Meeting AWIA Deadlines
Window for Mid-Size Water Systems is Closing
Water utilities around the nation are pressing forward to meet imminent regulatory deadlines of the America’s Water Infrastructure Act.
In September 2018, AWIA’s Section 2013 replaced the Safe Drinking Water Act’s one-time vulnerability assessments with more rigorous planning requirements. Drinking water utilities are now required to conduct and certify Risk and Resilience Assessments, revise Emergency Response Plans and update these documents every five years.
The U.S. Environmental Protection Agency intends for utilities to identify and manage terror-related and natural-hazard risks, with ERPs providing strategies to enhance response and recovery following an event.
AWIA deadlines for RRA and ERP certification are fast approaching or have already passed, as shown in Figure 1 below. Completion certification dates are based on the water system size (defined by the population served, not the number of connections). Utilities that do not meet the certification letter deadlines will be subject to enforcement action by the EPA as dictated under Section 1414 of the SDWA and could face fines of up to $25,000 per day.
The RRA certification completion date for larger utilities (serving greater than 100,000 population) was March 2020. Medium-sized utilities (serving 50,000-100,000 population) are rushing to meet their deadline of December 2020. Smaller utilities (serving 3,300-50,000 population) if not already underway should start soon to meet their deadline of June 2021. Each ERP deadline is a short six months after the RRA.
What is Required?
Below is a summary of the 2018 AWIA assessment requirements compared to the 2002 SDWA assessment requirements.
The EPA has provided baseline information about malicious acts that could cause significant disruptions to utilities, but it will not require the use of specific methodologies, or mandate certification of personnel leading assessments or developing response plans. Compliance with AWIA will benefit from development by knowledgeable multidisciplinary teams well-versed in the guidance resources and technical aspects of drinking water systems, as well as physical and cybersecurity.
The process to perform both the RRA and ERP often involves a workshop approach to coordinate with multiple departments and stakeholders. For planning purposes, at least three months should be allocated to complete the RRA and accommodate workshops, perform the data-gathering sessions and field assessments, interview appropriate staff, and document the findings. Schedule is also driven by the water utility’s size, the number of critical assets, and the level of asset criticality and resiliency planning that has been done.
A notable exclusion is that small utilities serving fewer than 3,300 people are not required to meet AWIA requirements. Even though all agencies will benefit from understanding risk and building a resilience culture, AWIA recognizes that these systems may lack the resources to develop and implement this program. While it is uncertain at this time, additional grant funding opportunities may be made available to support this future effort for small drinking water systems.
How to Get It Done
The RRA begins with use of the J100 Standard, which was developed by American Water Works Association and American Society of Mechanical Engineers’ Innovative Technologies Institute to provide a method for assessing risks for water and wastewater utilities. It provides consistency across the various infrastructure types and enables the prioritization of improvements to reduce the identified risks.
AWIA states that the following risks must be assessed by drinking water utilities:
- Malevolent acts and natural hazards
- Monitoring practices of the system
- Financial infrastructure
- Use, storage, or handling of various chemicals
- Operation and maintenance of the system
- Capital and operational needs for risk and resilience management may also be evaluated
The J100 Standard consists of seven steps taking an all-hazards approach.
The RRA provides consistency and prioritizes improvements to reduce risks.
To streamline the process and share costs, some smaller utilities have partnered with a larger utility in the region to develop their RRAs concurrently, as many of the same natural-hazard risks apply. Others have joined forces with smaller utilities in their region to find similar efficiencies.
- Asset Characterization: Step 1 of the J100 Standard requires identification of critical assets. Only those identified as critical are addressed in the RRAs. A critical asset is one whose loss or failure significantly and seriously impacts the utility’s ability to operate, or has considerable financial or political consequences on the utility and its customers. As part of the critical asset characterization, all critical components must be considered including:
- Source water, treatment and chemicals
- Water collection, conveyance and distribution
- Physical barriers
- Control systems, network architecture, diagrams and data flow controls
- Financial infrastructure
- Operations, maintenance and monitoring practices:
- Policies, guidelines and procedures
- Network monitoring and intrusion detection systems
- Incident response plans
- Threat Characterization: All assets identified in Step 1 as critical are assigned a threat category as outlined by the AWWA and depicted in Figure 3. The goal is to select “asset-threat” pairs to be carried through the RRA analysis. The scoring of these pairs occurs in later steps.
- Consequence Analysis: Step 3 requires an estimation of the worst reasonable consequences facing a utility including:
- Number of fatalities/serious injuries
- Public perception
- Financial loss to water utility
- Economic losses to community (plant shutdowns, loss of business, or other losses)
- Environmental damage
- The pandemic planning of 2020 has further emphasized the need to elevate loss of staff as an important consideration
- Vulnerability Analysis: For a given critical asset, such as a treatment plant or influent pump station, Step 4 of the RRA must include evaluation of protective systems necessary to safeguard against each threat. This analysis includes measures that are already in place and any protective measures that may cover multiple vulnerabilities for the utility’s mission-critical assets.
- Threat Analysis: Step 5 focuses on analysis of the identified threats and considers the following:
- Number of occurrences per attack in U.S.
- Likelihood in the local area
- Likelihood for a water system occurrence per attack
- Likelihood of selecting your utility
- Risk/Resilience Analysis: Step 6 involves application of the J100 Risk Equation, which calculates risk as a function of threat likelihood, consequence, and vulnerability, as shown in Figure 4.
- Risk and Resilience Management: Lastly, Step 7 of the RRA is a consideration of the costs and benefits of the six previous steps. This final step is a balance of improving and promoting a utility’s risk and resilience with the effort required to certify compliance. Once an RRA is certified and the certification is submitted to the EPA, the utility has six months to complete an ERP. The ERP must include detection strategies and resources to improve the resilience of cybersecurity and physical assets. The ERP also summarizes the utility’s plans, procedures, and equipment to be utilized in response to those threats to critical assets identified in the RRA, and the actions and procedures to lessen the impact on public health. Completion of the RRA and ERP presents an opportunity to promote an integrated approach of master planning and system analysis with existing and/or improved asset management programs as depicted in Figure 5.
Given the number of these assessments that need to be performed around the country, it is generally recommended to start as soon as possible. Please contact us if you would like to learn more about AWIA’s requirements, key lessons learned from the water industry, and how we may assist you in your efforts towards becoming a more resilient utility and meeting the AWIA compliance deadlines.