure.
9. Develop and implement strategies for regular, ongoing communication about protective
programs with employees, customers, and the general public to increase overall
awareness and preparedness for response to an incident.
10. Monitor incidents and available threat-level information; escalate procedures in response
to relevant threats and incidents.
SSP Update - Water Sector July 1, 2008
-------�
Goal 2: Recognize and Reduce Risks in the Water Sector
Risk Assessment Methodologies
In support of Goal 2, EPA, DHS, and its security partners will continue to encourage and
participate in the conduct of risk assessments in the sector. Drinking water and wastewater
utilities performed risk assessments based on several methodologies developed by sector
security partners. Risk assessment tools such as the Risk Assessment Methodology - Water
(RAM-W) and Vulnerability Self-Assessment Tool (VSAT) have been developed to facilitate
utility risk assessments, thereby enabling targeted risk reduction efforts across the sector. The
Security and Environmental Management System (SEMS) software program was developed by
the National Rural Water Association (NRWA) and is based on a self-assessment guide for
drinking water systems serving populations of between 3,300 and 10,000.
The Water Sector is currently in the process of examining these existing risk assessment
methodologies relative to DHS's NIPP baseline criteria for risk assessment methodologies (e.g.,
Risk Analysis and Management for Critical Asset Protection [RAMCAP] process). The Sector is
developing an approach to effectively make RAMCAP-consistent risk assessment tools
operational for water system owners and operators. The recommendation of the WSCC is that
all three tools (RAM-W, VSAT and SEMS) be operationalized under the RAMCAP framework,
as described in Chapter 4 of the SSP, to expedite the integration of risk assessment processes
as defined in the NIPP and advance the sector's progress in supporting the primary objective in
Goal 2. EPA and DHS are considering the WSCC's recommendation to develop RAMCAP
consistent, automated versions of all three tools and will continue to work with the WSCC to
enhance the risk assessment process for the sector.
The WSCC has also developed the following Voluntary Risk Management Framework to help
prioritize the water utility evaluation. This approach is consistent with the NIPP, SSP, other
Sector efforts and ongoing efforts to enhance the security posture of the Sector. The Water
Sector is very diverse in type, scope and scale of operations, thus risk analysis processes must
be applied consistently and equitably across the sector to ensure that the primary risks are the
first to be treated with mitigation controls.
The conduct of risk assessments in the sector is recommended as best practice and is
fundamental to the Sector Risk Management Performance Metrics effort recently concluded by
the WSCC and the GCC. The Water Sector should utilize both qualified and quantified risk
assessment processes to measure risk to an asset or system, prioritize investments and efforts
to mitigate risk and to track risk management performance vs. investment over time. Due to the
diversity in scale of operations in the sector, qualified risk screening should be conducted to
determine the appropriate level of rigor that should be applied to an assessment thus matching
the desired detail of the assessment to the front-side qualified risk screening. The application of
Tier criteria will allow a utility owner/operator to quickly assess the qualified risks to their water
system and determine the level of risk assessment to conduct. This process is derived from
and consistent with the RAMCAP top-level screening process. The Tier framework and criteria
below represent the WSCC RAMCAP working group's recommendations.
The following types of impact potential, as recommended by the WSCC, should be taken into
consideration when conducting risk assessments: Loss of life, economic impact, psychological
effect/continuity of government, and critical customers. These impact categories were assessed
by the working group and the following scenarios were found to be the minimum set that should
July 1, 2008 SSP Update - Water Sector
-------�
be considered in order to prioritize risks to the customers and communities served by a water
system as well as the regional economy.
Loss of Life
• Fatalities resulting from product contamination or the release of hazardous chemicals
from treatment facilities
Economic Impact
• Direct impact to the utility from physical damage to assets, lost revenue, liability and
fines
• Indirect impact to the regional economy from service interruption
Psychological Effect / Continuity of Government
• Service interruption or product contamination that results in public health concerns and
first responder service degradation (fire pressure) to the extent that mass evacuations
are likely or required
Critical Customers
• Prolonged service interruption to Tier 1&2 assets in other CIKR sectors, such as but not
limited to Health Care Sector assets, Critical Commercial Services Sector venues, or
National Icons
Table 3 shows the WSCC proposed tiers for the voluntary risk management framework. These
impact categories were assessed by the working group as the minimum that should be
considered to prioritize risks to the customers and communities served by a water system as
well as the regional economy. The tier is determined by the highest single criteria threshold.
