WELCOME! Vulnerability Assessment and Emergency Response Planning for Water Systems Serving less than 50,000 People Presented by the Florida Rural Water Association And made possible by a grant from the Department of Environmental Protection And the Environmental Protection Agency
INTRODUCTIONS • FRWA SECURITY STAFF • Coy Donaldson • Ken Klos • SPEAKER: • Ken Klos • ATTENDEES:
ADMINISTRATIVE INFORMATION • Restroom locations • Emergency exits • Sign attendance sheet • Security • Breaks • Lunch
Background Information • PDD-63 • PL 107-188 • EPA Overview • FRWA Training Booklet
PDD-63 “Protecting America’s Critical Infrastructure” • Signed by President Clinton in 1998 • “An attack on any of these (8) infrastructures (water & wastewater included) may significantly harm the health and economic well being of the United States.”
PL 107 – 188“BIOTERRORISM ACT” • Signed by President Bush in June, 2002 • Amended the Federal Safe Drinking Water Act • Conduct formal Vulnerability Assessments • Develop/revise Emergency Response Plans
US EPA • PDD-63 assigned responsibility to EPA (AMWA & AWWA) for developing plans to improve water infrastructure security. • EPA formed “Water Protection Task Force” with the mission to: • Conduct Security Training for utilities • Provide Technical & Financial assistance • Establish an Information Sharing System • Improve Security Technology thru research
(EPA Cont’d) • PL 107 – 188 appointed EPA as lead federal agency for Water Sector • EPA 810-R-02-001 “Guidance for Water Utility …...” April 2002 (p. 77) • EPA 810-B-02-001 “Instructions to assist CWS…….” January 2003 (p. 53)
FRWA TRAINING BOOK • Central Reference Document • Table of Contents
INTRODUCTION TOVULNERABILITY ASSESSMENT What is the Purpose of Vulnerability Assessment? “Vulnerability assessments help water systems evaluate susceptibility to potential threats and identify corrective actions that can reduce or mitigate the risk of serious consequences from adversarial actions.”EPA fact sheet:www.epa.gov/ogwdw/security/index.html
INTRODUCTION TOVULNERABILITY ASSESSMENTDefinition: • Vulnerability is the risk that a water utility will be damaged to some extent by a specific threat. • For example: The City's water utility is highly vulnerable to vandals painting graffiti on the ground storage tank because it is located in a secluded area of the community, and doesn't have a fence.
INTRODUCTION TOVULNERABILITY ASSESSMENTCritical Assets, Vulnerable? Pumps Storage WTP SCADA Distribution System Well Field & Pumps
INTRODUCTION TOVULNERABILITY ASSESSMENT • Are Threats to Water Utilities Real? • The history of terrorism has been to attack innocents where there is no security and trained assistance is distant. • Water/wastewater assets are easy targets and are not well protected, yet • Hazardous chemicals delivered, stored, used on site
INTRODUCTION TOVULNERABILITY ASSESSMENT • Distribution System provides access to EVERYONE • Water plants are upstream of significant economic activities • Our lives depend on a reliable supply of safe water
VULNERABILITY ASSESSMENT METHODS • SIX METHODS discussed briefly:
VULNERABILITY ASSESSMENT METHODS • NONE OF THE METHODS PROVIDE: • A utility-specific blueprint for a VA. • Specific threats for water utilities to protect against. • Specific security solutions for identified vulnerabilities. • THE RESULTS ARE CONTROLLED BY YOU, THE VA TEAM! • NO CERTIFICATION IS REQUIRED!
VULNERABILITY ASSESSMENT METHODS • Risk Assessment Methodology for Water Utilities: “RAM-W”. 3 days + tuition • Complex methodology, good for large utilities. • Labor intensive decision-making process. • Extensive terminology to be learned and applied correctly.
