Following the September 11, 2001 attacks, the United States Environmental Protection Agency (USEPA) required all public water systems (PWS) to evaluate their susceptibility to terrorism. These reports, completed in the mid-2000s, were called Vulnerability Assessments.
In 2018, the USEPA passed America’s Water Infrastructure Act (AWIA), which requires all PWS serving populations over 3,300 to reassess what they would do if a disaster strikes. The intent is to help each PWS determine their water resilience and estimate risks from malevolent acts and natural hazards. AWIA 2018 has two requirements regarding these types of risks:
Risk & Resilience Assessment - Identify risks to the PWS
Emergency Response Plan - Identify how to respond to significant risks identified in the Risk & Resilience Assessment
The Risk & Resilience Assessment will replace the Vulnerability Assessments from the mid-2000s because it is intended to look beyond the scope of terrorism and identify additional risks, like accidental contamination or natural disaster. Other less obvious risks must be addressed, such as a physical assault on the utility, sabotage, and intentional contamination of source or finished water.
Since the time of Vulnerability Assessments, cybersecurity has emerged as a crucial component of resilient utilities. Each PWS needs to identify their process control systems and measure their susceptibility to a cyber-attack. Access to passwords, facilities, and digital systems should all be evaluated.
Once ready, the Risk & Resilience Assessment must be certified to USEPA online using the Vulnerability Self-Assessment Tool 2.0 (VSAT 2.0). The deadline to submit the assessment is dependent on the population served.
Emergency Response Plan: When Disaster Strikes
Within six months of submitting the Risk & Resilience Assessment, each PWS must submit an Emergency Response Plan that outlines the course of action for when disaster strikes. For each significant risk identified in the Risk & Resilience Assessment, the PWS must detail their plan of action to mitigate the risk by reducing its likelihood or impacts.
Most states have overlapping, and in some cases additional, requirements for the Emergency Response Plan, including specific formats, templates, and content. For example, Ohio requires specific, actionable details for each identified risk that go more in depth than USEPA requirements, and refers to the Emergency Response Plan as a Contingency Plan.
An Outside Perspective
Identifying risks and creating an Emergency Response Plan can be daunting tasks for PWS, especially when coupled with navigating the VSAT 2.0 and continuing regular system operations. B&N can guide you through this process and provide a valuable perspective for identifying risks and how to address them.
B&N offers assistance at every step of the AWIA 2018 submittal process. Our asset management and information technology (IT) experts can help identify risks to physical facilities and cybersecurity. To gather information to identify risks, the team interviews PWS staff, assesses critical access with site visits, and reviews existing emergency response or contingency plans.
Once risks are identified, our team can assist with the VSAT 2.0 submittal as well. We utilize password protection so that both the B&N team and client can securely enter or edit data before certifying it without needing to transfer information electronically. Because the information gathered from these reports is sensitive, our team takes additional precautions to make sure that all information is secure and confidential.
Finally, our team works with each PWS to identify ways to manage risks specific to their system. We work with clients to create an Emergency Response Plan that complies with both state and federal requirements.
Protect Your Community
If you have any questions about the AWIA 2018 requirements or how to create a plan that protects your PWS and community, please contact Kevin Campanella, PE.