AWWA G430 2024
$76.92
AWWA G430-24 Security Practices for Operation and Management
| Published By | Publication Date | Number of Pages |
| AWWA | 2024 | 52 |
This standard covers the minimum requirements for a protective security program for a water, wastewater, or reuse utility. It can be referenced in the evaluation of security practices. The stipulations of this standard apply when this document has been referenced and then only to the security practices of the utility.
PDF Catalog
| PDF Pages | PDF Title |
|---|---|
| 1 | Document Article Figure G430-24 G430-24 ANSI/AWWA (Revision of ANSI/AWWA G430-14(R20)) Ideal crop marks AWWA Management Standard AWWA Management Standard Security Practices for Operation and Management Security Practices for Operation and Management Effective date: Aug. 1, 2024. First edition approved by Board of Directors Jan. 25, 2009. This edition approved Jan. 11, 2024. Approved by American National Standards Institute Feb. 26, 2024. Designation by the U.S. Department of Homeland Security SAFETY Act on Dec. 9, 2022. Figure Figure Since 1881SM Figure |
| 2 | AWWA Management Standard AWWA Management Standard This document is an American Water Works Association (AWWA) management standard. It is not a specification. AWWA management standards describe consensus requirements for utility management practices. The use of AWWA management standards is entirely voluntary. This standard does not supersede or take precedence over or displace any applicable law, regulation, or code of any governmental authority. AWWA management standards are intended to represent a consensus of the water industry of requirements and practi Note that this Standard was originally developed to incorporate the results of the NDWAC Report to USEPA on the “elements of an active and effective security program” for water-sector utilities. Following publication, this Standard was granted SAFETY Act designation as a Qualified Anti-Terrorism Technology. Although this Standard is voluntary, the prescriptive requirements included in the Standard (those expressed as “shall”) represent the minimum requirements that a utility must achieve to qualify for the American National Standard An American National Standard implies a consensus of those substantially concerned with its scope and provisions. An American National Standard is intended as a guide to aid the manufacturer, the consumer, and the general public. The existence of an American National Standard does not in any respect preclude anyone, whether that person has approved the standard or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standard. American National Sta Caution Notice: The American National Standards Institute (ANSI) approval date on the front cover of this standard indicates completion of the ANSI approval process. This American National Standard may be revised or withdrawn at any time. ANSI procedures require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of ANSI approval. Purchasers of American National Standards may receive current information on all standards by calling or writing the America [email protected] ISBN-13, print: 978-1-64717-182-7 ISBN-13, electronic: 978-1-61300-709-9 DOI: http://dx.doi.org/10.12999/AWWA.G430.24 All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including scanning, recording, or any information or retrieval system. Reproduction and commercial use of this material is prohibited, except with written permission from the publisher. Copyright © 2024 by American Water Works AssociationPrinted in USA All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including scanning, recording, or any information or retrieval system. Reproduction and commercial use of this material is prohibited, except with written permission from the publisher. Please send any requests or questions to [email protected]. |
| 3 | Committee Personnel Committee Personnel The AWWA Standards Committee on Security Practices for Operation and Management, which reviewed and approved this standard, had the following personnel at the time of approval: Andrew Ohrt, Chair Consumer Members C. Herndon, Herndon Solutions Group, Las Vegas, Nev. I. Jones, Alexandria, Va. J.W. McLaughlin, Highfill, Mint Hill, N.C. A. Ohrt, West Yost Associates, Duluth, Minn. K. Owens, Control Cyber, Inc., Pullman, Wash. C.R. Sapp, Arcadis, Virginia Beach, Va. L.P. Warren, Launch! Consulting Inc., Charlottesville, Va. Management Interest Members C.L. Bowen, Pleasant Hill, Calif. T.A. Kelly (liaison, nonvoting), Standards Council Liaison, Martinsburg, W.Va. K. Morley, AWWA, Washington, D.C. E.S. Ralph (liaison, nonvoting), Standards Engineer Liaison, AWWA, Denver, Colo. User Members R. Axtell, City of Sacramento, Folsom, Calif. J. Hines, Las Vegas Valley Water District, Las Vegas, Nev. M.I. Inyang, Massachusetts Water Resources Authority, Southborough, Mass. Mike Stuhr, Chiloquin, Ore. J. Taussig, Denver Water, Denver, Colo. |
| 5 | Foreword Foreword Foreword I Introduction ……………………………… vii I Introduction ……………………………… vii I.A Background ………………………………. vii I.A Background ………………………………. vii I.B History …………………………………….. viii I.B History …………………………………….. viii I.C Acceptance ……………………………….. viii I.C Acceptance ……………………………….. viii II Special Issues …………………………….. viii II Special Issues …………………………….. viii II.A Advisory Information on II.A Advisory Information on Application of Standards ……….. viii II.B Origination of Standard ……………… ix II.B Origination of Standard ……………… ix II.C SAFETY Act Designation ……………. ix II.C SAFETY Act Designation ……………. ix III Use of This Standard ………………….. ix III Use of This Standard ………………….. ix III.A Options and Alternatives …………….. ix III.A Options and Alternatives …………….. ix III.B Modification to Standard ……………. ix III.B Modification to Standard ……………. ix IV Major Revisions …………………………. ix IV Major Revisions …………………………. ix V Comments ……………………………….. x V Comments ……………………………….. x Standard Standard 1 General 1 General 1.1 Scope……………………………………….. 1 1.1 Scope……………………………………….. 1 1.2 Purpose ……………………………………. 1 1.2 Purpose ……………………………………. 1 1.3 Application ……………………………….. 1 1.3 Application ……………………………….. 1 2 References ……………………………….. 1 2 References ……………………………….. 1 3 Definitions ………………………………. 2 3 Definitions ………………………………. 2 4 Requirements 4 Requirements 4.1 Explicit Commitment to Security …. 6 4.1 Explicit Commitment to Security …. 6 4.2 Security Culture ………………………… 7 4.2 Security Culture ………………………… 7 4.3 Defined Security Roles and 4.3 Defined Security Roles and Employee Expectations………….. 7 4.4 Up-to-Date Assessment of Risk ……. 8 4.4 Up-to-Date Assessment of Risk ……. 8 4.5 Resources Dedicated to Security 4.5 Resources Dedicated to Security and Security Implementation Priorities ……………………………… 9 4.6 Access Control and Intrusion 4.6 Access Control and Intrusion Detection ……………………………. 9 4.7 Contamination Detection, 4.7 Contamination Detection, Monitoring, and Surveillance …. 12 4.8 Information Protection and 4.8 Information Protection and Continuity ………………………….. 15 4.9 Design and Construction ……………. 17 4.9 Design and Construction ……………. 17 4.10 Threat-Level–Based Protocols ………. 18 4.10 Threat-Level–Based Protocols ………. 18 4.11 Emergency Response and Recovery 4.11 Emergency Response and Recovery Plans and Business Continuity Plan ……………………………………. 19 4.12 Internal and External 4.12 Internal and External Communication …………………… 20 4.13 Partnerships ………………………………. 21 4.13 Partnerships ………………………………. 21 5 Verification 5 Verification 5.1 Documentation Required ……………. 22 5.1 Documentation Required ……………. 22 5.2 Human Resources ……………………… 25 5.2 Human Resources ……………………… 25 5.3 Equipment ……………………………….. 25 5.3 Equipment ……………………………….. 25 6 Delivery …………………………………… 25 6 Delivery …………………………………… 25 xes Appendi A Resources …………………………………. 27 B Bibliography ……………………………… 39 Table 1 Supporting Documentation 1 Supporting Documentation Required by this Standard by Section ……………………………….. 23 |
| 7 | Foreword Foreword This foreword is for information only and is not a part of ANSI*/AWWA G430. * American National Standards Institute, 25 West 43rd Street, Fourth Floor, New York, NY 10036. * American National Standards Institute, 25 West 43rd Street, Fourth Floor, New York, NY 10036. I. Introduction I.A. Background. The AWWA Management Standards Program is designed to serve water, wastewater, and reuse utilities and their customers, owners, service providers, and government regulators. The standards developed under the program are intended to improve a utility’s overall operation and service. Among these standards is this effort to establish formal management and operational guidelines. These guidelines identify appropriate practices, procedures, and behaviors—the implementation of which will provide e AWWA’s standards process has been used for more than 100 years to produce American National Standards Institute (ANSI)-recognized standards for materials and processes that are used by the water sector. These standards are recognized worldwide and have been adopted by many utilities and organizations. Likewise, this management standard is developed using the same ANSI-recognized formal process. Volunteer standards committees establish standard practices in a uniform and appropriate format. Formal standards committees have been and continue to be formed to address the individual standard practices for the diverse areas of the water sector. A formal standards committee was created in 2007 to develop a standard for security. This standard is the outcome of the Security Practices for Operation and Management Committee. The Utility Management G-Series Standards were developed to assist utilities with identifying and implementing applicable best management practices. To further enhance the use of the Standards, the AWWA Utility Quality Management Committee developed both self-assessment and peer-review programs to assist utilities that choose to meet performance criteria contained within the Standards. The Committee developed a framework for the stringent expectations of all Utility Management Standards, as follows: • Utility Management Standards are voluntary, and their intent is to provide guidance toward best management practices. • Requirements set forth in the Standards describe best practices that are achievable but not necessarily the best of class. |
