Spring 2021

By Tyler Robinson, Burns & McDonnell

Few things are more vital to public health and economic stability than clean water from a reliable source. In today’s rapidly evolving physical and cyber threat environment, water has become a vulnerable target simply because it is so critical. 

What about wastewater utilities? Many threats applicable to drinking water distribution and treatment infrastructure – including electronic systems – are also applicable to its sister infrastructure on the wastewater side, even if the consequences look a little different.    

A law, enacted in 2018, set firm deadlines for completing risk and resiliency assessments (RRA) and updating emergency response plans (ERP) for drinking water utilities. Under Section 2013 of the America’s Water Infrastructure Act (AWIA), RRAs and ERPs must be completed by every water utility serving more than 3,300 people.

AWIA is designed to enhance the resiliency and continuity of community water systems and facilitate a framework necessary to deter, detect, delay, devalue and respond to a full range of naturally occurring and malevolent events. Reviews of physical security and cybersecurity measures are included for utilities to successfully address the full range of threats identified by the American Water Works Association, which could also be applicable to wastewater utilities. 

What AWIA Changes

In terms of security, the primary shift is a transition from assessments of potential intentional attacks to an ‘all hazards’ risk and resiliency assessment. This encompasses not just hostile acts but also acts of nature, such as damage caused by extreme weather events, and supply chain incidents. Under the U.S. Environmental Protection Agency’s (EPA) Baseline Information on Malevolent Acts for Community Water Systems document, specific threat categories are identified with starting points outlined for consideration of threat likelihood, including first-time requirements for cybersecurity measures.

The goal is to help utilities identify and characterize critical assets and prepare for associated threats. Vulnerable points at critical assets should be identified and steps for mitigating potential consequences of incidents should be documented and addressed in the system’s ERP. The overall objective is to use the exercise as a valuable planning tool that will broaden the utility’s perspective and increase its capabilities to respond to continuously evolving risks. 

The processes initially developed for water infrastructure are easily adaptable to wastewater infrastructure and, when applied across both systems, a municipality or utility can further streamline and prioritize funds and resources for implementation of risk mitigation measures across both utilities. Some utilities may even consider bringing in the third water system: stormwater.

Knowing Your Infrastructure and Risks

The EPA doesn’t establish a specific methodology for conducting the RRA, so the most efficient and effective process for achieving resiliency is up to the utility. A good first step in performing risk assessments is to determine what assets are most critical from an infrastructure, physical security and cybersecurity standpoint. An accurate risk mitigation plan requires thorough knowledge of infrastructure and an awareness of the ‘downstream’ impact should single point-of-failure assets be damaged or destroyed.

While the final component of this process is an ERP, it all starts with a detailed understanding of the water and wastewater system infrastructure and threats that may yield significant consequences. While some utilities have asset management plans and a list of assets, some may have inherited a partial list (or none at all). Often, this information is stored inside an employee’s head rather than in a digitized, GIS-based system. 

As employees retire or leave for other reasons, this knowledge may not be captured in emergency documents. The result is inefficiency during an asset failure, which indicates poor resiliency. Proper personnel training and crafting of important documents – such as standard operating procedures and an ERP – can increase a utility’s resilience.

Water and wastewater utilities should consider the worst-case scenario as a plausible occurrence. With the reality of today’s threat environment, worst-case scenarios can and do happen. Additionally, proper planning can assist with minimizing the ‘what if’ questions that can oftentimes burden the assessment process. Exploring these vulnerabilities and considering applicable solutions will form the foundation of the ERP.

Prioritizing to Build Resiliency

One of the most valuable aspects of creating an ERP will be prioritizing risks. This should begin by considering the largest potential impacts to the public or environment resulting from a malevolent act or natural event. The next step is to create a prioritized capital budget to fund necessary upgrades, implement training programs, or develop plans, procedures or processes. 

For example, if you lose power to a lift station, how long will it take to implement bypass pumping? Do you have service contracts in place or well-documented procedures and properly trained staff? The risk assessment identifies a utility’s most vital vulnerabilities and helps rank them for action.

The ERP is that action plan. While it is based on the results of the assessment, it also includes several other elements, including planning partnerships with other utility departments, coordination with local law enforcement and public health officials, and a public relations and communications strategy for emergency situations.

It is helpful to walk through the scenarios and responses related to potential incident types, from a tornado or act of terrorism to a simple loss of power. The probability of the scenario helps determine the priority of the risk – and the budget that should be allocated to minimize the chances of negative effects.

Achieving Effective Threat Management

The introduction of physical and cybersecurity elements from AWIA will help a utility better prepare for the possibility of hostile and natural-based threats. It presents an excellent opportunity to establish or build upon water and wastewater system resiliency and physical and cybersecurity programs. In summary, these steps should be followed:

1. Dust off past assessments, specifically any that were conducted in response to the Bioterrorism Act of 2002.

2. Take an all-hazard approach by identifying the range of threats specific to the unique environment of each critical asset.

3. Secure executive sponsorship from key utility and elected leadership, as appropriate.

4. Avoid one-size-fits-all solutions. Water and wastewater infrastructure often pass through multiple jurisdictions, so it can be a challenge to identify local codes and site-specific requirements for security measures.

5. Look beyond technical solutions. Sometimes a change in policy or procedure can address a risk faster and at lower cost than implementing a technological solution.

6. Consider a layered approach that concentrates security measures around the most critical assets in a design intended to delay physical access by intruders for as long as possible.

7. Foster a security culture with staff who understand security risks and best practices and take ownership for solutions.

8. Proactively act on your ERP. With the evolution of technologies and heightened threat environment, acting on your plan is a must.

Utilities should view this compliance initiative as an opportunity to improve a number of processes while, most importantly, securing continued safe distribution of clean drinking water and collection and treatment of wastewater. 

Tyler Robinson is a Burns & McDonnell employee-owner.
