An Update on Security and Emergency Preparedness Standards for Utilities Linda P. Warren, Launch! Consulting Safety and Security in the Workplace March 28, 2013
Overview 1 Review of AWWA Standards in Water Security and Preparedness 2 How the Standards Apply to Your Utility 3 How an Example Vulnerability Assessment can provide a baseline and improvement metrics
Disclaimer No sensitive information will be revealed during this presentation. BTW No animals were harmed in the making of this presentation.
ANSI/AWWA G430 09 Security Practices for Operation and Management, 2009 Purpose: defines the minimum requirements for a protective security program for W/WW utility to promote the protection of: employee safety public health public safety public confidence Builds on utilizing a multiple barrier approach
Recommendations of the NDWAC to EPA, 2005 Features of an Active and Effective Water Security Programs, 2006 ANSI/AWWA Standard G430, 2009
ANSI/AWWA G430 09 HIGHLIGHTS OF THE STANDARD a) Explicit Commitment to Security b) Security Culture c) Defined Security Roles and Employee Expectations d) Up To Date Assessment of Risk (Vulnerability)
ANSI/AWWA G430 09 HIGHLIGHTS OF THE STANDARD e) Resources Dedicated to Security and Security Implementation Priorities f) Access Control and Intrusion Detection g) Contamination, Detection, Monitoring and Surveillance h) Information Protection and Continuity i) Design and Construction
ANSI/AWWA G430 09 HIGHLIGHTS OF THE STANDARD j) Threat Level Based Protocols k) Emergency Response and Recovery Plans and Business Continuity Plan l) Internal and External Communications m) Partnerships n) Verification
PHYSICAL SECURITY GUIDANCE Water Infrastructure Security Enhancements (WISE) EPAsupported collaboration between ASCE/AWWA/WEF Guidelines for the Physical Security of Water Utilities Guidelines for the Physical Security of Wastewater/Stormwater Utilities EPA Security Product Guide Crime Prevention Through Environmental Design (CPTED)
CONTAMINATION SCENARIO GUIDANCE Water Security Initiative (EPA) Water Contamination Information Tool (EPA) Systems Study of Priority Threat Contaminants in Water Venues (LANL 2006) Preliminary Scoping & Assessment Study of the Potential Impacts from Community Wide Radiological Events & Subsequent Decontamination Activities on Drinking Water & Wastewater Systems (ANL 2007) Municipal Water Distribution System Security Study: Recommendations for Science and Technology Investments (DHS 2009) Water Sector Decontamination Priorities: Recommendations & Proposed Strategic Plan (CIPAC 2008)
CYBER SECURITY ROADMAP Purpose: develop a shared vision and strategy for improving the cyber security of water systems Future Trends Vision for Securing Control Systems Goals and Milestones Key Challenges Next Steps
ANSI/AWWA G440 11 Emergency Preparedness Practices, 2011 Purpose: defines the minimum requirements for emergency preparedness for a water or wastewater utility.
ANSI/AWWA G440 11 REQUIREMENTS Explicit Commitment to Emergency Preparedness Preparedness Culture Defined Preparedness Roles and Employee Expectations Risk Assessment Preparedness Plans Internal and External Communications Training Partnerships Verification
M19: Emergency Planning for Water Utilities Revised Guidance Coming in 2013 Preparedness Culture Risk Assessment Developing an Emergency Response Plan Internal and External Communications Training and Exercises Partnerships Mitigation Measures
Why perform the VA update? 1 2 3 4 G430 Standard: update VA at least every 5 years Changes at the water utility: Removed All Gas (Chlorine and Ammonia) from Water Treatment Plant Updated Cameras and Technology Backflow Program Procedural Changes Establish how best to protect the utility based on updated, real data Important for business operations, safety and security
What is J100 (RAMCAP)? ANSI/ASME ITI/AWWA J100 10 Risk Analysis and Management for Critical Asset Protection (RAMCAP) Standard for Risk and Resilience Management of Water and Wastewater Systems
What is J100 (RAMCAP)? RAMCAP was first identified as part of the National Infrastructure Protection Program (NIPP) The water sector embraced RAMCAP pushed for methodology for all hazards that also integrated resilience Led to partnership with ANSI and AWWA to develop a standard
The J100 RAMCAP Process What assets do I have that are critical to my operations? 1) Asset Characterization 2) Threat Characterization 3) Consequence Analysis 4) Vulnerability Analysis 5) Threat Likelihood Analysis 6) Risk / Resilience Likelihood 7) Risk / Resilience Management What reasonable worst case threat, natural hazard & supply chain scenarios should I consider? What happens to my assets & operations if attacked by terrorists, natural hazards or supply chain disruption? How much money lost, to me? fatalities? injuries? How much economic loss to the regional community? What vulnerabilities would allow a terrorist, natural disaster or supply chain problems to cause these consequences? Given the scenario, what is the likelihood it will result in these consequences? What is the likelihood that a terrorist natural disaster or supply chain disruption will strike my operations? Risk = Consequences x (Vulnerability x Threat Likelihood) Resilience = Service Outage x (Vulnerability x Threat Likelihood) What options do I have to reduce risks, increase resilience and value? How much will each benefit my organization? My region? How much will it cost? What is benefit/cost ratio of my options? How can I manage the chosen options?