| 8 | • The language used in the Standards should avoid requirements related to numeric values and words such as “shall” or “must” in areas that describe or could be considered in exceedance of existing local and/or federal regulations. I.B. History. The first edition of this standard was approved by the AWWA Board of Directors on Jan. 25, 2009. The second edition was approved on June 8, 2014, and reaffirmed on Oct. 26, 2020. This edition was approved on Jan. 11, 2024. I.C. Acceptance. No applicable information for this standard. II. Special Issues. II.A. Advisory Information on Application of Standards. This standard includes only those requirements that are limited exclusively to security practices for operation and management of a drinking water, wastewater, or reuse system. Separate standards will cover utility programs such as distribution system operation and management, emergency preparedness, financial management, water collection and treatment, source water protection, communication and customer relations, and business systems. The America’s Water Infrastructure Act (AWIA) of 2018 (PL 115-270) requires community water systems serving a population of more than 3,300 to prepare a risk and resilience assessment and emergency response plan every five years. The risk and resilience assessment must consider threats from both malevolent acts and natural hazards that could affect the mission of the utility due to physical or cyber incidents. The findings of the risk and resilience assessment must then be used to inform the development of • ANSI/AWWA J100—Risk and Resilience Management of Water and Wastewater Systems • ANSI/AWWA G440—Emergency Preparedness Practices • AWWA M19—Emergency Planning for Water and Wastewater Utilities • AWWA Water Sector Resource Typing Guidance • ANSI/AWWA G300—Source Water Protection • AWWA Water Sector Cybersecurity Risk Management Guidance and Assessment Tool |
| 9 | II.B. Origination of Standard. This standard originates from recommendations prepared by the US Environmental Protection Agency (USEPA)’s National Drinking Water Advisory Council (NDWAC) on water security practices, incentives, and measures, dated June 2005. A subsequent workgroup was convened in February 2007 by the Critical Infrastructure Partnership Advisory Council (CIPAC) to develop a national performance measurement system and revise the NDWAC recommendations to track with the Water Sector-Specific Pl † National Drinking Water Advisory Council, Office of Ground Water and Drinking Water (4601), Ariel Rios Building, 1200 Pennsylvania Avenue, NW, Washington, DC 20460. National Drinking Water Advisory Council, Office of Ground Water and Drinking Water (4601), Ariel Rios Building, 1200 Pennsylvania Avenue, NW, Washington, DC 20460. † ‡ Critical Infrastructure Partnership Advisory Council, US Department of Homeland Security, Washington, DC 20528. Critical Infrastructure Partnership Advisory Council, US Department of Homeland Security, Washington, DC 20528. ‡ II.C. Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act Designation. The ANSI/AWWA standards G430 and J100 have been awarded SAFETY Act designation by the US Department of Homeland Security. The designation carries important liability protection for the association and for utilities that properly implement these standards. The SAFETY Act of 2002 was enacted by Congress in the wake of the terrorist attacks on Sept. 11, 2001. The SAFETY Act was created in part because of the extraordinarily large liability entities might face if a terrorist attack occurs despite deployment of anti-terrorism security measures already in place. Congress designed the SAFETY Act as an incentive for the creation and deployment of technologies and services with anti-terrorism capabilities. Under the SAFETY Act designation, both the entity that create III. Use of This Standard. It is the responsibility of the user of an AWWA standard to determine that the products described in that standard are suitable for use in the particular application being considered. III.A. Options and Alternatives. There is no applicable information in this section. III.B. Modification to Standard. No applicable information for this section. IV. Major Revisions. The major changes made to the standard in this revision include the following: 1. Added a paragraph on the background of the AWWA Utility Management G-Series standards to Sec. I.A. of the Foreword. |
| 10 | 2. Added background on AWIA of 2018 to Sec. II.A of the Foreword. 3. Incorporated the AWIA of 2018 for Risk and Resilience Assessments and Emergency Response Plans requirements where applicable throughout standard. 4. Updated requirements for cybersecurity throughout. 5. Improved consistency with ANSI/AWWA J100 and ANSI/AWWA G440. 6. Updated Section 2 References. 7. In Section 3 Definitions, revised numerous definitions and added new definitions for AWIA, Risk and Resilience Assessment, and Risk and Resilience Management. 8. Added a new Sec. 4.7.7 Source water protection. 9. Added a new Sec. 4.9.1.3 Process control system design features. 10. Added a new Sec. 4.10.3 Monitor available threat information specific to enterprise systems. 11. Added a new Sec. 4.11.6 Response to enterprise systems. 12. Added new Secs. 4.13.1.3, 4.13.1.4, and 4.13.1.5 on establishing mutual aid relationships. 13. Updated Sec. A.2 Water Security Initiative Phase III with additional guidance. 14. Deleted Sec. A.4 Guidelines for Physical Security of Water and Wastewater/Stormwater Utilities. 15. Deleted Sec. A.5 Response Protocol Toolbox. 16. Added a new Sec. A.6 AWIA of 2018. Section 2013 Community Water System Risk and Resilience. V. Comments. If you have any comments or questions about this standard, please contact AWWA Engineering and Technical Services at 303.794.7711; write to the department at 6666 West Quincy Avenue, Denver, CO 80235-3098; or e-mail at . [email protected] |
| 11 | G430-24 G430-24 ANSI/AWWA (Revision of ANSI/AWWA G430-14(R20)) ® AWWA Management Standard AWWA Management Standard Security Practices for Operation and Management SECTION 1: GENERAL |
| 12 | America’s Water Infrastructure Act (AWIA) of 2018 (PL 115-270). ANSI*/AWWA G440—Emergency Preparedness Practices. * American National Standards Institute, 25 West 43rd Street, 4th Floor, New York, NY 10036. * American National Standards Institute, 25 West 43rd Street, 4th Floor, New York, NY 10036. ANSI/AWWA J100—Risk and Resilience Management of Water and Wastewater Systems. AWWA Process Control System Security Guidance for the Water Sector (2017). AWWA Water Sector Cybersecurity Risk Management Guidance and Assessment Tool. AWWA Water Sector Cybersecurity Risk Management Guidance for Small Systems. AWWA Water Sector Resource Typing Guidance. Idaho National Laboratory (INL)—Cyber-Informed Engineering Implementation Guide (2023). † Idaho National Laboratory, 1955 North Fremont Avenue, Idaho Falls, ID 83415. Idaho National Laboratory, 1955 North Fremont Avenue, Idaho Falls, ID 83415. † National Electric Code Article 708®. Water Research Foundation (WRF)— (2008). ‡ Water Research Foundation, 6666 West Quincy Avenue, Denver, CO 80235. Water Research Foundation, 6666 West Quincy Avenue, Denver, CO 80235. ‡ Business Continuity Planning for Water Utilities SECTION 3: DEFINITIONS The following definitions shall apply in this standard. 1. All hazards: An approach for prevention, protection, preparedness, response, and recovery that addresses a full range of threats and hazards, including domestic terrorist attacks, natural and man-made disasters, accidental disruptions, and other emergencies. 2. Asset: An item of value or importance. In the context of critical water and wastewater infrastructure, an asset is something of importance or value that, if targeted, exploited, destroyed, or incapacitated, could result in serious interruption of the water supply to the community, illness and/or injury, death, economic damage to the community, financial damage to the owner of the asset, destruction of property, or environmental damage or could profoundly damage a utility’s reputation, public confidence, |
| 13 | • Critical asset is an asset whose absence or unavailability would significantly degrade the ability of a utility to carry out its mission or would have unacceptable financial, political, or physical consequences for the utility, the community, or the environment. 3. AWIA: America’s Water Infrastructure Act (AWIA) of 2018 (PL 115-270). Additional information on AWIA can be found in Appendix A, Sec. A.6. 4. Business continuity plan (BCP): A plan designed to maintain essential business functions and preserve the utility’s ability to perform its mission or function during an incident and recovery. For example, a BCP should be designed to preserve the utility’s ability to acquire and pay for essential supplies, personnel, components, or services; to receive funds; and to maintain a record of all transactions for subsequent accounting, billing, or reimbursement. 5. Consequence: The immediate, short-term, and long-term effects of a malevolent attack or natural, technological, or human-caused hazard. These effects include losses suffered by the owner of the asset and by the community served by that asset. They include human and property losses, environmental damages, and lifeline interruptions. 6. Incident: An occurrence (natural or human caused) that requires a response to protect life, property, continued service, the environment, or customer confidence. Incidents are unplanned and may include major disasters, emergencies, terrorist attacks, terrorist threats, civil unrest, wildfires, floods, hazardous material spills, nuclear accidents, earthquakes, hurricanes, tornadoes, tropical storms, tsunamis, public health and medical emergencies, and other occurrences requiring an emergency response. 7. Incident command system (ICS): A standardized on-scene, all-hazards incident management concept that allows its users to adopt an integrated organizational structure to match the complexities and demands of single or multiple incidents without being hindered by jurisdictional boundaries. ICS is a scalable response to an emergency of any magnitude and provides a common framework within which responders from multiple agencies can work together. 8. InfraGard: InfraGard is an information-sharing and analysis effort serving the interests and combining the knowledge bases of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation* (FBI) and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. |
