An Update on Security and Emergency Preparedness Standards for Utilities

Similar documents
All-Hazards Approach to Water Sector Security & Preparedness ANSI-HSSP Arlington, VA November 9, 2011

The J100 RAMCAP Method

Business Continuity: How to Keep City Departments in Business after a Disaster

PERSPECTIVES ON A J100 VULNERABILITY ASSESSMENT OUTCOMES AND LESSONS LEARNED BY MINNEAPOLIS WATER AUGUST 2016

The Water Sector Approach to Cybersecurity

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

Presented by Joe Burns Kentucky Rural Water Association July 19, 2005

The Office of Infrastructure Protection

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Chapter 1. Chapter 2. Chapter 3

CYBER SECURITY FOR WATER AND WASTEWATER UTILITIES PRESENTED BY: DAVID A. CHANDA, PE

Summary of Cyber Security Issues in the Electric Power Sector

Active and Effective Water Security Programs. Be Informed Be Alert Be Ready

Alternative Fuel Vehicles in State Energy Assurance Planning

Community-Based Water Resiliency

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Security Master Planning to Protect Water Resources Lara Kammereck John Saunders May 1, 2015

June 5, 2018 Independence, Ohio

Critical Infrastructure Resilience

Trends in Cybersecurity in the Water Industry A Strategic Approach to Mitigate Control System Risk

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Emergency Management Response and Recovery. Mark Merritt, President September 2011

Features of an Active and Effective Protective Program for Water and Wastewater Utilities. Be Prepared Be Secure Be Resilient

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Statement for the Record

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

Overview of the Federal Interagency Operational Plans

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Continuous protection to reduce risk and maintain production availability

Resiliency and the Need for Re-Thinking our Water Infrastructure. Andrew Bielanski U.S. Environmental Protection Agency June 25, 2015

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Developing a Holistic Strategy To Achieve Community Health Resilience

RESILIENT UTILITY COALITION OF SOUTH FLORIDA

Business continuity management and cyber resiliency

Department of Defense. Installation Energy Resilience

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

Integrated Consortium of Laboratory Networks (ICLN) Brief to the NPDN National Meeting

Bradford J. Willke. 19 September 2007

Integration of Business Continuity, Emergency Preparedness, and Emergency Response

ipcgrid 2015 March 26, 2015 David Roop Director Electric Transmission Operations Dominion Virginia Power

Cyber Security What Do I Need to Do Now?

Advanced IT Risk, Security management and Cybercrime Prevention

Cyber Resilience. Think18. Felicity March IBM Corporation

BCM s Role in Effective Risk Management: A Risk Manager s Point of View

The Office of Infrastructure Protection

Chemical Facility Anti-Terrorism Standards

Cyber Risk in the Marine Transportation System

Resilient Energy Solutions for Community Needs

CIPMA CRITICAL INFRASTRUCTURE PROTECTION MODELLING & ANALYSIS. Overview of CIP in Australia

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Making plans. An integrated and holistic solution

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Presidential Documents

Strategic Foresight Initiative (SFI)

STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS. National Association of State Energy Of ficials

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Chapter X Security Performance Metrics

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Chapter X Security Performance Metrics

The Science and Technology Roadmap to Support the Implementation of the Sendai Framework for Disaster Risk Reduction

Continuity of Business

Introduction to the National Response Plan and National Incident Management System

Securing Industrial Control Systems

FEMA Update. Tim Greten Technological Hazards Division Deputy Director. NREP April 2017

March 21, 2016 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES. Building National Capabilities for Long-Term Drought Resilience

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

NATIONAL CAPITAL REGION HOMELAND SECURITY STRATEGIC PLAN SEPTEMBER 2010 WASHINGTON, DC

Security and resilience in Information Society: the European approach

European Union Agency for Network and Information Security

Presentation on the Community Resilience Program

The European Policy on Critical Information Infrastructure Protection (CIIP) Andrea SERVIDA European Commission DG INFSO.A3

