&EPA United States Environmental Protection Agency Baseline Information on Malevolent Acts for Community Water Systems Version 2.0 Office of Water (MC 140) EPA 817-F-21-004 February 2021 ------- Changes in Version 2.0 of Baseline Information on Malevolent Acts for Community Water Systems Version 2.0 of the Baseline Information on Malevolent Acts for Community Water Systems document contains only two significant changes from the original version of this document, which EPA published in August 2019. In Version 2.0, the default annual threat likelihood values for "Cyber-Attack on Business Enterprise Systems" and "Cyber-Attack on Process Control Systems" have both been changed to 1.0. In the original August 2019 version of the document, the default annual threat likelihood values for "Cyber- Attack on Business Enterprise Systems" and "Cyber-Attack Process Control Systems" were 0.3 and 0.1, respectively. The updated values are shown in Table 10 of this document. In both the original and the current version of this document, no differentiation was made between water and wastewater systems. EPA has chosen to increase these default threat likelihood values based on the increasing prevalence of reported cyber-attacks on critical infrastructure facilities, including water and wastewater systems. These attacks have targeted water and wastewater systems of all sizes and in all geographic locations, including both business enterprise and process control systems. Suspected perpetrators of cyber-attacks include criminal enterprises, malicious insiders, and sophisticated advanced persistent threat actors supported by nation-states. Due to increases in the use of Internet-connected devices, greater remote access practices, widespread third-party software and management solutions, and the growing sophistication of threat actors, cyber-attacks are expected to continue to increase in the future. The revised cyber-attack threat likelihood values also reflect input from water sector stakeholders and are in accordance with the updated ANSI/AWWA J100 Standard Risk and Resilience Management of Water and Wastewater Systems. Consistent with the J100 Standard, EPA recommends that every water and wastewater system should expect to be targeted by cyber-attacks. Consequently, all water and wastewater systems should adopt cybersecurity best practices that are designed to reduce vulnerabilities and manage consequences. Disclaimer The Water Security Division of the Office of Ground Water and Drinking Water has reviewed and approved this document for publication. This document does not impose legally binding requirements on any party. The information in this document is intended solely to recommend or suggest and does not imply any requirements. Neither the United States Government nor any of its employees, contractors or their employees make any warranty, expressed or implied, or assume any legal liability or responsibility for any third party's use of any information, product, or process discussed in this document, or represent that its use by such party would not infringe on privately owned rights. Mention of trade names or commercial products does not constitute endorsement or recommendation for use. Questions concerning this document should be addressed to WQ_SRS0epa.gov or the following contact: Dan Schmelling U.S. EPA Water Security Division 1200 Pennsylvania Ave, NW Mail Code 4608T Washington, DC 20460 (202) 557-0683 Schmellinq.Dan0epa.qov ------- Table of Contents Changes in Version 2.0 i Disclaimer i List of Figures iii List of Tables iii Abbreviations iv Introduction 1 Section 1: AWIA Requirements 2 Section 2: Assessing Risk and Resilience 3 Section 3: Asset Categories 5 Section 4: Threat Categories and Likelihoods for Malevolent Acts 7 4.1 Threat Categories 7 4.2 Threat Likelihood 8 4.2.1 Factors for Estimating Threat Likelihood That Apply to Multiple Threat Categories 8 4.2.2 Factors for Estimating Threat Likelihood Values that Apply to Specific Threat Categories 10 Section 5: Resources for Additional Information 41 References 46 ii ------- List of Figures Figure 1: Critical Infrastructure Risk Management Framework 3 List of Tables Table 1: AWIA Requirements and Certification Deadlines by CWS Size 2 Table 2: Approach to Risk Management 4 Table 3: AWIA-ldentified Assets 5 Table 4: EPA Threat Categories for Malevolent Acts 7 Table 5: Factors for Threat Likelihood 8 Table 6: Threat Category: Assault on Utility - Physical 11 Table 7: Threat Category: Contamination of Finished Water - Accidental 14 Table 8: Threat Category: Contamination of Finished Water - Intentional 17 Table 9: Threat Category: Theft or Diversion - Physical 20 Table 10: Threat Category: Cyber Attack - Business Enterprise Systems and Process Control Systems 23 Table 11: Threat Category: Sabotage - Physical 28 Table 12: Threat Category: Contamination of Source Water - Accidental 31 Table 13: Threat Category: Contamination of Source Water - Intentional 36 Table 14: Threat Category Resource Descriptions 41 iii ------- Abbreviations AWIA America's Water Infrastructure Act of 2018 AWWA American Water Works Association CWS Community Water System DHS U.S. Department of Homeland Security EPA U.S. Environmental Protection Agency EPCRA Emergency Planning and Community Right-to-Know Act ERP Emergency Response Plan FBI Federal Bureau of Investigation IT Information Technology LEPC Local Emergency Planning Committee NIPP National Infrastructure Protection Plan NIST National Institute of Standards and Technology RAMCAP Risk Analysis and Management for Critical Asset Protection SDWA Safe Drinking Water Act SERC State Emergency Response Commission SLTT State, Local, Tribal, Territorial VSAT Vulnerability Self-Assessment Tool WaterlSAC Water Information Sharing & Analysis Center ------- Baseline Information on Malevolent Acts for Community Water Systems Introduction Dependable and safe water infrastructure is essential to human health and the nation's economy. Water systems, like other utilities, can face an array of threats from both natural hazards (e.g., floods, hurricanes) and malevolent acts (e.g., cyber-attacks, contamination). By using this document, systems can identify malevolent acts and take steps to reduce the risk that a specific system will experience if one occurs or potentially deter a threat from occurring. By assessing threats, systems across the country can identify, prepare for and manage any risks they may have by adopting an "all-hazards" approach that: • Identifies, deters, detects, and prepares for these threats. • Reduces vulnerabilities of critical assets. • Mitigates the potential consequences of incidents that do occur. Pursuant to the requirements of America's Water Infrastructure Act (AWIA) Section 2013(a), the U.S. Environmental Protection Agency (EPA), in consultation with federal, state, and local government partners, has developed this guidance document to provide baseline information regarding malevolent acts of relevance to Community Water Systems (CWSs).1 The information included in this document is not a threat analysis for a specific system and it should not be used as such. The values are intended to serve as a starting point for systems to consider when they are estimating the threat likelihood of malevolent acts as part of a risk and resilience assessment.2 When conducting site-specific assessments, systems may determine that lower or higher threat likelihood values are appropriate. The process systems will go through to identify their specific threats will account for their unique situations, which cannot be reflected in the baseline numbers. It is also important to note that threat likelihood is not an assessment of the risk that malevolent acts may have on public health. While the resources provided in this document are already publicly available, this is the first time EPA, or any other federal agency, has compiled this important information for systems across the country. The document contains the following sections: • Section 1: AWIA Requirements - Provides an overview of AWIA requirements pertaining to Risk and Resilience Assessments, Emergency Response Plans (ERPs), and baseline threat information. • Section 2: Assessing Risk and Resilience - Describes the basic elements of Risk and Resilience Assessments for CWSs. • Section 3: Asset Categories - Defines physical and cyber elements that CWSs are required to evaluate in conducting Risk and Resilience Assessments under AWIA. • Section 4: Threat Categories and Likelihoods for Malevolent Acts - Describes threat categories of relevance to CWSs. • Section 5: Resources for Additional Information - Contains a listing of other sources of information on malevolent acts relevant to CWSs. Water systems exhibit significant variability in assets, operations, system design, and other characteristics that influence the risk presented by different malevolent acts. Consequently, some information in this document may not be relevant to certain systems. 1A Community Water System (CWS) is a public water system that supplies water to the same population year-round. 2 In accordance with AWIA, natural hazards and dependency/proximity threats are outside the scope of this document but should be included in a risk and resilience assessment. ------- Baseline Information on Malevolent Acts for Community Water Systems Section 1: AWIA Requirements Enacted as Public Law No: 115-270 on October 23, 2018, America's Water Infrastructure Act (AWIA) (https://www.conqress.gov/ bill/115th-conqress/senate-bill/5021/text) establishes new risk and resiliency requirements for CWSs. Section 2013 of AWIA amends Section 1433 of the Safe Drinking Water Act (from the 2002 Public Health Security and Bioterrorism Response Act) and reguires all CWSs serving more than 3,300 people to conduct Risk and Resilience Assessments that consider the risk to the system from malevolent acts and natural hazards (i.e., an "all-hazards" approach). The law also reguires CWSs to update Emergency Response Plans (ERPs). AWIA specifies the components that the Risk and Resilience Assessments and ERPs must address and establishes the deadlines in Table 1 to certify completion to EPA. Table 1: AWIA Requirements and Certification Deadlines by CWS Size Population Served Risk Assessment Certification Deadlines Emergency Response Plan* Certification Deadlines >100,000 March 31, 2020 September 30, 2020 50,000-99,999 December 21,2020 June 30, 2021 3,301-49,999 June 30, 2021 December 30, 2021 *ERP certifications are due as soon as possible and no later than 6 months from the date of the risk assessment certification to EPA. The ERP dates shown are certification dates based on a utility submitting a risk assessment on the final due date. To assist utilities in identifying threats to be considered in Risk and Resilience Assessments, AWIA Section 2013 directs EPA to provide baseline information on malevolent acts that are relevant to CWSs, including acts that may either: • Substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water; or • Otherwise present significant public health or economic concerns to the community served by the system. This document provides baseline threat information related to malevolent acts, as reguired by AWIA, as well as an overview of how this information may be used in the risk assessment process. Natural hazards are not included in the scope of this document. Safeguarding Sensitive Information Risk and Resilience Assessments and Emergency Response Plans contain sensitive information that should be protected from inadvertent disclosure. Utilities should establish procedures to control sensitive information as they develop and update these documents. 