EPA, DHS, and the GCC are considering the WSCC's proposed tiers for the risk management
framework and will continue to work with the WSCC on this issue.
Table 3. WSCC Proposed Tiers for Risk Management Framework
Criterion
Population Served
(retail + wholesale)
On-site Gaseous
Chlorine Storage
(average daily
volume stored)
Economic Impact
(regional impact, not
including value of
statistical life)
Critical Customers
Served
Tierl
>1 million
>40 tons
>$100 billion
Federal
Government
Defined
Tier 2
25,000-999,999
20-39 tons
$5-$99.9 billion
Federal
Government
Defined
TierS
3,300-24,999
1-1 9 tons
$100 million-$4.9 billion
Two or more of the following:
• Level 1 Trauma
• Venue that hold 1 0K +
• National Icons
• Key DoD facilities
• Key Defense Industrial
Base (DIB) asset
Tier 4
<3,300
<1 ton
<$100 million
Not applicable
SSP Update - Water Sector
July 1,2008
-------�
Cyber Security Roadmap
The Cyber Security Roadmap4 was developed by the Cyber Security Working Group of the
WSCC. The Roadmap is a unified security strategy to mitigate the risks associated with cyber
systems. It provides a 10-year broad-based plan for improving security preparedness,
resilience, and response/recovery of industrial control systems. The plan is divided into goals,
milestones, and activities over the near (0-1 year), mid (1-3 years), and long term (3-10 years).
The four main goals are:
1. Developing and deploying control system security programs
2. Assessing risk
3. Developing and implementing risk mitigation measures
4. Improving partnership and outreach.
In support of attaining these goals, the Roadmap lists milestones. Selected near-term
milestones include: isolating control systems from public switched networks and developing a
cyber response protocol template. Selected mid-term milestones include: developing an
operator control system security training program and adopting best practices for cyber security
in the Water Sector. Selected long-term milestones include: integrating the Roadmap with the
Water SSP and establishing life cycle investment and framework for cyber security. The
Roadmap has also prescribed activities necessary to attain both the goals and milestones. DHS
and Idaho National Laboratory (INL), in 2007, completed development of a control systems
cyber security self-assessment tool (CS2SAT) for use by Water Sector utilities in collaboration
with the Water Environment Research Foundation (WERF) and AWWA Research Foundation
(AwwaRF). Discussions are currently underway to integrate the use of the above tool with the
national recommended Roadmap implementation efforts to maximize the impact of cyber
security self-awareness among the utilities.
Goal 3: Maintain a Resilient Infrastructure
WaterAA/astewater Agency Response Networks
The Water Sector's professional associations, State primacy agencies, and EPA have been
promoting a more resilient Water Sector. One approach the Water Sector has taken towards
Water Sector resiliency includes the establishment of mutual aid and assistance agreements
between utilities under the Water/Wastewater Agency Response Network (WARN) framework.
A WARN is a network of "Utilities Helping Utilities" respond to and recover from emergencies.
The WARN initiative also supports a key priority outlined in both the National Incident
Management System (NIMS) and the National Preparedness Goal.
The purpose of a WARN is to provide a method in which water/wastewater utilities that have
sustained or anticipate damages from natural or manmade incidents can receive emergency aid
and assistance in the form of personnel, equipment, materials, and other associated services as
necessary from other water/wastewater utilities. The objective is to provide rapid, short-term
4 WSCC. Roadmap to Secure Control Systems in the Water Sector. Sponsored by AWWA and DHS.
March 2008. http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf
July 1, 2008 SSP Update - Water Sector
-------�
deployment of emergency services to restore the critical operations of the affected
water/wastewater utility. The backbone of the WARN concept is the mutual aid and assistance
agreement where provisions for network activation, reimbursement, liability and other issues are
mutually agreed upon by participating utilities. Participation is voluntary; there is no obligation to
respond, and there is no direct cost to become a member of the network. WARNs include both
public and private drinking water and wastewater systems.