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Regional Resilience: Prerequisite for Defense Industry Base Resilience

Cyber Security of Industrial Control Systems (ICSs)

Critical Infrastructure Analysis and Protection - A Case for Secure Information Exchange. August 16, 2016

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Control Systems Cyber Security Awareness

Government-Industry Collaboration: 7 Steps for Resiliency in Critical Infrastructure Protection

21ST OSCE ECONOMIC AND ENVIRONMENTAL FORUM

Small Business Storm Preparedness & Resiliency

The NIS Directive and Cybersecurity in

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

Operationalizing Cyber Security Risk Assessments for the Dams Sector

Energy Assurance Energy Assurance and Interdependency Workshop Fairmont Hotel, Washington D.C. December 2 3, 2013

Critical Information Infrastructure Protection Law

S&T Stakeholders Conference

Business Continuity Planning

Industry role moving forward

Private sector s engagement in the implementation of the Sendai Framework

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

How AlienVault ICS SIEM Supports Compliance with CFATS

Table of Contents. Sample

Don t Fail to Prepare for Failure Key Issues in Energy Assurance and Cybersecurity and Related NGA Center Activities

DISASTER RISK MANAGEMENT (DRM/DRR) TEAM

Railroad Infrastructure Security

Business Continuity Management Program Overview

PIPELINE SECURITY An Overview of TSA Programs

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

Transcription:

An Update on Security and Emergency Preparedness Standards for Utilities Linda P. Warren, Launch! Consulting Safety and Security in the Workplace March 28, 2013

Overview 1 Review of AWWA Standards in Water Security and Preparedness 2 How the Standards Apply to Your Utility 3 How an Example Vulnerability Assessment can provide a baseline and improvement metrics

Disclaimer No sensitive information will be revealed during this presentation. BTW No animals were harmed in the making of this presentation.

ANSI/AWWA G430 09 Security Practices for Operation and Management, 2009 Purpose: defines the minimum requirements for a protective security program for W/WW utility to promote the protection of: employee safety public health public safety public confidence Builds on utilizing a multiple barrier approach

Recommendations of the NDWAC to EPA, 2005 Features of an Active and Effective Water Security Programs, 2006 ANSI/AWWA Standard G430, 2009

ANSI/AWWA G430 09 HIGHLIGHTS OF THE STANDARD a) Explicit Commitment to Security b) Security Culture c) Defined Security Roles and Employee Expectations d) Up To Date Assessment of Risk (Vulnerability)

ANSI/AWWA G430 09 HIGHLIGHTS OF THE STANDARD e) Resources Dedicated to Security and Security Implementation Priorities f) Access Control and Intrusion Detection g) Contamination, Detection, Monitoring and Surveillance h) Information Protection and Continuity i) Design and Construction

ANSI/AWWA G430 09 HIGHLIGHTS OF THE STANDARD j) Threat Level Based Protocols k) Emergency Response and Recovery Plans and Business Continuity Plan l) Internal and External Communications m) Partnerships n) Verification

PHYSICAL SECURITY GUIDANCE Water Infrastructure Security Enhancements (WISE) EPAsupported collaboration between ASCE/AWWA/WEF Guidelines for the Physical Security of Water Utilities Guidelines for the Physical Security of Wastewater/Stormwater Utilities EPA Security Product Guide Crime Prevention Through Environmental Design (CPTED)

CONTAMINATION SCENARIO GUIDANCE Water Security Initiative (EPA) Water Contamination Information Tool (EPA) Systems Study of Priority Threat Contaminants in Water Venues (LANL 2006) Preliminary Scoping & Assessment Study of the Potential Impacts from Community Wide Radiological Events & Subsequent Decontamination Activities on Drinking Water & Wastewater Systems (ANL 2007) Municipal Water Distribution System Security Study: Recommendations for Science and Technology Investments (DHS 2009) Water Sector Decontamination Priorities: Recommendations & Proposed Strategic Plan (CIPAC 2008)

CYBER SECURITY ROADMAP Purpose: develop a shared vision and strategy for improving the cyber security of water systems Future Trends Vision for Securing Control Systems Goals and Milestones Key Challenges Next Steps

ANSI/AWWA G440 11 Emergency Preparedness Practices, 2011 Purpose: defines the minimum requirements for emergency preparedness for a water or wastewater utility.