| 14 | * FBI Headquarters 935 Pennsylvania Avenue, NW, Washington, D.C. 20535. * FBI Headquarters 935 Pennsylvania Avenue, NW, Washington, D.C. 20535. 9. Intrusion detection system (IDS): Intrusion detection for enterprise systems, supervisory control and data acquisition (SCADA), and process control systems is not a single product or a single piece of technology, even though commercial systems are available. Instead, intrusion detection is a comprehensive set of tools and processes providing network monitoring that can give an administrator a complete picture of how the network is being used. Implementing a variety of these tools helps to create a defens 10. National Incident Management System (NIMS): NIMS was developed by the US Department of Homeland Security (DHS) in response to Homeland Presidential Decision Directive 5 (HSPD-5) so that responders from different jurisdictions and disciplines can work together to better respond to natural disasters and emergencies, including acts of terrorism. NIMS benefits include a unified approach to incident management, standard command, and management structures. NIMS emphasizes preparedness, mutual aid, and resourc 11. National Infrastructure Protection Plan (NIPP): The NIPP is a strategy developed by the US DHS in response to HSPD-7 (since superseded by Presidential Decision Directive 21) that sets forth a comprehensive risk-management framework and clearly defines critical infrastructure protection roles and responsibilities for the DHS; federal sector risk-management agencies (SRMAs); and other federal, state, local, tribal, and private sector partners. The NIPP outlines the approach used to establish national prio 12. Physical hardening: A process designed to deter and/or help mitigate physical damage, service disruption, or other serious consequences of an attack by making the facility harder to attack, delaying entry until responders arrive, or reducing the effect that an attack may have. |
| 15 | 13. Preparedness: A continuous cycle of planning, organizing, training, equipping, exercising, and evaluating for emergency situations and taking corrective action in an effort to ensure effective coordination during the incident response and recovery, including continuity of operations plans, continuity of government plans, and preparation of resources for rapid restoration of function. 14. Risk: A function of the following: (1) consequences; (2) hazard frequency or threat likelihood; and (3) vulnerability, which, with point estimates, is the product of these three terms. It is the expected value of the consequences of an initiating event weighted by the likelihood of the event’s occurrence and the likelihood that the event will result in the consequences, given that it occurs. Risk is based on identified events or event scenarios. 15. Risk and Resilience Assessment: To comply with AWIA, a Risk and Resilience Assessment shall include an assessment of the following: • the risk to the system from malevolent acts and natural hazards; • the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) that are used by the system; • the monitoring practices of the system; • the financial infrastructure of the system; • the use, storage, or handling of various chemicals by the system; and • the operation and maintenance of the system. The assessment may include an evaluation of capital and operational needs for risk and resilience management for the system. 16. Risk and Resilience Management: A deliberate process of deciding whether actions are needed to reduce risk, improve resilience, or both and, if so, which options are most effective and efficient. If risk reduction or resilience enhancement is needed, decide on and implement one or a portfolio of options (e.g., establishing or improving security countermeasures, designing in consequence mitigation, building in redundancy, entering into mutual aid pacts, creating emergency response plans, or training and |
| 16 | 17. Security plan: A comprehensive plan, developed by the utility, that includes its security goals, objectives, strategies, policy or policies, and procedures. The security plan should coordinate closely with the utility’s emergency preparedness and response plan, business continuity plan, and cybersecurity response plan. 18. Vulnerability: An inherent state of a system (e.g., physical, technical, organizational, cultural) that can be exploited by an adversary or affected by a natural hazard to cause harm or damage. 19. Water sector: The NIPP defines the water sector as both drinking water and wastewater utilities. For the purpose of this standard, this definition will expressly include water reclamation or reuse facilities. 20. Water Sector Information Sharing and Analysis Center (WaterISAC): WaterISAC is a highly secure, subscription-based Internet portal that provides a source for sensitive security information and alerts to help the drinking water and wastewater community protect consumers and the environment. † WaterISAC, 1620 I Street, NW, Suite 500, Washington, DC 20006. WaterISAC, 1620 I Street, NW, Suite 500, Washington, DC 20006. † SECTION 4: REQUIREMENTS This standard is intended to apply to water, wastewater, or reuse utilities, regardless of size, location, ownership, or regulatory status. This standard builds on the long-standing practice among utilities of using a multiple-barrier approach for the protection of public health, public safety, and the environment. The requirements of this standard are designed to support a protective utility-specific security program that will result in consistent and measurable outcomes. Sec. 4.1 Explicit Commitment to Security 4.1.1 Explicit and visible commitment of senior leadership to security. The utility shall establish an explicit, visible, easily communicated, and enterprise-wide commitment to security. This shall be represented by the development of security policies, procedures, and plans implemented as part of daily operations visible to employees and customers. 4.1.1.1 Periodic review and update of security plan, policies, or documents. The utility shall establish and maintain a schedule for periodic review of its security plan, policies, and documents and update them as needed. The schedule for review shall not exceed five years but can be more frequent based on operational changes or other incidents that warrant further review. Community water systems serving more than 3,300 people must comply with the requirements of AWIA for performance of a Risk and Resilienc |
| 17 | Sec. 4.2 Security Culture 4.2.1 Promote security awareness throughout the utility. The utility shall promote a culture whereby every person understands, appreciates, and contributes to enhanced security. 4.2.1.1 Employee reports and suggestions. The utility shall establish a process for employees to report security violations or concerns and to make suggestions for improvement. 4.2.1.2 Employee training. The utility shall train employees and other responsible parties in security awareness, individual responsibility, and appropriate responses. 4.2.1.3 Incorporating security into job descriptions. The utility shall include security in job performance evaluations and rate employees, including top management, on their performance. 4.2.1.4 Measure security activities and progress. The utility shall establish a means of measuring security activity, establish goals for improvement, and monitor progress. Improvement goals requiring significant investment should be considered in the utility’s budgetary process. This can be best accomplished by integrating risk and resilience management strategies from a Risk and Resilience Assessment into plans such as those focused on capital improvements. 4.2.1.5 Visible identification. The utility shall establish a means of visible identification of employees and others authorized to access utility facilities and ensure that every person routinely complies. 4.2.2 Reward employees for appropriate security activities. The utility is encouraged to have a means of rewarding appropriate security awareness by employees and others. Sec. 4.3 Defined Security Roles and Employee Expectations 4.3.1 Identify managers and employees who are responsible for security. The utility shall identify managers and employees responsible for creating, maintaining, and implementing the security plan; for performing the Risk and Resilience Assessment and implementing and maintaining risk and resilience management strategies; and for providing security leadership. Other security-related roles and responsibilities include security program management, physical intrusion and contamination detection, and incident co |
| 18 | 4.3.2 Establish security expectations for staff. The utility shall identify and disseminate security expectations for staff and periodically review performance. Sec. 4.4 Up-to-Date Assessment of Risk 4.4.1 Perform a Risk and Resilience Assessment. The utility shall perform a Risk and Resilience Assessment. The utility’s Risk and Resilience Assessment may use publicly or commercially available tools, consistent with ANSI/AWWA J100, that allow the assessment to be replicated and based on the following steps: 1. Asset Characterization 2. Threat Characterization 3. Consequence Analysis 4. Vulnerability Analysis 5. Threat Analysis 6. Risk and Resilience Analysis 7. Risk and Resilience Management 4.4.2 Review and update. The utility shall review and update its Risk and Resilience Assessment as new hazards and threats emerge, when facilities are constructed or removed from service, and when other changes occur that significantly affect the operating environment. 4.4.2.1 Periodic review. The utility shall establish and maintain a schedule for periodic review and update of the Risk and Resilience Assessment, including its analysis and risk and resilience management strategies, based on the utility-specific circumstances. The schedule for review shall not exceed five years but can be more frequent based on operational changes or other incidents that warrant further review. Community water systems serving more than 3,300 people must comply with the requirements of AWIA |
| 19 | Sec. 4.5 Resources Dedicated to Security and Security Implementation Priorities 4.5.1 Sustain focus on security. The utility shall sustain a focus on security by maintaining security as a current priority. 4.5.1.1 Maintain focus. Executives and line managers shall maintain a focus on security throughout the years by doing one or more of the following items or a defined alternative: • Include security in periodic progress reports to the governing body; • Make security a standing item on executive management agendas; • Make security a routine item in manager or supervisor meetings with employees or other authorized persons; and • Make security an explicit component of capital improvement planning and operations planning. 4.5.1.2 Resources. The utility shall invest staff time and resources in security by including security considerations in budgets for personnel and training. The utility may consider having trained and certified security staff or explicitly assigning security responsibilities to existing staff and budgeting accordingly. 4.5.1.3 Exercises. The utility shall include security exercises in operational planning and should identify associated training costs in budgets as appropriate. If circumstances warrant, the utility should consider performing a third-party security assessment with penetration testing on an annual basis, during major upgrades or retrofits, or when designing new facilities. 4.5.2 Identify security priorities. The utility shall establish and implement security priorities based on its Risk and Resilience Assessment (see Sec. 4.4). 4.5.2.1 Integrate security plan. The utility shall integrate risk and resilience management strategies with other operational plans and investments and shall establish the appropriate relationship of security priorities based on the utility’s Risk and Resilience Assessment in context with other organizational priorities. 4.5.2.2 Identify resources required for the security plan. The utility shall identify and commit resources dedicated to security programs and planned security improvements. Based on the relationship with other organizational priorities, the utility shall identify and plan for the resources required to maintain the security program and make necessary improvements. Sec. 4.6 Access Control and Intrusion Detection 4.6.1 Identify utility assets requiring access control. Through the Risk and Resilience Assessment or other means, the utility shall identify assets or facilities that require controlled access based on criticality to maintain normal operations (identified critical assets). |
