Water
Critical Infrastructure and Key Resources
Sector-Specific Plan as input to the
National Infrastructure Protection Plan
Executive Summary
May 2007
Homeland Security
Environmental Protection Agency

Executive Summary
We all rely on clean and safe water. Therefore, from the standpoints of public health and economic impacts, it is critical that we
protect the Nation's drinking water and wastewater infrastructure, collectively known as the Water Sector. For decades, Water
Sector utilities have been protecting human health and the environment. The U.S. Environmental Protection Agency (EPA)
has been working with its Water Sector security partners—public and private drinking water and wastewater utilities; the
Water Sector Coordinating Council (WSCC); Government Coordinating Council (GCC); national and State associations; State,
local, and tribal governments; research foundations; and other Federal agencies—to better secure critical infrastructure and
key resources (CI/KR) across the Nation. This work began prior to September 11, 2001, and many of EPA's ongoing programs
support security-related activities. All Water Sector security partners continue to collaborate to be better prepared to prevent,
detect, respond to, and recover from terrorist attacks and other intentional acts, natural disasters, and other hazards (this is the
"all-hazards" approach).

Under Homeland Security Presidential Directive (HSPD) 7, certain Federal agencies must identify and prioritize critical national
infrastructure and resources for protection from terrorist acts that could cause catastrophic health impacts or mass casualties;
undermine public confidence; or disrupt essential government functions, essential services, or the economy. In recognition of
the distinctive characteristics of different infrastructure assets, HSPD-7 divides the national infrastructure into 17 CI/KR
sectors and assigns CI/KR protection responsibilities for them to selected Federal agencies, called Sector-Specific Agencies (SSAs).
HSPD-7 designates EPA as the SSA for the Water Sector.

A key requirement of HSPD-7 is that the U.S. Department of Homeland Security (DHS) develop a strategy to protect all CI/KR;
that strategy is called the National Infrastructure Protection Plan (NIPP). It provides the unifying structure for integration of
current and future CI/KR protection efforts into a single national program to achieve the goal of a safer, more secure Nation.

The NIPP follows the DHS risk management framework, which describes the processes for: (1) setting security goals for
CI/KR protection; (2) identifying CI/KR assets; (3) assessing the risks to CI/KR assets, based on three factors: (a) consequence
analysis, which is the SSAs' responsibility, with guidance from the DHS; (b) vulnerability assessments, which are the
responsibility of the SSA and Water Sector; and (c) threat analysis, which is provided by the DHS, intelligence community, and law
enforcement. The risk management framework further describes processes for (4) prioritizing CI/KR (as a basis for resource
allocation); (5) implementing programs to protect CI/KR; and (6) measuring the effectiveness of CI/KR protection efforts. As
part of the implementing structure for the NIPP, each SSA is to develop a Sector-Specific Plan (SSP) that follows and supports
the framework. An SSP is the implementation plan of the strategy in a specific sector. Pursuant to the guidelines in HSPD-7, the
NIPP focuses primarily on the terrorist threat to the Nation's infrastructure and resources. However, other hazards can affect
the Nation's CI/KR as well, and are addressed in the NIPP and SSP.

The NIPP addresses relationship-building, information-sharing, resource allocation, research and development (R&D), and
other processes that support implementation of the risk management framework on the national level. As Figure ES-1
illustrates, physical, cyber, and human elements of the infrastructure must be considered when implementing the framework.

Figure ES-1: National Risk Management Framework
[Figure: framework steps shown include Identify Assets, Systems, Networks, and Functions; Assess Risks (Consequences, Vulnerabilities, and Threats); Implement Protective Programs; and Measure Effectiveness, with a feedback loop labeled "Continuous improvement to enhance protection of CI/KR".]