The WARN framework provides a forum for establishing and maintaining emergency contacts,
providing expedited access to specialized Water Sector resources needed to respond to and
recovery from emergencies that disrupt water/wastewater services, and facilitating training that
specifically focuses on the exchange of resources during an emergency. Events such as 9/11,
the 1994 Northridge earthquake, the 1997 Red River flood, and more recently, Hurricanes
Katrina and Rita, identified a need for water and wastewater utilities to create intrastate mutual
aid and assistance programs.
The tremendous progress of this initiative is shown on Figure 2 below. While it does receive
support nationwide, the initiative owes its success to the proactive, bottom-up ownership of
utilities that have recognized the need to develop additional preparedness capabilities and to
help ensure the overall resiliency of the communities they serve. Currently, utilities in 29 states
have signed agreements that follow the WARN model and utilities in all 50 states have been
provided the opportunity to participate in a series of workshops conducted by the American
Water Works Association (AWWA) under a grant provided by EPA. A Web site,
http://www.NationalWARN.org, has been established to share information on WARN, including
the current status of each program and contact information for each WARN Chair.
Figure 2. Status of WARN programs as of June 2008
' www.NationalWARN.org
Agreement
Signed
Agreement
Pending
Steering
Committee
Workshop
2006/07/08
SSP Update - Water Sector
July 1,2008
-------�
The AWWA published a Resource Typing Manual6 to provide guidance to water and wastewater
utilities when they request and provide resources during an emergency. The Resource Typing
Manual follows the resource typing guidance issued by FEMA in March 20077, which provides
categorized, capability based resource descriptions to ensure a consistent meaning to mutual
aid resource requests.
In the near future, the Water Sector will:
• Continue to develop WARN outreach materials and facilitate meetings, workshops,
training sessions, conference calls, webcasts, and other communications
• Continue to provide administrative and technical support to assist in formation of new
WARNs
• Expand the online repository of WARN information located on EPA and Water Sector
association Web sites
• Provide an analysis of the economic benefits and cost savings from joining a WARN
• Develop tabletop exercise materials and facilitate tabletop exercises
• Provide information on how to develop a Mutual Aid and Assistance Operational Plan,
which provides more detailed information than the initial agreement on how to implement
and manage the WARN program
As the development of intrastate mutual aid and assistance networks expands, the Water
Sector will continue to pursue mechanisms to share mutual aid and assistance across state
lines if local and statewide mutual aid and assistance resources are overwhelmed. Integration of
WARNs with interstate mutual aid and assistance networks, such as the Emergency
Management Assistance Compact (EMAC), will be evaluated. In collaboration with EMAC, EPA
published the EMAC Tips for the Water Sector fact sheet, which provides information on how
the Water Sector can use EMAC for interstate mutual aid and assistance. Additional analysis
will be undertaken to determine if the intrastate WARN agreements can be modified to allow
mutual aid and assistance to be provided across state lines.
Training and Exercises
Also, EPA and national Water Sector associations have developed tools and extensive training
programs to help utilities enhance their emergency response preparedness and communicate
with local first-responders and public health providers during an incident response. EPA is
providing training on the Incident Command System (ICS) and NIMS, which will enable
personnel to operate efficiently during an incident or event and assist the Water Sector with
NIMS compliance. ICS and NIMS are national standards used across the country for emergency
management and are used by the Water Sector's first response partners. An owner/operator's
