Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
WaterISAC
April 29, 2020 @ 2PM ET
HOW TO DEVELOP AN EMERGENCY RESPONSE PLAN
SUPERCHARGE YOUR SECURITY
About WaterISAC
• Non-profit established by the water sector
• 3,000 members across several hundred utilities and other organizations
• WaterISAC provides members: – Physical and cyber security threat information
– Resilience and mitigation resources
– Pandemic resources
– Education and training through webinars
– Reports on physical and cyber incidents
– Twice-weekly newsletter
• Free 2-month Trial Membership: waterisac.org/membership
SUPERCHARGE YOUR SECURITY
Housekeeping
This webinar is being
recorded.
The recording and slide deck
will be available by tomorrow
at waterisac.org/webcasts.
Download the slide deck from
the Handouts tab on the
GoToWebinar control panel.
There will be a Q&A session
at the end.
SUPERCHARGE YOUR SECURITY
Upcoming ERP Webinars (WaterISAC members only)
• Tuesday, May 26: Part 2 - Building Blocks of Your ERP
• Tuesday, June 23: Part 3 - Capstone & Best Practices
Register:
waterisac.org/events
SUPERCHARGE YOUR SECURITY
Type and send
and your question
How to Ask a Question
© Arcadis 2019
Presenter Information
Sarah Moore, CEM
Senior Resilience Consultant
Long Island City, NY
614.985.9139
Susan Wyatt
Senior Resilience Consultant
Columbus, OH
614.985.9171
Webinar #1 Agenda: How to Develop an ERP
Introductions
AWIA 101
Build a Planning Team
ERP Resources
Planning Process
Q & A Session
Next Webinar
Water Sector Resilience Evolution
Guns
Guards
Gates
All Hazards Approach
Response
Recovery
Resilience
Bioterrorism
Act of 2002
Enterprise Risk &
Resilience Management
AWIA of 2018
Regulatory Compliance
Return on Investment
Best Practice
Proactive vs. Reactive
Water Industry Resilience Challenges
Source: 2018 AWWA State of the Water Industry
If you fail to prepare you
are preparing to fail”
- origin unknown “
© Arcadis 2019
10
Resilience
Investments
Why? Increase Resilience - Bounce Back
Time
Wate
r S
yste
m P
erf
orm
an
ce
Fully Recovered
Partially Recovered
Permanently Disrupted
Hazard
Event
Normal
Operation
Adapted from: Klise, 2016. Richards Et al., 2009.
Goal: Identify & Mitigate the Most Significant Risks
Due Diligence
© Arcadis 2019
State Regulatory Trends – Moving Towards Resilience
• Requires Asset Management Plans to Evaluate:
Power supply (primary and auxiliary)
Communication
Equipment and Supplies
Personnel Capabilities
Security
Emergency Procedures
Treatment Processes Capabilities
Conveyance/Distribution Capabilities
Vulnerability Assessment for criticality
New Jersey Ohio & Indiana
• Requires Asset Management & Emergency Preparedness Programs
Michigan – AM only
California – AWIA
More to come?
America's Water Infrastructure Act
Requires an Emergency Response Plan for any utility serving more than 3,300 customers
America’s Water Infrastructure Act of 2018
• Mandates water systems
serving >3,300 to:
Conduct Risk and Resilience
Assessment
Update RRA & Emergency
Response Plans every five
years
Certification Letter to EPA
Pipes
Infrastructure
Monitoring
Financial
Infrastructure
Chemicals O&M
Capital
Needs
Natural
Hazards
Cyber
Malevolent
Acts
AWIA
2018
Targeted
Risks
AWIA Deadlines to EPA
POPULATION SERVED
100k+
50K+<100k
3,300 < 50k
RISK & RESILIENCE ASSESSMENT DEADLINE
EMERGENCY RESPONSE PLAN DEADLINE
03/31/2020
12/31/2020
06/30/2021
09/30/2020
06/30/2021
12/30/2021
Certification letter required for each deadline. EPA penalty is up to $57,317/day.
EPA Deadline Extension?