VULNERABILITY ASSESSMENT METHODS • Vulnerability Self-Assessment Tool: “VSAT” • 1 or 2 days optional training; TREEO offers 1 day training • Software “limited” – only method that requires use of a computer • Very flexible to fit needs of large or small utility
VULNERABILITY ASSESSMENT METHODS • NRWA/ASDWA TEMPLATE Security Vulnerability Self-Assessment Guide for Small Drinking Water Systems Serving Populations Between 3,300 and 10,000 www.vulnerabilityassessment.org
VULNERABILITY ASSESSMENT METHODS • NETCSC – National Environmental Training Center for Small Water Systems • Preparing for the Unexpected: Security for Small Water Systems www.netc.wvu.edu • “Addresses the unique security needs of small water systems (those serving fewer than 10,000 people).”
VULNERABILITY ASSESSMENT METHODS • KDHE – Kansas Department of Health and Environment method • Available at: http://www.ruralwater.org/ksva.pdf • Uses a simple matrix to evaluate vulnerability. • “User friendly” – with or without a computer • Not fully “stand-alone”
VULNERABILITY ASSESSMENT METHODS • FRWA METHOD: • Focuses on accomplishing PL 107-188’s 6 required elements of a vulnerability assessment. • Uses best of RAM-W, NRWA/ASDWA, and KDHE methods. • Intended for use by water utilities serving less than 50,000 people.
VULNERABILITY ASSESSMENT METHODS • FRWA METHOD relies on your team’s ability to agree on (a consultant will also): • Your utility’s mission and to prioritize its objectives. • The threats that should be protected against. • The methods to be used to protect your utility.
SECURITY ISSUES • “Culture of Security” • All employees aware that Security is an important part of THEIR job • Include in Performance Review • Operational security practices • Facility physical security • Increase Community Awareness of Security • Community Watchdogs in Rural/Isolated areas • Work with Sheriff/Police and Fire Dept.
CONFIDENTIAL – FOR OFFICIAL USE ONLY SECURITY ISSUES cont’d • Classification of Vulnerability Assessment Documents • “CONFIDENTIAL – FOR OFFICIAL USE ONLY” • BOLD, RED LETTERS • Upper Left & Lower Right of each page • Pages numbered 1 of 1, 1 of 2, etc. CONFIDENTIAL – FOR OFFICIAL USE ONLY
SECURITY ISSUES cont’d • Control & Accountability of VA Documents • Should Be Serialized (Copy 1 of 2, etc.) • Issue Sheet (Record recipients of document) • Record of Changes • Safekeeping (safe or vault)
SIX ELEMENTS OF VULNERABILITY ASSESSMENTS REQUIRED BY PL 107-188: • Characterize the water system, including its mission and objectives • Determine malevolent acts • Assess likelihood of malevolent acts • Identify and prioritize adverse consequences • Evaluate existing countermeasures • Develop prioritized plan for risk reduction
SIX ELEMENTS OF VULNERABILITY ASSESSMENTS REQUIRED BY PL 107-188: • Characterize the watersystem, including its mission and objectives • Determine malevolent acts • Assess likelihood of malevolent acts • Identify and prioritize adverse consequences • Evaluate existing countermeasures • Develop prioritized plan for risk reduction
CHARACTERIZE THE UTILITYTHE VA TEAM • Performs the VA • Involves/uses senior management for some decisions • Has a variety of education and experience • Is trusted with sensitive information • Communicates effectively • Documents decisions and entire VA process.
CHARACTERIZE THE UTILITY • POTENTIAL TEAM MEMBERS (5-8 is ideal): • Utilities Director/Superintendent • Chief/Lead Water Plant Operator • Distribution System Manager • Law Enforcement Representative • City/County Engineer • Maintenance Manager • Emergency Management Representative • Human Resources Manager • Secretary
CHARACTERIZE THE UTILITY • ADDITIONAL SPECIALIZED TEAM RESOURCES (provide specific information as needed) • Mayor or City/County Manager • OIT staff and/or a SCADA expert • City/County budget/accounting staff • Security Equipment Suppliers • Human Resources Manager • City/County Attorney
CHARACTERIZE THE UTILITYPRODUCE A MISSION STATEMENT & PRIORITIZED OBJECTIVES MISSION OBJECTIVES OVERALL MISSION FOCUS ON CRITICAL ASSETS
CHARACTERIZE THE UTILITYPRODUCE A MISSION STATEMENT & PRIORITIZED OBJECTIVES • Mission Statement is CRUCIAL for good VA: • What’s most critical function of the water utility? • Which assets must be protected first? • Which assets can be lost and still achieve the mission? • What do we do in a time of crisis?