The Water SSP follows and supports the risk management approach and key steps outlined in the NIPP. This consistent structure
facilitates DHS's cross-sector comparisons to foster coordination among security partners. The goal of the SSP is to describe and
develop the Water Sector's strategy and programs to protect identified CI/KR assets, identify priorities and goals based on risk
analysis, describe the resources needed to protect CI/KR, track progress, identify gaps, establish R&D priorities, identify best
practices, and work with the DHS to continuously improve the NIPP. The Water SSP describes the specific processes used to
identify, assess, prioritize, and protect CI/KR and to measure effectiveness. It also includes plans to implement these processes
and the status of any efforts supporting implementation, such as best practices identified, challenges encountered, and products
generated. The Water SSP also helps define the roles and responsibilities of EPA as the Water Sector SSA, and of others involved
in securing the sector through implementation of the SSP. The processes and activities discussed in the SSP assist drinking water
and wastewater utilities to be better prepared to prevent, detect, respond to, and recover from terrorist attacks, other
intentional acts, natural disasters, and other hazards.
The NIPP and its SSP components provide the structure needed to coordinate, integrate, and synchronize activities derived
from various relevant statutes and national strategies, such as the National Response Plan (NRP) and presidential directives,
into the unified national approach to protect CI/KR. Relevant authorities include those that address the overarching homeland
security and CI/KR protection missions, as well as those that address a wide range of sector-specific CI/KR protection-related
functions, programs, and responsibilities. The connection between the NRP and NIPP is indicative of how these strategies work
in tandem. The Nation's CI/KR protection efforts are based on ongoing coordination, cooperation, and collaboration between
security partners for both steady-state activities under the NIPP and incident management activities under the NRP. The NIPP
establishes the overall risk-based construct that defines the unified approach to protecting the Nation's CI/KR in an all-hazards
context, and specifies the procedures and activities needed to reduce the risk to the Nation's CI/KR on a day-to-day basis. The
NIPP depends on supporting SSPs for full implementation of the risk management framework throughout each CI/KR sector.
Figure ES-2 illustrates how overarching homeland security legislation, strategies, HSPDs, and related initiatives work together.

Figure ES-2: Organization of Homeland Security: Related Authorities
[Figure: three groups of authorities leading to a Coordinated Approach to Homeland Security.
Homeland Security Strategy & Legislation: The National Strategy for Homeland Security (7/02); Homeland Security Act (11/02); The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2/03); The National Strategy to Secure Cyberspace (2/03).
Presidential Directives: Homeland Security Presidential Directive 3 (3/02); Homeland Security Presidential Directive 5 (2/03); Homeland Security Presidential Directive 7 (12/03); Homeland Security Presidential Directive 8 (12/03).
National Initiatives: National Incident Management System (3/04); National Infrastructure Protection Plan; National Preparedness Goal (2006).]

The multiyear NIPP describes mechanisms for sustaining the Nation's steady-state protective posture. The NIPP and its
component SSPs include a process for annual reviews and periodic interim updates as required, and are to be reissued every three
years, or more frequently, if directed by the Secretary of Homeland Security. The DHS oversees the review and maintenance
process for the NIPP; the SSAs, in coordination with the GCCs and sector coordinating councils, will establish and operate the
mechanism(s) necessary to coordinate these reviews for their respective SSPs. The NIPP and SSP revision processes will include
developing or updating any documents necessary to carry out NIPP activities.

There are approximately 160,000 public drinking water utilities and more than 16,000 wastewater utilities in the United States.
About 84 percent of the U.S. population receives its potable water from these drinking water utilities and more than 75 percent
has its sanitary sewage treated by these wastewater utilities. The drinking water and wastewater sector (Water Sector) is
vulnerable to a variety of attacks, including contamination with deadly agents and physical and cyber attacks. If these attacks were to
occur, the result could be large numbers of illnesses or casualties or denial of service that would also affect public health and
economic vitality. Critical services such as firefighting and health care (hospitals), and other dependent and interdependent
sectors such as energy, transportation, and food and agriculture, would suffer negative impacts from a denial of Water Sector
service. In collaboration with the entire sector, a broad-based strategy to address security needs is being implemented. This
work includes providing support to utilities by preparing vulnerability assessment and emergency response tools, providing
technical and financial assistance, and exchanging information. Each section of the Water SSP, as defined by the DHS in its 2006
SSP Guidance, is described below.
1. Sector Profile and Goals
This section of the SSP provides an overview of the Water Sector. Each drinking water or wastewater utility is considered an
asset that comprises many components. The discussion includes an explanation of the EPA's relationships, as the SSA, with the
private sector, State and local agencies, other Federal departments and agencies, and the public; a description of the relevant
Water Sector authorities; a summary of its vision and goals; and an explanation of its value proposition.
Authorities. Implementation of the Safe Drinking Water Act (SDWA); Federal Water Pollution Control Act, or Clean Water Act
(CWA); and other environmental regulatory authorities builds on long-established protective programs in the Water Sector
to protect human health and the environment. A number of governing authorities pertain to the Water Sector; most provide
broad environmental authority that may support security-related activities and initiatives. Other authorities directly address
homeland security and affect the Water Sector, such as the Public Health Security and Bioterrorism Preparedness and Response
Act of 2002 (Bioterrorism Act) and HSPDs 5, 7, 8, 9, and 10.

