What makes water infrastructure essential is also what makes it a target: Clean, reliable water is vital for both human health and economic stability. As the threat environment in the United States continues to evolve, increased concerns about water security have bubbled to the surface.
WHAT AWIA CHANGES
With the signing of the AWIA into law in October 2018, community water systems (CWS) now have defined requirements — and approaching deadlines — for risk assessments and emergency response. Drinking water utilities serving more than 3,300 people must complete risk and resiliency assessment (RRA) and emergency response plan (ERP) certification requirements, including a review of physical security and cybersecurity measures.
*Emergency response plan certifications are due six months from the date of the risk assessment certification. The dates shown above are certification dates based on a utility submitting a risk assessment on the final due date.
The legislation also transitions from a terrorism or intentional act vulnerability assessment approach to an “all-hazards” risk and resiliency assessment approach. This encompasses not just malevolent acts but also natural or accidental hazards. The EPA recently released a Baseline Information on Malevolent Acts for Community Water Systems document, which identifies specific threat categories and establishes a starting point for the consideration of threat likelihood.
The EPA states these preparations are intended to help water utilities “identify, deter, detect and prepare for these threats; reduce vulnerabilities of critical assets; and mitigate the potential consequences of incidents that do occur.” Approached with gravity and strategy, the development process is a valuable tool, broadening an organization’s perspective and increasing its capabilities to respond to any risk.
Completing the assessment and emergency response plan, while necessary, may feel like an enormous challenge to a water utility already operating on a limited budget. But the cost of noncompliance is expensive, with fines of up to $25,000 per day when RRAs and ERPs are not certified by their respective deadlines. Even greater is the potential tangible and intangible costs of lack of preparation if a malevolent incident should occur.
Larger CWS may have regulatory-focused staff to handle the considerable compliance efforts. But medium- and small-sized utilities may struggle to manage the process. The American Water Works Association (AWWA) suggests supplementing internal resources with third-party support. Consultants — especially those with experience in water system infrastructure, other utility infrastructure, physical security and cybersecurity — can help guide utilities through each step.