| 20 | 4.6.2 Establish and maintain physical control of access to identified critical assets. The utility shall establish and maintain a means of physically controlling access to identified critical assets. Examples of physical access controls include the following and can be used individually or in combination: • Substantial buildings with intrusion prevention devices on windows and access points • Fences • Barriers • Locked gates, hatches, and doors • Tamper-resistant devices at key distribution or collection points 4.6.3 Implement inspections of identified critical assets. The utility shall implement and maintain inspections to ensure that security features are adequate and functioning and to identify whether any corrective work is necessary to maintain access control or other security features. The schedule for inspection shall be at the least annually but can be more frequent based on observations or other incidents that warrant further review. 4.6.4 Establish and maintain a means of detecting and assessing intrusion. The utility shall establish and maintain a means of detecting and assessing intrusion into identified critical assets by unauthorized persons in a manner that is timely and enables the utility to respond effectively. Monitoring for physical intrusion can include physical and procedural improvements. Examples of physical improvements include installing detection devices such as motion detectors and intrusion alarms or improved assessm 4.6.5 Establish and maintain procedures to control personnel access to identified critical assets. The utility shall establish and maintain procedural controls to limit access to identified critical assets to authorized persons only. Examples of procedural access controls include the following and can be used individually or in combination: • Inventory and control keys if keyed locks are used • Utilize key card–, key fob–, biometric– (fingerprint, retina scan, etc.), or personal identification number (PIN)–based access control systems |
| 21 | • Develop procedure that limits access rights to employees to maximum extent possible • Develop hierarchical key and/or access card system to limit access to extent possible • Change access codes regularly • Require security passes for access • Establish a security presence at access points • Require visitors to have scheduled appointments and/or have a protocol to address unscheduled visitors • Require employees and other authorized persons to display identification at all times when on site, if appropriate • Require visitors to sign in and display identification at all times when on site • Implement chemical delivery and testing procedures, including chain-of-custody control and tamper-evident packaging requirements • Implement unique chemical delivery point connection devices, locks, and prominent identification to prevent mixing of chemicals • Escort vendors and chemical deliveries when on site • Limit delivery hours • Check deliveries to ascertain the nature of the material 4.6.6 Establish and maintain a means of restricting authorization for access. The utility shall establish and maintain a means of restricting unescorted access to identified critical assets. 4.6.6.1 Background checks. Where legally permissible and appropriate, the utility shall institute a system of routine background checks on employees, contractors, temporary workers, or any other person authorized to access identified assets without an escort. The level or complexity of background checks utilized should be commensurate with the level of access and the privileges granted to the person. Other benefits of background checks, depending on the level that is employed, may include verifying identity 4.6.6.2 Other means of identity verification. When background checks are not permitted or appropriate, the utility shall establish a defined alternative method of verifying identity and granting access rights and privileges to a person seeking authorization. |
| 22 | 4.6.7 Establish a protocol for employees or others who have been terminated, have resigned, or have had a relevant change of status. The utility shall establish and maintain a protocol to manage credentials, recover keys, revise passwords, and take other appropriate actions immediately on termination, resignation, or reassignment of an employee or the relevant change of status of other personnel who have access to high-risk assets. Other personnel may include vendors, consultants, contractors, public offici 4.6.8 Testing. The utility shall test physical and procedural access controls routinely to ensure performance. The tests shall be conducted annually or more frequently if required by law or regulation. Sec. 4.7 Contamination Detection, Monitoring, and Surveillance 4.7.1 Surveillance and response for chemical, biological, or radiological contamination. The utility shall develop and implement a surveillance and response system. A surveillance and response system provides a proactive approach to managing threats that uses monitoring technologies/strategies and enhanced surveillance activities to collect, integrate, analyze, and communicate information. However, it should not be merely a collection of monitors and equipment placed throughout a distribution or collection system to alert of intrusion or contamination but rather should be an exercise in information acquisition and management. Different information streams are captured, • Online water quality monitoring involves monitoring for typical water quality parameters throughout the distribution or collection system and comparison with an established base-state to detect possible contamination incidents. The utility should stay current on developments in online contaminant monitoring systems and should consider implementing such systems if feasible. |
| 23 | • Sampling and analysis involve the collection of samples that are analyzed for various contaminants and contaminant classes for the purpose of establishing a baseline of contaminant occurrence (contaminants detected, levels detected, and frequency of detections) and method performance, as well as for the purpose of investigating suspected contamination incidents triggered by other monitoring and surveillance components. • Enhanced security monitoring includes the equipment and procedures that detect and respond to security breaches at distribution or collection system facilities. • Consumer complaint surveillance enhances and automates the collection and analysis of consumer calls reporting unusual water quality concerns and compares trends against an established base-state to detect possible contamination incidents. • Public health surveillance involves the analysis of health-related data sources to identify illness in the community that may stem from drinking water contamination. The utility is directed to Appendix A, Sec. A.2—Water Security Initiative for more discussion of guidance developed by USEPA and others. 4.7.2 Monitoring or surveillance of indicators of contamination. Although typical water quality parameters (surrogate parameters) may not be a direct indication of chemical, biological, or radiological contamination, the utility may find that monitoring surrogate parameter concentrations or trends is useful and appropriate in its individual circumstance. Recognizing that surrogate parameter changes may be difficult to interpret from a security perspective, the utility should review and consider any physical • Pressure change abnormalities • Free and total chlorine residual • Temperature • Dissolved oxygen • Conductivity • Oxygen-reduction potential • Total dissolved solids • Turbidity • pH |
| 24 | • Color • Odor • Taste Among the parameters that could be considered for monitoring wastewater collection systems are pH and volatile organic carbon. 4.7.3 Laboratory testing for contaminants. The utility shall routinely sample and monitor the water or wastewater system as required by law or regulation and shall include additional test parameters or elevated sampling frequencies if appropriate to a specific security concern or threat notification. The utility should consider identifying and prequalifying laboratories that have the necessary capabilities. 4.7.4 Communication with customers and public health authorities as a means of identifying contamination. The utility shall monitor customer complaints and initiate or improve communication with local public health authorities or networks and health care facilities such as hospitals and emergency departments. 4.7.4.1 Documentation of complaints. The utility shall establish a means to record and analyze customer complaints and evaluate them as an indicator of possible system contamination. This process should include communication with customer communities that receive bulk water deliveries, if appropriate. 4.7.4.2 Communication. The utility shall establish and maintain two-way communication and relationships with local public health authorities and health providers to expedite the potential identification of public health anomalies that may be indicators of system contamination. 4.7.5 Adjacent utilities. The utility shall establish and maintain two-way communication with adjacent utility systems to identify any contamination. In the case of a water utility, this may be an upstream water or wastewater utility. In the case of a wastewater utility, this may be downstream users or others that assess the receiving stream quality. 4.7.6 Incident detection and response. The utility shall establish written procedures for, at a minimum, the following key components of a surveillance and response system: (1) the criteria that will be used to identify a potential contamination event and trigger an investigation; (2) the criteria that will be used to declare that a contamination incident has occurred; and (3) the response protocol for a contamination incident. This response protocol should be a part of the utility’s emergency response plan |
