ซ>EPA
United States
Environmental Protection
Agency
Office of Water (4601M)
EPA817-F-08-005
www.epa.gov/watersecurity
October 2008
&EPA
United States
Environmental Protection
Agency
-------�
Does your utility receive screened, validated, and timely (e.g., in time
to inform decisions or take action) threat information from one or more
of the following sources (Y/N)?
WaterlSAC
FBI
Local police
DHS
Office of Water (4601M)
EPA817-F-08-005
www. epa.gov/watersecurity
October 2008
ฎ
9. Do you have a plan in place to increase utility security in response to a
threat (Y/N)?
10. Do you have a written business continuity plan (Y/N)?
11. Do you:
Have an emergency response plan (ERP) (Y/N)?
Conduct training on the ERP (Y/N)?
Carry out exercises on the ERP (Y/N)?
If so, which type:
Table top (Y/N)?
Functional (Y/N)?
Full field (Y/N)?
Review and update ERP on a periodic basis (Y/N)?
12. Has your utility adopted National Incident Management System (NIMS
as part of its emergency response plan?
Is the Incident Command System (ICS) being used in your organi-
zation to manage incidents and/or preplanned events?
13. Is your utility a signatory to written agreements for requesting aid or
assistance, such as an MOU for mutual aid and assistance or Water/
Wastewater Agency Response Network (WARN) membership (Y/N)?
If no, are you in the process of creating an agreement (Y/N)?
14. Has your utility responded to an emergency request to provide mutual
aid and assistance (Y/N)?
15. Do you have a crisis communication plan (Y/N)?
16. Do you engage in networking activities regarding emergency prepared-
ness and collaborative response in the event of an incident (Y/N)?
More information on the measures and additional risk reduction measures
for utilities, is available at: cfpub.epa.gov/safewater/watersecurity/mea-
sures.cfm.
Recycled/Recyclable Printed with Vegetable Oil Based Inks on
100% Postconsumer, Process Chlorine Free Recycled Paper
17
-------�
WaterlSAC, www.waterisac.ora
State and Local Fusion Centers,
www. dhs. aov/xinfoshare/proarams/ac_ 1156877184684. shtm
CDC Health Alert Network, www.phppo. cdc. qov/han/
Example Self-Assessment Measures
The Features establish the expectation that utilities should self-assess to mea-
sure progress and adjust their protective program based on performance data.
The water sector has developed measures of utility activities that roughly
correspond with the activities described in the Features. These measures
are provided as examples for utilities to consider as a starting point as they
develop their own self-assessment measures.
1. Have you integrated security and preparedness into budgeting, training,
and manpower responsibilities (Y/N)?
2. Have you incorporated security into planning and design protocols ap-
plying to all assets and facilities (Y/N)?
3. Do you routinely conduct supplemental monitoring or more in-depth
analysis beyond what is required to identify abnormal water quality
conditions (Y/N)?
4. Have you established relationships with public health networks to inter-
pret public health anomalies for the purposes of identifying waterborne
public health impacts (Y/N)?
5. Do you monitor and evaluate customer complaints for possible indica-
tions of water quality or other security threats (Y/N)?
6. Have you established protocols (i.e., consequence management plans)
for interpreting and responding to indications of water quality anoma-
lies (Y/N)?
7. Do you review your vulnerability assessment (VA) annually (Y/N)?
How frequently do you update your VA to adjust for changes in
your system that may alter the risk profile of your utility? (never
update; annually; every 2-3 years; every 3-5 years; every 5-10
years; no defined cycle)?
16
Features of an Active and Effective
Protective Program for Water and
Wastewater Utilities
Introduction
The water sector has developed the Features of an Active and Effective
Protective Program to assist owners and operators of drinking water and
wastewater utilities (water sector) in preventing, detecting, responding to,
and recovering from adverse effects of all hazards, including terrorist at-
tacks and natural disasters.
The Features originated as an outcome of a National Drinking Water Advi-
sory Council workgroup in 2005 and have been updated to reflect the goals
and objectives of the Sector Specific Plan for Water published in May 2007.