Considerations in performing the VA update with J 100 1In house vs. consultant to save time and staff resources 2Expertise in J 100 RAMCAP, VAs and the utility 3Gives utility organization credibility when explaining CIP needs 4SAFETY Act designation (from DHS)of J 100 protects utilities
The U.S. SAFETY Act Support Anti terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) An incentive for the creation and deployment of technologies and services with anti terrorism capabilities Under the SAFETY Act, both the entity that creates the anti terrorism security measure and the entity that deploys the antiterrorism measure are eligible for liability protections (protects utilities and consultants). 1
Review of J100 Standard Avoids impossible detail, precision and cost Quantitative, objective and transparent Can be easily revised with changes Uses risk equation: Risk = Consequence Vulnerability Threat Likelihood V= likelihood that given threat occurs, so does the consequence
How a Virginia Utility used J 100 Standard Project Kickoff Workshop: Charter the project team (15 staff) Discuss changes at the utility since first vulnerability assessment Review 7 steps of J 100
How a Virginia Utility used J 100 Standard Step 1: Asset Characterization Listed ALL assets or groups of assets (started with old VA list and add/ delete) Developed general Consequences of losing the asset s functionality (A, B, C, D categories: high to low, none) Clear cutoff of 18 critical assets in A&B (high and medium) Worst case reigns
Consequence Table A= B= Category HIGH MEDIUM C= LOW D= NEGLIGIBLE Consequence level 4 3 2 1 0 Fatalities Any None None None None N/A None or does not apply None Offsite; Any Serious Injuries Any Offsite Onsite None None Regional Economic Loss >$250M $50M $250M $1M $50M <$1M None or does not apply None or does not apply Utility Economic Loss >10M $5M $10M $0.5M $5M <$0.5M None or does not apply Environmental Damage Irreparable Severe Moderate Negligible Service Denial (% of service denied x# days) >100 % days 10 100 %days 5 10 %days <5% days Loss of Service/ Do Boil Water or Not Use Conservation Water Restrictions Order Do Not Drink Order Order None None or does not apply None or does not apply None or does not apply
How a Virginia Utility used J 100 Standard Step 2: Threat Characterization Any relevant natural hazards, man made threats, proximity threats Used Multi Regional Haz Mit Plan Contamination threats all together as one Resulted in a uniform set of 15 threats applied to all assets
SCADA and Cyber Analysis CSET (Cyber Security Evaluation Tool) Analysis performed through DHS by Idaho National Lab staff during a 2 day workshop US CERT website (Computer Emergency Readiness Team)
How a Virginia Utility used J 100 Standard Step 3: Consequence Analysis Analyzed 15 threats x18 assets = 270 threat asset pairs Assigned each threat asset pair a consequence value: (high= 4 to none= 0) Each asset had at least one high value
How a Virginia Utility used J 100 Standard Step 4: Vulnerability Analysis Analyzed the ability of the assets to withstand each threat Mitigation measures decreased vulnerability
How a Virginia Utility used J 100 Standard Step 5: Threat Analysis Determined the likelihood that the threat will occur Normalized every event to likelihood of occurring in a 10 year period for comparability Example: loss of power = 1.00 hurricane = 0.883
How a Virginia Utility used J 100 Standard Step 6: Risk/Resilience R = C xv xt Compare Risk for each asset to focus mitigation on highest risk assets Used J 100 s Utility Resilience Index based on operational and financial resiliency how well utility is expected to cope Found some assets low risk because of existing mitigation
How a Virginia Utility used J 100 Standard Step 7: Risk/Resilience Management Simple cost benefit analysis: Loss of any critical asset with high consequence is more than $10 M to the Utility and $250 M to the region. Mitigation measures ranged from no cost to over $4 M
Then vs. now: RAM W to RAMCAP RAM W Considers human threats only Threat likelihood was typically 1.0 Pair wise comparisons Info from RAM W J 100 RAMCAP Considers all all hazards: threats from natural to human Realistic likelihood for each threat Threat asset pairs with risk calculated by spreadsheets Basis for J100 analysis
Lessons learned (Part 1) 1. Plan for several workshops for data collection and consensus. 2. Keep it simple don t get caught up in extensive calculations that don t significantly affect results. 3. If Threat is low, high Consequence can still result in high Risk.
Lessons learned (Part 2) 4. Spreadsheets are easy to use in analysis. 5. Median income lowers financial resilience index score. 6. Checking results with key staff during workshops provided crosseducation and good quality control. 7. One page summary sheets for each critical asset are helpful.
Benefits of J 100 Standard Accepted standard with SAFETY Act designation provides liability protection Considers both natural hazards and human caused threats in the analysis Focuses on utility resiliency Project was completed in 4 months
Questions: Linda P. Warren, P.E. Launch! Consulting, LLC Linda@Launch consulting.com Cell/Office: 509 539 7795