Water Sector Security Partners. A variety of entities—including all levels of government and the public and private sectors—
play roles in helping to secure each of the Nation's CI/KR sectors. These entities often are referred to as Water Sector security
partners. As the SSA for the Water Sector, EPA will continue to collaborate and build upon existing relationships with all parties
in the sector: public and private drinking water and wastewater utilities; the WSCC; the GCC; national and State associations;
State, local, and tribal governments; research foundations; and other Federal agencies such as the DHS. This collaboration will
enable EPA to better understand dependencies and interdependencies within and across sectors, develop tools and training,
improve information-sharing and exchange mechanisms, and conduct research to make certain the owners and operators of
critical Water Sector infrastructure are better able to prevent, detect, respond to, and recover from terrorist attacks, other
intentional acts, natural disasters, and other hazards.

Sector Security Vision and Goals. The Water Sector's security goals outline the comprehensive protective posture that the
government and infrastructure owner/operators are striving toward. EPA and a joint working group of the WSCC and GCC have
collaborated to develop a vision statement and security goals that provide clear direction for CI/KR protection efforts.
From the vision statement, the Water Sector has developed four goals that will drive development of protective programs and
measures of success. These goals are: (1) sustain protection of public health and the environment; (2) recognize and reduce
risks; (3) maintain a resilient infrastructure; and (4) increase communication, outreach, and public confidence.
Value Proposition. This section of the SSP identifies and discusses the benefits of efficiently and effectively securing the
physical, human, and cyber elements of the Water Sector.

Vision Statement for the Water Sector
The Water Sector's Security Vision is a secure and resilient drinking water and wastewater infrastructure that provides clean and
safe water as an integral part of daily life. This Vision assures the economic vitality of and public confidence in the Nation's
drinking water and wastewater through a layered defense of effective preparedness and security practices in the sector.

2. Identify Assets, Systems, Networks, and Functions
This section of the SSP discusses ongoing efforts by government agencies and Water Sector security partners to help the DHS
identify, prioritize, and coordinate key sector resources and assets that could, if compromised, result in economic or public health
impacts. The discussion includes a determination of the sector's relevant information parameters; an outline of data sources that
help it manage risk and protect infrastructure assets; an evaluation of methods for verifying infrastructure information; and a
review of methods for updating that information. The section explores the distinct roles and responsibilities of EPA, the DHS, and
public and private sector owner/operators for risk assessment procedures and maintenance of asset databases.
Defining Information Parameters. The Water Sector is composed of a diverse set of drinking water and wastewater utilities.
Characteristics of these utilities that are useful for defining sector infrastructure information are available in databases that EPA
currently maintains. Drinking water and wastewater assets are defined as entire utilities for purposes of identification,
prioritization, and coordination in the Water Sector. Owner/operators are responsible for conducting risk assessments of their utilities
to identify asset components (e.g., pumps, generators, and supervisory control and data acquisition systems), loss or damage
of which, due to manmade or natural events, could adversely affect the utility's operation, threaten public health or the
environment, or have significant economic impacts. Also provided are drinking water and wastewater categories that are common to the
industry and that should be reflected in the DHS's National Asset Database (NADB).
Collecting Infrastructure Information. In coordination with the Water Sector, EPA maintains several databases that contain
general information on drinking water and wastewater utilities. These databases are important in identifying, describing, and
quantifying information about the sector. As part of its mission under the SDWA and CWA, EPA maintains general information
about its inventory of regulated utilities, which is regularly updated by the States. This section also describes the Bioterrorism
Act and the requirement for drinking water utilities serving more than 3,300 persons to conduct vulnerability assessments and
provide this information to EPA. In addition, the DHS maintains and is enhancing a comprehensive catalog that includes an
inventory and descriptive information about the assets and systems that comprise U.S. critical infrastructure. The NADB allows
analysis of consequences, specific and common vulnerabilities, dependencies, and interdependencies within and across sectors
and geographic regions.
Verifying Infrastructure Information. Much of the existing data collected by EPA that pertains to the Water Sector are subject
to verification and validation protocols. EPA databases and surveys have well-established quality control and verification
procedures for data collection and entry, including data screening, double-key entry, and logic checks. EPA audits State data at least
once every 4 years using a formal audit process and data verification teams.

