Protect Your Water For Life

Vulnerability Assessment Factsheet

What is the Purpose of Vulnerability Assessments?

Vulnerability assessments help water systems evaluate susceptibility to potential threats and identify corrective actions that can reduce or mitigate the risk of serious consequences from adversarial actions (e.g., vandalism, insider sabotage, terrorist attack, etc.). Such an assessment for a water system takes into account the vulnerability of the water supply (both ground and surface water), transmission, treatment, and distribution systems. It also considers risks posed to the surrounding community related to attacks on the water system.

An effective vulnerability assessment serves as a guide to the water utility by providing a prioritized plan for security upgrades, modifications of operational procedures, and/or policy changes to mitigate the risks and vulnerabilities to the utility's critical assets. The vulnerability assessment provides a framework for developing risk reduction options and associated costs. Water systems should review their vulnerability assessments periodically to account for changing threats or additions to the system to ensure that security objectives are being met. Preferably, a vulnerability assessment is "performance-based," meaning that it evaluates the risk to the water system based on the effectiveness (performance) of existing and planned measures to counteract adversarial actions.

What are the Basic Elements of Vulnerability Assessments?

The following are common elements of vulnerability assessments. These elements are conceptual in nature and not intended to serve as a detailed methodology:

1. Characterization of the water system, including its mission and objectives;
2. Identification and prioritization of adverse consequences to avoid;
3. Determination of critical assets that might be subject to malevolent acts that could result in undesired consequences;
4. Assessment of the likelihood (qualitative probability) of such malevolent acts from adversaries;
5. Evaluation of existing countermeasures; and
6. Analysis of current risk and development of a prioritized plan for risk reduction.

The vulnerability assessment process will range in complexity based on the design and operation of the water system itself. The nature and extent of the vulnerability assessment will differ among systems based on a number of factors, including system size, potential population affected, source water, treatment complexity, system infrastructure and other factors. Security and safety evaluations also vary based on knowledge and types of threats, available security technologies, and applicable local, state and federal regulations.

-------

What are Some Points to Consider in a Vulnerability Assessment?

Some points to consider related to the six basic elements are included in the following tables. The manner in which the vulnerability assessment is performed is determined by each individual water utility. It will be helpful to remember throughout the assessment process that the ultimate goal is twofold: to safeguard public health and safety, and to reduce the potential for disruption of a reliable supply of pressurized water.

Basic Element: 1. Characterization of the water system, including its mission and objectives (Answers to system-specific questions may be helpful in characterizing the water system.)

Points to Consider:

What are the important missions of the system to be assessed?

Define the highest priority services provided by the utility. Identify the utility's customers:

• General public
• Government
• Military
• Industrial
• Critical care
• Retail operations
• Firefighting

What are the most important facilities, processes, and assets of the system for achieving the mission objectives and avoiding undesired consequences?
Describe the:

• Utility facilities
• Operating procedures
• Management practices that are necessary to achieve the mission objectives
• How the utility operates (e.g., water source including ground and surface water)
• Treatment processes
• Storage methods and capacity
• Chemical use and storage
• Distribution system

In assessing those assets that are critical, consider critical customers, dependence on other infrastructures (e.g., electricity, transportation, other water utilities), contractual obligations, single points of failure (e.g., critical aqueducts, transmission systems, aquifers etc.), chemical hazards and other aspects of the utility's operations, or availability of other utility capabilities that may increase or decrease the criticality of specific facilities, processes and assets.

-------

Basic Element: 2. Identification and prioritization of adverse consequences to avoid.

Points to Consider:

Take into account the impacts that could substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water or otherwise present significant public health concerns to the surrounding community. Water systems should use the vulnerability assessment process to determine how to reduce risks associated with the consequences of significant concern.

Ranges of consequences or impacts for each of these events should be identified and defined. Factors to be considered in assessing the consequences may include:

• Magnitude of service disruption
• Economic impact (such as replacement and installation costs for damaged critical assets or loss of revenue due to service outage)
• Number of illnesses or deaths resulting from an event
• Impact on public confidence in the water supply
• Chronic problems arising from specific events
• Other indicators of the impact of each event as determined by the water utility.
Risk reduction recommendations at the conclusion of the vulnerability assessment should strive to prevent or reduce each of these consequences.

-------

Basic Element: 3. Determination of critical assets that might be subject to malevolent acts that could result in undesired consequences.

Points to Consider:

What are the malevolent acts that could reasonably cause undesired consequences?

Consider the operation of critical facilities, assets and/or processes and assess what an adversary could do to disrupt these operations. Such acts may include physical damage to or destruction of critical assets, contamination of water, intentional release of stored chemicals, interruption of electricity or other infrastructure interdependences.