5-Year Review and Revision AWIA requires each CWS serving more than 3,300 people to: • Review its Risk and Resilience Assessment at least every 5 years to determine if it should be revised. • Submit to EPA a certification that it has reviewed and, if necessary, revised its assessment. • Revise, as necessary, its ERP at least every 5 years after completing the Risk and Resilience Assessment review. • Submit to EPA a certification that it has reviewed and, if necessary, revised its ERP within 6 months after certifying the review of its Risk and Resilience Assessment. 2 ------- Baseline Information on Malevolent Acts for Community Water Systems Section 2: Assessing Risk and Resilience Under the 2013 National Infrastructure Protection Plan (NIPP), Critical Infrastructure Risk Management Framework,3 critical infrastructure risks can be assessed in terms of the following: • Threat - natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. • Vulnerability - physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. • Consequence - effect of an event, incident, or occurrence. Risk is the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood (a function of threats and vulnerabilities) and the associated consequences. Threat likelihood in this document does not refer to public health impacts, but rather the likelihood of a threat happening to a CWS. Risk assessments identify the most significant malevolent acts and natural hazards to a CWS's critical assets, systems, and networks. A risk assessment for a CWS accounts for threats to source water (ground and surface), treatment and distribution systems, and business enterprise systems. It also considers risks posed to the surrounding community related to attacks on the CWS. An effective risk assessment serves as a guide to facilitate a prioritized plan for security upgrades, modifications of operational procedures, and policy changes to mitigate the risks to the CWS's critical assets. This document is not a risk assessment tool. Instead, it presents an overview of the baseline threat posed by malevolent acts, which can be reviewed prior to and when conducting a Risk and Resilience Assessment. ("Baseline" in this context is an ongoing level, which may be elevated situationally.) CWSs may select any appropriate risk assessment standard, methodology, or tool that assists in meeting the requirements of AWIA Section 2013. Regardless of the use of any standard, methodology or tool, the CWS is responsible for ensuring that its Risk and Resilience Assessment and ERP fully address all applicable AWIA requirements. As described in the 2013 NIPP, a Risk and Resilience Assessment is one component of an overall Risk Management Framework, as shown in Figure 1 (from Figure 3 of the 2013 NIPP). The nature and extent of the risk assessment will differ among systems based on a range of factors, including system size, potential population affected, source water, treatment complexity, system infrastructure, and other factors. Regardless of these considerations, the results of the risk assessment should be incorporated into an overall risk management plan, such as the approach shown in Table 2. With a risk management plan, systems can use the results of the risk assessment to maximize short- and long-term risk reduction and resilience within available resources. 3 National Infrastructure Protection Plan 2013, Partnering for Critical Infrastructure Security and Resilience, U.S. Department of Homeland Security, https://www.cisa.gov/sites/default/files/publications/national-infrastructure-protection-plan-2015-508.pdf 3 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 2: Approach to Risk Management Step Purpose 1 Set Goals and Objectives Define specific outcomes, conditions, end points, or performance targets that collectively describe an effective and desired risk management posture. 2 Identify Infrastructure Identify assets, systems, and networks that contribute to critical functionality and collect information pertinent to risk management, including analysis of dependencies and interdependencies. 3 Assess and Analyze Risk Evaluate the risk, taking into consideration the potential direct and indirect consequences of an incident, known vulnerabilities to various potential threats or hazards, and general or specific threat information. 4 Implement Risk Management Activities Make decisions and implement risk management approaches to control, accept, transfer, or avoid risks. Approaches can include prevention, protection, mitigation, response, and recovery activities. 5 Measure Effectiveness Use metrics and other evaluation procedures to measure progress and assess the effectiveness of efforts to secure and strengthen the resilience of critical infrastructure. 4 ------- Baseline Information on Malevolent Acts for Community Water Systems Section 3: Asset Categories Under AWIA Section 2013, each CWS serving more than 3,300 people is required to assess the risk to the system from malevolent acts and natural hazards for the asset categories listed in Table 3.4 Note that the asset categories in Table 3 are taken directly from AWIA Section 2013(a).5 The EPA examples for each of the asset categories are offered as guidance only and will not apply to all systems. Each CWS must identify the critical assets to be assessed under AWIA based on system type and design. Table 3: AWIA-ldentified Assets Asset Categories EPA Examples Physical barriers Encompasses physical security in place at the CWS. Possible examples include fencing, bollards, and perimeter walls; gates and facility entrances; intrusion detection sensors and alarms; access control systems (e.g., locks, card reader systems); and hardened doors, security grilles, and equipment cages.6 Source water Encompasses all sources that supply water to a CWS. Possible examples include rivers, streams, lakes, source water reservoirs, groundwater, and purchased water. Pipes and constructed conveyances, water collection, and intake Encompasses the infrastructure that collects and transports water from a source water to treatment or distribution facilities. Possible examples include holding facilities, intake structures and associated pumps and pipes, aqueducts, and other conveyances. Pretreatment and treatment Encompasses all unit processes that a CWS uses to ensure water meets regulatory public health and aesthetic standards prior to distribution to customers. Possible examples include sedimentation, filtration, disinfection, and chemical treatment. For the risk assessment, individual treatment processes at a facility may be grouped together and analyzed as a single asset if they have a similar risk profile. Storage and distribution facilities Encompasses all infrastructure used to store water after treatment, maintain water quality, and distribute water to customers. Possible examples include residual disinfection, pumps, tanks, reservoirs, valves, pipes, and meters. Electronic, computer, or other automated systems (including the security of such systems) Encompasses all treatment and distribution process control systems, business enterprise information technology (IT) and communications systems (other than financial), and the processes used to secure such systems. Possible examples include the sensors, controls, monitors and other interfaces, plus related IT hardware and software and communications, used to control water collection, treatment, and distribution. Also includes IT hardware, software, and communications used in business enterprise operations. The assessment must account for the security of these systems (e.g., cybersecurity, information security). 4 Per AWIA, the Risk and Resilience Assessment may also include an evaluation of the capital and operational needs for risk and resilience management for the system. 5 See the AWIA's amended language for Section 1433(a)(1)(A) of the Safe Drinking Water Act. 6 In a risk assessment, physical barriers are usually treated as countermeasures, which reduce the risk of a threat to an asset, rather than analyzed as assets themselves. However, under AWIA, a CWS must assess the risks to and resilience of physical barriers. In this case, a CWS may consider increased risks to other system assets, along with economic impacts, if physical barriers were degraded. 5 ------- Baseline Information on Malevolent Acts for Community Water Systems Asset Categories EPA Examples Monitoring practices Encompasses the processes and practices used to monitor source water and finished water quality, along with any monitoring systems not captured in other asset categories. Possible examples include sensors, laboratory resources, sampling capabilities, and data management equipment and systems. Examples are contamination warning systems for the source water or distribution system.7 Financial infrastructure Encompasses equipment and systems used to operate and manage utility finances. Possible examples include billing, payment, and accounting systems, along with third parties used for these services. This asset category is not intended to address the financial "health" of the water utility (e.g., credit rating, debt-to-equity ratios). The use, storage, or handling of chemicals Encompasses the chemicals and associated storage facilities and handling practices used for chemical disinfection and treatment. Assessments under this asset category should focus on the risk of uncontrolled release of a potentially dangerous chemical like chlorine where applicable. The operation and maintenance of the system Encompasses critical processes required for operation and maintenance of the water system that are not captured under other asset categories. Possible examples include equipment, supplies, and key personnel. Assessments may focus on the risk to operations associated with dependency threats like loss of utilities (e.g., power outage), loss of suppliers (e.g., interruption in chemical delivery), and loss of key employees (e.g., disease outbreak or employee displacement). 