America’s Water Infrastructure Act Brings New Emergency Response and Resilience Requirements
By Will Williams & Ahmet Ozman
Even those of us who were not Boy Scouts or Girl Scouts can recite the Scouting motto. “Be Prepared” originally meant to be watchful and ready for anything, which made Scouts invaluable for patrol and other service during World War I and World War II.
On Oct. 23, 2018, America’s Water Infrastructure Act (AWIA) of 2018 was signed into law, essentially requiring water utilities to be better prepared for a wide range of threats. It requires water utilities to thoroughly assess their vulnerabilities to all types of natural hazards and man-made disasters and develop a detailed plan to address them.
Preparing for Threats: The New Requirements
Section 2013 of AWIA, through an amendment to the Safe Drinking Water Act (SDWA), introduced a new requirement for every public water system that serves more than 3,300 people to conduct a Risk and Resilience Assessment (RRA) and prepare (or revise) an Emergency Response Plan (ERP). If multiple entities are involved in water supply, treatment and distribution – such as wholesale suppliers, treatment operators and (separately owned) distribution systems – all would need to separately conduct RRAs and develop ERPs for assets under their control. Utilities are required to certify to the U.S. Environmental Protection Agency (EPA) that both have been completed by established statutory deadlines.
Table 1: Deadlines
The RRA requirement replaces the previous requirement to perform vulnerability assessments established by the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, which was enacted following the 9/11 attacks. The AWIA broadens the assessment focus from “terrorism and intentional attack” to “malevolent acts and natural hazards.”
In addition to examining each system’s risk from these threats, RRAs must evaluate the resilience of all physical assets from source water to distribution systems, including monitoring practices, chemical storage and handling, and operations and maintenance practices. AWIA also requires utilities to evaluate the security of electronic, computer and automated systems and financial infrastructure in response to rising cybersecurity threats.
ERPs need to focus on more than merely being able to respond. They must include risk mitigation actions such as alternative source water, interconnections, redundancy improvements, asset hardening, and physical and cybersecurity countermeasures if and as justified through assessment.
From the glass half-full perspective, identifying, and evaluating a broader array of threats and preparing a plan to address them will help utilities that have not already done this become more resilient. But in the empty half of the glass is an unfunded mandate with rapidly approaching deadlines. Utilities are challenged to quickly interpret the guidelines and apply best-practice tools to ensure effective outcomes.
Utilities that serve a population of more than 100,000 must certify that they have completed RRAs by March 31, 2020, and ERPs by Sept. 30, 2020. Reports do not need to be submitted, but RRAs and ERPs must be updated and re-certified to EPA every five years. EPA does not require the use of specific standards, methods or tools for the risk and resilience assessment or emergency response plans but recommends the use of standards, including AWWAJ100-10 Risk and Resilience Management of Water and Wastewater Systems along with tools from EPA and other organizations.
In late July EPA simultaneously published Baseline Information on Malevolent Acts for Community Water Systems, the Emergency Response Plan Template and Instructions, and guidance for the certification process. EPA also updated the Vulnerability Self-Assessment Tool (VSAT) to be consistent with the new requirements. This additional guidance has been evolutionary rather than revolutionary, supplementing guidance and resources that the water industry has developed over many years.
Figure 1 – Key Industry Guidance Documents and Standards
Preparing for Compliance: What Now?
Despite the short timetable, some utilities are understandably hesitant to move forward with RRAs because of unplanned costs, uncertainty about how to get real value from the assessments, and questions about cybersecurity.
“The largest threat to financial, monitoring, and other computer systems is a cyber ransomware attack,” says Jacques Brados, Black & Veatch Senior I&C Manager for Water. “Many financial systems have periodic cyber assessments that may not meet the intent of AWIA, and SCADA systems are typically assessed less often and with less rigor. The unfunded AWIA mandate is a challenge, but it’s also an opportunity to standardize security assessments of electronic, computer, automated, and financial systems to determine risk and improve resilience.”