| 25 | 4.7.7 Source Water Protection. AWWA’s G300 Source Water Protection standard provides an approach to improve source water protection for utilities. AWIA also amended the Emergency Planning and Community Right-to-Know Act (EPCRA). These revisions require that community water systems (1) receive prompt notification of any reportable release of an EPCRA extremely hazardous substance (EHS) or a Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA) hazardous substance (HS) that potentiall * * https://www.epa.gov/waterresilience/americas-water-infrastructure-act-2018-spill-notification-and-access-chemical Sec. 4.8 Information Protection and Continuity 4.8.1 Define security-sensitive systems and information. For most systems, information technology (IT), enterprise systems, Operations Technology (OT), Industrial Control Systems, Process Control Systems, and SCADA systems are essential to the efficient and continuous operations of a utility. The utility shall identify critical IT, enterprise systems, process control systems, or SCADA systems as security sensitive. The utility shall also identify other security-sensitive information. This information review 4.8.1.1 Secure information. The utility shall evaluate information that it shares with vendors, bidders, or the public (e.g., facility tours, brochures, or Internet access). Where appropriate and practicable, security-sensitive information shall be removed or controlled. 4.8.1.2 Regulations. The utility shall consider any applicable freedom-of-information or Sunshine Act provisions with which it must comply to understand and abide by limitations on controlling information. 4.8.2 Protecting IT, enterprise systems, operations technology, process control systems, and SCADA systems. The utility should review the AWWA Water Sector Cybersecurity Risk Management Guidance and Assessment Tool (see Appendix A, Sec. A.4) as an aid in evaluating appropriate practices and controls for securing process control system and/or SCADA vulnerabilities. These strategies may also be useful in securing critical business enterprise systems for the business continuity plan. |
| 26 | 4.8.2.1 Restricting access. The utility shall identify and implement steps necessary to control access to critical IT, enterprise systems, process control systems, and SCADA systems to only authorized persons conducting official utility business. Physical hardening and procedural controls shall be considered and implemented. Examples of procedural controls include the following: • Restricting access to data networks • Safeguarding critical data through backups and storage in safe places • Establishing procedures to restrict network access • Implementing policies to ensure that IT contractors or their products will not negatively affect IT systems • Establishing procedures to require strong passwords, change passwords periodically (e.g., 90 days), and control password accessibility • Establishing policies and procedures for revoking access credentials Examples of physical steps include the following: • Installing and maintaining firewalls • Screening for viruses • Separating business systems from operational systems • Installing a system for virus protection • Ensuring security at each location of SCADA components • Incorporating encryption technologies • Establishing and routinely changing access codes Utilities are advised to review state and local information protections provided to critical infrastructure systems with legal counsel, including those referenced in AWWA’s Protecting the Water Sector’s Critical Infrastructure Information. † † Information.pdf |
| 27 | 4.8.4 Detect unauthorized access. The utility shall establish and maintain the means to detect unauthorized access or intrusion to IT, enterprise systems, process control systems, or SCADA systems or to security-sensitive information and the means to respond in an appropriate and timely manner. For additional information on IDS and defense-in-depth strategies, see Appendix A, Sec. A.6. 4.8.5 Ensure information and communication systems will function during emergency response and recovery. 4.8.5.1 Critical information. The utility shall identify critical information and ensure its preservation and accessibility during emergency response and recovery. Offsite backup of critical data should be considered for preservation and accessibility. 4.8.5.2 Critical communication. The utility shall identify critical internal and external communication capabilities and ensure their functionality during emergency response and recovery. Sec. 4.9 Design and Construction 4.9.1 Incorporate security objectives into utility design and construction standards. Consistent with the Risk and Resilience Assessment and associated risk and resilience management strategies, where applicable, the utility shall incorporate its security objectives into the design of infrastructure repairs or replacements or the acquisition or construction of new assets. 4.9.1.1 Physical hardening of identified critical assets. The utility shall include physical hardening in the repair/replacement of identified critical assets or in the design and construction of new assets. Physical hardening is intended to protect or help mitigate physical damage, service disruption, or other serious consequences of an attack by making the facility harder to attack or by reducing the effect an attack may have. Examples of physical hardening include the following: • Location of critical assets within a facility, • Use of substantial building materials, and • Designing in inherent redundancy for critical services. |
| 28 | Design choices should also consider the ability to ensure continuity of operations and rapid recovery in the event of an attack, natural disaster, or other event. 4.9.1.2 Adoption of security risk technologies or approaches. The utility shall consider the adoption of security technologies or approaches that have the demonstrated capability of reducing or mitigating the consequences of an attack, natural disaster, or other event when making design or technology choices. Examples of such technologies and approaches include Crime Prevention Through Environmental Design (CPTED), Cyber-Informed Engineering (CIE), increased redundancy of critical components, increased inte 4.9.1.3 Process control system design features. The utility shall consider the implementation of security functional features and requirements in the specifications for SCADA and process control systems. Once implemented, these features should be tested and validated to ensure they are properly configured and functional. The utility shall ensure that associated hardware is maintained and updated as appropriate, that critical software updates are routinely performed, and that system diagrams are kept current Sec. 4.10 Threat-Level–Based Protocols 4.10.1 Monitor available threat-level information. The utility shall establish an appropriate means to stay apprised of changes in threat levels. Sources of information may include the DHS, local police or local FBI office, WaterISAC, InfraGard, Cybersecurity and Infrastructure Security Agency (CISA), or other credible sources. The utility should research and establish communication with networks and information sources that are appropriate to its security environment. 4.10.2 Escalate security procedures in response to relevant threats. The utility shall establish a procedure to escalate security operations in the event of a relevant increase in the threat level or a significant local event or physical threat. 4.10.3 Monitor available threat information specific to enterprise systems, SCADA, and process control systems. The utility shall establish an appropriate means to stay apprised of specific physical and cybersecurity threats against enterprise systems, SCADA, and process control systems. Sources of information may include those listed in Section 4.10.1 above, ICS-CERT, or other credible sources. The utility should research and establish communication with networks and information sources appropriate to its |
| 29 | Sec. 4.11 Emergency Response and Recovery Plans and Business Continuity Plan 4.11.1 Incorporate security into emergency response and recovery plans, business continuity plans, and operations. 4.11.1.1 Update plans. The utility shall revise its emergency response and recovery plans and business continuity plans as necessary to incorporate security considerations into the plans. Additional guidance is provided in ANSI/AWWA G440 and the (WRF Web Report #4319). Community water systems serving more than 3,300 people must comply with the requirements of AWIA for certification of these updates to USEPA (see Appendix Sec. A.6 for additional information on the AWIA requirements). Business Continuity Planning for Water Utilities 4.11.1.2 Emergency response. The utility should consider using the NIMS guidelines and ICS protocols for emergency response. 4.11.2 Test emergency response and recovery plans and business continuity plans regularly. The utility shall establish and maintain a schedule for testing its emergency response and recovery plans and business continuity plans. Testing may include training, table-top exercises or drills, or real-time simulated responses. 4.11.3 Update emergency response and recovery plans and business continuity plans as necessary. 4.11.3.1 Review and update. The utility shall perform a timely review and update its emergency response and recovery plans and business continuity plans as necessary to correct identified deficiencies after exercises or actual implementation (lessons learned) in accordance with AWIA requirements and ANSI/AWWA G440 and AWWA Manual M19. 4.11.3.2 Routine reviews. The utility shall perform a timely review and update of its emergency response and recovery plans and business continuity plans routinely and as necessary to reflect relevant changes in potential threats, physical infrastructure, utility operations, critical interdependencies, or response protocols in partner organizations. In no event shall the interval exceed five years, and the review and update can be more frequent if required by law or regulation. Community water systems servi 4.11.3.3 Mutual aid and assistance agreement. The utility should consider participating in a mutual aid and assistance agreement with local, regional, and state utilities and agencies, as appropriate, to expedite response and recovery of service. This may include, but not be limited to, joining the state Water/Wastewater Agency Response Network (WARN). |