The Features use the terms "protective
program," "protection," and "protective"
to describe activities that enhance resil-
iency and promote continuity of service,
regardless of the exact type of hazard or
adverse effect a utility might experience.
The 10 features describe the basic
elements of a "protective program" for
owners/operators of utilities to consider
as they develop utility-specific approaches. They address the physical, cy-
ber, and human elements of prevention, detection, response, and recovery.
The 10 features:
Are sufficiently flexible to apply to all utilities, regardless of size.
Are consistent with the management philosophy of continuous im-
provement.
Water utilities can differ in many ways including:
Source of water (ground or surface)
Number of sources
Treatment capacity
-------�
Operational risk
Locational risk
Protective program budget
Spending priorities
Political and public support
Legal barriers
Public vs. private ownership
The goal in identifying common fea-
tures of active and effective protective
programs is to achieve consistency in
protective program outcomes among
water utilities, while allowing for,
and encouraging, utilities to develop
utility-specific protective program ap-
proaches and tactics. The Features are
based on an integrated approach that
incorporates a combination of public
involvement and awareness, partnerships, and physical, chemical, opera-
tional, and design controls to increase overall program performance.
The Features
Feature 1. Encourage awareness and integration of a comprehen-
sive protective posture into daily business operations to foster a
protective culture throughout the organization and ensure continuity
of utility services.
The objective of Feature 1 is to make protection a normal part of day-to-day
operations.
Utility-specific efforts that help incorporate protection concepts into organi-
zational culture might include:
Senior leadership makes an explicit, easily communicated commitment
to a program that incorporates the full spectrum of protection activities.
Foster attentiveness to protection among front line workers and encour-
age them to bring potential issues and concerns to the attention of oth-
ers; establish a process for employees to make suggestions for protec-
tion improvements.
Feature 10. Monitor incidents and available threat-level information;
escalate procedures in response to relevant threats and incidents.
Monitoring threat information should be a regular part of a protective pro-
gram manager's job, and utility-, facility- and region-specific threat levels
and information should be shared with those responsible for protective pro-
grams. As part of their planning efforts, utilities should develop systems to
assess threat information and procedures that will be followed in the event
of increased threat levels. Utilities should be prepared to put these proce-
dures in place immediately so that adjustments are seamless. Involving local
law enforcement and FBI is critical.
Utilities should investigate what
networks and information sources
might be available to them locally,
and at the state and regional level (e.g.
fusion centers). If a utility cannot gain
access to some information networks,
attempts should be made to align with
those who can and will provide ef-
fective information to the utility on a
timely basis.
Utility-specific efforts might include:
Develop standard operating procedures to identify and report incidents
in a timely way and establish incident reporting expectations.
O In the specific context of intentional threats and acts, ensure staff
can distinguish between normal and unusual activity (both on/off
site) and know how to notify management of suspicious activity.
Develop systems to access threat information, identify threat levels, and
determine the specific responses to take.
O Investigate available information sources locally, and at the state or
regional level (e.g., FBI Infraguard and Water ISAC).
O Where barriers to accessing information exist, make attempts to
align with those who can, and will, provide effective information
to the utility.
Make monitoring threat information a regular part of the protective
program designee's job and share threat levels and information with
key staff and those responsible for protection.
Feature 10 Resources
Guarding Against Terrorist and Security Threats: Suggested Measures
for Drinking Water and Wastewater Utilities, USEPA 2004
15
-------�
Feature 9. Develop and implement strategies for regular, ongoing
communication about protective programs with employees, cus-
tomers, and the general public to increase overall awareness and
preparedness for response to an incident.
Effective communication considers key messages; who is best equipped/
trusted to deliver the key messages; the need for message consistency.
particularly during an emergency; and the best mechanisms for delivering
messages and for receiving information and feedback from key partners.
The key audiences to consider are utility employees, response organizations.
and customers.
Utility specific efforts might include:
Establish public communications protocols, including prepared public
announcement templates.