Updating Infrastructure Information. By virtue of EPA's approach to meeting its mission under the SDWA and CWA, two basic
inventories for all Water Sector systems—the Safe Drinking Water Information System and Permit Compliance System—are
updated routinely, and other databases are updated at least every four years. Where deemed necessary for the security of the
homeland and critical infrastructure, and while recognizing resource and time constraints, EPA will work with the sector to
ensure more frequent updates of data or data elements.


3. Assess Risks (Consequences, Vulnerabilities, and Threats)
This section of the SSP describes the Water Sector's approach for assessing risk, which is the measure of potential harm due to
threat, vulnerability, and consequence. Risk as it relates to the sector is a function of the likely consequences of a disruption
or successful attack; the likelihood and vulnerability of disruption or attack; and the vulnerability to a disruption or attack
on drinking water or wastewater utilities or their components. This section also provides information on risk assessment
methods that are unique to the sector; how these methodologies address DHS's Risk Analysis and Management for Critical
Asset Protection criteria; how risk assessments have been implemented in the Water Sector; the roles of the various partners in
conducting risk assessments; and the limitations on providing information on the outcome of assessments to the DHS.

Risk Assessment. The Water Sector was involved in development of a number of risk assessment tools to help drinking water
and wastewater utilities be better prepared to prevent, detect, respond to, and recover from terrorist attacks, other intentional
acts, natural disasters, and other hazards. Because of the diversity of assets in the sector (e.g., size, treatment complexity,
disinfection practices), a number of risk assessment methodologies were created and are used. These methodologies address the
full range of utility components, including the physical plant (physical), employees (human), information technology (cyber),
communications, and customers. This section also discusses the limits on using findings from the assessments.

Screening Infrastructure. This section discusses these issues and avenues for proceeding forward in developing screening
mechanisms. In light of the large number of Water Sector utilities throughout the Nation and the limited resources available to
address their security, it is neither practical nor financially responsible to perform comprehensive risk assessments at all
facilities. Thus, as a precursor to in-depth risk assessments, the sector should explore the use of screening methods and begin to
develop a process to define high-consequence assets.

Assessing Consequences. This section describes a number of consequences of concern and outlines a number of dependencies
and interdependencies in the Water Sector and across other CI/KR. Among the factors to consider in assessing the consequences
of any disruption of a Water Sector asset are the: (1) magnitude of service disruption; (2) number of illnesses or deaths
resulting from an event; (3) impact on public confidence; (4) chronic problems arising from specific events; (5) economic impacts;
and (6) other indicators of the impact of each event, as determined by the utility. The consequences that are considered for the
national comparative risk assessment are based on the criteria in HSPD-7.

Assessing Vulnerabilities. This section discusses the various vulnerability (risk) assessments developed for the Water Sector.
Vulnerabilities are the characteristics of an asset's design, location, security posture, process, or operation that make it
susceptible to destruction, incapacitation, or exploitation by mechanical failures, natural hazards, and terrorist attacks or
other malicious acts. They are weaknesses that could result in consequences of concern, taking into account intrinsic
structural weaknesses, protective measures, resiliency, and redundancies.

Assessing Threats. This section discusses the need for improved threat data and better coordination with the DHS and law
enforcement and intelligence agencies. The Water Sector views threat analysis broadly, encompassing natural events,
criminal acts, insider threats, and foreign and domestic terrorism. In the context of risk assessment, the threat component of risk
analysis is based on the likelihood that an asset will be disrupted or attacked. To assist Water-Sector utilities in conducting risk
assessments, baseline threat documents have been developed.


4. Prioritize Infrastructure
In this section of the SSP, the DHS requests that the Water Sector describe the process for risk-based prioritization of its assets.
As part of the national comparative risk assessment described in the National Infrastructure Protection Plan (NIPP),
prioritization across sectors (in support of national protective efforts) is performed by the DHS. Sectors are being asked to provide risk
assessment information in a manner comparable with DHS risk management efforts to better support the national assessment.


