PERSPECTIVES ON A J100 VULNERABILITY ASSESSMENT OUTCOMES AND LESSONS LEARNED BY MINNEAPOLIS WATER AUGUST 2016

Transcription

1 PERSPECTIVES ON A J100 VULNERABILITY ASSESSMENT OUTCOMES AND LESSONS LEARNED BY MINNEAPOLIS WATER AUGUST 2016 Mr. Glen Gerads, Director of Minneapolis Water Mr. Andrew Ohrt, PE, Arcadis Agenda What is Resilience? What is a J100 Vulnerability Assessment? Who is Minneapolis Water? Why did Minneapolis Water decide to complete a J100 Vulnerability Assessment? What was the project approach? What are the lessons learned and conclusions? How does this effort fit within Minneapolis Arcadis Water s 2016 overall risk management program? 2 1

2 Resilience: One Definition Resilience is the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience. 3 Rockefeller Foundation Resilience Cities Framework 4 2

3 The Many Facets of Resilience Cyber security Asset management Supply chain management Climate change/drought planning All hazards risk assessments Flood protection Emergency response planning and exercising Physical security design Green Infrastructure And more 5 Common Utility Risk Questions How many critical assets do I have? What is the most likely threat for my assets? Which threats have the biggest consequences? Do I need to worry about cyber-attacks? Should I protect my assets against a bomb? How do I set my utility up for compliance with future rules and laws? August 30,

4 Questions on Quantifying Risk How do I measure the risk associated with threats? What are the means to track risk reduction? How do I prioritize projects to increase resilience? What is the definition of resilience for my utility? August 30, What is a J100 Vulnerability Assessment? 4

5 What is J100? Historical Context Bioterrorism Act of 2002 Vulnerability Assessments Emergency Response Plans 2002: Department of Homeland Security (DHS) Established 2003: Homeland Security Presidential Directive 7 (HSPD-7) 17 (now 16) Critical Infrastructure Sectors established 9 What is J100? Historical Context Guns Guards Gates All Hazards Approach Response Recovery Resilience 10 5

6 Takes an All Hazards Approach 11 Who is using the J100 methodology? 12 6

7 What is the AWWA J100 Standard? AWWA J100 Standard (Risk and Resilience Management of Water and Wastewater Systems J100 ) Methodology to quantify risk ($) Down to the individual asset level Analyzing multiple threat types A way to compare apples to oranges August 30, J100 What Can J100 do? An All Hazards VA is a broad, holistic process that can address: Security and Safety Natural Hazards threats Cyber Security Operational and Financial Resilience Emergency Response Business Continuity Outcomes are not isolated but tied to organization s objectives: Dovetails with asset management Supports planning for population growth, maintaining water quality and quantity Inform capital expenditures across the organization 14 7

8 What is the J100 Process? 1) Asset Characterization 2) Threat Characterization 3) Consequence Analysis 4) Vulnerability Analysis 5) Threat Likelihood Analysis 6) Risk/Resilience Analysis Risk = C x V x T C V T = Consequences = Vulnerability = Threat Likelihood 7) Risk/Resilience Management August 30, Who is Minneapolis Water? 8

9 City of Minneapolis Water Treatment & Distribution Services Established in 1867 Provides drinking water and firefighting capabilities Sole water source is the Mississippi River Withdraws 21 billion gallons of water per year Produces an average of 57 MGD Softens water prior to distribution 1,000 miles of water mains 17 Customers ~38% is for institutional, commercial and industrial use ~22% goes to suburban customers 18 9

10 Why did Minneapolis Water Conduct a J100 Vulnerability Assessment? Better Understand Risks 20 10

11 Project Objectives Improve Minneapolis Water s ability to achieve its mission Improve Minneapolis Water s emergency preparedness posture & resilience Validate current actions Fine tune operations and performance 21 Expected Outcomes The final Vulnerability Assessment would: Improve resilience Reduce risks Outline concrete risk reduction projects Risk reduction projects would: Be phased Have associated estimated costs Prioritization based on risk distribution Integrate easily with capital planning Right-sizing of current physical security Validation of current actions 22 11