• EPA Memo March 26
• “Will exercise enforcement discretion [penalties] resulting from COVID-19”
Having a global pandemic arise during
this important ERP time has been
disruptive/challenging… but it does
serve as a good reminder of why we
build these plans.”
- Kim Anderson, CAP-OM, Emergency Manager,
Portland, OR Water Bureau
“
Assessing Risk
• Risk Profile
• Increase Mitigation Measures
• Emergency Response Plans
Risk
Risk Calculation
Most critical assets/capability?
Relevant Threats?
Consequences of losing asset/capability
Protection of asset/capability?
Probability of threat?
Mitigation Prioritization?
AWIA Requirements
• Improve system resilience, including physical & cyber security
• Detect malevolent acts or natural hazards
• Lessen the impact of threats and hazards
• Identify alternate source water options
• Relocate water intakes
• Construct flood barriers
EMERGENCY RESPONSE PLAN
Prepare an ERP within six months of the initial risk and resilience assessment, to :
Emergency Response Plan
• Purpose - To identify and support specific response actions to be taken during an emergency to:
Protect employees & public
Preserve property
Protect the environment
Maintain operations & minimize
disruption to the public
System of Plans
AWIA Self Assessment
• Question: How do I get started?
• Answer: Internal Gap Analysis
List requirements vs. completed
What remains?
Who has the answers you will require?
Who needs to be involved?
Who needs to review or certify?
How will you protect the information?
© Arcadis 2019
Emergency & Security Program Building
Update VA
AWIA Compliance
Emergency
Response Plans
The Future:
Mitigation
RRA Report
RRA & ERP
Update ERPs
Risk Mitigation
Project List
J100 Compliant, Special
Project Integration
Build Program
Customized ERPs,
Training & Exercise
Integrated Enterprise
Risk & Resilience
Management
Basic Advanced
“Begin with the end in mind”
© Arcadis 2019
What are the key ERP topics for utilities?
COMMUNICATIONS
Internal & External
PROTECTION
Safety Programs
Pandemic
DOCUMENTATION
Incident Forms
OPERATIONS
Coordination & AWIA
EFFICIENCIES
NIMS/ICS Standards
RESPONSE TEAM
Roles & Responsibilities
FINANCE
Revenue & Cyber
Building a Planning Team
Don’t Plan in a Vacuum - Build Your Team
• ERP Meetings
Build the right team
Collect data/info
Review plans
Review RRA
Conduct meetings/workshops
Interview SMEs
Plans are worthless, but planning
is everything.” – Eisenhower, 1957
Submitted by Walter Barber, Safety & Compliance Officer,
Clayton County Water Authority
“
ERP Partners & Stakeholders
Building relationships today
helps solve problems
tomorrow.”
- Johnnie Mayfield, Birmingham Water
Works Board
Water/Wastewater
Utility
Local Emergency
Planning Committees
Local Fire, EMS,
and HazMat
Local Health
Department
Local Law
Enforcement
Local Civil
Government
Federal Bureau of
Investigation
Centers For Disease
Control and Prevention
EPA National Response
Center
Neighboring Utilities
EPA Regional Offices
State Emergency
Responders
State GovernmentPublic Health and
Environmental
Laboratories
State Drinking and Waste
Water Primacy Agencies
State Law
EnforcementMedia
State Emergency
Management
and
Homeland Security
Agencies
Local Emergency
Management
Host
Facilities
EPA Criminal
Investigation Division
Department of
Homeland
Security
Source: U.S. EPA
Know and involve your stakeholders.”
- Dusti Lowndes, Director of Emergency
Management, DC Water & Sewer Authority
Engage Emergency Managers
• Resources Contacts, equipment
Training & Exercises
• Communications Equipment
Messaging – 5 W’s
• Coordination Needs, tasks, and reporting
Credentials and site security
• Funding
25
A robust, multi-disciplinary emergency response plan is a critical element to ensuring your water systems’ continuous operation in times of crises… we owe it to our citizens... Don’t be caught unprepared
-Jacqueline Silva, MPA, CEM, Emergency Manager, San Antonio Water System
AWIA Requires Coordination with LEPCs
• AWIA Sec.1433(c): Community water systems (CWSs) shall coordinate with local emergency planning committees (LEPCs)… when revising their ERPs.