7 Monitoring associated with physical security should be addressed under Physical Barriers; monitoring associated with process controls and cybersecurity should be addressed under Electronic, computer or other automated systems; monitoring associated with financial systems should be addressed under Financial Infrastructure. 6 ------- Baseline Information on Malevolent Acts for Community Water Systems Section 4: Threat Categories and Likelihoods for Malevolent Acts This section provides baseline information on malevolent acts of relevance to CWSs.1 4.1 Threat Categories As guidance for AWIA compliance, EPA has identified threat categories for malevolent acts, as shown in Table 4. These threat categories encompass actions that could be taken by a malevolent actor to either (1) substantially disrupt the ability of a system to provide a safe and reliable supply of drinking water, or (2) cause significant public health or economic impacts in the community served by the CWS. EPA recommends that CWSs subject to the requirements of AWIA Section 2013 consider this information when conducting the Risk and Resilience Assessment. Table 4: EPA Threat Categories for Malevolent Acts EPA Threat Categories Assault on Utility - Physical Contamination of Finished Water - Accidental* Contamination of Finished Water - Intentional Theft or Diversion - Physical Cyber Attack on Business Enterprise Systems Cyber Attack on Process Control Systems Sabotage - Physical Contamination of Source Water - Accidental* Contamination of Source Water - Intentional EPA considered the larger body of Reference Threats from AWWA J100-10 Risk and Resilience Management of Water and Wastewater Systems when creating these broad Threat Categories (Table 4).8 The J100-10 Reference Threats were adapted for water systems from Risk Analysis and Management for Critical Asset Protection, which was developed by the American Society of Mechanical Engineers and endorsed by the Department of Homeland Security for critical infrastructure protection.9 EPA grouped the AWWA J100-10 Reference Threats into a smaller number of threat categories in order to simplify the Risk and Resilience Assessment process. Note that the threat categories are incorporated into VSAT Web, which can be used to comply with the AWIA Risk and Resilience Assessment requirements for CWSs.10 Malevolent acts may be perpetrated by individuals or groups operating outside or inside the CWS. *Accidental contamination threat categories are not malevolent acts but are included here due to similar potential consequences. Further, whether a contamination incident is intentional or accidental may not be known during initial response. These threat categories are also grouped with malevolent acts in EPA's Vulnerability Self-Assessment Tool (VSAT) Web. 8 American Water Works Association, J100-10 (R13) Risk and Resilience Management of Water and Wastewater Systems (Washington, DC, 2013) 9 2006 National Infrastructure Protection Plan, U.S. Department of Homeland Security https://www.dhs.gov/xlibrarv/assets/NIPP Plan noApps.pdf 10 https://vsat.epa.gov/vsat/ 7 ------- Baseline Information on Malevolent Acts for Community Water Systems 4.2 Threat Likelihood Threat likelihood can be impacted by many factors, such as adversary intent and capability; target visibility and potential impact; awareness, ease of discovery, and ease of exploitation of CWS vulnerabilities; and the probability of detection and intervention. Deriving an accurate quantitative estimate of threat likelihood for malevolent acts based on underlying risk factors is challenging and may be outside the capability of a CWS. Such an estimate may require information that is not available to the CWS, even with the engagement of law enforcement and intelligence agencies. To assist CWSs with conducting Risk and Resilience Assessments under AWIA, EPA has provided default threat likelihood values for each of the threat categories. These default values are general, order-of-magnitude estimates that are intended to serve as a starting point for the Risk and Resilience Assessment. They are not a threat level for a specific water system. EPA recommends that CWSs consider the applicability of the default values to their facilities and develop site-specific threat likelihood estimates as needed. Characteristics of the facility or system being assessed, along with information from local law enforcement, intelligence agencies, and other credible sources as described below, can support the development of site- specific threat likelihood values. Further, systems may choose to estimate threat likelihood using alternate methods, such as the Proxy Method described in the AWWA J100-10 Standard. 4.2.1 Factors for Estimating Threat Likelihood That Apply to Multiple Threat Categories Prior to showing the individual threat category tables, Table 5 presents factors for threat likelihood that apply to multiple threat categories. EPA recommends reviewing this list when assessing the likelihood that a malevolent actor would target your system or facility. These factors can be indicators of the general threat environment for a system or facility. They should be evaluated in combination with the factors for specific threat categories, as discussed in the next section, when making a site-specific threat likelihood estimate. Table 5: Factors for Threat Likelihood Factor Considerations Notes 1. Does the utility serve a major population center or prominent facility? • Utilities that serve large population centers or prominent facilities (e.g., large government installation) may have a greater likelihood of high consequence threats (e.g., intentional contamination, cyber process control attack, physical assault) by a sophisticated attacker due to increased public health and economic impacts and high visibility. • Smaller and medium utilities may have a higher likelihood of an unsophisticated threat (e.g., cyber business enterprise attack, sabotage) due to fewer security resources. 2. How difficult are the logistics of an attack on the utility infrastructure, and what measures are in place to deter an attack? • Ease of access (physical or electronic) to facilities, systems, and infrastructure can increase threat likelihood. • The presence of visible physical and electronic security can deter an attacker (reduced threat likelihood). 8 ------- Baseline Information on Malevolent Acts for Community Water Systems Factor Considerations Notes 3. Are there critical points in the utility infrastructure or operations where an attack could achieve complete disruption of the utility's capability to supply safe drinking water? • A single point of failure (e.g., single source of water, single water storage tank) for utility operations may increase the likelihood of an attack at that point. • Redundant systems that increase resilience may reduce threat likelihood. 4. Does the utility have protocols for responding to disgruntled or hostile employees and customers? • A utility culture that fails to resolve workplace complaints can increase the likelihood of an insider threat (e.g., sabotage, theft). • Similarly, unaddressed issues with upset customers could increase the likelihood of a physical attack, theft, or vandalism. 5. Are non-employees with access to systems or facilities properly vetted? • Rigorous background checks of third parties with access to utility facilities or systems (e.g., contractors, vendors, IT service providers) prior to authorizing access, can reduce threat likelihood of a third-party insider attack. 6. Do organizations with extremist political, social, or other ideologies operate in the vicinity of my utility? • Proximity to extremist organizations may increase the likelihood of external physical threats, such as intentional contamination, sabotage, or assaults. Intelligence and law enforcement information on the capabilities and intent of an organization should be evaluated. 7. Has the facility been the target of previous physical or cyberattacks? • Previous attacks may increase the threat likelihood of similar attacks in the future if they reveal security weaknesses or inspire copycat attacks. 8. Are senior managers at the utility, as well as other responsible personnel (e.g., water board, local government) actively engaged in threat assessments and risk management? • Commitment to establishing a culture of security by the utility and local government (e.g., resources, integration of security best practices) can achieve a broad reduction in the likelihood of malevolent acts. 9 ------- Baseline Information on Malevolent Acts for Community Water Systems 4.2.2 Factors for Estimating Threat Likelihood Values that Apply to Specific Threat Categories Tables 6-13 (threat categories) presented below include: • Corresponding reference threats from the AWWA J100-10 Standard • Basis for EPA default threat likelihood values • Factors for estimating site-specific threat likelihood values ° The factors are presented as yes/no questions for a CWS. As described further below, the responses of a CWS to these questions may indicate whether a site-specific threat likelihood estimate for the CWS would be higher or lower than the EPA default value. • Publicly available resources for additional information While AWIA Section 2013 is applicable only to drinking water systems, default threat likelihoods for wastewater systems, which are included in VSAT Web, are also shown in the tables. Completion of Threat Category Checklists and Interpretation of Results 1. The checklist questions in Tables 6-13 below are intended to help CWSs assess how their current capabilities and operating environment may either deter a malevolent actor and decrease threat likelihood or suggest a higher likelihood of attack. 