Know What You Have and What You Want To Do
Vulnerability studies developed soon after 9/11 focused on physical security and typically have limited value in meeting the new requirements. But many utilities have significantly invested in planning for long-term resilience, assessing and improving cybersecurity, and assessing risk as part of their asset management programs. These activities tend to be a fitting foundation for a response to the new requirements.
Although some utilities just want to meet basic requirements for financial or other reasons, utilities and communities can benefit by using the AWIA requirements as a platform for a more valuable and comprehensive program. One of the questions that utilities should ask themselves is whether they want to meet minimum requirements for compliance or want to derive sustainable business benefit from their investment. Do they only want to certify that they have RRAs and ERPs in place or do they want to move into the realm of effective risk management and best-practice asset management?
Structures and tools developed for RRAs can facilitate improved decision-making and launch a more formal risk-management program or expand an existing asset management program. Investing in a repeatable template makes it easier to update RRAs and to apply it to other systems and facilities in the future.
As one example, a county on the East Coast is well into Phase I of an RRA program. The county already had an asset management program that includes an asset inventory and consequence-of-failure analysis, so Black & Veatch is helping the county fill in the gaps and develop a template. The template will have additional value as the county ventures beyond current requirements to replicate this process in-house for the county’s other systems.
Figure 2 – Advancing to Industry Best Practice
More Questions
Most utilities have building blocks in place, so the first step is to compare the current level of resilience maturity with the desired level. Answering questions about where utilities now stand and what needs to be done to reach their desired destinations entails intermediate steps.
Cost-benefit analysis is useful in determining the appropriate level of investment. Utilities need to determine which of their assets carry the largest risks and how much risk is acceptable. For example, the ideal would be to ensure that no customer would ever be without access to safe drinking water. But the cost to ensure that outcome would be prohibitive, so the question becomes “What can I afford to do to minimize risk and enhance resilience?”
The Water Research Foundation (WRF) recently launched a research study. The goal of “Practical Framework for Water Infrastructure Resilience (WRF Project 5014)” is to help water utilities better understand the relationships among enterprise risk management, performance and level of service goals, and planning for organizational and infrastructure resilience. This work will synthesize and summarize existing knowledge, resources, and utility experience in this field and provide a practical framework to help utilities identify appropriate approaches, frameworks, and tools for their specific needs and priorities.
The RRA provides a list of things that can go wrong, and the ERP asks what we are going to do when that happens. For example, from an Operations viewpoint, the cybersecurity portion of the ERP comes down to a single instruction: Turn off your computer monitor and do your job. Plants need to be able to operate manually, and financial systems need to be able to process invoices, payments, and payroll manually.
Prepare to Be Prepared: The Sooner the Better
Approximately one year after AWIA was passed, water utilities that haven’t yet begun their RRAs would be wise to hasten the journey. Identifying and addressing what needs to be done and using that understanding to develop a program that will deliver business value beyond basic compliance takes time. What’s more, AWIA requires utilities to coordinate the risk and resilience assessments, as well as the emergency response plans, with local emergency planning committees. Involving the public as appropriate is also beneficial.
Waiting for something to happen given the impending deadlines, the knowledge of what’s involved, and the uncertainty of how long it will take is, well, like waiting until hazards materialize before planning an optimal response. The only way to sidestep such dangers is to be prepared.
Will Williams leads Black & Veatch’s AWIA Services. He has 29 years of experience in risk-based planning and asset management, is an IAM-endorsed assessor and is currently leading WRF research project 05014 focused on the development of a practical framework for risk and resilience assessment aimed at water, wastewater and stormwater agencies.
Ahmet Ozman is a senior planning and asset management consultant with Black & Veatch, and specializes in asset management, risk-based prioritization and capital planning, ISO55000, resilience assessments and planning and is an IAM-endorsed assessor for asset management program assessments.