Public communication strategies should:
D Identify means to reach customers and the general public with
incident information;
Provide a mechanism for customers and the public to communicate
with appropriate personnel about unusual or suspicious events;
D Inform customers about appropriate actions to enhance their
preparedness for potential incidents that may impact services (e.g..
reverse 911); and
Internal communication strategies should:
Increase employee awareness of your protective program;
D Motivate staff to support your protective program;
D Provide ways for staff to notify appropriate personnel about un-
usual or suspicious activities;
D Inform employees about the nature of, and restrictions on, access
to security sensitive information and/or facilities; and
D Ensure employee safety during an event or incident and enable
effective employee participation during response and recovery ef-
forts.
Evaluate effectiveness of communication mechanisms over time.
Feature 9 Resources
Security Risk Communication Training,
www. epa. gov/safewater/dwa/course-aenint.html
m Effective Risk and Crisis Communication during Water Security Emer-
gencies, www. epa. qov/ordnhsrc/pubs/600r07027.pdf
Emergency Communications with your Local Government and Commu-
nity | WERF Project 03-CTS-5SCO, www.werf.org
14
Identify employees responsible for implementation of protection priori-
ties and establish expectations in job descriptions and annual perfor-
mance reviews.
Designate a single manager (even if it is not a full time duty) respon-
sible for protective programs. Establish this responsibility at a level to
ensure protection is given management attention and made a priority
for line supervisors and staff.
Keep current on improvements and good protective practices adopted
by other utilities.
Monitor incidents and available threat-level information; escalate pro-
cedures in response to relevant threats and incidents.
Feature 1 Resources
Seattle/King County Case Study, USEPA
Chicago/and Case Study, USEPA
Water Security Training Courses, Meetings, and WorkshopsAA/ebcasts,
USEPA, dpub, epa. gov/safewater/watersecuritv/outreach. cfm
Feature 2. Annually identify protective program priorities and re-
sources needed, support priorities with utility-specific measures,
and self-assess using these measures to understand and document
program progress.
Dedicated resources are important to ensure a sustained focus on protective
programs. Investment should be reasonable and consider utilities' specific
circumstances. In some circumstances, investment may be as simple as in-
creasing the amount of time and attention that executives and managers give
to protective programs. Where threat potential or potential consequences are
greater, increased financial investment is likely warranted.
This feature establishes the expectation that utilities should, through their
annual capital, operations and maintenance, and staff resources plans.
identify and set aside resources consistent with their specific identified
protective program needs. Priorities should be clearly documented and
reviewed with utility executives at least once per year as part of the budget-
ing process.
This feature also encourages utilities to use metrics to serf-assess and mea-
sure progress and to adjust their protective program based on performance
data. Metrics should measure progress in physical upgrades, as well as
personnel and process changes. Utilities are encouraged to develop utility-
specific metrics relevant to their specific protective programs. As a starting
-------�
point, utilities can consider metrics that were developed at the national
level, provided as examples in this brochure.
Utility specific efforts might include:
Annually identify and dedicate resources to protective programs in
capital, operations, and maintenance budgets; and/or staff resource
plans.
Tailor protective approaches and tactics to utility-specific circumstanc-
es and operating conditions; balance resource allocations and other
organizational priorities.
Annually review protection commitments and improvement priorities
with top executives, rate setters, and water boards/commissions.
Develop measures appropriate to utility-specific circumstances and
operating conditions.
Serf-assess against performance measures to understand program prog-
ress and make necessary changes to improve effectiveness.
Feature 2 Resources
Grants and Funding,
cfpub.epa. gov/safewater/watersecuritv/financeassist. cfm
National Metrics and Self Assessment Questions for Utilities,
cfpub.epa. aov/safewater/watersecuritv/measures. cfm
m VSAT Asset Management Module \ WERF Project 03-CTS-6S,
www.werf.org
national public health, county health agencies, and health-care providers,
such as hospitals.
Utility specific efforts might include:
Forging partnerships in advance of an emergency, ensuring utilities
and key partners are better prepared to work together if an emergency
should occur.
Join or help create a mutual aid and assistance network such as a Water
and Wastewater Agency Response Network (WARN).
Network with partners to stay aware of industry best practices and
available protective program-related tools and training.
Establish relationships with critical customers (hospitals, manufactur-
ing, etc.) to identify interdependency issues that may impact business
resiliency and continuity of business operations.
Participate in joint exercises with identified partners as appropriate.