The "Public Health Security and Bioterrorism Preparedness and Response Act of 2002" (PL 107-188) states that a community water system which serves a population of greater than 3,300 people must review the vulnerability of its system to a terrorist attack or other intentional acts intended to substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water. The vulnerability assessment shall include, but not be limited to, a review of:

• Pipes and constructed conveyances
• Physical barriers
• Water collection, pretreatment and treatment facilities
• Storage and distribution facilities
• Electronic, computer or other automated systems which are utilized by the public water system (e.g., Supervisory Control and Data Acquisition (SCADA))
• The use, storage, or handling of various chemicals
• The operation and maintenance of such systems

-------

Basic Element: 4. Assessment of the likelihood (qualitative probability) of such malevolent acts from adversaries (e.g., terrorists, vandals).

Points to Consider:

Determine the possible modes of attack that might result in consequences of significant concern based on the critical assets of the water system.
The objective of this step of the assessment is to move beyond what is merely possible and determine the likelihood of a particular attack scenario. This is a very difficult task as there is often insufficient information to determine the likelihood of a particular event with any degree of certainty.

The threats (the kind of adversary and the mode of attack) selected for consideration during a vulnerability assessment will dictate, to a great extent, the risk reduction measures that should be designed to counter the threat(s). Some vulnerability assessment methodologies refer to this as a "Design Basis Threat" (DBT) where the threat serves as the basis for the design of countermeasures, as well as the benchmark against which vulnerabilities are assessed. It should be noted that there is no single DBT or threat profile for all water systems in the United States. Differences in geographic location, size of the utility, previous attacks in the local area and many other factors will influence the threat(s) that water systems should consider in their assessments.

Water systems should consult with the local FBI and/or other law enforcement agencies, public officials, and others to determine the threats upon which their risk reduction measures should be based. Water systems should also refer to EPA's "Baseline Threat Information for Vulnerability Assessments of Community Water Systems" to help assess the most likely threats to their system. This document is available to community water systems serving populations greater than 3,300 people. If your system has not yet received instructions on how to receive a copy of this document, then contact your Regional EPA Office immediately. You will be sent instructions on how to securely access the document via the Water Information Sharing and Analysis Center (ISAC) website or obtain a hardcopy that can be mailed directly to you.
Water systems may also want to review their incident reports to better understand past breaches of security.

-------

Basic Element: 5. Evaluation of existing countermeasures. (Depending on countermeasures already in place, some critical assets may already be sufficiently protected. This step will aid in identification of the areas of greatest concern, and help to focus priorities for risk reduction.)

Points to Consider:

What capabilities does the system currently employ for detection, delay and response?

• Identify and evaluate current detection capabilities such as intrusion detection systems, water quality monitoring, operational alarms, guard post orders, and employee security awareness programs.
• Identify current delay mechanisms such as locks and key control, fencing, structure integrity of critical assets and vehicle access checkpoints.
• Identify existing policies and procedures for evaluation and response to intrusion and system malfunction alarms, adverse water quality indicators, and cyber system intrusions.

It is important to determine the performance characteristics. Poorly operated and maintained security technologies provide little or no protection.

What cyber protection system features does the utility have in place?

Assess what protective measures are in-place for the SCADA and business-related computer information systems such as:

• Firewalls
• Modem access
• Internet and other external connections, including wireless data and voice communications
• Security policies and protocols

It is important to identify whether vendors have access rights and/or "backdoors" to conduct system diagnostics remotely.

What security policies and procedures exist, and what is the compliance record for them?
Identify existing policies and procedures concerning:

• Personnel security
• Physical security
• Key and access badge control
• Control of system configuration and operational data
• Chemical and other vendor deliveries
• Security training and exercise records

-------

Basic Element: 6. Analysis of current risk and development of a prioritized plan for risk reduction.

Points to Consider:

Information gathered on threat, critical assets, water utility operations, consequences, and existing countermeasures should be analyzed to determine the current level of risk. The utility should then determine whether current risks are acceptable or risk reduction measures should be pursued.

Recommended actions should measurably reduce risks by reducing vulnerabilities and/or consequences through improved deterrence, delay, detection, and/or response capabilities or by improving operational policies or procedures. Selection of specific risk reduction actions should be completed prior to considering the cost of the recommended action(s). Utilities should carefully consider both short- and long-term solutions. An analysis of the cost of short- and long-term risk reduction actions may impact which actions the utility chooses to achieve its security goals.

Utilities may also want to consider security improvements in light of other planned or needed improvements. Security and general infrastructure may provide significant multiple benefits. For example, improved treatment processes or system redundancies can both reduce vulnerabilities and enhance day-to-day operation.

Generally, strategies for reducing vulnerabilities fall into three broad categories:

• Sound business practices - affect policies, procedures, and training to improve the overall security-related culture at the drinking water facility. For example, it is important to ensure rapid communication capabilities exist between public health authorities and local law enforcement and emergency responders.
• System upgrades - include changes in operations, equipment, processes, or infrastructure itself that make the system fundamentally safer.
• Security upgrades - improve capabilities for detection, delay, or response.

-------

Office of Water (4601M)
EPA 816-F-02-025
www.epa.gov/ogwdw/security/index.html
November 2002