E•Train Spring 2002

Map helps small Montana utility develop vulnerability assessment, emergency response plan

By Ann Murray, NETCSC Contributing Writer

Editor's Note: The “Public Health Security and Bioterrorism Preparedness and Response Act of 2002” passed by Congress last year requires all community water systems serving more than 3,300 people to conduct an assessment of the system’s vulnerability to a terrorist or other intentional act, submit a copy of the assessment to the U.S. Environmental Protection Agency (EPA), and prepare or revise an emergency response plan that incorporates results of the vulnerability assessment. Under this new law, communities with fewer than 3,300 people are not required to perform vulnerability assessments or create emergency response plans, but EPA encourages them to
do so and is providing guidance to help smaller
communities undertake these challenging tasks. This article details how a small drinking water utility in Montana performed a vulnerability assessment and created an emergency response plan with the help of an assistance agency.

A Security camera enables the system operator to monitor activity at the plant. Photo by Sandra Fallon.

Human nature explains the scarcity of updated emergency response plans found among small water utilities, according to Paul Torok, a rural development specialist with Midwest Assistance Program (MAP), a regional affiliate of the Rural Community Assistance Program. “People like to put things off until they’re in a situation when it’s forced on them,” he says. Torok would know considering he has 24 years experience managing water and wastewater facilities and has spent the past three years providing rural systems with onsite technical assistance through his work with MAP.

Like most water professionals, Torok believes that the terrorist events of September 2001 have forced communities to re-examine the vulnerability of their infrastructure to unanticipated events. For small communities, the litany of possible emergency scenarios includes not only terrorism but vandalism and natural disasters as well.

Small communities are now seizing the opportunity to obtain funding to perform vulnerability assessments and to update or, in some cases, to create an emergency response plan (ERP) for their water systems. A vulnerability assessment helps water systems evaluate susceptibility to potential threats and identify corrective actions that can reduce or mitigate the risk of serious consequences from adversarial actions (e.g., vandalism, insider sabotage, terrorist attack, etc.). An emergency response plan is a written document that spells out a water system’s plan of action for responding to potential emergencies or disasters.

With a lack of time and resources to devote to security planning, some small systems have turned to assistance agencies like MAP for help in dealing with security issues. Over the past year, Torok helped a Montana community of 1,200 perform a vulnerability assessment and develop a water facility ERP from scratch. This utility, like other small utilities serving fewer than 3,300 people, is not legally required to assess its vulnerabilities, but it chose to follow the guidelines set forth in the “Public Health Security and Bioterrorism Preparedness and Response Act of 2002.” The utility, however, will not submit the vulnerability assessment or the certifications stating that it has completed a vulnerability assessment and emergency response plan to the U.S. Environmental Protection Agency (EPA), as larger communities are required to do under the law.

Security important for small systems
Although a thorough and effective security effort is critical in this post-September 11 era, the Montana community that Torok worked with—like many other small communities—was not thinking only about terrorist attacks when town council members contacted MAP for help.

“Small systems do not define security as the ability to prevent acts of terrorism, but rather the ability to prevent vandalism and loss of service to customers,” says Torok. He also points out that there are broader implications to man-made or natural disasters than just physical damage to facilities and service interruption. The health of system employees, the public, and the environment are potentially at stake during and after emergencies, he notes.

Small communities, says Torok, must also consider the effects of nature on their systems. Fire, floods, high winds, and extreme temperatures can wreak havoc on new and aging components. Therefore, a system’s ability to respond to many kinds of unforeseen events is critical.

But even with such high stakes in the offing, small communities often do not have the staff, the time, or the experience to route through governmental requirements, conduct evaluations, and prepare emergency response plans. Torok recommends that small utilities with limited resources follow the example of the Montana community and get help from an experienced third party. Assistance organizations, such as MAP, can help small communities with their security issues often at no charge.

Overcoming barriers to security planning

In his work as a rural development specialist with the Midwest Assistance Program, Paul Torok helps small water facilities perform vulnerability assessments and develop emergency response plans. Although each community he has worked with has its own set of circumstances, common issues have surfaced.