Feature 8 Resources
Security Information Collaborates Guide,
www. epa. qov/nhsrc/pubs/brochureSIC051805.pdf
Waterand Wastewater Agency Response Networks (WARNs),
www. nationalwarn. ora
Mutual Aid and Assistance Resources, USEPA,
cfpub.epa. gov/safewater/watersecuritv/maa. cfm
13
-------�
Feature 7 Resources
Emergency Response Tabletop Exercises for Drinking Water and
Wastewater Systems,
cfpub.epa. gov/safewater/watersecuritv/trainincicd. cfm
Response Protocol Toolbox: Response Guidelines,
www.epa.qov/safewater/watersecuritv/pubs/rptb_response_quidelines.pdf
EPA guidance documents on how to develop an ERP,
cfpub.epa. gov/safewater/watersecuritv/home. cfm ?proaramjd=8
National Incident Management System (NIMS),
www. fema. qov/emerqencv/nims/
m 2007 National Fire Protection Association (NFPA) 1600 standard on
Standard on Management and Business Continuity Programs,
www. nfpa. om/assets/files/PDF/NFPA 1600. pdf
Feature 8. Forge reliable and collaborative partnerships with first
responders, managers of critical interdependent infrastructure, other
utilities, and response organizations to maintain a resilient infra-
structure.
Effective partnerships build collaborative working relationships and clearly
define roles and responsibilities so that people can work together seamlessly
if an emergency should occur. It is important for utilities within a region,
and within neighboring regions, to collaborate and establish a mutual aid
program with one another and with neighboring response organizations,
as well as, with interdependent sectors, such as the power sector, on which
utilities rely or which they impact. Mutual aid agreements provide for help
from other organizations that is prearranged and can be accessed quickly
and efficiently in the event of an emergency.
Developing reliable and collaborative partnerships involves reaching out
to managers and key staff in other organizations to build reciprocal under-
standing and to share information about the utility's concerns and planning.
Such efforts will maximize the efficiency and effectiveness of a mutual aid
program during an emergency response effort, as the organizations will be
familiar with each others' circumstances and therefore, will be better able to
serve each other.
Utilities and public health organizations should also establish formal
agreements on coordination to ensure the regular exchange of informa-
tion between utilities and public health organizations, and outline roles
and responsibilities during response to, and recovery from, an emergency.
Coordination is important at all levels of the public health community
12
Feature 3. Employ protocols for detection of contamination while
recognizing limitations in current contaminant detection, monitoring,
and public health surveillance methods.
Until progress can be made in development of practical and affordable
online contaminant monitoring and surveillance systems, most utilities
must use more traditional approaches, such as monitoring chlorine re-
sidual. Water quality monitoring, sampling and analysis, enhanced security
monitoring, consumer complaint surveillance, and public health syndromic
surveillance are different, but related, elements of an overall contamination
warning system.
Water quality monitoring include monitoring data of physical and chemi-
cal contamination surrogates, pressure change abnormalities, free and total
chlorine residual, temperature, dissolved oxygen, and conductivity. Many
utilities already measure these parameters on a regular basis to control plant
operations and confirm water quality. More closely monitoring these param-
eters may also create operational benefits for utilities that extend far beyond
protective programs, such as reducing operating costs and chemical usage.
Utilities also should thoughtfully monitor customer complaints and im-
prove connections with local public health networks to detect public health
anomalies ("public health syndromic surveillance"). Customer complaints
and public health anomalies are important ways to detect potential contami-
nation problems and other water quality concerns.
Utility specific efforts might include:
Establish sampling and testing protocols for events (and suspected
events) and understand availability of, and be prepared to access, spe-
-------�
cialized laboratory capabilities that can handle both typical and atypical
contaminants.
Track, characterize, and consider customer complaints to identify po-
tential contamination events.
Use security monitoring methods (e.g., intrusion detection devices such
as alarms or closed circuit television) to aid in determining whether a
suspected contamination event is the result of an intentional act (Also
see Feature 5).
Establish working relationship with local, state, and public health
communities to detect public health anomalies and evaluate them for
contamination implications.