2. Select "yes" or "no" for each question. A worksheet is provided after each checklist to allow CWSs to capture notes relevant to their current capabilities and operations for future reference when completing the Risk and Resilience Assessment and Emergency Response Plan. 3. If mostly "yes" answers are selected for an individual threat category, then a lower site-specific threat likelihood estimate may be warranted. Conversely, if mostly "no" answers are selected, then a higher site-specific threat likelihood may be appropriate. A mix of "yes" and "no" responses would support the applicability of the default threat likelihood value. CWSs should consult the resources listed for each threat category when evaluating modifications to threat likelihood values. 4. Further, "no" responses may inform actionable steps a CWS might consider for reducing risk by implementing additional countermeasures. Please note that this document does not provide a quantitative method to translate "yes" and "no" responses into a numerical decrease or increase in the threat likelihood estimate. Available information on the estimation of malevolent threat likelihood is insufficient to support a numerical method. Rather, a CWS should assess these responses qualitatively and holistically in combination with other available information when deciding how to adjust threat likelihood estimates. 10 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 6: Threat Category: Assault on Utility - Physical Threat Category Definition: A physical assault on utility infrastructure or staff with the intent of disabling infrastructure and/or terrorizing staff Crosslink to AWWA J100-10 Standard Reference Threat Scenarios • Aircraft: (A1) Helicopter, (A2) Small Plane, (A3) Regional Jet, (A4) Large Jet • Assault Team: (AT1) 1 Assailant; (AT2) 2-4 Assailants, (AT3) 5-8 Assailants; (AT4) 9-16 Assailants • Maritime: (M1) Small Boat, (M2) Fast Boat, (M3) Barge, (M4) Deep Draft Ship • Vehicle Borne Bomb: (V1) Car, (V2) Van, (V3) Midsize Truck, (V4) Large Truck • Directed: (AS) Active Shooter • Contamination of Product: C(E) Explosive Annual Default Annual Default Threat Likelihood Threat Likelihood Water Wastewater 10-6 10-6 Basis: • Estimate 100,000 potential water utility targets in the United States. • While this type of attack is possible, it has never been reported for a U.S. water utility. • Available intelligence (public) provides no basis to elevate this likelihood currently. • Conservative estimate of threat likelihood: One attack per 10 years among 100,000 water utilities. Factors for Modifying Default Threat Likelihood 1. Has strict access control been implemented at utility facilities (e.g., visitor restrictions and logging, electronic employee access systems with logging, locked windows, grates, doors, and other access points, intrusion alarms, video monitoring with recording, security personnel)? (J Yes M No 2. Are physical barriers in place at treatment facilities to impede unauthorized access (include waterway access if applicable)? (_) Yes (_) No 3. Are physical barriers in place in place at isolated assets such as storage tanks, well fields, and intakes to impede unauthorized access? O Yes (J No 4. Are intrusion detection devices (e.g., contact alarms, video monitoring) installed and monitored at distribution system facilities? M Yes M No 5. Are procedures in place for rapid response and investigation of alarms or other indicators of unauthorized entry? M Yes M No 6. Are intrusion detection devices properly maintained to avoid frequent false alarms resulting in "alarm fatigue"? O Yes (J No 7. Are alarm and electronic surveillance systems secure to avoid tampering? (_) Yes (_) No 11 ------- Baseline Information on Malevolent Acts for Community Water Systems Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 ASCE, Guidelines for the Physical Security of Water Utilities (56-10) and Guidelines for the Physical Security of Wastewater/Stormwater Utilities (57-10) https://ascelibrary.org/doi/book/10.1061/9780784411261 1 AWWA G430-14 Security Practices for Operation and Management https://www.awwa.org/Store/AWWA-G430-14- Security-Practices-for-Operation-and-Management-/ ProductDetail/45322774 2 Domestic Security Alliance Council https://www.dsac.qov/ 3 InfraGard https://www.infragard.org/ 4 Local Law Enforcement Agencies N/A 5 State and Major Urban Area Fusion Centers https://www.dhs.qov/state-and-maior-urban-area-fusion- centers 6 Water Information Sharing and Analysis Center https://www.waterisac.orq/ 7 12 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 2. 3. 4. 5. 6. 13 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 7: Threat Category: Contamination of Finished Water - Accidental11 Threat Category Definition: An incident where contamination of finished water in the storage or distribution system occurs due to an unintentional operational, management, or design failure such as pressure loss, leaking infrastructure, or cross connection Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Contamination of Product: C(C) Chemical, C(P) Pathogen Annual Default Threat Likelihood Water 0.2 Annual Default Threat Likelihood Wastewater N/A Basis: • Accidental contamination of finished water occurs at U.S. water utilities. Most incidents are minor and do not have measurable public health or economic consequences. • Major incidents of accidental microbial or chemical contamination of finished water can occur with significant adverse impacts on the utility and surrounding community. • Potential causes of accidental contamination include cross- connections, backflow, breaches in the integrity of storage facilities, and infiltration during periods of low pressure. • Conservative estimate of threat likelihood: Utilities experience accidental contamination of finished water twice per year, and 10% of these incidents have significant public health or economic consequences. Factors for Modifying Default Threat Likelihood 1. Has the utility's distribution system management been effective in preventing accidental contamination events in the recent past (e.g., the past five years)? (J Yes (J No 2. Do operators receive regular training on procedures for distribution system monitoring and operations? (_) Yes (_) No 3. Are the personnel who conduct work in the distribution system (e.g., installing pipes, repairing broken water mains) properly trained to prevent contamination of drinking water infrastructure? Q Yes O No 4. Are storage tanks routinely inspected for possible damage/aging? (_) Yes (_) No 11 Accidental contamination of finished water is not a malevolent act but is included here due to similar potential consequences with intentional contamination. This threat category is also grouped with malevolent acts in EPA's Vulnerability Self-Assessment Tool (VSAT) Web. 14 ------- Baseline Information on Malevolent Acts for Community Water Systems 5. Does the utility have a backflow prevention program, stipulating the use and regular inspection of backflow prevention devices? (_.) Yes (_.) No 6. Are online water quality monitoring devices (e.g., chlorine residual, pressure monitoring, advanced metering) used in the distribution system to provide early detection of system integrity or operational problems? M Yes M No 7. If hazardous contaminants are produced or stored in the vicinity of the distribution system, has the utility communicated with the responsible party regarding proper containment of those contaminants (to avoid contaminant intrusion during low pressure events)? M Yes M No 8. Has the utility performed a sanitary survey that includes distribution system components within the last 3 years? M Yes M No 9. Has the utility performed a condition assessment of its distribution system assets within the last 5 years? M Yes M No Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 AWWA M-14 Backflow Prevention and Cross Connection Control: Recommended Practices https://www.awwa.org/Store/Product-Details/ productld/46494412 8 AWWA G200-15 Distribution Systems Operation and Management https://www.awwa.orq/Store/Product-Details/ productld/49065093 9 EPA Cross Connection Control Manual https://www.epa.gov/sites/production/files/2015-09/ documents/epa816r03002_0.pdf 10 EPA Online Water Quality Monitoring Resources https://www.epa.gov/waterqualitysurveillance/online- water-quality-monitoring-resources 11 National Academy of Sciences Drinking Water Distribution Systems: Assessing and Reducing Risks https://www.nap.edu/catalog/11728/drinking-water- distribution-systems-assessing-and-reducing-risks 12 15 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 2. 3. 4. 5. 6. 7. 8. 16 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 8: Threat Category: Contamination of Finished Water - Intentional Threat Category Definition: An incident where a contaminant is deliberately introduced into the finished water storage or distribution system with the intent of poisoning consumers and/or contaminating infrastructure Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Contamination of Product: C(B) Biotoxin, C(C) Chemical, C(P) Pathogen, C(R) Radionuclide Annual Default Threat Likelihood Water 10"5 Annual Default Threat Likelihood Wastewater N/A Basis: • Estimate 100,000 potential water utility targets in the United States. • A few incidents of intentional finished water contamination have been reported in the United States and foreign countries over several decades. • Pilot studies and computer simulations have shown that this mode of attack can inflict very high consequences. • Available intelligence (public) indicates awareness and intent by terror groups to carry out this type of attack. • Conservative estimate of threat likelihood: One attack per year among 100,000 water utilities. Factors for Modifying Default Threat Likelihood12 1. Are physical barriers in place in place at isolated assets such as storage tanks, well fields, and intakes to impede unauthorized access? oYes oNo 2. Are intrusion detection devices (e.g., contact alarms, video monitoring) installed and monitored at distribution system facilities? (_') Yes (_) No 3. Are procedures in place for rapid response and investigation of alarms or other indicators of unauthorized entry? M Yes M No 4. Are intrusion detection devices properly maintained to avoid frequent false alarms resulting in "alarm fatigue"? o Yes Q No 5. Are alarm and electronic surveillance systems secure to avoid tampering? o Yes Q No 6. Does the utility have a backflow prevention program, stipulating the use and regular inspection of backflow prevention devices? o Yes O No 12 Questions 1 - 5 apply to distribution system facilities and are also included in the Threat Category: Assault on Utility - Physical, which addresses physical barriers, intrusion detection, and alarm response, maintenance, and security. Question 6 is also included in the Threat Category: Contamination of Finished Water - Accidental. 