5. Develop and Implement Protective Programs

This section of the SSP discusses how the Water Sector develops and implements protective programs that are used throughout
the sector, and focuses on efforts to identify, assess, select, and implement protective programs and on EPA's role in facilitating
implementation of such programs. A protective program is defined as a coordinated plan to prevent, deter, and mitigate
terrorist attacks on critical assets, and to respond to and recover from such attacks as quickly and effectively as possible. Protective
programs guide infrastructure owner/operators on the most effective strategies for protecting their assets, including critical
components, given the general classes of threats applicable to their system and their specific vulnerabilities.
Overview of Sector Protective Programs. This section provides a brief history of protective programs in the Water Sector and
the impact of various HSPDs and the Bioterrorism Act in helping identify and define protective programs. Several key protective
programs and initiatives that address the sector's vision and goals are discussed, as well as collaborative processes within the
sector to identify gaps and develop programs.
Determining Protective Program Needs. This section describes the process EPA uses to engage sector security partners to
identify and prioritize gaps and protective program needs.
Protective Program Implementation. This section describes the voluntary nature of protective programs in the Water Sector.
It also describes the historical approach to protection, which focused on natural disasters and emergencies, and how this
approach has been expanded to address security-related needs.
Protective Program Performance. This section describes how protective program performance changes and the need to focus
on Water Sector goals and the highest priority security needs.


6. Measure Progress
Measuring progress is part of the NIPP risk management framework. While the DHS focuses on using core metrics to measure
progress across all CI/KR sectors, EPA is responsible for measuring progress in the Water Sector using additional sector-specific
metrics. In this section, the Water Sector describes how it will develop sector-specific metrics and how its partners will work
together to collect, verify, and report requirements of the core NIPP metrics and of the sector-specific metrics. These metrics
will be used to measure risk assessment progress and support continuous improvement in the Water Sector.

CI/KR Performance Measurement. This section describes the different types of measures that will be developed and the
process EPA and its sector security partners will use to develop sector-specific metrics. It also discusses information collection
and reporting.
Implementation Actions. This section of the SSP provides a matrix of various planned security-related actions, and the roles of
sector security partners in development and implementation.

Challenges and Continuous Improvement. This section focuses not only on the challenges of measuring progress but also on
other challenges faced by the sector in effectively implementing and measuring protective programs.


7. CI/KR Protection Research and Development

Many ongoing security-related R&D initiatives have direct impacts on the Water Sector; other initiatives, while not directly
related to the sector, can benefit its overall security posture. R&D initiatives are being conducted by educational institutions,
national research laboratories, public/private research foundations, the Federal Government, and other organizations. This
section of the SSP focuses mainly on the R&D initiatives being conducted by EPA's National Homeland Security Research Center,
and on the center's coordination and collaboration with sector R&D partners. Also depicted in this section are the management
process for implementing and maintaining research activities and how the sector's vision, goals, and R&D efforts align with the
nine critical infrastructure protection (CIP) R&D themes and three CIP R&D goals outlined in the National CIP (NCIP) R&D
Plan.

Overview of Sector R&D. This section describes the sector's technology development decision-makers and the process used to
develop its R&D plan.
Sector R&D Requirements and R&D Plan. This section describes the sector's current R&D plan and identification of additional
security-related research needs.
R&D Management Process. This section describes how the Water Sector will pursue a focused, coordinated approach that: (1)
aligns the NCIP R&D Plan themes and goals with existing and future R&D initiatives and the sector's vision, goals, and
objectives; (2) initiates specific projects to address critical needs; and (3) provides a mechanism for collaboration, project
management, and oversight. The aim of this approach is to accomplish clearly defined activities, projects, and initiatives that contain
time-based deliverables tied to priority R&D requirements.


8. Managing and Coordinating SSA Responsibilities

This section of the SSP details many of the management and coordination activities that will be performed in order for the
Water Sector to better protect critical infrastructure.

Program Management Approach. This section describes how EPA coordinates security-related issues, its role as the Water SSA,
and how it coordinates and communicates with the sector.
Processes and Responsibilities. This section describes the process for updating and maintaining the SSP, requirements for
annual reporting to the DHS, resources and budget processes, and training and education.
Implementing the Sector Partnership Model. This section describes the NIPP sector partnership model, NIPP coordinating
structures, and coordination with State and local government entities.
Information Sharing, Collection, and Protection. This section discusses the Water Sector's information-sharing mechanisms,
and how information is collected and protected.

To access the entire Water Sector-Specific Plan please visit:
http://cfpub.epa.gov/safewater/watersecurity/legislation.cfm.