Feature 3 Resources
The State of the Science in Monitoring Drinking Water Quality,
www. epa. qov/ordnhsrc/pubs/reportEWS 120105.pdf
Water Security Initiative,
dpub, epa. gov/safewater/watersecuritv/initiative. cfm
Guidelines for Designing an Online Contaminant Monitoring System,
www. asce. ora/wise
Feature 4. Assess risks and periodically review (and update) vulner-
ability assessments to reflect changes in potential threats, vulner-
abilities, and consequences.
Utilities should maintain their understanding and assessment of vulnerabili-
ties as a "living document," and continually adjust their protective program
enhancement and maintenance priorities. Utilities should consider their
individual circumstances and establish and implement a schedule for review
of their vulnerabilities.
5
4 Evaluate
Identify/Prk
3
Analyze/
Reduce Risk
Assess Likelihood
Determine Critical Assets
)ritize
Characterize
Steps for reviewing vulnerability assessments
The emergency response and recovery plans should be reviewed annually
and updated as needed. Utilities should test or exercise their emergency
response and recovery plans regularly.
Utility specific efforts might include:
Understand the NfMS guidelines established by DHS (as well as com-
munity and state response plans and FEMA Public Assistance proce-
dures); and incident command systems (1CS). At a minimum, utility
response and recovery planning should be NDV1S compliant.
Coordinate emergency plans with community emergency management
partners:
O Establish interoperable communications systems, where feasible.
to maintain contact with police, fire, and other first responder enti-
ties.
Establish internal protocols to maintain communications with em-
ployees to ensure safety and to coordinate response activities.
Implement backup plans and strategies for critical operations, including
water supply and treatment (to mitigate potential public health, envi-
ronmental, and economic consequences of events), power, and other
key components.
Know how to run your system manually (without SCAD A).
Maintain plans that are exercised at least annually, identify circum-
stances that prompt implementation, and identify individuals respon-
sible for implementation.
D Provide employees with appropriate preparedness and response
training and education opportunities.
D At least annually, review plans and conduct exercises that address
a range of threats relevant to the utility.
D Update plans, as necessary, to incorporate lessons from training.
exercises, and incident responses.
Ensure plans identify critical and time sensitive applications, vital
records, processes, and functions that need to be maintained, and the
personnel and procedures necessary to do so until utility has recovered.
At a minimum, plans should include a business impact analysis and ad-
dress need for power, communication (internal and external), logistics
support, facilities, information technology, and finance and administra-
tion-related functions, including necessary redundancy and/or timely
access to backup systems and cash reserves.
11
-------�
Design and construction specifications should address both physical
hardening of sensitive infrastructure and adoption of inherently lower
risk technologies and approaches where feasible.
Design choices should consider ability to rapidly recover and continue
services following an incident.
Feature 6 Resources
EPA Security Product Guides, epa. gov/watersecuritv/auide
m VSAT Asset Management Module \ WERF Project 03-CTS-6S,
www. werf. orq
Physical Security Guidance for Drinking Water and Wastewater Utilities,
www. asce. ora/wise
Feature 7. Prepare emergency response, recovery, and business
continuity plan(s); test and review plan(s) regularly update plan(s) as
necessary to ensure NIMS compliance and to reflect changes in po-
tential threats, vulnerabilities, consequences, physical infrastructure,
utility operations, critical interdependencies, and response protocols
in partner organizations.
Utilities should maintain re-
sponse and recovery plans as
"living documents." In incor-
porating protective program
considerations into their emer-
gency response and recovery
plans, utilities also should be
aware of the National Incident
Management System (NIMS)
guidelines, established by the
Federal Emergency Management
Agency (FEMA) within the De-
partment of Homeland Security (DHS), and of regional and local incident
management commands and systems, which tend to flow from the national
guidelines. Adoption of NIMS is required to qualify for protective program
funds dispersed through EPA, FEMA and DHS.
Utilities should consider their individual circumstances and implement a
schedule for review of emergency response and recovery plans. Utility plans
should be thoroughly coordinated with emergency response and recovery
planning in the larger community.
10
Utility specific efforts might include:
Maintain current understanding and assessment of threats, vulnerabili-
ties, and consequences.
Adjust continually to respond to changes in threats, vulnerabilities, and
consequences.