17 ------- Baseline Information on Malevolent Acts for Community Water Systems 7. Does the utility have a program to secure exposed distribution system access points (e.g., locking hydrants)? O Yes M No 8. Are utility staff trained to observe for potential hazards at distribution system facilities and access points, such as unauthorized pumper trucks using hydrants or storage tanks, indicators of tampering, empty chemical containers or hardware from non-utility sources? O Yes O No Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 ASCE, Guidelines for the Physical Security of Water Utilities (56-10) and Guidelines for the Physical Security of Wastewater/Stormwater Utilities (57-10) https://ascelibrary.org/doi/book/10.1061/9780784411261 1 AWWA G430-14 Security Practices for Operation and Management https://www.awwa.org/Store/AWWA-G430-14- Security-Practices-for-Operation-and-Manaqement-/ ProductDetail/45322774 2 Domestic Security Alliance Council https://www.dsac.qov/ 3 InfraGard https://www.infragard.org/ 4 Local Law Enforcement Agencies N/A 5 State and Major Urban Area Fusion Centers https://www.dhs.qov/state-and-maior-urban-area-fusion- centers 6 Water Information Sharing and Analysis Center https://www.waterisac.orq/ 7 AWWA M-14 Backflow Prevention and Cross Connection Control: Recommended Practices https://www.awwa.orq/Store/Product-Details/ productld/46494412 8 AWWA G200-15 Distribution Systems Operation and Management https://www.awwa.orq/Store/Product-Details/ productld/49065093 9 EPA Cross Connection Control Manual https://www.epa.qov/sites/production/files/2015-09/ documents/epa816r03002_0.pdf 10 EPA Online Water Quality Monitoring Resources https://www.epa.qov/waterqualitysurveillance/online- water-quality-monitorinq-resources 11 National Academy of Sciences Drinking Water Distribution Systems: Assessing and Reducing Risks https://www.nap.edu/cataloq/11728/drinkinq-water- distribution-systems-assessinq-and-reducinq-risks 12 18 ------- Baseline Information on Malevolent Acts for Community Water Systems Resources (continued) Resource Web Link # in Section 5 EPA Resources to Design and Implement Enhanced Security Monitoring for Surveillance and Response Systems https://www.epa.gov/waterqualitysurveillance/resources- design-and-implement-enhanced-security-monitoring- surveillance 13 Notes 1. 2. 3. 4. 5. 6. 7. 19 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 9: Threat Category: Theft or Diversion - Physical Threat Category Definition: Any incident of physical theft or diversion of utility resources, supplies, and infrastructure materials Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Annual Default Threat Likelihood Water 0.2 Annual Default Threat Likelihood Wastewater 0.2 Theft or Diversion: T(PI) Physical- Insider, T(PU) Physical-Outsider Basis: • Theft/diversion is commonplace at water utilities, but most incidents do not have significant economic consequences. • Water utility theft incidents are not tracked nationally. • Conservative estimate of threat likelihood: Water utilities experience theft/diversion twice per year, and 10% of these incidents have significant economic consequences for the utility. No public health likelihood is projected. Factors for Modifying Default Threat Likelihood 1. Does the utility have an established process to ensure that thefts are investigated (by law enforcement or the utility), any security gaps that facilitated the theft are identified, and any such gaps are mitigated to reduce risk? O Yes O No 2. Are high-value utility supplies and materials physically secured on the premises and actively monitored to prevent theft? O Yes (_) No 3. Are contractors and suppliers vetted for security purposes prior to gaining site access? Q Yes (J No 4. Does the utility have the capability for rapid detection of theft or diversion, such as maintaining an updated inventory of materials and supplies? o Yes O No 20 ------- Baseline Information on Malevolent Acts for Community Water Systems Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 ASCE, Guidelines for the Physical Security of Water Utilities (56-10) and Guidelines for the Physical Security of Wastewater/Stormwater Utilities (57-10) https://ascelibrary.org/doi/book/10.1061/9780784411261 1 AWWA G430-14 Security Practices for Operation and Management https://www.awwa.org/Store/AWWA-G430-14- Security-Practices-for-Operation-and-Management-/ ProductDetail/45322774 2 Domestic Security Alliance Council https://www.dsac.qov/ 3 InfraGard https://www.infragard.org/ 4 Local Law Enforcement Agencies N/A 5 State and Major Urban Area Fusion Centers https://www.dhs.qov/state-and-maior-urban-area-fusion- centers 6 Water Information Sharing and Analysis Center https://www.waterisac.orq/ 7 Notes 1. 2. 3. 21 ------- Baseline Information on Malevolent Acts for Community Water Systems Threat Category: Cyber Attack For the purpose of AWIA Risk and Resilience Assessments, EPA has grouped cyber-attacks on water utilities into two threat categories. One is cyber-attack on business enterprise systems, which includes computer- based communications, financial, data and record keeping, and other related systems. The second is cyber- attack on process control systems, which includes electronic monitoring and control systems used for water collection, treatment, storage, and distribution across the utility. The default threat likelihood for a cyber-attack is 1.0 for both business enterprise systems and process control systems (for both water and wastewater systems). Hence, EPA recommends that CWSs prepare for information networks associated with both business enterprise and process control systems to be targeted by cyber threat actors every year. Further, the factors for modifying EPA's default threat likelihood values for both cyber threat categories are the same. Accordingly, this document provides one list of factors for both cyber threat categories. EPA has assigned cyber-attacks on business enterprise systems and process control systems to separate threat categories for AWIA Risk and Resilience Assessments because the vulnerabilities and consequences associated with them may differ, along with the countermeasures to reduce vulnerabilities and consequences. However, a discussion of vulnerabilities and consequences is outside the purview of this document. Recap of changes from Version 1.0 of this document: In Version 1.0 of the Baseline Information on Malevolent Acts for Community Water Systems, which EPA published in August 2019, the default annual threat likelihood values for "Cyber-Attack on Business Enterprise Systems" and "Cyber-Attack Process Control Systems" were 0.3 and 0.1, respectively. No differentiation was made between water and wastewater systems. EPA has chosen to increase these default threat likelihood values to 1.0 based on the increasing prevalence of reported cyber-attacks on critical infrastructure facilities, including water and wastewater systems. These attacks have targeted water and wastewater systems of all sizes and in all geographic locations, including both business enterprise and process control systems. Suspected perpetrators of cyber-attacks include criminal enterprises, malicious insiders, and sophisticated advanced persistent threat actors supported by nation-states. Due to increases in the use of Internet-connected devices, greater remote access practices, widespread third-party software and management solutions, and the growing sophistication of threat actors, cyber-attacks are expected to continue to increase in the future. The revised cyber-attack threat likelihood values also reflect input from water sector stakeholders and are in accordance with the updated ANSI/AWWA J100 Standard Risk and Resilience Management of Water and Wastewater Systems. Consistent with the J100 Standard, EPA recommends that every water and wastewater system should expect to be targeted by cyber threat actors. Consequently, all water and wastewater systems should adopt cybersecurity best practices that are designed to reduce vulnerabilities and manage consequences. 22 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 10: Threat Category: Cyber Attack - Business Enterprise Systems and Process Control Systems Business Enterprise Systems Threat Category Definition: A cyber-attack on utility billing, communications, data management or other information systems, which may disable affected systems and result in the loss of information resources, including personal, financial and other sensitive data, and other economic consequences for the utility Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Annual Default Threat Likelihood Water 1.0 Annual Default Threat Likelihood Wastewater 1.0 Theft or Diversion: T(CI) Cyber- Insider, T(CU) Cyber-Outsider Cyber Insider: C(I1) Insider, C(I2) Trusted Insider/Accidental Cyber Outsider: C(01) Cyber Outsider Attackers, C(02) Criminal Group, C(03) Terrorist, C(04) Foreign Intelligence Service Basis: Business enterprise systems, including those at water and wastewater facilities, are frequently targeted by cyber threat actors. Many successful cyber-attacks involving water and wastewater utility business enterprise systems have been reported, often with significant economic consequences for the utility. Cyber threat monitoring has shown a high rate of attempted intrusions. Conservative estimate of threat likelihood: Water and wastewater utilities experience an attempted cyber-attack on a business enterprise system at least once per year that has the potential for significant economic consequences. Process Control Systems Threat Category Definition: A cyber-attack on utility process control systems, including monitoring, operations, and centralized control. The attack may disable or manipulate utility infrastructure, potentially resulting in loss of service, the contamination of finished water and damage to utility infrastructure Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Annual Default Threat Likelihood Water 1.0 Annual Default Threat Likelihood Wastewater 1.0 • Cyber Insider: C(I1) Insider, C(I2) Trusted Insider/Accidental • Cyber Outsider: C(01) Cyber Outsider Attackers, C(02) Criminal Group, C(03) Terrorist, C(04) Foreign Intelligence Service Basis: • Water and wastewater utilities use communications and control systems that are common across critical infrastructure sectors, and these systems have been penetrated by cyber-attacks in other sectors. • Process control systems at water and wastewater utilities have been shown to be vulnerable through attacks on third-party software providers. • Available intelligence (public) indicates advanced persistent threat actors have established long-term presence in U.S. critical infrastructure control systems. • Conservative estimate of threat likelihood: Water and wastewater utilities experience an attempted cyber-attack on a process control system at least once per year that has the potential for significant economic consequences. 