| 30 | 4.11.4 Contact list. The utility shall establish, distribute, and maintain a list of current contacts to include key employees and key contacts for critical customers and support organizations. This list shall include names, titles, phone numbers, and other information necessary to establish contact with those persons or designated alternates during an emergency. The utility shall maintain and distribute the contact list electronically and in hard copy. 4.11.5 Response to contamination threat. The emergency response plan shall have a procedure for responding to potential contamination incidents or threats, which includes reporting out, field verification, credibility assessments, site sampling, laboratory qualification, laboratory analysis, and public notification. 4.11.6 Response to enterprise system, SCADA, and process control system security threats. The emergency response plan or incident response plan shall have a procedure for responding to cybersecurity incidents or threats to enterprise systems and SCADA and process control systems, which includes computer and control system incident response plans, logs, tools, procedures, tiered control systems, etc. The utility’s response should be informed by the information sources listed in Sec. 4.10.1 and Sec. 4.10.3. L 4.11.7 Protection of public health. The utility shall be prepared to consider contamination evidence carefully and make public health decisions with available data and analysis in consultation with the utility’s regulatory agency and local health officials. Sec. 4.12 Internal and External Communication 4.12.1 Establish and maintain strategies for regular and ongoing communication with employees. The utility shall establish and maintain strategies for effective communication with employees about security issues. These strategies should be designed to maintain security awareness, motivate staff to take security seriously, allow staff to notify security personnel or others about security concerns or suspicious events or activities, promote employee safety during an event, and enable effective employee partic |
| 31 | 4.12.2 Establish and maintain strategies for regular and ongoing relationships and communication with response partner organizations. The utility shall establish and maintain strategies for effective relationships and communication with response partner organizations. The utility’s strategies should focus on ensuring clarity and reliability of information during an emergency. The utility shall evaluate the need and means for providing backup systems that will maintain communication with agencies such as pol 4.12.3 Establish strategies for regular and ongoing communication with customers. The utility shall establish strategies for effective communication with customers before any emergency. Communication strategies should especially consider the most effective way to reach customers with information, both in terms of delivery and source, and ways to get information from customers about unusual events or suspicious activities. The utility’s strategies should consider key messages, which person is equipped and tr 4.12.4 Establish strategies for regular and ongoing communication with regulatory agencies. The utility shall establish strategies for effective communication with relevant regulatory agencies. Communication strategies should consider timely two-way communication in the event of an actual incident or threat. Sec. 4.13 Partnerships 4.13.1 Forge reliable and collaborative partnerships with communities served, managers of critical interdependent infrastructure, and response partner organizations. 4.13.1.1 Identify key partnerships. The utility shall identify key agencies that are essential to emergency response and recovery and establish and maintain collaborative partnerships with these agencies. Customer community agencies such as police and fire, managers of critical interdependent infrastructure such as power companies, first-responder agencies, and adjacent utilities are typically included as key agencies. 4.13.1.2 Establish collaborative partnerships. The utility shall establish collaborative partnerships with key agencies as appropriate to ensure cooperation and effective coordination during emergency response and recovery. 4.13.1.3 Establish mutual aid relationships. The utility shall join local, regional, and state mutual aid organizations. |
| 32 | 4.13.1.4 Establish emergency contracts. The utility shall establish emergency support contracts for such things as generator fuel, treatment chemicals, and professional services. 4.13.1.5 Local Emergency Planning Committees (LEPC) coordination. Per AWIA, community water systems shall, to the extent possible, coordinate with existing local emergency planning committees established pursuant to the EPCRA when preparing or revising a Risk and Resilience Assessment or emergency response plan under this section. SECTION 5: VERIFICATION Sec. 5.1 Documentation Required • The utility shall define critical security activities and create written procedures for them. • The utility shall have an up-to-date Risk and Resilience Assessment and associated risk and resilience management strategies. • The utility shall have an up-to-date emergency response and recovery plan that incorporates security objectives. • The utility shall have a training component for personnel. • The utility shall maintain an adequate recordkeeping system so that compliance with this standard can be measured. 5.1.1 General. The documentation shall include the following: • Documented statements of a security policy and security objectives. • Documented procedures required by this standard. • Records required by this standard. Note: Where the term documented procedure appears within this standard, this means that the procedure is established, documented, implemented, trained upon, exercised, and maintained. 5.1.2 Required documentation. Documentation shall be sufficient to support the requirements in Section 4, including the documents listed by section in Table 1. |
| 33 | Table 1 Supporting documentation required by this standard by section Table 1 Supporting documentation required by this standard by section ReferenceSection 4 ReferenceSection 4 ReferenceSection 4 ReferenceSection 4 ReferenceSection 4 ReferenceSection 4 Documents Required |
| 34 | 5.1.3 Control of documents. Documents required for this standard shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in Sec. 5.1.4. A documented procedure shall be established to define the controls needed: • To approve documents for adequacy prior to issue. • To review and update as necessary and reapprove documents. • To ensure that changes and the current revision status of documents are identified. • To ensure that relevant versions of applicable documents are available at points of use. • To ensure that documents remain legible and readily identifiable. • To ensure that documents of external origin are identified and that their distribution is controlled. ReferenceSection 4 ReferenceSection 4 ReferenceSection 4 ReferenceSection 4 Documents Required |
| 35 | • To prevent the unintended use of obsolete documents and to apply suitable identification to them if they are retained for any purpose. 5.1.4 Control of records. Records shall be established and maintained to provide evidence of conformity to requirements and evidence of the effective operation of this standard. Records shall remain legible, readily identifiable, and retrievable. A documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records. All procedures shall account for regulatory/legal requirements such as those protecting per Sec. 5.2 Human Resources 5.2.1 General. Personnel performing work affecting system security shall be competent on the basis of appropriate education, training, skills, and experience. 5.2.2 Competence, awareness, and training. The utility shall do the following: • Determine the necessary competence for personnel performing work affecting security. • Provide training or take other actions to satisfy these needs. • Evaluate the effectiveness of the actions taken. • Ensure that its personnel are aware of the relevance and importance of their activities. • Retain appropriate records of education, training, skills, and experience (see Sec. 5.1.3). Sec. 5.3 Equipment 5.3.1 General. Utilities should field-test security devices (i.e., motion detectors, intrusion sensors) quarterly and field-test passive measures (i.e., fences, gates, doors) every six months or as required by law or regulation. SECTION 6: DELIVERY This standard has no applicable information for this section. |
| 37 | APPENDIX A APPENDIX A Resources This appendix is for information only and is not a part of ANSI*/AWWA G430. * American National Standards Institute, 25 West 43rd Street, 4th Floor, New York, NY 10036. * American National Standards Institute, 25 West 43rd Street, 4th Floor, New York, NY 10036. SEC.TION.A.1: US.DEPARTMENT.OF.HOMELAND SECURITY: INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM (ICS-CERT) CISA diligently tracks and shares information about the latest cybersecurity risks, attacks, and vulnerabilities, providing our nation with the tools and resources needed to defend against these threats. CISA provides cybersecurity resources and best practices for businesses, government agencies, and other organizations. CISA shares up-to-date information about high-impact types of security activity affecting the community at large and in-depth analysis on new and evolving cyber threats. https://www.cisa.gov/topics/cyber-threats-and-advisories https://www.cisa.gov/topics/cyber-threats-and-advisories SECTION.A.2 WATER.SECURITY.INITIATIVE The Water Security initiative (WSi) is a USEPA program that addresses the risk of contamination of drinking water distribution systems. USEPA established this research initiative in response to Homeland Security Presidential Directive 9, under which the agency is charged with developing “robust, comprehensive, and fully coordinated surveillance and monitoring systems, including international information, for…water quality that provides early detection and awareness of disease, pest, or poisonous agents.” |
| 38 | USEPA implemented the WSi in three phases: • • • • Phase I: Develop the conceptual design for a system that achieves timely detection of and response to contamination and other water quality incidents in drinking water distribution systems to mitigate public health and economic effects. ű ű ű ű USEPA completed this phase in 2006 with the design of a comprehensive water quality surveillance and response system. • • • Phase II: Demonstrate and evaluate water quality surveillance and response systems through pilots at drinking water utilities and municipalities. ű ű ű ű USEPA completed this phase in 2013. Pilot systems were designed, deployed, and evaluated in Cincinnati, San Francisco, New York City, Philadelphia, and Dallas. • • • Phase III: Develop practical guidance and outreach to promote voluntary national adoption of effective and sustainable water quality surveillance and response systems. ű ű ű ű A Water Quality Surveillance and Response System (SRS) is a framework designed to support monitoring and management of distribution system water quality. The system consists of one or more components that enhance a drinking water utility’s capability to quickly detect and respond to water quality incidents. Early warning and effective response to an emerging water quality incident can prevent escalation to a more serious problem. Additionally, an SRS provides information that improves a utility’s understand ű ű ű USEPA completed this phase in 2015. The Guidance for Developing Integrated Water Quality Surveillance and Response Systems is available at:. https://19january2017snapshot.epa.gov/sites/production/ |