6 AWWA. Water and Wastewater Mutual Aid and Assistance Resource Typing Manual. April 2008.
http://www.awwa.org/files/WARN/AWWA%20Resource%20Typing%20Manual%20Final%20-
%20April%202%2C%202008.pdf
7 FEMA. National Resource Typing Criteria. March 2007.
http://www.fema.gov/pdf/emergency/nims/ng_0001.pdf
10 July 1,2008 SSP Update - Water Sector
-------�
ability to respond and coordinate a response with its partners will be greatly enhanced by this
training. In addition to the ICS and NIMS training, EPA also is providing emergency response
training to wastewater treatment systems and their community partners. The Emergency
Response to Threats of Contamination of Public Wastewater Systems training provides
information and procedures to guide wastewater treatment systems when responding to a
contamination incident or threat. It addresses who to notify, what actions to take, how to
evaluate a threat, how to collect and analyze samples, how to communicate with the public and
how to recover from an incident. The training is being held nationwide and will be followed by
the release of a companion guidance document, The Wastewater Response Protocol Toolbox -
Planning for and Responding to Wastewater Contamination Incidents and Threats.
EPA, states, and national Water Sector associations continue to conduct tabletop exercises
using EPA's Emergency Response Tabletop Exercises for Drinking Water and Wastewater
Systems CD-ROM that was published in 2005. During FY08, this training tool will be updated to
include additional scenarios and to make the materials compliant with DHS's Homeland Security
Exercise and Evaluation Program (HSEEP). These exercises bring together first response
partners in order to practice plans and procedures including how utilities will communicate and
coordinate with their first response partners.
National Response Framework
EPA, states, and national Water Sector associations provided comments and participated in
workgroups as part of DHS's efforts to update the National Response Plan (NRP), now called
the National Response Framework (NRF), and NIMS. Wthin the NRF, EPA has significant
support agency Water Sector roles and responsibilities under Emergency Support Function #3
(ESF#3) and the Critical Infrastructure and Key Resource Annex. To better coordinate its
activities under ESF#3, the Agency has worked and will continue to work closely with the U.S.
Army Corps of Engineers and FEMA to better define each agency's responsibilities and develop
procedures and mechanisms for activating and deploying EPA responders. To further enhance
EPA's capability to respond to water related incidents, the Agency is also is conducting water
emergency response training in FY08 for EPA's On-Scene Coordinators, Criminal Investigation
and Homeland Security Special Agents, and regional water team personnel. The Agency also
participates in national emergency response exercises in coordination with EPA, Federal, State,
local, WARN, and WaterlSAC partners.
Business Continuity with the Water Sector
An additional component of maintaining a resilient infrastructure is having a business continuity
plan (BCP) in place. BCP is a risk management strategy or methodology that includes a variety
of utility operations plans that may be specifically tailored to certain operating condition, but
collectively define or characterize how a utility will continue critical business functions during
and after various incidents. Business continuity planning provides the basis for resiliency of a
utility's essential functions and critical resources, including key personnel and financial
resources as well as the flexibility to adapt human resources policies to meet the changing
needs of employees. The AWWA currently is in the process of providing updated guidance on
the development of business continuity plans for the Water Sector and is sponsoring two-day
seminars in a series of modules that presents a step-by-step approach to developing the core
elements of a BCP for a utility. In addition, as a standards development organization, AWWA is
currently in the process of drafting an Emergency Preparedness Standard for the Water Sector
in the context of National Fire Protection Association (NFPA 1600) relative to the specific
SSP Update - Water Sector July 1, 2008 11
-------�
operational needs of the Water Sector. This standard is being developed under the American
National Standards Institute (ANSI) procedures for voluntary consensus-based standards.
Interdependencies
The Water Environment Federation (WEF), under a cooperative agreement with DHS' Federal
Emergency Management Agency (FEMA), is providing a cross-sector emergency response
training program for Water Sector utilities. The primary objective of this training is to assist
Water Sector utilities in building sustained, resilient local and regional partnerships across other
CIKR sectors. These partnerships will align closely with the National Preparedness Framework
and with other federal, state, and local guidelines in an effort to provide a comprehensive,
consistent response to all hazards and reduce impacts and recovery times.