23 ------- Baseline Information on Malevolent Acts for Community Water Systems Factors for Modifying Default Threat Likelihood Does the utility: 1. Keep an inventory of control system devices and ensure this equipment is not exposed to networks outside the utility? (J Yes (J No 2. Employ staff with primary responsibility for and allocate a dedicated budget to the security and resiliency of electronic networks? (_) Yes (_) No 3. Address the security of electronic networks in relevant contracts, and ensure that contract staff with access to utility electronic networks are vetted? (J Yes (J No 4. Segregate networks and apply firewalls? (J Yes O No 5. Use secure remote access methods? (J Yes O No 6. Establish roles to control access to different networks and log system users? (_) Yes (_) No 7. Require strong passwords and password management practices? Q Yes (J No 8. Stay aware of vulnerabilities and implement patches and updates when needed? (_) Yes (_J No 9. Enforce policies for the security of mobile devices? (_) Yes (_) No 10. Have an employee cybersecurity training program? O Yes (J No 11. Involve utility executives in cybersecurity? (_) Yes (_) No 12. Monitor for network intrusions and have a plan in place to respond? (_) Yes (_) No 13. Readily investigate possible network intrusions? (_) Yes (_) No 24 ------- Baseline Information on Malevolent Acts for Community Water Systems Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 AWWA Process Control System Security Guidance for the Water Sector and Use- Case Tool https://www.awwa.orq/Resources-Tools/Resources/ Cybersecurity-Guidance 14 DHS Cybersecurity and Infrastructure Security Agency https://www.cisa.qov/cybersecurity 15 NIST Cybersecurity Framework https://www.nist.qov/cyberframework 16 NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations https://csrc.nist.qov/publications/detail/sp/800-53/rev- 4/final 17 NIST SP 800-82 Revision 2, Guide to Industrial Control Systems Security https://csrc.nist.qov/publications/detail/sp/800-82/rev-2/ final 18 WaterlSAC 15 Cybersecurity Fundamentals for Water and Wastewater Utilities http://www.waterisac.orq/fundamentals 19 25 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 2. 3. 4. 5. 6. 26 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 9. 10. 11. 12. 27 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 11: Threat Category: Sabotage - Physical Threat Category Definition: A malicious physical act that is carried out with the intention of causing adverse impacts on a utility process Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Annual Default Threat Likelihood Water 0.05 Annual Default Threat Likelihood Wastewater 0.05 Directed/Sabotage: S(PI) Physical-Insider, S(PU) Physical-Outsider Basis: • Malicious process sabotage is rarely reported at U.S. water utilities. However, incidents could have significant economic and public health consequences. • Conservative estimate of threat likelihood: Water utilities experience process sabotage once every ten years, and 50% of these incidents have significant economic consequences for the utility. Factors for Modifying Default Threat Likelihood13 1. Has strict access control been implemented at utility facilities (e.g., visitor restrictions and logging, electronic employee access systems with logging, locked windows, grates, doors, and other access points, intrusion alarms, video monitoring with recording, security personnel)? Q Yes ( J No 2. Are physical barriers in place at treatment facilities to impede unauthorized access (include waterway access if applicable)? o Yes O No 3. Are physical barriers in place in place at isolated assets such as storage tanks, well fields, and intakes to impede unauthorized access? O Yes (J No 4. Are intrusion detection devices (e.g., contact alarms, video monitoring) installed and monitored at distribution system facilities? (_) Yes (_) No 5. Are procedures in place for rapid response and investigation of alarms or other indicators of unauthorized entry? C Yes O No 6. Are intrusion detection devices properly maintained to avoid frequent false alarms resulting in "alarm fatigue"? M Yes M No 7. Are alarm and electronic surveillance systems secure to avoid tampering? M Yes M No 13 Questions 1 - 7 are also included in the Threat Category: Assault on Utility - Physical. 28 ------- Baseline Information on Malevolent Acts for Community Water Systems 8. Are contractors with knowledge of water utility operations and process control systems vetted prior to gaining access to utility property and assets? (_) Yes (_) No 9. Do critical utility process assets that could be subject to sabotage have built-in redundancies, such that the failure of a single process asset would not disrupt water service? O Yes O No 10. Does the utility take a proactive approach to address infrastructure damage or vandalism (e.g., graffiti at unmanned locations) that could indicate vulnerabilities? O Yes (J No Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 ASCE, Guidelines for the Physical Security of Water Utilities (56-10) and Guidelines for the Physical Security of Wastewater/Stormwater Utilities (57-10) https://ascelibrary.org/doi/book/10.1061/9780784411261 1 AWWA G430-14 Security Practices for Operation and Management https://www.awwa.orq/Store/AWWA-G430-14- Security-Practices-for-Operation-and-Manaqement-/ ProductDetail/45322774 2 Domestic Security Alliance Council https://www.dsac.qov/ 3 InfraGard https://www.infraqard.orq/ 4 Local Law Enforcement Agencies N/A 5 State and Major Urban Area Fusion Centers https://www.dhs.qov/state-and-major-urban-area-fusion- centers 6 Water Information Sharing and Analysis Center https://www.waterisac.orq/ 7 29 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 2. 3. 4. 5. 6. 7. 8. 9. 30 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 12: Threat Category: Contamination of Source Water - Accidental14 Threat Category Definition: An unintentional incident of contamination of a drinking water source that could result in contaminated water entering the utility. Applies to surface and groundwater sources (including purchased). The contamination may occur outside the control of the utility. Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Accidental contamination of source water is not included in the J100-10 Standard. Annual Default Threat Likelihood Water 0.05 Annual Default Threat Likelihood Wastewater N/A Basis: Accidental contamination of drinking water sources occurs regularly through spills, untreated discharges, infrastructure failures, and other causes. The contamination event is usually outside the control of the utility. Reported spill data (National Response Center, 2010 -2017) showed an average of 1,100 spills per year that impacted sources of drinking water. Occurrence varied widely based watershed characteristics. Upstream contamination typically does not cause significant economic or public health impacts for drinking water utilities due to dilution, natural attenuation and upstream mitigation actions. Utilities may be able to close affected intakes. If contaminated source water enters the treatment plant, it may damage infrastructure and affect public health. Conservative estimate of threat likelihood: On average, 5% of water utilities experience a source water contamination event that impacts water quality. Factors for Modifying Default Threat Likelihood Systems with a Surface Water Source 1. Has the utility avoided a source water contamination event in the recent past (e.g., the past 5 years) due to source water characteristics and management, intake operation, and other factors? (J Yes O No 2. Does the utility have multiple intakes positioned in a manner that could mitigate the impacts of a spill (e.g., on different reaches of a water body or at different depths)? O Yes O No 3. Is the utility's watershed relatively pristine and free of significant sources of potential contamination (e.g., storage reservoirs and tanks, railways, hazmat routes, dischargers, agricultural areas, hazardous waste site)? (3 Yes Q No 14 Accidental contamination of source water is not a malevolent act but is included here due to similar potential consequences with intentional contamination. This threat category is also grouped with malevolent acts in EPA's Vulnerability Self-Assessment Tool (VSAT) Web. 31 ------- Baseline Information on Malevolent Acts for Community Water Systems 4. Is the utility's source water free of watercraft and waterborne cargo? (J Yes (J No 5. Has the region impacting the utility's watershed taken steps to mitigate the risk of chronic water quality issues (e.g., nutrient loading) from turning into serious problems (e.g., harmful algal blooms)? O Yes M No 6. Has the utility coordinated with upstream authorities and facilities that are potential sources of contamination for timely notification in the event of a spill or release into the utility's source water? (J Yes (_) No 7. Does the utility have a source water monitoring program capable of providing timely detection of a change in water quality that could indicate a release has occurred? O Yes O No 8. Do authorities with responsibility for upstream contamination events have effective response plans to contain spills prior to contaminating the intake? (J Yes (J No Systems with a Groundwater Source 9. Does the utility have multiple sources of drinking water, such that if one were contaminated, the other(s) could be used to