2018 AWIA and SFPUC Risk Resilience Evaluation Update
Josh Gale
SFPUC Emergency Planning and Security
2019 SFPUC Annual Water Quality & Technology Workshop
November 13, 2019
Services of the San Francisco Public Utilities Commission
EPA Requirements
Requires water systems to complete and update Risk and Resilience Assessments (RAs) and Emergency Response Plans (ERPs) every 5 years and to provide a certification to EPA that RAs and ERPs have been completed/updated.
Deadlines:
What must be assessed?
The Risk to, and Resilience of, its system considering:
• Malevolent acts and natural hazards
• Resilience of piped and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems.
• Monitoring practices of system
• Financial infrastructure of system
• Use, storage, or handling of various chemicals by the system
• Operation and maintenance of the system
• May include an evaluation of capital and operational needs for risk and resilience management.
What is your strategy?
AWWA Suggested Resources and Guidance Documents
*EPA will not require utilities use any particular methodology or tool, but will simply identify methodologies that utilities may find helpful.
• AWWA J100-10 Risk and Resilience Management Standard
• ANSI/AWWA G430-14, Security Practices for Operation and Management
• ANSI/AWWA G440-17, Emergency Preparedness Practices
• AWWA Process Control System Security Guidance for the Water Sector
• AWWA Manual of Water Supply Practice 19, Emergency Planning for Water Utilities (M19)
Current SFPUC Strategy/Resources
• AWWA J100-10 Risk and Resilience Management Standard
• Risk Analysis and Management for Critical Asset Protection (RAMCAP)
• Engage water operations staff to assist with RRA, based on J100
  • SFPUC Water Enterprise operating division liaisons, CISO, Customer Service, Finance.
  • Assist with RAMCAP classification, help determine most critical facilities, threats, risks and consequences.
• Consultant Support
  • Small TO open on open contract
  • Help with final RRA product, guide process
Practical Approach
• Leverage past studies/projects
  • Example: WSIP. Seismic resiliency, back up power.
• Cater RRA to SFPUC
  • Example: Assets should be critical to meeting LOS, integrate internal risks/consequences.
  • Integrate PSPS as a hazard.
• Assets
  • 2018 SRWSR
  • 2002 Vulnerability Assessment
  • Maximo
Focus is on ability to sustain function and defined Levels of Service, or withstand event and quickly return to LOS
RAMCAP
Tools: Threat Asset Matrix
Assets vs. Threats
• All assets vs. all threats
• Determine rough magnitude of consequences/impacts
  • small, significant, severe?
  • 1-10?
Select critical threat-asset pairs to be included in rest of process, or choose to evaluate all threat-asset pairs.
J-100 Appendix B Consequence Chart
J-100 Appendix B Vulnerability Chart
Analysis Example
Next Steps
• Narrow down Threat Asset pair focus:
  • Currently have over 500 TA pairs
  • Management/consultant review
• Financial, Cyber review
  • SCADA systems
  • Payment systems
• Choose a tool to assist in assigning ratings, RRA outputs
  • VSAT (Vulnerability Self Assessment Tool)
  • PARRE (Program to Assist Risk & Resilience Examination)