ANSI/AWWA G440 11 REQUIREMENTS Explicit Commitment to Emergency Preparedness Preparedness Culture Defined Preparedness Roles and Employee Expectations Risk Assessment Preparedness Plans Internal and External Communications Training Partnerships Verification

M19: Emergency Planning for Water Utilities Revised Guidance Coming in 2013 Preparedness Culture Risk Assessment Developing an Emergency Response Plan Internal and External Communications Training and Exercises Partnerships Mitigation Measures

Why perform the VA update? 1 2 3 4 G430 Standard: update VA at least every 5 years Changes at the water utility: Removed All Gas (Chlorine and Ammonia) from Water Treatment Plant Updated Cameras and Technology Backflow Program Procedural Changes Establish how best to protect the utility based on updated, real data Important for business operations, safety and security

What is J100 (RAMCAP)? ANSI/ASME ITI/AWWA J100 10 Risk Analysis and Management for Critical Asset Protection (RAMCAP) Standard for Risk and Resilience Management of Water and Wastewater Systems

What is J100 (RAMCAP)? RAMCAP was first identified as part of the National Infrastructure Protection Program (NIPP) The water sector embraced RAMCAP pushed for methodology for all hazards that also integrated resilience Led to partnership with ANSI and AWWA to develop a standard

The J100 RAMCAP Process What assets do I have that are critical to my operations? 1) Asset Characterization 2) Threat Characterization 3) Consequence Analysis 4) Vulnerability Analysis 5) Threat Likelihood Analysis 6) Risk / Resilience Likelihood 7) Risk / Resilience Management What reasonable worst case threat, natural hazard & supply chain scenarios should I consider? What happens to my assets & operations if attacked by terrorists, natural hazards or supply chain disruption? How much money lost, to me? fatalities? injuries? How much economic loss to the regional community? What vulnerabilities would allow a terrorist, natural disaster or supply chain problems to cause these consequences? Given the scenario, what is the likelihood it will result in these consequences? What is the likelihood that a terrorist natural disaster or supply chain disruption will strike my operations? Risk = Consequences x (Vulnerability x Threat Likelihood) Resilience = Service Outage x (Vulnerability x Threat Likelihood) What options do I have to reduce risks, increase resilience and value? How much will each benefit my organization? My region? How much will it cost? What is benefit/cost ratio of my options? How can I manage the chosen options?

Considerations in performing the VA update with J 100 1In house vs. consultant to save time and staff resources 2Expertise in J 100 RAMCAP, VAs and the utility 3Gives utility organization credibility when explaining CIP needs 4SAFETY Act designation (from DHS)of J 100 protects utilities

The U.S. SAFETY Act Support Anti terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) An incentive for the creation and deployment of technologies and services with anti terrorism capabilities Under the SAFETY Act, both the entity that creates the anti terrorism security measure and the entity that deploys the antiterrorism measure are eligible for liability protections (protects utilities and consultants). 1

Review of J100 Standard Avoids impossible detail, precision and cost Quantitative, objective and transparent Can be easily revised with changes Uses risk equation: Risk = Consequence Vulnerability Threat Likelihood V= likelihood that given threat occurs, so does the consequence

How a Virginia Utility used J 100 Standard Project Kickoff Workshop: Charter the project team (15 staff) Discuss changes at the utility since first vulnerability assessment Review 7 steps of J 100