supply the system? (_) Yes (_) No 10. Is the utility's groundwater aquifer confined or protected from infiltration? (_) Yes (_) No 11. Is the utility's groundwater protection area relatively pristine and free of significant sources of potential contamination (as listed in Question #3, above)? M Yes M No 12. In the event of a spill, release, or other source of contamination, are there procedures for timely removal of contaminated soil and other measures to prevent contamination of the utility's aquifer? (J Yes (J No Systems that Buy Water from Wholesaler Water Suppliers 13. Is information available from the supplier with respect to water source, potential contamination threats, and testing and monitoring? (J Yes O No 14. Does the supplier proactively manage potential risks to their water supply? (_) Yes (_) No 15. Is there a procedure for the utility to receive timely notification of potential contamination incidents in the purchased water? (J Yes (J No 32 ------- Baseline Information on Malevolent Acts for Community Water Systems Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 EPA Online Water Quality Monitoring Resources https://www.epa.gov/waterqualitysurveillance/online- water-quality-monitoring-resources 11 Local Emergency Planning Committees (LEPC) and Local Emergency Management Agencies/Directors https://wwweDa.qov/eDcra 20 Envirofacts httDs://www3.eDa.qov/enviro/ 21 EPA Conducting Source Water Assessments httDs://www.eDa.qov/sourcewaterDrotection/conductinq- source-water-assessments 22 Drinking Water Mapping Application to Protect Source Water httDs://www.eDa.qov/sourcewaterDrotection/drinkinq- water-maDDinq-aDDlication-Drotect-source-waters- dwmaDS 23 EPA Toxics Release Inventory httDs://www.eDa.qov/toxics-release-inventory-tri-Droqram 24 National Response Center httDs://www.eDa.qov/emerqency-resDonse/national- resDonse-center 25 33 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 2. 3. 4. 5. 6. 7. 34 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 10. 11. 12. 13. 14. 35 ------- Baseline Information on Malevolent Acts for Community Water Systems Table 13: Threat Category: Contamination of Source Water - Intentional Threat Category Definition: An intentional incident of contamination of a drinking water source that could result in contaminated water entering the utility. Applies to surface and groundwater sources (including purchased). The contamination may occur outside the control of the utility. Crosslink to AWWA J100-10 Standard Reference Threat Scenarios Intentional contamination of source water is not included in the J100-10 Standard. Annual Default Threat Likelihood Water 10"6 Annual Default Threat Likelihood Wastewater N/A Basis: • Estimate 100,000 utility targets in the United States. • A few incidents of intentional contamination of drinking water sources have been reported in the United States and foreign countries. • Available intelligence (public) indicates awareness and intent by terror groups and malicious individuals to carry out this type of attack. • No public health or economic impacts from this type of incident in the United States have been reported. Potential impacts would be mitigated by dilution, water treatment, and other factors. • Conservative estimate of threat likelihood: One attack per year among 100,000 water utilities, and 10% of attacks have the potential for significant public health or economic consequences. Factors for Modifying Default Threat Likelihood15 Systems with a Surface Water Source 1. Does the utility have multiple intakes at different locations that could be operated to prevent contamination at the site of any single intake from entering the treatment facility? (_) Yes (_) No 2. If a secured source water reservoir is used, does it have robust access control (e.g., fencing or other physical barriers) to deter or delay unauthorized access? O Yes O No 3. If a secured source water reservoir is used, is active monitoring (remote or onsite) conducted to detect unauthorized access? (_) Yes (_) No 4. Does the utility conduct real-time monitoring of source water intake locations to detect unauthorized access or tampering? C) Yes P) No 15 Questions 13 -15 are also included in the Threat Category: Contamination of Source Water - Accidental. 36 ------- Baseline Information on Malevolent Acts for Community Water Systems 5. Does the utility have procedures in place for responding when unauthorized access or tampering is detected at source water reservoirs or intakes (if applicable)? (_) Yes (_) No 6. Is the utility's source water reservoir or intake (as applicable) easily accessible by boat or land? Q Yes ( J No 7. Does the utility have a source water quality monitoring program capable of providing timely detection of a change in water quality that could indicate a contamination incident has occurred? M Yes M No Systems with a Groundwater Source 8. Does the utility have multiple wells at different locations that could be operated to prevent contamination at the site of any single well from entering the treatment or distribution facility? (_) Yes (_) No 9. Would the condition of the well impede the influx of a contaminant? (For example, well depth, well condition, and soil type could impact the flow of a contaminant into the well.) (_) Yes (_) No 10. Does the wellfield have robust access control (e.g., fencing or other physical barriers) to deter or delay unauthorized access? Q Yes ( J No 11. Is the wellfield monitored to detect unauthorized access or tampering? M Yes M No 12. Is a large-scale intentional release of contaminants in the vicinity of the wellfield feasible (e.g., are chemicals stored in proximity to an accessible wellfield)? (_) Yes (_) No Systems that Buy Water from Wholesaler Water Suppliers 13. Is information available from the supplier with respect to water source, potential contamination threats, and testing and monitoring? (_) Yes (_) No 14. Does the supplier proactively manage potential risks to their water supply? Q Yes ( J No 15. Is there a procedure for the utility to receive timely notification of potential contamination incidents in the purchased water? M Yes M No 37 ------- Baseline Information on Malevolent Acts for Community Water Systems Resources - see Section 5 for resource descriptions Resource Web Link # in Section 5 ASCE, Guidelines for the Physical Security of Water Utilities (56-10) and Guidelines for the Physical Security of Wastewater/Stormwater Utilities (57-10) https://ascelibrary.org/doi/book/10.1061/9780784411261 1 AWWA G430-14 Security Practices for Operation and Management https://www.awwa.org/Store/AWWA-G430-14- Security-Practices-for-Operation-and-Management-/ ProductDetail/45322774 2 Domestic Security Alliance Council https://www.dsac.qov/ 3 InfraGard https://www.infragard.org/ 4 Local Law Enforcement Agencies N/A 5 State and Major Urban Area Fusion Centers https://www.dhs.qov/state-and-maior-urban-area-fusion- centers 6 Water Information Sharing and Analysis Center https://www.waterisac.orq/ 7 EPA Online Water Quality Monitoring Resources https://www.epa.qov/waterqualitysurveillance/online- water-quality-monitorinq-resources 11 EPA Resources to Design and Implement Enhanced Security Monitoring for Surveillance and Response Systems https://www.epa.qov/waterqualitysurveillance/resources- desiqn-and-implement-enhanced-security-monitorinq- surveillance 13 38 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 2. 3. 4. 5. 6. 7. 39 ------- Baseline Information on Malevolent Acts for Community Water Systems Notes 10. 11. 12. 13. 14. 40 ------- Baseline Information on Malevolent Acts for Community Water Systems Section 5: Resources for Additional Information Table 14 provides additional information about the resources listed earlier for each threat category. Table 14: Threat Category Resource Descriptions Listing # Resource Description Web Link 1 ASCE, Guidelines for the Physical Security of Water Utilities (56-10) and Guidelines for the Physical Security of Wastewater/ Stormwater Utilities (57-10) Guidelines apply to the physical security of facilities with potable water source, treatment, and distribution systems, as well as with wastewater collection and treatment systems and stormwater systems. Provides direction for utilities as they design or retrofit their infrastructure to ensure the physical security of water and wastewater/stormwater systems. Recommendations include the use of physical and electronic security measures, (requires purchase) https://ascelibrary.orq/doi/ book/10.1061/9780784411261 2 AWWA G430-14 Security Practices for Operation and Management Describes criteria for a security program for a water, wastewater, or reuse utility. Includes security culture, roles and employee expectations, vulnerability assessment, dedicated resources, access control and intrusion detection, contamination detection, monitoring and surveillance, and information protection. Additionally, the standard covers design and construction, threat level-based protocols, emergency response and recovery plans and business continuity plans, internal and external communications, partnerships, documentation, human resources, and equipment, (requires purchase) https://www.awwa. orq/Store/AWWA- G430-14-Security- Practices-for-Operation- and-Manaqement-/ ProductDetail/45322774 3 Domestic Security Alliance Council The Domestic Security Alliance Council is a partnership between the U.S. government and the U.S. private industry that promotes the timely exchange of security and intelligence information. DSAC advances the FBI's mission of detecting, preventing, and deterring criminal acts by facilitating relationships among its private sector member companies, FBI Headquarters, FBI field offices, DHS Headquarters and Fusion Centers, and other federal government entities. DSAC also expands the U.S. private sector's ability to protect its employees, assets, and information by providing access to security information and experts, as well as continuing education for security officers. https://www.dsac.qov/ 41 ------- Baseline Information on Malevolent Acts for Community Water Systems Listing # Resource Description Web Link 4 InfraGard InfraGard is a partnership between the FBI and members of the private sector that promotes information exchange relevant to the protection of critical infrastructure. InfraGard has 82 chapters and over 46,000 members nationwide. Chapter meetings are led by a local governing board and an FBI agent who serves as