The data substantiating the need to address Water Sector interdependencies is noteworthy as
approximately 54,000 publicly owned community water systems (CWS) and 16,000 publicly
owned treatment works (POTWs) (Water Sector utilities) provide critical services to
communities, including ensuring a safe potable water supply and the availability of water
resources that can support recreation, fishing, and agriculture. Additionally these utilities provide
services essential to other sectors during emergency response efforts, including providing an
adequate water supply for fire protection as well as services essential to the recovery of areas
impacted by natural disasters or terrorist events.
While the Water Sector has made significant improvements in the area of security and
emergency response prior to, and particularly since, the events of September 11, 2001, many
utilities still lack coherent local and regional partnerships across multiple sectors in order to
prepare for, and effectively respond to, manmade threats and natural disasters. Building on
accomplishments from both inside and outside the Water Sector, this training program will
leverage expertise from and provide information to Water Sector utility executives, as well as
key leaders in other sectors, on existing resources related to Water Sector interdependencies.
Course materials for the national cross-sector training series will include a brief overview of the
critical infrastructures interdependencies with the Water Sector, as well as a tabletop exercise
that will highlight Water Sector interdependencies.
Recently, EPA and the Chicago Manufacturing Center's Great Lakes Partnership Program
launched the Chicago/and Water and Wastewater Preparedness and Business Resiliency Pilot,
which focused on understanding the interdependencies of critical infrastructures and how an
interruption in the Water Sector would impact business resiliency and the economic viability of
the broader community.
Pandemic Planning
EPA will assist DHS in planning a Sector-Specific Pandemic Influenza Workshop in 2008. EPA
will also support the Department of Health and Human Services by providing Water Sector input
on pandemic vaccine and antiviral prioritization guidance. EPA will continue to support these
and other efforts to prepare and assist the nation's drinking water and wastewater systems in
maintaining operations in the event of an avian or pandemic influenza outbreak.
Decontamination Strategy
The Water Sector is in the process of developing a strategy to guide future decontamination
activities for the sector. The Water Sector established a Critical Infrastructure Protection
12 July 1,2008 SSP Update - Water Sector
-------�
Advisory Council (CIPAC) Water Sector Decontamination Working Group to develop a 3-5-year
decontamination strategy. The strategy responds to the Water Sector's needs for information,
tools, and resources enabling the timely recovery and "return to service" of utility operations
from all hazards contamination incidents and supporting other decontamination-related issues. It
will address a range of contamination scenarios related to the type of system (drinking water,
wastewater), type of contaminant (chemical, biological, radiological), type of media (including
water, infrastructure and equipment used to store and treat, distribution and collection systems,
household plumbing, and environmental media), type of incident (natural or manmade,
accidental or intentional), and extent of contamination (concentrations, spatial and temporal
variations). Expected to be completed in the summer of 2008, the strategy will also help meet
requirements for EPA under HSPD-10, which charges EPA with developing strategies,
guidelines, and plans for decontamination.
Goal 4: Increase Communication. Outreach, and Public Confidence
NIPP Partnership Model
In support of Goal 4, EPA and its Water Sector security partners are committed to implementing
the NIPP Partnership Model. The WSCC and GCC, established under this model, were
established in 2004 and 2005, respectively. The WSCC and GCC meet three to four times per
year to engage in information sharing and address an array of communication and
programmatic issues.
WaterlSAC
WaterlSAC is the Water Sector's Information Sharing and Analysis Center. Designed for
utilities, by utilities, WaterlSAC is an effective information sharing mechanism that serves as a
liaison between the sector's public and private security partners, WaterlSAC provides America's
drinking water and wastewater utilities with secure risk, threat, and security information on all-
hazard incidents and events, including physical attacks, contamination, cyber threats, and
natural disasters. Managed by the Association of Metropolitan Water Agencies (AMWA), the
WaterlSAC is an independent entity able to secure data from unauthorized disclosure.
WaterlSAC is funded in part through an EPA grant and subscriber fees.