12 Project Approach Project Phasing J100 Phase 1 Scoping J100 VA Phase 2 Implementation Additional VA Focus Areas

13 J100 VA Phase I Scoping Facilitated workshops to focus scope and build consensus: Where Minneapolis Water wanted to focus the VA Where Minneapolis Water already had risk mitigation measures in place 25 J100 VA Phase I Conclusions Identified natural hazards for evaluation Floods Tornadoes Blizzards/ice storms Identified focal points for malicious adversary and cyber threats Identified relevant dependency hazards Identified additional focus areas 26 13

14 Additional Focus Areas Contaminant Warning System Gap Analysis Electrical System Analysis Emergency Response Planning Gap Assessment Grant Funding Opportunities Cyber Vulnerability Assessment 27 Cyber Vulnerability Assessment Attacks more publicized and frequent Critically important to Water/WW Ongoing convergence more data + faster to more people Lots of attention from the Feds and industry organization 28 14

15 Cyber Systems IT vs. OT (SCADA) Outage Impact Item IT SCADA Loss of service/ productivity Infrastructure damage, impact to public health, regulatory violation Availability Core Hardware Operator Impact 24/7, can be shutdown to retain system integrity Server Productivity 24/7, shutdowns have operation ramifications Logic Controller Real-time operator situational awareness, process knowledge 29 Phase II Implementation Harnessed momentum from Phase I: Leadership Team Alignment Focused Threat Characterization Understanding of the J100 Standard & Process 1) Asset Characterization 2) Threat Characterization 3) Consequence Analysis 4) Vulnerability Analysis 5) Threat Likelihood Analysis 6) Risk/Resilience Analysis 7) Risk/Resilience Management 30 15

16 Mission & Service Levels What is our Mission? What is our Service Level For the utility For each critical asset 31 Critical Asset Identification Do you know what your critical assets are? Something of importance that, if targeted, exploited, destroyed, or incapacitated could result in injury, death, economic damage to the owner or the community High Repair/Replacement Cost Long Outage Time/Service Denial Little/No Redundancy Single Point of Failure August 30,

17 Threat Identification Malevolent (Physical) Malevolent (Cyber) Critical Asset Natural Hazards Dependency / Proximity Hazards August 30, Threat Characterization Critical Assumptions Malicious Adversaries Criminal Adversary Attributes: 1. Intentions 2. Motivations 3. Capabilities 4. Expected Number 5. Police Response 6. Threat Level 7. Impacts Does the adversary have explosives? 34 17

18 Threat Characterization Cyber Insiders: Accidental/Intentional User/Privileged User Outsiders: Small-Scale Attackers Criminal groups Terrorists Foreign Intelligence Services 35 Threat Characterization Critical Dependencies Electrical Utilities Natural Gas Utilities Mississippi River Upper St. Anthony Falls Dam and Pool State Duty Officer for Notification of River Contamination 36 18

19 Threat Characterization Proximity Hazard Mississippi River Rail & Highway 37 Threat Characterization Mississippi River Rail and Highway Crossings 38 19

20 Threat Characterization Monticello Nuclear Generating Plant Located ~40 miles upriver Began operating in 1971 Strong operational record 39 Threat Characterization Mississippi River Hazardous Material Pipeline Crossings Mississippi River Pipeline Crossing Minneapolis WaterWorks 40 20

21 Threat Characterization Data Sources 41 Threat-Asset Pairs (TAPs) All Combinations of Threats + Critical Assets TAPs Organized by Asset Type or Geography Threat Asset Threat Asset August 30,

22 Data Management Data Summary Total Number of Facilities 38 Total Number of Critical Facilities 24 Approximate Total Number of Assets >1,000 Total Number of Critical Assets ~300 Total Number of Selected Threats 15 Total Number of Threat-Asset Pairs (TAPs) ~200 Total Number of TAPs (to focus on) ~70 43 Data Management Software Which is the right tool? What functionality did we need? Easily handle large datasets Automate natural hazard calculations Automate vulnerability calculations (event tree, path analysis, expert elicitation) Automate risk & resilience calculations Automate documentation of assumptions and inputs Arcadis selected: (Vulnerability Self Assessment Tool) (Program to Assist Risk & Resilience Examination) 44 22

