Extreme events like these are exceedingly difficult to consider and plan/prepare for. But there are requirements in the Safe Drinking Water Act (SDWA) for utilities to assess their vulnerability and risks, and to develop emergency response plans. These requirements came in with America’s Water Infrastructure Act (AWIA) that was signed into law in October 2018. AWIA Section 2013 specifies that all Community Water Systems with populations greater than 3,300 must conduct Risk and Resilience Assessment (RRAs) and Emergency Response Plans (ERPs). These documents need to be reviewed and updated at least every five years. Since this provision of SDWA is directly implemented by EPA, water systems must certify directly to EPA every five years that they have completed these required activities. The initial RRA certifications were due to EPA from March 2020 to June 2021 depending on systems size, so the first five-year updates are due from March 2025 to June 2026. For more information about upcoming review deadlines and requirements please visit the EPA’s RRA/ERP website. The ERP is intended to be developed in a way that addresses system-specific elements based on its RRA, so these certifications are due six months after the RRA certifications.
The RRA needs to address the following components:
- Risks from malevolent acts and natural hazards
- Traditional water system infrastructure resilience including electronic, computer, or other automated systems (including the security of such systems) utilized by the system
- Financial infrastructure
- System monitoring, operations and maintenance
- Chemical use, storage and handling
Note that item two above essentially includes cybersecurity. EPA has a Vulnerability Self-Assessment Tool (VSAT) to help water systems complete their RRA. The Cybersecurity and Infrastructure Security Agency (CISA) and the Colorado Information Analysis Center (CIAC)also provide numerous tools to help systems address the cyber components of the RRA.
After completing the RRA, the ERP needs to be developed and describe strategies, resources, plans and procedures utilities will use to prepare for and respond to emergency incidents. The incidents can be natural or human-caused and range from line breaks to major disasters like floods or wildfires. The ERP needs to specifically address:
- Strategies and resources to improve resilience including physical security and cybersecurity.
- Emergency response strategies and resources
- Proactive approaches to lessen the impact of emergency incidents
- Strategies to help detect malevolent acts or natural hazards that could harm the system
Water systems should coordinate with local emergency planning agencies and must retain copies of their RRA and ERP.
This SDWA provision is not part of state primacy, but is overseen by EPA. To date, EPA has primarily overseen compliance with these requirements via ensuring that systems have submitted their certification. However, going forward EPA is conducting inspections at water systems across the U.S. and soon in Colorado to evaluate compliance with these requirements and help systems become better prepared to prevent emergencies, lessen their severity and respond.
We all know that emergency preparedness is the right thing to do, but it can be hard to prioritize in the face of day-to-day tasks and seeming crises. However, recent events like the emergencies at water systems that have gained national attention and cyberattacks that have involved ransomware and attempts to access control systems should raise our awareness of the value of these efforts. Maybe this information can help you gain support in your utility to keep up with risk assessment and emergency planning activities, especially with respect to cybersecurity. It’s clear that assessing cybersecurity risks and planning to address those risks is part of SDWA, even though EPA’s early 2023 memorandum about cybersecurity and sanitary surveys was rescinded.
Cybersecurity threats appear to be ever-changing and more threatening. Our Drinking Water Security Response Toolbox is designed to help you meet these AWIA requirements and keep your water systems safe and protected.
Thank you.
➽ Ron Falco, P.E. Safe Drinking Water Program Manager
