The first utility risk and resiliency assessments must be completed by March 2020. Are you prepared?
AWIA - What You Need to Know
America’s Water Infrastructure Act of 2018 (AWIA), signed into law Oct. 23, 2018, establishes new statutory requirements for community water systems. Section 2013 of AWIA requires community water systems serving a population of greater than 3,300 people to conduct a risk and resilience assessment (RRA) and prepare or revise an emergency response plan (ERP). Per the schedule below, a utility must submit a letter to the US Environmental Protection Agency (USEPA) certifying that both the RRA and ERP have been completed. Both must also be re-certified every five years thereafter. Failure to submit each certification is subject to direct enforcement by USEPA and a penalty of up to $25,000/day.
| Community Water System (population served) | Risk and Resilience Assessment | Emergency Response Plan |
|---|---|---|
| > 100,000 | Mar. 31, 2020 | Sept. 31, 2020 |
| 50,000 – 100,000 | Dec. 31, 2020 | June 20, 2021 |
| 3,300 – 50,000 | June 31, 2021 | Dec. 30, 2021 |
This provision of AWIA is an update to the Bioterrorism Act of 2002 (BT Act). While the BT Act was focused on acts of terrorism, AWIA requires consideration of both malevolent acts and natural hazards that could compromise continuity of service. In addition to assets listed in the BT Act, AWIA places additional emphasis on the cybersecurity of SCADA and other monitoring systems, financial infrastructure (i.e., financial and customer billing systems), and associated systems such as metering. The corresponding ERP must consider plans and procedures that can be implemented to “obviate or significantly lessen the impact” on the health, safety, and supply of drinking water from malevolent acts or natural hazards.
AWIA does not specifically define how a utility must complete the RRA or ERP, but it does support the use of voluntary consensus standards recognized by USEPA for purposes of compliance. Contact EMA to discuss how our AWIA services can help your utility meet these regulatory mandates.
The Five Deadly Sins of SCADA-PCS Cybersecurity
EMA’s Bob Reilly published an article for the EMA Communicator entitled “The Five Deadly Sins of SCADA/PCS Cybersecurity.” It was written from the perspective of Utility managers who are rightfully concerned about the security of their production control systems. News stories about companies, even large corporations, being hacked or compromised come out on an almost weekly basis. Security expertise is one of the fastest-growing areas in the technology field, and even many private sector companies struggle to fill these roles.
Bob wrote this article to create a simple conversation between Utility managers and those in charge of implementing, maintaining, and securing the SCADA/PCS network by breaking down complex security systems, servers, equipment, and components into five simple questions. If the answer is “yes” to any of the five areas detailed in the article, the Utility needs to investigate further whether this is truly a need or just a simple convenience for staff or outside contractors. If the Utility is knowingly or unknowingly violating one of these “sins,” it should put a plan in place to eliminate or mitigate the potential risk. The article also gives methods and alternatives for meeting these needs in a secure manner.
Here’s the link to the article: EMA Communicator Issue 1 2018, The Five Deadly Sins of SCADA-PCS Cybersecurity.
Please contact EMA to learn about how our AWIA services will assist your utility in complying with these regulatory mandates in all of your impacted automated systems.
What Goes into a Risk and Resiliency Assessment and Emergency Response Plan
America’s Water Infrastructure Act of 2018 states “In general – Each community water system serving a population of greater than 3,300 persons shall conduct an assessment of the risks to, and resilience of, its system. Such an assessment –
(A) shall include an assessment of –
1. the risk to the system from malevolent acts and natural hazards;
2. the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system;
3. the monitoring practices of the system;
4. the financial infrastructure of the system;
5. the use, storage, or handling of various chemicals by the system; and
6. the operation and maintenance of the system; and
(B) may include an evaluation of capital and operational needs for risk and resilience management for the system.”
Within the bill, the term ‘resilience’ is defined as,
“the ability of a community water system or an asset of a community water system to adapt to or withstand the effects of a malevolent act or natural hazard without interruption to the asset’s or system’s function, or if the function is interrupted, to rapidly return to a normal operating condition.”
The emphasis not only on natural hazards but also on any malevolent attempt to interrupt an asset’s or system’s function marks a first in making a specific distinction for outside threats to water infrastructure, including cyber threats. This also brings to light some of the cybersecurity challenges facing executives, asset owners, operators, IT, and security personnel in the water and wastewater industries today.
Each water system must conduct a Risk and Resiliency Assessment and submit a certification of the assessment to EPA. Within six months of the assessment deadline, water systems must develop an Emergency Response Plan that incorporates the findings of the Risk and Resiliency Assessment.
Water system owners will be required to review and update the assessment at least every five years.
EMA has developed a suite of AWIA services to help utilities comply with the RRA requirements for their automated systems, monitoring practices, and financial infrastructure. Contact us today to see how we can help you make compliance as painless as possible.
How EMA Can Help
EMA has compiled a comprehensive set of services to meet the RRA and ERP requirements to comply with AWIA for your automation, monitoring, and network technologies and related practices. These technologies include: SCADA, Control Systems, Office Systems, Lab Systems, Metering Systems, Work Management Systems, and their communications networks.
• IT Assessments, including interfaces to other utility systems, remote access and mobile, and policies and work practices. Technologies include LIMS, Asset and Work Management, Customer Service and Billing, AMR/AMI and the entire Meter-to-Cash cycle, Financial Systems/ERP, and PCI (Payment Card Industry).
• Operational Technology Assessments, including SCADA, Process Control, remote access and mobile, and communications networks.
• Funding Review and Assistance: once grant funding is appropriated for the EPA, EMA can help you apply for and secure available grants for the work needed to comply with AWIA requirements.