23 Consequences Risk = C x V x T Worst Reasonable Case: most severe but reasonable and credible consequences C is expressed as cost ($) Caution: Somewhat subjective. Utilize same team members for consistent analysis. August 30, Vulnerability Risk = C x V x T Assume threat occurs. V = Probability Of Consequences Occurring August 30,

24 Threat Likelihood Risk = C x V x T What is the likelihood the threat will strike my operation? T = Probability Undesirable Event Occurs August 30, Risk Calculation Revisited Risk = C x V x T C V T = Consequences = Vulnerability = Threat Likelihood August 30,

25 Risk/Resilience Analysis R = C x V x T Risk Flood Tornado Drought Malicious Adversary Utility Dependence Distribution Contamination Source Water Contamination 49 Setting the Bar Why wouldn t you want to target a Risk = $ Zero? Considerations: Resources (Man-power, $) Physical constraints Regulatory Social/customer influence Time Where should we start? August 30,

26 Target Risks R = C x V x T Flood Tornado Drought Malicious Adversary Utility Dependence Distribution Contamination Source Water Contamination Risk Reduction Target Risk 51 Trending TAP Risk What projects reduce risk? Can a single project benefit multiple TAPs? Iterative process August 30,

27 Risk/Resilience Management R&R Analysis provided baseline level of risk Develop Risk Mitigation Measures (RMMs) Scope with conceptual designs Cost Estimate Recalculate Risk assuming RMM implemented Executed Benefit-Cost Analysis (BCA) BCA = Risk Reduction ($) Cost ($) Cost ($) 53 Risk Mitigation Measure Projects Training/exercising program enhancements Conceptual design projects Physical security experts, Water engineer, Structural engineer, Architect, Cyber security expert, Emergency response expert Packages included: Project descriptions Schematics Capital costs O&M costs 54 27

28 Risk Mitigation Measure Project Profile Project Name Project No. Priority Relevant Threats and Assets Duration Description Pump Station A Upgrade X Medium Tornado Pump Station A 1 year Upgrade description. Impacted Stakeholders Maintenance staff Operations staff Cost Estimate CAPITAL COST RANGE $90,000 - $120,000 ANNUAL O&M COSTS $10,000 PROJECT USEFUL LIFE 10 years 55 Capital Planning Ready RMM projects identified (20-25 total) 5-Year-Capital Plan Ready Prioritization: Short-term/Long-Term Benefit-Cost Analysis Capital Cost % Risk Reduction Year 1 Project 1 Project 2 Year 2 Project 3 Project 4 Year 3 Project 5 Project 6 Year 4 Project 7 Project 8 Year 5 Project 9 Project

29 RMM Cost Estimates Association for the Advancement of Cost Engineering International (AACE) Level 4 Feasibility Project Definition: 1-15% Purpose of Estimate: Feasibility Accuracy: -30% to +50% cost range Assumed annual O&M costs Assumed average project useful life 57 Summary of RMMs RMM Threat Type Critical Assets Project Name 1 All All Emergency Response Plan and Multi-Year Training and Exercise Plan Development 2 Natural Hazard - Tornadoes Pump Station A Tornado Protection 3 Natural Hazard - Floods Pump Station B Flood Protection 4 Malevolent Threat - Sabotage Treatment Building Physical Security Upgrades (Access Control) Insider/Outsider 5 Malevolent Threat - Sabotage Pump Station C Physical Security (Cameras) Insider/Outsider 6 Dependence - Utilities Pump Station D Backup Power Installation 7 Natural Hazard - Floods Pump Station E Flood-proofing and Response Exercising 8 Malevolent Threat - Sabotage Pump Station F SCADA Cabinet Upgrade (Cyber VA) Insider/Outsider 9 Malevolent Threat - Sabotage All Cabinet Physical Security Policy (Cyber VA) Insider/Outsider 10 Natural Hazard - Tornadoes All Facility Connectivity (Cyber VA) 58 29