Torok finds that small communities must overcome barriers to getting emergency response plans in place. Common roadblocks they face include limited time and available resources, a lack of policies to addresss security issues, and an inablilty to prioritize security because of other pressing concerns, such as water quality and customer service. Torok says that these competing interests can take a toll on the local decision makers who must implement a security plan.

But Torok reiterates that while emergency response planning is a difficult and time consuming job, it must be done to safeguard the facility, staff, community, and environment.

Torok offers these suggestions for small communities that are about to create or revise thier ERP.

1. Contact a qualified third party to do the evaluation and assist in the development of the plan.

2. Create a team to work on the project.

3. Promote community spirit and the willingness to improve and safeguard the utility.

4. Evaluate and test the new plan.

5. Be willing to periodically revise the ERP because emergency response is a fluid, dynamic proposition. Staff, resources, and the environment change over time.

The first step: assess vulnerabilities
To help the Montana community, Torok began the process by assessing what was needed to secure the water system from vandalism, natural disasters, and terrorism. The evaluation started with a walking tour of system components. Torok and the system operator looked at storage, conveyance, treatment, and operations facilities.

Torok asked very specific questions while examining the water utility.

“The idea was to ask questions that would provide answers to things that are often overlooked,” says Torok. “‘Is the wellhead locked?’ ‘If not, how do we lock it with an inexpensive device?’ ‘Are the pumps and motor controls secure?’ ‘Are controls equipped with a password?’”

Following the walking tour, Torok and community members took questions and observations back to the town hall where they met for in-depth discussions. These discussions provided what Torok calls “basic background information”—details about inventory of equipment, staff, and mutual aid agreements with adjacent communities.

According to Torok, participants understood the importance of keeping this type of information inside the meeting. “Everyone involved was very willing to share and discuss any of the issues in the assessment,” he says. “However, it was made clear—and all persons involved agreed prior to meeting—that any matters that were discussed were considered confidential and would not be discussed in any way with persons outside of the group.”

Background information and the initial tour of the facility led to a discussion of which vulnerability assessment method the community would use.

Under Torok’s guidance, the community chose to use the Security Vulnerability Self-Assessment Guide for Small Drinking Water Systems developed by the National Rural Water Association (NRWA) and the Association of State Drinking Water Administrators (ASDWA). (The self-assessment guide is available through ASDWA’s Web site at www.asdwa.org.)

The NRWA/ASDWA vulnerability self-assessment is designed to address likely threats to small systems. The guide poses a series of questions that look at the condition, operation, and maintenance of pipes and conveyances; physical barriers such as fences; water collection, pretreatment, treatment, storage, and distribution systems; electronic, computer or other automated systems; and the use, storage, or handling of various chemicals. Answers to the assessment are indicated as “Yes” or “No” and space is available to identify actions needed to improve security.

Torok also emphasizes that anyone doing an assessment needs to take the time to do the actual walk-through of the facilities. “The point is that you can’t do the security analysis using the instrument while sitting in the office,” he says. “You have to get out and actually check to see what’s in place and what’s not.”

Torok offers fencing as a good example. He says it is easy to answer the question “Are facilities fenced?” with a “Yes,” but an onsite inspection might find any number of problems with the fence or its location. For example, the ground level might drop below the fence level, there might be trees or buildings near the fence that someone could climb to get over the fence, or the fence itself could be damaged.

Clearly this type of detailed site evaluation takes time, says Torok. But deficiencies in security are often brought to light and low-cost alternatives can be implemented and incorporated into the ERP. In this case, Torok offered simple suggestions to the Montana utility about protecting its wellhead without fencing it and securing windows with available materials.

External buildings, such as this outbuilding that houses an air compressor, should be locked and secured to prevent access. Photo by Sandra Fallon.

