Lessons Learned for Water Security Sector: One Size Does Not Fit All

1. Lessons Learned for Water Security Sector: One Size Does Not Fit All Urban Water Summit Albuquerque, NM September 30, 2005 Greg Merrill Chlorine Chemistry Council

2. Overview of Presentation • Nature & Source of Study – Water Security Working Group Findings • Themes & Findings • Measures of Progress • Similarities with chemical industry • Concerns • Next Steps

3. Nature & Source of Study • Context: • ‘Water Security Working Group’ … chartered by • National Drinking Water Advisory Council … advises • Environmental Protection Agency • Project objectives: • Stakeholder agreement elements of effective security system for water & wastewater systems • EPA use results for voluntary ‘guidelines’ for security programs & measures of success • Guidelines, no new regulatory requirements • Participants: water system managers, environmental groups, security experts • Produced – consensus report

4. Report contains • 18 findings: 8 Security 7 Incentives 3 Measures • 6 significant system failures, 4 key threats • 11 principles around which to build an ‘active & effective’ security program • 14 features of an ‘active & effective’ security program • 7 incentives – grant/loan program from Congress, EPA, DHS • 13 items for utility self-assessment & measurement • 3 measures of national, sector-wide aggregate progress

5. Themes & Findings Themes • Set expectations for specific outcomes, with substantial flexibility • Keep security programs ‘fresh’ and up- to-date • Create awareness and support for water security • Invest in water security • Form strong, durable partnerships

6. Themes & Findings • Goal to reduce risks to public health, safety and confidence • Security must include prevention, preparation, preparedness, response, consequence, management, mitigation and recovery • Identify priorities through updated vulnerability assessments • Apply escalating security procedures based on threat-level information • Create strong partnerships between facilities, security agencies, public health officials and response community

7. Themes & Findings Security (8) • What constitutes an ‘active and effective’ water sector security program – 14 features • Balance between consistent basis for moving forward & avoiding prescription • Focus on ‘what’ to do, not ‘how to’ Incentives (7) • EPA, DHS, state agencies, utility associations and others help develop and maintain security programs Measures (3) • Measures all utilities should use and consider • Sector-wide national aggregate measures*

8. Themes & Findings Security (8) • What constitutes an ‘active and effective’ water sector security program – 14 features • Senior leadership make visible commitment • Establish security expectations for all staff • Regular communications re security • Incorporate security into decisions about acquisition, repair, maintenance • Incorporate security into emergency response and recovery plans • Monitor threat-levels; escalate procedures accordingly • Develop utility-specific measures, self assess, document program progress

9. Measures of Progress Measures - to show national, sector-wide, aggregate progress Are ‘not intended to prejudge or prescribe specific security tactics or approaches’ • ‘Active & effective’ security programs measured by implementation of 14 program features with corresponding feature-specific measures • Reduction in security risks measured by number of assets determined to be high security risks and the number of former high security risk assets lowered to medium or low risk

10. Measures - continued • ‘Reduction in inherent risk potential of utility operations and number of utilities that convert from use of chlorine gas to other forms of chlorine or other treatment methods’

11. Similarities with chemical industry approach Differences Water sector vs. Chemical industry BioTerrorism Act No federal statute EPA key role DHS in lead Public/grants/loans Corporate 160,000 15,000+

12. Similarities with chemical industry approach Similarities • Designed to protect people, property, products and processes through enhancing security through chain • Review as relative ‘threat’ • Vulnerability assessment • Security plans based on assessments • Escalating security procedure based on threat-level information

13. Similarities Similarities – continued • Security of information • Prevention is key aspect of security • 3rd party verification • Shared responsibility with actions by companies, customers, suppliers, service providers, government officials and agencies • Commitment to ongoing improvement • One size does NOT fit all

14. Concerns Measure to reduce use of chlorine gas • Each facility identify steps that will reduce vulnerabilities & associated risks quickly, effectively and efficiently • Start with specific circumstances and operating conditions – define starting point and options • Look at all factors – not just use of chlorine gas • Might not be best way for utility to reduce overall risk • One size does not fit all

15. Next? • Water system managers review report Google: “Water Security Working Group” • Develop, implement, monitor and refine water security systems • Make decisions on best means to reduce overall risk to system • Remember ‘One Size’ • Share lessons with other portions of critical infrastructure • Communicate