| 39 | For current information, the utility is directed to USEPA’s Water Quality Surveillance and Response website at: . https://www.epa.gov/ waterqualitysurveillance SEC.TION.A.3 HOMELAND.SECURITY.INFORMATION NETWORK (HSIN) The HSIN is the Department of Homeland Security’s official system for trusted sharing of Sensitive But Unclassified (SBU) information between federal, state, local, territorial, tribal, international, and private sector partners. Mission operators use HSIN to access Homeland Security data, send requests securely between agencies, manage operations, coordinate planned event safety and security, respond to incidents, and share the information they need to fulfill their missions and help keep their communities http://www.dhs.gov/homeland-security-information- network SEC.TION.A.4 AWWA—WATER.SECTOR.CYBERSECURITY RISK MANAGEMENT GUIDANCE AND ASSESSMENT TOOL In 2019, the AWWA Water Utility Council initiated project WITAF Project #039 to update AWWA resources and guidance for protecting Water Sector Process Control Systems (PCS) from cyber-attacks. A panel of industry subject matter experts has been consulted to identify the most pressing cybersecurity issues facing water utilities today. In response to these issues, a list of recommended cybersecurity practices has been developed. This list identifies practices considered to be the most critical for managing the cybersecurity risk to Process Control Systems in the Water Sector. A copy of this report can be downloaded from AWWA at the following: http://www.awwa.org/cybersecurity http://www.awwa.org/cybersecurity A supporting self-assessment tool is also available from this site. |
| 40 | SEC.TION.A.5 CYBER.SECURITY.EVALUATION TOOL (CSET) ® Critical infrastructures are dependent on information technology systems and computer networks for essential operations. Particular emphasis is placed on the reliability and resilience of the systems that comprise and interconnect these infrastructures. The DHS Cybersecurity and Infrastructure Security Agency (CISA) collaborates with partners from across public, private, and international communities to advance this goal by developing and implementing coordinated security measures to protect against cyber t The DHS CISA released Version 11.5 of the Cyber Security Evaluation Tool (CSET®). This newest version of the tool can be downloaded from the CISA website at . The CSET® is a product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the NCSD by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of https://www.cisa.gov/ downloading-and-installing-cset Through a collaboration between AWWA, CISA, and Idaho National Laboratory (INL), the AWWA Water Sector Cybersecurity Risk Management and Assessment tool now integrates with CSET®. Utilities using the AWWA tool may upload the completed self-assessment tool spreadsheet to CSET® to refine and mature their cybersecurity assessments. This capability may be accessed through the CSET® application. |
| 41 | SEC.TION.A.6 AWIA.OF.2018..SECTION.2013 COMMUNITY WATER SYSTEM RISK AND RESILIENCE SEC. 2013. COMMUNITY WATER SYSTEM RISK AND RESILIENCE. (a) IN GENERAL.—Section 1433 of the Safe Drinking Water Act (42 U.S.C. 300i-2) is amended to read as follows: SEC. 1433. COMMUNITY WATER SYSTEM RISK AND RESILIENCE. (a) Risk and Resilience Assessments.— (1) IN GENERAL.—Each community water system serving a population of greater than 3,300 persons shall conduct an assessment of the risks to, and resilience of, its system. Such an assessment— (A) shall include an assessment of— (i) the risk to the system from malevolent acts and natural hazards; (ii) the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) which are utilized by the system; (iii) the monitoring practices of the system; (iv) the financial infrastructure of the system; (v) the use, storage, or handling of various chemicals by the system; and (vi) the operation and maintenance of the system; and (B) may include an evaluation of capital and operational needs for risk and resilience management of the system. (2) BASELINE INFORMATION.—The Administrator, not later than August 1, 2019, after consultation with appropriate departments and agencies of the Federal Government and with State and local governments, shall provide baseline information on malevolent acts of relevance to community water systems, which shall include consideration of acts that may— |
| 42 | (A) substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water; or (B) otherwise, present significant public health or economic concerns to the community served by the system. (3) CERTIFICATION.— (A) CERTIFICATION.—Each community water system described in paragraph (1) shall submit to the Administrator a certification that the system has conducted an assessment complying with paragraph (1). Such certification shall be made prior to— (i) March 31, 2020, in the case of systems serving a population of 100,000 or more; (ii) December 31, 2020, in the case of systems serving a population of 50,000 or more but less than 100,000; and (iii) June 30, 2021, in the case of systems serving a population greater than 3,300 but less than 50,000. (B) REVIEW AND REVISION.—Each community water system described in paragraph (1) shall review the assessment of such system conducted under such paragraph at least once every 5 years after the applicable deadline for submission of its certification under subparagraph (A) to determine whether such assessment should be revised. Upon completion of such a review, the community water system shall submit to the Administrator a certification that the system has reviewed its assessment and, if applicable, revised (4) CONTENTS OF CERTIFICATIONS.—A certification required under paragraph (3) shall contain only— (A) information that identifies the community water system submitting the certification; (B) the date of the certification; and (C) a statement that the community water system has conducted, reviewed, or revised the assessment, as applicable. |
| 43 | (5) PROVISION TO OTHER ENTITIES.—No community water system shall be required under State or local law to provide an assessment described in this section (or revision thereof) to any State, regional, or local governmental entity solely by reason of the requirement set forth in paragraph (3) that the system submit a certification to the Administrator. (b) EMERGENCY RESPONSE PLAN.—Each community water system serving a population greater than 3,300 shall prepare or revise, where necessary, an emergency response plan that incorporates findings of the assessment conducted under subsection (a) for such system (and any revisions thereto). Each community water system shall certify to the Administrator, as soon as reasonably possible after the date of enactment of America’s Water Infrastructure Act of 2018, but not later than 6 months after completion of the as (1) strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system; (2) plans and procedures that can be implemented, and identification of equipment that can be utilized, in the event of a malevolent act or natural hazard that threatens the ability of the community water system to deliver safe drinking water; (3) actions, procedures, and equipment which can obviate or significantly lessen the impact of a malevolent act or natural hazard on the public health and the safety and supply of drinking water provided to communities and individuals, including the development of alternative source water options, relocation of water intakes, and construction of flood protection barriers; and (4) strategies that can be used to aid in the detection of malevolent acts or natural hazards that threaten the security or resilience of the system. (c) COORDINATION.—Community water systems shall, to the extent possible, coordinate with existing local emergency planning committees established pursuant to the Emergency Planning and Community Right-To-Know Act of 1986 (42 U.S.C. 11001 et seq.) when preparing or revising an assessment or emergency response plan under this section. |
| 44 | (d) RECORD MAINTENANCE.—Each community water system shall maintain a copy of the assessment conducted under subsection (a) and the emergency response plan prepared under subsection (b) (including any revised assessment or plan) for 5 years after the date on which a certification of such assessment or plan is submitted to the Administrator under this section. (e) GUIDANCE TO SMALL PUBLIC WATER SYSTEMS.—The Administrator shall provide guidance and technical assistance to community water systems serving a population of less than 3,300 persons on how to conduct resilience assessments, prepare emergency response plans, and address threats from malevolent acts and natural hazards that threaten to disrupt the provision of safe drinking water or significantly affect the public health or significantly affect the safety or supply of drinking water provided to communitie (f) ALTERNATIVE PREPAREDNESS AND OPERATIONAL RESILIENCE PROGRAMS.— (1) SATISFACTION OF REQUIREMENT.—A community water system that is required to comply with the requirements of subsections (a) and (b) may satisfy such requirements by— (A) using and complying with technical standards that the Administrator has recognized under paragraph (2); and (B) submitting to the Administrator a certification that the community water system is complying with subparagraph (A). (2) AUTHORITY TO RECOGNIZE.—Consistent with section 12(d) of the National Technology Transfer and Advancement Act of 1995, the Administrator shall recognize technical standards that are developed or adopted by third-party organizations or voluntary consensus standards bodies that carry out the objectives or activities required by this section as a means of satisfying the requirements under subsection (a) or (b). |