30 Risk Reduction Summary RMM No. Priority Cost Estimate 1 All Emergency Response Planning, Training and Exercising High $200,000 2 Pump Station A Tornado Protection Low $400,000 3 Pump Station B Flood Protection Low $20,000 4 Treatment Building Sabotage Low $300,000 5 Pump Station C Sabotage Low $40,000 6 Pump Station D Sabotage High $30,000 7 Pump Station E Floods Medium $100,000 8 Pump Station F Backup Power Medium $500,000 9 All Sabotage Security Policy High $1, Communications System Tornadoes High $50, RMM Prioritization RMM No. Priority Cost Estimate 1 All Emergency Response Planning, Training and Exercising High $200,000 9 All Sabotage Security Policy High $1, Communications System Tornadoes High $50,000 6 Pump Station D Sabotage High $30,000 TOTAL $281,000 7 Pump Station E Floods Medium $100,000 8 Pump Station F Backup Power Medium $500,000 TOTAL $600,000 2 Pump Station A Tornado Protection Low $400,000 3 Pump Station B Flood Protection Low $20,000 4 Treatment Building Sabotage Low $300,000 5 Pump Station C Sabotage Low $40,000 TOTAL $760,

31 Conclusions Additional Benefits of Vulnerability Assessment Workshops Encouraged: Engagement Information sharing across departments Staff Learned How to Assess Risk Improved Risk Culture Risk Mitigation Projects Support Capital Improvement Planning 62 31

32 VA Conclusions Identified areas for improvement Documented capabilities Informed the CIP Informed the overall risk management process 63 Acknowledgements Bob Ervin, PE, Minneapolis Water Annika Bankston, PE, Minneapolis Water Minneapolis Water Staff! Shannon Spence, PE, Arcadis 64 32

33 THANK YOU! August 29, 2016 Mr. Glen Gerads Director Minneapolis WaterWorks Mr. Andrew Ohrt, PE Senior Consultant Arcadis U.S., Inc

34 Presentation Handout Perspectives on a J100 Vulnerability Assessment Lessons Learned by Minneapolis Water Mr. Glen Gerads & Mr. Andrew Ohrt August 29th, 2016 Resilience One Definition Resilience is the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience. Common Questions Regarding Risk How many critical assets do I have? What is the most likely threat for my assets? Which threats have the biggest consequences? Do I need to worry about cyber-attacks? Should I protect my assets against a bomb? How do I set my utility up for compliance with future rules and laws? How do I measure the risk associated with threats? What are the means to track risk reduction? How do I prioritize projects to increase resilience? What is the definition of resilience for my utility? What is the American Water Works Association J100 Standard for Risk and Resilience Management of Water and Wastewater Systems? Methodology to quantify risk ($) to the individual asset level. Provides a way to evaluate multiple threat types. A way to compare apples to oranges for both asset and threat/hazard types. AUGUST 29, 2016

35 Presentation Handout Perspectives on a J100 Vulnerability Assessment Lessons Learned by Minneapolis Water Mr. Glen Gerads & Mr. Andrew Ohrt August 29th, 2016 Steps to perform a VA using the J100 Standard are: 1) Asset Characterization What assets do I have that are critical to my operations? 2) Threat Characterization What reasonable worst case man-made threat, natural hazard & supply chain scenarios should I consider? 3) Consequence Analysis 4) Vulnerability Analysis 5) Threat Likelihood Analysis What happens to my assets & operations if attacked by terrorists, natural hazards or supply chain disruption? How much money lost, to me? fatalities? injuries? How much economic loss to the regional community? What vulnerabilities would allow a terrorist, natural disaster or supply chain problems to cause these consequences? Given the scenario, what is the likelihood it will result in these consequences? What is the likelihood that a terrorist natural disaster or supply chain disruption will strike my operations? 6) Risk/Resilience Analysis Risk = Consequences x Vulnerability x Threat Likelihood Resilience = Service Outage x (Vulnerability x Threat Likelihood) 7) Risk/Resilience Management What options do I have to reduce risks & increase resilience? How much will each benefit in reduced risks and Increased resilience? How much will it cost? What is the net benefit & benefit/cost ratio of my options? How can I manage the chosen options? AUGUST 29, 2016