
Wednesday, May 1, 2024

Dear Aqua Answers - Help Update My Risk and Resilience Assessments and Emergency Response Plans

Water Resilience Framework
Dear Aqua Answers,

When I prepared the Risk and Resilience Assessments and Emergency Response Plans for our water system back in 2021, cybersecurity was less of a concern, but now it’s a real big deal. How can I incorporate cybersecurity into my updated documents that are due in 2026?

Please help. Thanks,

Cy Bersafe


Dear Cy,

You are correct! Cybersecurity is a big concern today. But you don’t need to wait until 2026 to update your Risk and Resilience Assessment (RRA) and Emergency Response Plan (ERP). Cybersecurity threats are ever-changing and increasingly serious, and the RRA and ERP are meant to be living documents that are periodically reviewed and updated. But let’s take a step back for a moment and review the requirements.

The RRA and ERP requirements were incorporated into the Safe Drinking Water Act in October 2018. All Community Water Systems serving populations greater than 3,300 must conduct Risk and Resilience Assessments (RRAs) and develop Emergency Response Plans (ERPs). These documents need to be reviewed and updated at least every five years. The initial RRA certifications were due to EPA from March 2020 to June 2021, depending on system size, so the first five-year updates are due from March 2025 to June 2026. In general, the idea is to conduct a risk assessment first (the RRA) and then develop an ERP specific to your system.

Cybersecurity risks fall under the RRA requirement to address risks from malevolent acts, which covers the electronic, computer, and other automated systems that run the traditional water system infrastructure (including the security of those systems). One area that has been targeted by cybercriminals is the billing system for water systems, so cybersecurity crosses into the financial infrastructure as well. EPA has a Vulnerability Self-Assessment Tool (VSAT) to help water systems complete their RRA. The Cybersecurity and Infrastructure Security Agency (CISA) and the Colorado Information Analysis Center (CIAC) also provide numerous tools to help systems address the cyber components of the RRA.

Once you follow those steps to complete the cybersecurity portion of the RRA, the ERP needs to be developed describing the strategies, resources, plans, and procedures the utility will use to reduce the risk of cyberattacks and respond to incidents. Our Drinking Water Security Response Toolbox is designed to help you meet these AWIA requirements and keep your water system safe and protected, including against cybersecurity threats. Specifically, at the bottom of that web page you will see a list of activities that can be part of your ERP. For example, you could adopt and implement a policy that specifies how frequently your water system backs up its data, and require multi-factor authentication for all system access. These activities would be part of your ERP, and it is recommended that you keep records of system backups and similar actions. Additionally, you could begin an employee training program on how to recognize and respond to phishing emails, which can lead to a ransomware attack. This would be a great strategy to include in your ERP; again, remember to establish a method to track and document that the employee training is happening on an ongoing basis. These are examples of low-cost actions your water system can take to reduce the risk of cyberattacks. A longer-term action to plan for would be to ensure that financial/billing computer systems are separated from the operational systems involved with water treatment and delivery.

These are good steps to reduce risks and, hopefully, prevent a cyberattack. But the ERP also needs to describe how your system would respond to an attack. Again, the Drinking Water Security Response Toolbox provides helpful tools and guidance. One early action after an attack occurs is reporting, and we have reporting guidance to help with that. Reporting the incident will also lead to help from state and federal agencies in recovering from the incident.

We hope this information helps you get on your way with updating your RRA and ERP.

Sincerely,

➽ Aqua Answers