SSP Update - Water Sector July 1, 2008 13
-------�
-------�
Update to Section 6 - Measure Progress
6.1 CIKR Performance Measurement
To further support protection of public health and the environment, the WSCC and the GCC,
chaired by EPA, formed a joint CIPAC Metrics Workgroup to develop sector-specific security
and preparedness metrics. The metrics, which are voluntary, are based on the NIPP and the
Water SSP and designed to help evaluate progress made towards the goals and objectives set
forth by the sector.
As part of their final report, the CIPAC Metrics Workgroup recommended to the WSCC that the
voluntary national measures for utilities should be collected by a third party (i.e., other than EPA
or DHS). The WSCC identified the WaterlSAC as the preferred third party for the secure
collection and aggregation of utility measures data.
WaterlSAC will be developing a reporting tool that includes a series of questions for utilities that
correspond to the national measures. The main access portal to the reporting questions will be
located on the WaterlSAC Web site. Data will be collected from utilities and stored in a secure
database. A PIN code system will be used to protect utility identity, but allow for quality control
of the data submitted.
The Workgroup recommendations prescribed focusing initial data collection on a subset of
"core" metrics, with the remaining measures proposed for optional, utility self-assessment
purposes. The self-assessment measures will be available for utility internal use through the
WaterlSAC, but will not be connected to national reporting.
The reporting tool will also use a series of data aggregation protocols, governing how the
collected data may be aggregated and reported nationally to other interested parties, including
EPA and DHS. The data aggregation protocols will be designed to ensure that the identity of
individual utilities cannot be revealed through the combination of data (such as by combining
utility size and state locator data).
As a benefit for utilities who voluntarily report on the core measures, the Workgroup proposed
that utility participants who submit data be automatically enrolled in the basic WaterlSAC
service. The Workgroup believed this benefit will be a valuable incentive to improve participation
rates. This benefit would be renewed annually for participants in subsequent reporting cycles.
Initial outreach will focus on acquiring data from small, medium, and large size systems.
WaterlSAC will promote the survey questions to utilities in conjunction with other Water Sector
associations, such as AMWA, AWWA, NACWA, NRWA, and WEF.
Initial data collection will take place in 2008, with a report on the data available by no later than
the end of the year.
SSP Update - Water Sector July 1, 2008 15
-------�
-------�
List of Acronyms
AMWA
ANSI
AWWA
BCP
CDC
CIKR
CIPAC
CS2SAT
CWS
DHS
EMAC
ESF
EPA
FEMA
FY
GCC
HSEEP
HSPD
ICS
INL
NACWA
LRN
NFPA
NIMS
NRF
NRP
NRWA
PIN
POTW
RAMCAP
RAM-W
RLRP
SEMS
SSP
NIPP
VSAT
WARN
WaterlSAC
WEF
WSCC
WSI
Association of Metropolitan Water Agencies
American National Standards Institute
American Water Works Association
Business Continuity Plan
U.S. Centers for Disease Control and Prevention
Critical Infrastructure and Key Resources
Critical Infrastructure Partnership Advisory Council
Control Systems Cyber Security Self-Assessment Tool
Community Water System
U.S. Department of Homeland Security
Emergency Management Assistance Compact
Emergency Support Function
U.S. Environmental Protection Agency
Federal Emergency Management Agency
Fiscal Year
Government Coordinating Council
Homeland Security Exercise and Evaluation Program
Homeland Security Presidential Directive
Incident Command System
Idaho National Laboratory
National Association of Clean Water Agencies
Laboratory Response Network
National Fire Protection Association
National Incident Management System
National Response Framework
National Response Plan
National Rural Water Association
Personal Identification Number
Publicly Owned Treatment Works
Risk Analysis and Management for Critical Asset Protection
Risk Assessment Methodology - Water
Regional Laboratory Response Plan
Security and Environmental Management System
Sector-Specific Plan
National Infrastructure Protection Plan
Vulnerability Self-Assessment Tool
Water/Wastewater Agency Response Network
Water Information Sharing and Analysis Center
Water Environment Federation
Water Sector Coordinating Council
Water Security Initiative
SSP Update - Water Sector
July 1,2008
17
-------�
-------�
-------�
-------� |