Systems should prepare Emergency Contact List

To be adequately prepared to respond to a potential emergency situation, emergency response expers recommend that water systems' emergency response plan include an Emergency Contact List. This list should include the name, phone number, back-up phone number, fax number, e-mail address, and mailing address for internal and external contacts, including the following:

Local law enforcement, emergency, fire, and medical contacts
Appropriate state and federal agencies
Local government contacts
Chlorine hazardous materials contacts
State drinking water agencies
Board members
Staff members
Professionals affiliated with the system
Technical assistance contacts
Other utilities
News media contacts
Insurance carriers
Critical customers

Putting the ERP together
Torok considers the vulnerability assessment to be just part of the prep work in putting together an effective emergency response plan. He says it was important for the Montana community to get the local department of emergency services, the police department, and the fire department to the table when the utility’s plan was created.

These local officials, along with representatives of other facilities subject to emergency planning requirements, community groups, and the media, are part of a Local Emergency Planning Committee (LEPC), one of about 3,500 such committees in the country. LEPCs are designated by State Emergency Response Commissions (SERCs) to prepare for and respond to emergencies involving hazardous materials. Because water and wastewater systems use, store, or handle hazardous materials such as chlorine, these utilities fall under the comprehensive emergency response plan of LEPCs. SERCs and LEPCs are mandated under the federal “Emergency Planning and Com-munity Right-to-Know Act.” (Systems may be able to find their local LEPC by accessing EPA’s Emergency Planning Committee Database on the Web at www.epa.gov/ceppo/lepclist.htm.)

Unsecured chlorine tanks can pose a major security risk. Photo by Sandra Fallon.

Not only are systems required to coordinate their emergency response plans with LEPCs, they depend upon them during and after an emergency. Torok says it is imperative that all entities know that the safety of the utility is a collaborative effort. The Montana utility’s
completed ERP will fold into an existing county-wide disaster mitigation plan. To that end, Torok emphasized the need for good communication between the water utility and the community.

"Create a team to work on the project and stay in touch," says Torok. "The team should include every entity that can play a role in emergency response, including the schools, civic groups, police and fire departments, the media, and other water systems."

Basic Components of a vulnerability assessment

According to guidelines issued by the US Environmental Protection Agency, a satisfactory vulnerability assessment should include the following elements:

1. Characterization of the water system, including its mission and objectives.

2.Identification and prioritization of adverse consequences to avoid.

3. Determination of critical assets that might be subject to malevolent acts that culd result in undesired consequences.

4. Assessment of the likelihood of such malevolent acts from adversaries.

5. Evaluation of existing countermeasures.

6. Analysis of current risk and development of a prioritized plan for risk reduction.

Source: Instructions to Assist Community Water Systems in Complying with the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, Water Protection Task Force, US Environmental Protection Agency, January 2003

After Torok and community members sat down with local first-responders, government contacts, and other local representatives, the utility’s ERP began to take shape. The ERP was tailored to address specific types of emergencies common to the utility’s geographic location, the resulting problems, and the parts of the system that would be affected. Infor-mation obtained through the vulnerability assessment proved to be useful in developing the ERP. According to Torok, the final ERP addressed the security weaknesses that became apparent during the vulnerability assessment.

Torok and the community expect the town council to officially adopt the ERP in March or April. After that, the utility will test and evaluate its new plan to make sure it works. The best way to do that, says Torok, will be through practice drills and evaluation. This way system personnel and the community will be aware of the plan’s strengths and weaknesses and will be able to make adjustments
to the ERP.

Basic Components of an emergency response plan

Rather than developing an emergency response plan (ERP) from scratch, systems may be able to obtain a sample ERP or template from their state drinking water agency. A completed ERP should incorporate the following basic components:

1. Specific goals and objectives for responding to an emergency.

2. A stategy for activating emergency plans

3. Personal assignments

4. Communication strategies and updated contact list.

5. Agreements with other organizations

6. Specific plans for handling specific disasters, pecific system components, security vreaches, or hazardous material releases/spills.

7. A distibution list of individuals possessing copies of the ERP for tracking all plan updates and modifications.

8. A legal and administrative basis

9. A classification of emergency conditions

10. Provisions for command and control, communications, emergency supplies and distribution, threat management, and plan review and revision.

Please note that the contents of an ERP may be dictated by state or local regulations or guidelines.

This information is adapted from the following sources: Emergency Planning for Water Utilitities: Manual for Water Works Association, 2001, Security Analysis & Response for Water Utilities, American Water Works Association, 2001.