| 45 | (g) TECHNICAL ASSISTANCE AND GRANTS.— (1) IN GENERAL.—The Administrator shall establish and implement a program, to be known as the Drinking Water Infrastructure Risk and Resilience Program, under which the Administrator may award grants in each of fiscal years 2020 and 2021 to owners or operators of community water systems for the purpose of increasing the resilience of such community water systems. (2) USE OF FUNDS.—As a condition on receipt of a grant under this section, an owner or operator of a community water system shall agree to use the grant funds exclusively to assist in the planning, design, construction, or implementation of a program or project consistent with an emergency response plan prepared pursuant to subsection (b), which may include— (A) the purchase and installation of equipment for detection of drinking water contaminants or malevolent acts; (B) the purchase and installation of fencing, gating, lighting, or security cameras; (C) the tamper-proofing of manhole covers, fire hydrants, and valve boxes; (D) the purchase and installation of improved treatment technologies and equipment to improve the resilience of the system; (E) improvements to electronic, computer, financial, or other automated systems and remote systems; (F) participation in training programs, and the purchase of training manuals and guidance materials, relating to security and resilience; (G) improvements in the use, storage, or handling of chemicals by the community water system; (H) security screening of employees or contractor support services; (I) equipment necessary to support emergency power or water supply, including standby and mobile sources; and |
| 46 | (J) the development of alternative source water options, relocation of water intakes, and construction of flood protection barriers. (3) EXCLUSIONS.—A grant under this subsection may not be used for personnel costs, or for monitoring, operation, or maintenance of facilities, equipment, or systems. (4) TECHNICAL ASSISTANCE.—For each fiscal year, the Administrator may use not more than $5,000,000 from the funds made available to carry out this subsection to provide technical assistance to community water systems to assist in responding to and alleviating a vulnerability that would substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water (including sources of water for such systems) which the Administrator determines to present an immediate and urgent nee (5) GRANTS FOR SMALL SYSTEMS.—For each fiscal year, the Administrator may use not more than $10,000,000 from the funds made available to carry out this subsection to make grants to community water systems serving a population of less than 3,300 persons, or nonprofit organizations receiving assistance under section 1442(e), for activities and projects undertaken in accordance with the guidance provided to such systems under subsection (e) of this section. (6) AUTHORIZATION OF APPROPRIATIONS.—To carry out this subsection, there are authorized to be appropriated $25,000,000 for each of fiscal years 2020 and 2021. (h) DEFINITIONS.—In this section— (1) the term ‘resilience’ means the ability of a community water system or an asset of a community water system to adapt to or withstand the effects of a malevolent act or natural hazard without interruption to the asset’s or system’s function, or if the function is interrupted, to rapidly return to a normal operating condition; and (2) the term ‘natural hazard’ means a natural event that threatens the functioning of a community water system, including an earthquake, tornado, flood, hurricane, wildfire, and hydrologic changes. |
| 47 | (b) SENSITIVE INFORMATION.— (1) PROTECTION FROM DISCLOSURE.—Information submitted to the Administrator of the Environmental Protection Agency pursuant to section 1433 of the Safe Drinking Water Act, as in effect on the day before the date of enactment of America’s Water Infrastructure Act of 2018, shall be protected from disclosure in accordance with the provisions of such section as in effect on such day. (2) DISPOSAL.—The Administrator, in partnership with community water systems (as defined in section 1401 of the Safe Drinking Water Act), shall develop a strategy to, in a timeframe determined appropriate by the Administrator, securely and permanently dispose of, or return to the applicable community water system, any information described in paragraph (1). |
| 49 | APPENDIX B APPENDIX B Bibliography This appendix is for information only and is not a part of ANSI/AWWA G430. • • • • Standard Specification for Metallic-Coated Carbon Steel Barbed Wire. ASTM A121-22 • • • Standard Guide for Security of Tank Farm Installations for Compliance with Spill Prevention, Control and Countermeasure Plan (SPCC) Regulations. ASTM E2942-22 • • • Standard Test Methods for Security of Swinging Door Assemblies. ASTM F476-23 • • • Standard Terminology Relating to Chain Link Fencing. ASTM F552-14 • • • Standard Practice for Installation of Chain-Link Fence. ASTM F567-23 • • • Standard Specification for Strength and Protective Coatings on Steel Industrial Fence Framework. ASTM F1043-18 • • • Standard Specification for Long Barbed Tape Obstacles. ASTM F1910-98(2022) • • • Standard Specification for Expanded Metal Fence Systems for Security Purposes. ASTM F2548-20 • • • Standard Guide for Design and Construction of Chain Link Security Fencing. ASTM F2611-15 • • • Standard Guide for Design and Construction of Ornamental Steel Picket Fence Systems for Security Purposes. ASTM F2814-09(2015) • • • Standard Guide for Design and Construction of Welded Wire Fence Systems for Security Purposes. ASTM F3204-16 • • • Guide Specifications for Forced Entry/Bullet Resistant (FE/BR) Security Hollow Metal Doors and Frames. NAAMM/HMMA 862-21 • • • Guide for Security Lighting for People, Property, And Critical Infrastructure. IES G-1-22 • • • Information Security, Cybersecurity and Privacy Protection – Biometric Information Protection. ISO/IEC 24745:2022 |
Related products
-
AWWA G440 2022
AWWA G440-22 Emergency Preparedness Practices Published By Publication Date Number of Pages AWWA 2022 24
-
FL Building 07 2007
Florida Building Code – Building Published By Publication Date Number of Pages FL 2007 1140
-
SC BuildingCode 2021 1stptg
South Carolina Building Code Published By Publication Date Number of Pages SC 2021
-
ASCE Pipelines2015 2015
Pipelines 2015 – Recent Advances in Underground Pipeline Engineering and Construction Published By Publication Date…
-
OH ResidentialCode 2019
Ohio Residential Code Published By Publication Date Number of Pages OH 2019 657
-
MN BuildingCode 1stptg 2020.pdf
Minnesota Building Code Published By Publication Date Number of Pages MN 2020 741
-
ICC IBC Commentary Volume 2 2021 1stptg
International Building Code and Commentary, Volume 2 Published By Publication Date Number of Pages ICC…
-
FL FloridaBuildingCode 2020
Florida Building Code – Building, Seventh Edition Published By Publication Date Number of Pages FL…
-
AWWA G430 2014 R2020
AWWA G430-14(R20) Security Practices for Operation and Management Published By Publication Date Number of Pages…
-
WA StateBuildingCode 2021 1stptg
Washington State Building Code Based on the 2021 International Building Code Published By Publication Date…
-
CA Building Code Volumes 1 2 2022 1stptg
California Building Code, Title 24, Part 2 (Volumes 1 & 2) (W/ ERRATA & SUPPLEMENT)…
-
FL FloridaResidentialCode 2023 1stptg
Florida Building Code – Residential, Eighth Edition Published By Publication Date Number of Pages FL…
-
AWWA C150 2023
AWWA C150(R23) Thickness Design of Ductile-Iron Pipe Published By Publication Date Number of Pages AWWA…
-
FL FloridaBuildingCode Residential 5thEdition 2014
Florida Building Code – Residential, 5th edition Published By Publication Date Number of Pages FL…
-
ICC IBC 2024 1stptg
International Building Code Published By Publication Date Number of Pages ICC 2024
-
NJ BuildingCode 2021 1stptg
International Building Code, New Jersey Edition Published By Publication Date Number of Pages NJ 2021
-
OR ResidentialCode 2021 1stptg
Oregon Residential Specialty Code Published By Publication Date Number of Pages OR 2021
-
Chicago Building Code Title 14B – with March 2021 Supplement:2019 Edition
Chicago Building Code Title 14B – with March 2021 Supplement Published By Publication Date Number…
-
ICC IRC Commentary Volume 2 2021 1stptg
International Residential Code and Commentary, Volume 2 Published By Publication Date Number of Pages ICC…
-
NY StateBuildingCode 2020
Building Code of New York State Published By Publication Date Number of Pages NY 2020…
-
VA Construction Code 2021 1stptg
Virginia Construction Code Published By Publication Date Number of Pages VA 2021
-
Chicago Building Code Title 14B – with April 2022 Supplement:2019 Edition
Chicago Building Code Title 14B – with April 2022 Supplement Published By Publication Date Number…
-
AWWA OpGuide J100 2021
Operational Guide to AWWA Standard J100 Risk & Resilience Management of Water & Wastewater Systems…
-
FL FloridaBuildingCode 2023 1stptg
Florida Building Code – Building, Eighth Edition Published By Publication Date Number of Pages FL…
-
FL FloridaResidentialCode 2020
Florida Building Code – Residential, Seventh Edition Published By Publication Date Number of Pages FL…
-
CA LA County Building Code Vols1 2 2023
County of Los Angeles Building Code (2 Volumes) Full Code Published By Publication Date Number…
-
ICC IMC Commentary 2021 1stptg
International Mechanical Code and Commentary Published By Publication Date Number of Pages ICC 2021
-
MN ResidentialCode 1stptg 2020.pdf
Minnesota Residential Code Published By Publication Date Number of Pages MN 2020 611
-
CA Building Code Volumes 1 2 2022 1stptg
California Building Code, Title 24, Part 2 (Volumes 1 & 2) (W/ ERRATA & SUPPLEMENT)…
-
MN Mech FuelGasCode 1stptg 2020
Minnesota Mechanical and Fuel Gas Code with ANSI/ ASHRAE Standard 62.2-2016 and ANSI/ ASHRAE Standard…
-
AWWA G430 2014 RA 2020
AWWA G430-14(R20) Security Practices for Operation and Management Published By Publication Date Number of Pages…
-
NJ ResidentialCode 2021 1stptg
International Residential Code, New Jersey Edition Published By Publication Date Number of Pages NJ 2021
-
NY NYC BuildingCode 2022 1stptg
New York City Building Code Published By Publication Date Number of Pages NY 2022 1095
-
CA City of LA Residential Code 2023 1stptg
City of Los Angeles Residential Code – Full Code Published By Publication Date Number of…
-
AWWA G410 2023
AWWA G410-23 Business Practices for Operation and Management Published By Publication Date Number of Pages…
-
WA StateResidentialCode 2021 1stptg
Washington State Residential Code Based on the 2021 International Residential Code Published By Publication Date…
-
FL BuildingCode 2010
Florida Building Code, Building Published By Publication Date Number of Pages FL 2010 871
-
OR StructuralSpecialtyCode 2022 1stptg
Oregon Structural Specialty Code, Based on the 2021 International Building Code Published By Publication Date…
-
ICC IBC 2021 1stptg
International Building Code, 2nd Printing Published By Publication Date Number of Pages ICC 2021 833
-
ICC IBC 2021 1stptg
International Building Code, 2nd Printing Published By Publication Date Number of Pages ICC 2021 839