Establish and implement a schedule for review of threats, vulnerabili-
ties, consequences, and their impact on the vulnerability assessment,
at least every three to five years to account for factors such as facility
expansion/upgrades and community growth.
Reassess threats, vulnerabilities, and consequences after incidents and
incorporate lessons into protective practices.
Ensure individuals who are knowledgeable about utility operations con-
duct the reviews. Include an executive in the review process to provide
an ongoing conduit of information to/from management.
Use a methodology that best suits utility-specific circumstances and
operating conditions; however, ensure the selected method supports the
criteria outlined in the National Infrastructure Protection Plan (NIPP).
Feature 4 Resources
EPA Vulnerability Assessment Tools,
dpub, epa. gov/safewater/watersecuritv/home. cfm ?proaramjd= 11
m VSAT Asset Management Module \ WERF Project 03-CTS-6S,
www.werf.org
Feature 5. Establish physical and procedural controls to restrict ac-
cess only to authorized individuals and to detect unauthorized physi-
cal and cyber intrusions.
Physical access controls include fencing critical areas, locking gates and
doors, and installing barriers at site access points. Monitoring for physical
intrusion can include maintaining well-lighted facility perimeters, installing
motion detectors, and utilizing intrusion alarms. Neighborhood watches,
regular employee rounds, and arrangements with local police and fire de-
partments can support identifying unusual activity in the vicinity of facili-
ties.
Procedural access controls include inventorying keys, changing access
codes regularly, and requiring security passes to access gates and sensitive
areas. In addition, utilities should establish the means to readily identify all
employees, including contractors and temporary workers, with unescorted
access to facilities.
-------�
Protecting cyber systems involves using physical hardening and proce-
dural steps to limit the number of individuals with authorized access and
prevent access by unauthorized individuals. Examples of physical steps to
harden Supervisory Control and Data Aquisition (SCADA) and IT networks
include installing and maintaining fire walls, and screening the network for
viruses. Examples of procedural steps include restricting remote access to
data networks and safeguarding critical data through backups and storage in
safe places.
Utility specific efforts might include:
Identify and protect critical facilities, operations, components, and
cyber systems (such as SCAD A).
Develop and implement physical and cyber intrusion detection and
access control tactics that enable timely and effective detection and
response.
Utilize both physical and procedural means to restrict access to sensi-
tive facilities, operations, and components including treatment facilities
and supply/distribution/collection networks.
Define, identify, and restrict access to security-sensitive information
(both electronic and hard copy) on utility operations and technical
details.
Establish means to readily identify all employees (e.g., ID badges).
Verify identity of all employees, contractors and temporary workers
with access to facilities through background checks, as appropriate, per
local/state law and/or labor contract and other agreements.
Test physical and procedural access controls to ensure performance.
Feature 5 Resources
EPA Security Product Guides,
epa. qov/watersecuritv/quide
Protecting Water System Security Information,
www.epa.aov/safewater/watersecuritv/pubs/ncsl_foia_sept03.pdf
Physical Security Guidance for Drinking Water and Wastewater Utilities,
www. asce. orq/wise
Control System Self Assessment Tool for Water Utilities \ WERF Project
03-CTS-3SCO, www.werf.org
Feature 6. Incorporate protective program considerations into pro-
curement, repair, maintenance, and replacement of physical infra-
structure decisions.
Prevention is a key aspect of
enhancing protective programs.
Consideration of protective
issues should begin as early as
possible in facility construc-
tion (i.e., it should be a factor
in facility plans and designs).
However, to incorporate protec-
tive considerations into design
choices, utilities need informa-
tion about the types of protective
design approaches and equip-
ment that are available and the
performance of these designs
and equipment. For example,
utilities should evaluate not just
the way a particular design might contribute to protection, but also would
look at how that design would affect the efficiency of day-to-day plant
operations and worker safety. Numerous resources are available to provide
information for designers and owners/operators of water utilities on design
approaches and upgrades that improve protection and reduce vulnerability.
Utility specific efforts might include:
Raise protective program considerations early in the design, planning,
and budgeting processes to mitigate vulnerability and/or potential con-
sequences and improve resiliency over time.
-------� |