• AWIA Sec. 2018: Requires that CWSs receive prompt notification of any reportable release of an extremely hazardous substance (EHS) or a hazardous substance (HS) that potentially affects source water…..to prevent contaminated water from entering its system.
© Arcadis 2020
Established under “Right-to-Know”
AWIA requires LEPCs and SERCs to share data & notify
Emergency Planning and Community Right-To-Know Act of 1986 (42 U.S.C. 11001 et seq.)
Formed primarily in response to concerns over hazardous chemical releases
• Provides information about chemicals in the community to citizens
• LEPCs develop hazmat emergency response plans
© Arcadis 2020
Who is Represented on the LEPC?
LEPCs are usually welcoming, small groups
Must Include:
• Elected officials
• First responders, such as police, fire, public health, and emergency managers
• Environment, transportation, and hospitals
• Facilities with hazardous chemical inventories
• Community groups
• Media
© Arcadis 2020
How Can LEPCs Assist Utilities?
Assessment & Information
Training Share Resources
Planning Exercise Provide Guidance
Emergency Response Plan Resources
Preparedness Cycle
5
4
1
3
2
Plan
Organize /
Equip
Train
Exercise
Evaluate
Assess Risk
All-Hazards
Emergency
Response &
Recovery Plans
Capabilities Building
Org Chart, Equipment,
Resources, Budget,
Grants
SOPs, Incident
Command System &
Emergency Operations
Center
Workshops, Drills,
Tabletop,
Functional & Full
Scale Exercises
After-Action Reports &
Improvement Plans
Preparedness
Cycle
AWWA
G430 & 440
FEMA
CPG-101
THIRA & HMP
AWWA J100 AWWA M19
© Arcadis 2018
Standards, Guidance and Tools
© Arcadis 2018
A Standards Based Approach J100 Cyber
Frameworks
M19
Risk & Resilience Assessments
Risk to the system from malevolent acts and natural hazards
Resilience of physical and cyber assets
Monitoring practices of the system
Financial infrastructure of the system
Use, storage, or handling of various chemicals by the system
Operation and maintenance of the system
Optional – include an evaluation of capital and operational needs for risk and resilience
management or the system
Emergency Response Planning
Strategies and resources to improve the resilience of the system, including physical
security and cybersecurity
Response plans and procedures
Actions, procedures, and equipment which can obviate or significantly lessen the impact
of a threat or hazard
Strategies to support detection of malevolent acts or natural hazards that threaten the
security or resilience of the system
Coordinate with existing local emergency planning committees established pursuant to
EPCRA 1986 during ERP development
© Arcadis 2018
ANSI/AWWA M19 Chapters
• Preparedness Culture
• Risk and Resilience Assessment
• Developing an Emergency Response Plan
• Mutual Aid and Partnerships
• Internal and External Communications
• Training and Exercises
• Mitigation
© Arcadis 2018
Response Plans: NIMS & ICS
• Scalable, common framework
• Command & management structures
• Mutual aid & resources management
© Arcadis 2020
Complete NIMS Training
Why? First responder definition, all sectors
work together
Who? All personnel with an active role in
dealing with an emergency (i.e. supervisors
and lead workers at a minimum)
What? Four online courses: ICS-100, ICS-
200, IS-700, IS-800
How? FEMA’s Emergency Management
Institute (https://training.fema.gov/nims/)
Incorporate ICS training into your ERP
process…teaches the ICS structure &
importance of a systematic approach”
- Josh Smith, Superintendent, Industrial & Commercial
Accounts, BWWB
Operations-based Discussion-based
Multi-Year Training & Exercise Plan
CRAWL WALK RUN
Seminars
Workshops
Tabletops
Games
Drills
Functional
Full-Scale
38
Planning Process
CPG 101 Planning Process
Team 1 Situation 2 Goals 3 Develop 4 Write 5 Use 6
Form a Collaborative
Planning Team
• Identify Core Planning Team
• Engage the Whole Community in Planning
Understand the Situation
• Identify Threats and Hazards
• Assess Risk
Determine Goals and Objectives
• Determine Operational Priorities
• Set Goals and Objectives
Plan Development
• Develop and Analyze Course of Action
• Identify Resources
• Identify Information and Intelligence Needs
Plan, Preparation, Review, & Approval
• Write the Plan
• Review the Plan
• Approve and Disseminate the Plan
Plan Implementation &
Maintenance
• Exercise the Plan
• Review, Revise, and Maintain the Plan
Source: FEMA CPG-101 Figure 4.1: Steps in the Planning Process
Planning Schedule & Milestones
Team Meeting
90 days
5
Team Meeting
60 days
4 Team Meeting
30 days
3
Finalize & Self-Certification
6
Information Request
2 Kick-Off Meeting
1
ETA = 4 - 6 months
Writing, Compiling, or Updating the Plan
• Review existing plans
• Understand the system of plans, response structure
Every area of a system
could be a weak link…”
- Kim Anderson, Portland, OR
“ Every team member is vital in
the collection of information…”
- Victoria Bailey, Emergency Management
& Security Operations Coordinator,
Tarrant Regional Water District, TX
“
Review All Existing Plans
• Create an inventory of plans
Utility
City
County
State
• Identify dates, drafts, location, plan owners, etc.