CHARACTERIZE THE UTILITYPRODUCE A MISSION STATEMENT & PRIORITIZED OBJECTIVES • Mission Statement: Brief and Clear Example: water utility’s mission is to provide an ample supply of safe drinking water with good pressure to all customers.
CHARACTERIZE THE UTILITYPRODUCE A MISSION STATEMENT & PRIORITIZED OBJECTIVES We will accomplish our mission by achieving the following prioritized objectives: 1. Protect public health by distributing safe, potable water to all customers. 2. Maintain adequate pressure and volume to meet fire protection requirements. 3. Keep utility system costs as low as possible while complying with all applicable regulations. (use p. 14 to draft mission stmts)
CHARACTERIZE THE UTILITYDESCRIBE YOUR EXISTING ASSETS • VA REPORT should include a listing of all of the following: • All physical facilities (see pages 65 & 66) • Computer equipment and software • Position descriptions and responsibilities • Existing security equipment • Customers, some more critical than others • Plans, record drawings, files, etc.
CHARACTERIZE THE UTILITYDESCRIBE YOUR EXISTING ASSETS • INCLUDE INTERDEPENDENCIES • Electrical Power • Natural Gas • Fuels, diesel and gasoline • SCADA • Communications • Transportation
CHARACTERIZE THE UTILITYDESCRIBE YOUR EXISTING ASSETS • Evaluate CRITICAL assets for vulnerability: • Describe, list location, & note where shown on drawings and process diagram, as appropriate. • List each asset’s vulnerability to attack. Examples: ASSETSCAPACITIESLOCATIONVULNERABLTS Pump/motor 800 gpm 229 Palm Ave electrical power make/model # 25 hp Sheet B3 physical damage SCADA control Chlorine gas 2000 lbs 229 Palm Ave physical damage tanks Sheet C7 Well # 1 1000 gpm 416 River Way electrical power Sheet B1 physical damage SCADA control
SIX ELEMENTS OF VULNERABILITY ASSESSMENTS REQUIRED BY PL 107-188: • Characterize the water system, including its mission and objectives • Determine malevolent acts (threats) • Assess likelihood of malevolent acts • ID and prioritize adverse consequences • Evaluate existing countermeasures • Develop prioritized plan for risk reduction
THREAT ASSESSMENT • Is a JUDGMENT, based on available intelligence, law enforcement, and open source information, of the actual or potential threats to your utility. • Local law enforcement is your best resource for outsider information. • See “Security Information Websites”, p. 50, item 9, for additional outsider information.
THREAT ASSESSMENT • Identify potential adversaries: • Insiders – employees, present, former and future; anyone with approved access. • Outsiders – everyone else from vandals to criminals and terrorists (see p. 17-20). • Document assessment of both insiders and outsiders in VA report.
THREAT ASSESSMENT • INSIDERS ARE SPECIAL AND COMMON THREATS • Potential for active or passive roles in planning and/or carrying out an attack. • Trusted access to critical assets, as well as the SCADA and security systems. • They know what’s critical & how to disable it.
THREAT ASSESSMENT • SOURCES OF INFORMATION REGARDING INSIDERS • Personnel policies and practices • Staff morale/personal knowledge • Human resources staff • Employee background checks, prior to employment
THREAT ASSESSMENT • Prepare List of POTENTIAL Threats:
THREAT ASSESSMENT Threat list continued:
SIX ELEMENTS OF VULNERABILITY ASSESSMENTS REQUIRED BY PL 107-188: • Characterize the water system, including its mission and objectives • Determine malevolent acts (threats) • Assess likelihood of malevolent acts (Probability of occurrence) • ID and prioritize adverse consequences • Evaluate existing countermeasures • Develop prioritized plan for risk reduction
Risk Equation The following equation determines relative risk of each threat actually being carried out: Risk = Probability of occurrence, P times Consequence severity, C times Effectiveness of deterrents, E