InfraGard coordinator. They provide an opportunity to share information on threats and best practices. https://www.infraqard.orq 5 Local Law Enforcement Agencies Local police, county /city sheriffs, and state police maintain crime databases and can provide situational awareness of the local threat environment. Local crime information may be relevant to assessing physical threats like assault, theft, or sabotage. Also, local law enforcement can collaborate with outside law enforcement agencies like the FBI. Search by locality 6 State and Major Urban Area Fusion Centers State and Major Urban Area Fusion Centers operate as state and major urban area focal points for the receipt, analysis, gathering, and sharing of threat-related information between federal; state, local, tribal, territorial (SLTT); and private sector partners. https://www.dhs.qov/state- and-maior-urban-area- fusion-centers 7 Water Information Sharing and Analysis Center (WaterlSAC) WaterlSAC is an all-threats security information source for the water and wastewater sector. It is the information sharing and operations arm of the Water Sector Coordinating Council, as authorized under the 2002 Bioterrorism Act, and provides comprehensive information on malevolent acts, including cybercrime. WaterlSAC is operated by the Association of Metropolitan Water Agencies and managed by water utility managers and state drinking water administrators. https://www.waterisac.orq/ 8 AWWA M-14 Backflow Prevention and Cross Connection Control: Recommended Practices Provides general guidance on developing, operating, and maintaining a cross-connection control and backflow prevention program. Includes discussions on assessing the risks and preventing backflow, as well as backflow prevention assembly, application, installation, and maintenance; health and legal concerns; and detailed information on potential and real hazards. https://www.awwa.orq/ Store/Product-Details/ productld/46494412 42 ------- Baseline Information on Malevolent Acts for Community Water Systems Listing # Resource Description Web Link 9 AWWA G200- 15 Distribution Systems Operation and Management Describes the operation and management of potable water distribution systems, including maintenance of water quality, system management programs, operation and maintenance of facilities, and verification. https://www.awwa.orq/ Store/Product-Details/ productld/49065093 10 EPA's Cross Connection Control Manual Provides guidance to drinking water utilities on designing, implementing, and managing a backflow prevention program in the distribution system. https://www.epa.gov/ sites/production/ files/2015-09/documents/ epa816r03002_0.pdf 11 EPA Online Water Quality Monitoring Resources Includes a series of guidance documents that cover the performance, design, installation, and operation of real-time water quality monitoring systems that can be used to optimize treatment processes, detect source water contamination incidents, and monitor threats to long-term water quality. https://www.epa.qov/ waterqualitysurveillance/ online-water-quality- monitorinq-resources 12 National Academy of Sciences Drinking Water Distribution Systems: Assessing and Reducing Risks Identifies strategies to reduce the risks posed by water-quality deteriorating events in distribution systems, including backflow events via cross connections, contamination during construction and repair, and maintenance of storage facilities. The report also identifies advances in detection, monitoring and modeling, and analytical methods, (requires purchase) https://www.nap.edu/ cataloq/11728/drinkinq- water-distribution-systems- assessinq-and-reducinq- risks 13 EPA Resources to Design and Implement Enhanced Security Monitoring for Surveillance and Response Systems These products support the design, implementation, and commissioning of Enhanced Security Monitoring at utility distribution system facilities that are determined to be at risk of intentional contamination. https://www.epa.qov/ waterqualitysurveillance/ resources-desiqn-and- implement-enhanced- security-monitorinq- surveillance 14 AWWA Process Control System Security Guidance for the Water Sector and Use- Case Tool Provides a water sector-specific approach to implementation of controls in the NIST Cybersecurity Framework, and aids water systems in their prioritization of controls necessary to manage cybersecurity risks. https://www.awwa.orq/ Resources-Tools/Resources/ Cybersecurity-Guidance 15 DHS Cybersecurity and Infrastructure Security Agency Has the lead responsibility within the federal government to assist all critical infrastructure sectors, including water, with cybersecurity. Provides threat alerts, offers tools and guidance to identify vulnerabilities, and assists with response and recovery. https://www.cisa.qov/ cybersecurity 43 ------- Baseline Information on Malevolent Acts for Community Water Systems Listing # Resource Description Web Link 16 NIST Cybersecurity Framework Consists of voluntary standards, guidelines, and best practices to manage cybersecurity- related risk. Focuses on using business drivers to guide cybersecurity activities and considers cybersecurity risks as part of an organization's risk management processes. https://www.nist.qov/ cyberframework 17 NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations Describes security and privacy controls for information systems and organizations and a process for selecting controls to protect organizational operations and assets from cyber-attacks. These controls are applicable to non-federal networks as well. https://csrc.nist.gov/ publications/detail/sp/800- 53/rev-4/final 18 NIST SP 800-82 Revision 2, Guide to Industrial Control Systems Security Provides guidance on how to improve security in Industrial Control Systems, including Supervisory Control and Data Acquisition systems, Distributed Control Systems, and Programmable Logic Controllers, while addressing unique performance, reliability, and safety requirements. Offers an overview of typical system topologies, identifies threats and vulnerabilities, and recommends security controls. https://csrc.nist.qov/ publications/detail/sp/800- 82/rev-2/final 19 WaterlSAC 15 Cybersecurity Fundamentals for Water and Wastewater Utilities Identifies and explains the critical elements of cybersecurity at water sector facilities. Developed by WaterlSAC to address vulnerabilities identified in cybersecurity incidents and assessments. Recommentations link to corrresponding technical resources (also see Resource Listing #7). http://www.waterisac.orq/ fundamentals 20 Local Emergency Planning Committees (LEPC) and Local Emergency Management Agencies/Directors Under the Emergency Planning and Community Right-to-Know Act (EPCRA), Local Emergency Planning Committees (LEPCs) must develop an emergency response plan, review the plan at least annually, and provide information about chemicals in the community to citizens. There is one LEPC for each of the more than 3,000 designated local emergency planning districts. To find your LEPC, contact your local State Emergency Response Commission (SERC). AWIA requires the SERC to notify the drinking water primacy agency of any reportable releases and to provide community water systems with hazardous chemical inventory data. https://www.epa.qov/epcra 44 ------- Baseline Information on Malevolent Acts for Community Water Systems Listing # Resource Description Web Link 21 Enviro facts Envirofacts is a searchable compendium of databases for a variety of environmental monitoring programs related to air, water, and land. It allows users to search multiple environmental databases for facility information, including toxic chemical releases, water discharge permit compliance, hazardous waste handling processes, Superfund status, and air emission estimates. https://www3.epa.qov/ enviro/ 22 EPA Conducting Source Water Assessments Provides information on how to determine the vulnerability of the water supply to contamination. Source water assessments are reports developed by states to help local governments, water utilities, and others protect sources of drinking water. https://www.epa.gov/ sourcewaterprotection/ conductinq-source-water- assessments 23 Drinking Water Mapping Application to Protect Source Water This is an online mapping tool that helps states and drinking water utilities to update their source water assessments and protection plans. Provides locations of potential sources of contamination and polluted waterways, as well as information on protection projects and Source Water Collaborative initiatives. https://www.epa.qov/ sourcewaterprotection/ drinkinq-water-mappinq- application-protect-source- waters-dwmaps 24 EPA Toxics Release Inventory Provides a resource for learning about toxic chemical releases and pollution prevention activities reported by industrial and federal facilities. Utilities can review information in this system to evaluate the threat posed by an accidental toxic chemical release that could impact their source water. https://www.epa.qov/ toxics-release-inventory-tri- proqram 25 National Response Center The National Response Center is staffed 24 hours a day by the U.S. Coast Guard and is the designated federal point of contact for reporting all oil, chemical, radiological, biological and etiological discharges into the environment, anywhere in the United States and its territories. Reports to the NRC activate the National Contingency Plan and the federal government's response capabilities. Reports of all releases and spills are available in a national database. https://www.epa.qov/ emerqency-response/ national-response-center 45 ------- Baseline Information on Malevolent Acts for Community Water Systems References American Water Works Association. (2013). Risk and Resilience Management of Water and Wastewater Systems, J100-10 (R13) America's Water Infrastructure Act of 2018, Pub. L. No. 115-270, S. 3021,115th Cong. Brashear, Jerry & Jones, James. (2010). Risk Analysis and Management for Critical Asset Protection (RAMCAP Plus), in Wiley Handbook of Science and Technology for Homeland Security. Retrieved from https://onlinelibrarv.wilev.com/doi/abs/10.1002/9780470087923.hhsQ03 DHS. (2013). National Infrastructure Protection Plan 2013, Partnering for Critical Infrastructure Security and Resilience. Retrieved from https://www.cisa.gov/sites/default/files/publications/national-infrastructure- protection-plan-2013-508.pdf 46 ------- |