• Any missing plans?
• Review your roles during an emergency
at the utility, and
within the community
Understand Your System of Plans
Source: FEMA CPG-101
© Arcadis 2020 29 April 2020
• What does the plan contain?
• Who maintains your local plan?
• Is your utility represented on the planning team?
• When was the plan last updated?
Local Hazard Mitigation Plan
How could this plan benefit your utility?
Writing, Compiling, or Updating the Plan
• Review existing plans
• Understand the system of plans, response structure
• Complete Base Plan section headings
• Gather or develop missing information “Be clear when requesting
information.”
- Jaimie Foreman, Drinking Water
Compliance Supervisor &
WT3/WT5 Certified Operator,
Carmel, IN Water
Picking a Plan Format
Picking a Plan Format: CPG-101
Source: FEMA CPG-101
Basic Plan a) Introductory Material
i. Promulgation Document/Signatures
ii. Approval and Implementation
iii. Record of Changes
iv. Record of Distribution
v. Table of Contents
b) Purpose, Scope, Situation Overview, & Assumptions
i. Purpose
ii. Scope
iii. Situation Overview
a) Hazard Analysis Summary
b) Capability Assessment
c) Mitigation Overview
iv. Planning Assumptions
c) Concept of Operations
d) Organization and Assignment of Responsibilities
e) Direction, Control, and Coordination
f) Information Collection, Analysis, and Dissemination
g) Communications
h) Administration, Finance, and Logistics
i) Plan Development and Maintenance
j) Authorities and References
Picking a Plan Format
Basic Plan
Functional
Annexes
Appendices
CWS ERP
Template
• Updated Guidance
• AWIA Elements
• Action Plans
• Incident Specific
Response Procedures
1. Utility Information
2. Resilience Strategies
3. Emergency Plans &
Procedures
4. Mitigation Actions
5. Detection Strategies
Writing, Compiling, or Updating the Plan
• Review existing plans
• Understand the system of plans, response structure
• Complete Base Plan section headings
• Gather or develop missing information
• Refine the narratives
• Decide on appendices and annexes
• Develop content over time
Analysis and reporting will
take time. Create a master
calendar w/ invites for
updates.”
- Kim Anderson, Portland, OR
“
Conclusions
© Arcadis 2018
• Utilities will have to continue to build resilience
• Use the consensus standards & resources
• Integrate into other planning processes
• Be prepared to do it again in 5 years!
Closing Thoughts
Get started sooner rather than later!
The main thing is to
keep the main thing the
main thing.”
- Stephen Covey [Jaimie]
© Arcadis 2019
Next Steps
Who is doing this work in your utility?
Build a Team
Final ERP & Certification Letter Deadline
Webinar #2: May 26th Building Blocks of Your ERP
© Arcadis 2019 Questions/Discussion
© Arcadis 2019
Contact Information
Sarah Moore, CEM
Senior Resilience Consultant
Long Island City, NY
614.985.9139
Susan Wyatt
Senior Resilience Consultant
Columbus, OH
614.985.9171