How a Virginia Utility used J 100 Standard Step 1: Asset Characterization Listed ALL assets or groups of assets (started with old VA list and add/ delete) Developed general Consequences of losing the asset s functionality (A, B, C, D categories: high to low, none) Clear cutoff of 18 critical assets in A&B (high and medium) Worst case reigns

Consequence Table A= B= Category HIGH MEDIUM C= LOW D= NEGLIGIBLE Consequence level 4 3 2 1 0 Fatalities Any None None None None N/A None or does not apply None Offsite; Any Serious Injuries Any Offsite Onsite None None Regional Economic Loss >$250M $50M $250M $1M $50M <$1M None or does not apply None or does not apply Utility Economic Loss >10M $5M $10M $0.5M $5M <$0.5M None or does not apply Environmental Damage Irreparable Severe Moderate Negligible Service Denial (% of service denied x# days) >100 % days 10 100 %days 5 10 %days <5% days Loss of Service/ Do Boil Water or Not Use Conservation Water Restrictions Order Do Not Drink Order Order None None or does not apply None or does not apply None or does not apply

How a Virginia Utility used J 100 Standard Step 2: Threat Characterization Any relevant natural hazards, man made threats, proximity threats Used Multi Regional Haz Mit Plan Contamination threats all together as one Resulted in a uniform set of 15 threats applied to all assets

SCADA and Cyber Analysis CSET (Cyber Security Evaluation Tool) Analysis performed through DHS by Idaho National Lab staff during a 2 day workshop US CERT website (Computer Emergency Readiness Team)

How a Virginia Utility used J 100 Standard Step 3: Consequence Analysis Analyzed 15 threats x18 assets = 270 threat asset pairs Assigned each threat asset pair a consequence value: (high= 4 to none= 0) Each asset had at least one high value

How a Virginia Utility used J 100 Standard Step 4: Vulnerability Analysis Analyzed the ability of the assets to withstand each threat Mitigation measures decreased vulnerability

How a Virginia Utility used J 100 Standard Step 5: Threat Analysis Determined the likelihood that the threat will occur Normalized every event to likelihood of occurring in a 10 year period for comparability Example: loss of power = 1.00 hurricane = 0.883

How a Virginia Utility used J 100 Standard Step 6: Risk/Resilience R = C xv xt Compare Risk for each asset to focus mitigation on highest risk assets Used J 100 s Utility Resilience Index based on operational and financial resiliency how well utility is expected to cope Found some assets low risk because of existing mitigation

How a Virginia Utility used J 100 Standard Step 7: Risk/Resilience Management Simple cost benefit analysis: Loss of any critical asset with high consequence is more than $10 M to the Utility and $250 M to the region. Mitigation measures ranged from no cost to over $4 M

Then vs. now: RAM W to RAMCAP RAM W Considers human threats only Threat likelihood was typically 1.0 Pair wise comparisons Info from RAM W J 100 RAMCAP Considers all all hazards: threats from natural to human Realistic likelihood for each threat Threat asset pairs with risk calculated by spreadsheets Basis for J100 analysis

Lessons learned (Part 1) 1. Plan for several workshops for data collection and consensus. 2. Keep it simple don t get caught up in extensive calculations that don t significantly affect results. 3. If Threat is low, high Consequence can still result in high Risk.

Lessons learned (Part 2) 4. Spreadsheets are easy to use in analysis. 5. Median income lowers financial resilience index score. 6. Checking results with key staff during workshops provided crosseducation and good quality control. 7. One page summary sheets for each critical asset are helpful.

Benefits of J 100 Standard Accepted standard with SAFETY Act designation provides liability protection Considers both natural hazards and human caused threats in the analysis Focuses on utility resiliency Project was completed in 4 months

Questions: Linda P. Warren, P.E. Launch! Consulting, LLC Linda@Launch consulting.com Cell/Office: 509 539 7795

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback