
State of Infrastructure Security: Protecting Water Lifelines from Physical and Cyber Threats

Twenty years after 9/11, the challenges to maintain normal operation of water and wastewater systems continue to increase as the water sector works to improve drinking water security and resilience.

Imagine that it’s Monday morning and you’re in your kitchen filling up the coffeemaker before starting the work week and nothing comes out of the tap. Now imagine by Friday you still have no water — not for coffee, your morning shower, your cooking, cleaning, or to flush toilets. Imagine for five days being unable to do these mundane activities you’ve come to take for granted every day. And that’s just the impact to you, personally. Without water and wastewater service, many businesses can’t open. An entire community’s ability to function begins to degrade. The fact remains that drinking water is fundamental to life and our expectation is to have this convenient service (along with wastewater service) at our fingertips every minute of every day of every year. When it’s gone, it’s not only extremely disruptive to us individually, but its absence also threatens an entire community’s ability to thrive.

Twenty years after 9/11, the challenges to maintain normal operation of water and wastewater systems continue to increase as the water sector works to improve drinking water security and resilience. In response to 9/11, the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188) was passed on June 12, 2002. This legislation amended the Safe Drinking Water Act (SDWA) and required approximately 8,400 community water systems serving greater than 3,300 people to conduct vulnerability assessments (VAs) and prepare emergency response plans (ERPs). This legislation authorized (but didn’t appropriate) funding for preparing the VAs and ERPs and for emergency grants to states and utilities. This legislation directed the Environmental Protection Agency (EPA), not the Department of Homeland Security (DHS), to review methods to prevent, detect, and respond to threats to water safety and infrastructure security. EPA set up a Water Security Division (WSD) and focused its initial efforts on foreign and domestic terrorist threats, improving physical security, and on detecting intentional contamination by adversaries. This legislation did not require water systems to make security upgrades to address potential vulnerabilities, but many water systems made physical security improvements such as improving access control to their facilities.

In the same timeframe, DHS identified 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the country that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health, or safety. Water and wastewater systems are one of the 16 sectors, and guidance and resources have been developed by DHS and EPA to assist systems in improving security and resilience – but there is much more to do.

As the water sector increased its knowledge on security and resilience, and there were zero or a limited number of incidents of physical attacks or intentional contamination, it became apparent that an all-hazard approach was needed that addressed extreme weather events such as hurricanes, flooding, ice storms, wildfires, etc., as well as cybersecurity and other threats. The water sector then established Water/Wastewater Response Networks (WARNs) across the country to provide a system for “utilities helping utilities” in the aftermath of an extreme weather event. In many cases, the WARNs have been effective ways to bring people and equipment in to assist prior to the arrival of federal resources and to aid in navigating the federal process for reimbursement of response and recovery expenditures.

Louisiana National Guard Soldiers distribute food and water to citizens in the wake of Hurricane Ida, in Westwego, La., Sept. 1, 2021. (U.S. Army National Guard photo by Sgt. Renee Seruntine)

Extreme weather events occur on a regular basis and Hurricane Ida and its impacts on water systems in Louisiana are the latest example. As of 9/11/21 (12 days after Ida made landfall) at 3 p.m. CDT, according to the Louisiana Department of Health website, the impacts to its water systems included:

  • 217 water systems serving 822,246 people cleared off boil water advisories
  • 91 water systems serving 326,226 people on boil water advisories
  • 18 water systems serving 19,661 people with water outages, i.e., no water service

The above statistics show the power of extreme weather events to impact water systems, even in areas like Louisiana that are used to hurricanes. They know better than most how to prepare and how to respond. But there’s only so much a utility can do with 150 mph wind, several inches of rain, and substantial power outages. Supplies of treatment plant chemicals became an issue in the aftermath of Ida. The strength of Ida created water service impacts for approximately 25 percent of Louisiana’s population, and considerable impacts to water and wastewater systems in other states.

System resilience goes beyond response and recovery into design and operational issues that also need improvements. For example, EPA regulates around 50,000 community water systems, where people live and work every day. Remember that EPA’s focus, as defined by the SDWA, is ensuring that these systems meet the standards for more than 90 regulated contaminants. Meeting the standards is essential for public health protection but having an adequate water source is part of the equation. Approximately half of those systems serve fewer than 500 people, and it’s likely that most, if not all, of them are groundwater systems with a single well and single storage tank. With only a single source of water, the well pump can’t be pulled and maintained as it should be, and the well casing and screens also can’t be checked and maintained.

While it’s a small-system issue, it becomes a big problem in the community when there’s no drinking water. Additionally, there are no federal requirements for back-up power, and state-level requirements for back-up power and fuel storage for generators vary from state to state.

Time marches on, and Congress responded to the increasing number and diversity of threats to water systems with another round of legislation. The America’s Water Infrastructure Act (AWIA) was passed on October 23, 2018, and AWIA Section 2013 required approximately 10,000 community water systems serving greater than 3,300 people to develop or update risk and resilience assessments and ERPs. The law specifies the components that these assessments and ERPs must address and establishes deadlines by which water systems must certify to EPA completion of the risk and resilience assessment and ERP.

After two rounds of federal legislation and two cycles of assessments and ERPs, where are we today in the water sector? The short answer is that we are still facing many, many challenges. First, a significant challenge is the sheer number of public water systems. There are more than 150,000 public water systems and more than 50,000 community water systems (CWSs) where people live and work. Another challenge is that the majority of CWSs are publicly owned and become easily tangled up in politics and resistance to raising rates to buy “insurance,” i.e., make improvements to protect against low-probability events.

Second, neither round of federal legislation nor the systems’ assessments required systems to make any improvements to address any of the vulnerabilities that were identified. It’s up to the governing board or the city council to make the financial decisions on whether to invest in the necessary security and resiliency improvements. Progress on these improvements is unknown.

Third, after 9/11, many states passed exceptions to Sunshine Act or other public disclosure laws for security information. These protections are logical, as one wouldn’t want adversaries to know the strengths and weaknesses of any system’s security improvements. But these protections present challenges for federal and state regulators to understand the breadth and depth of potential security problems. The national scope of the problems is unknown, i.e., what is the total national need (cost) for security and resiliency improvements?

Fourth, there is no systematic reporting of security breaches and outages at water and wastewater systems, other than at the state level as previously discussed for the recovery from Ida in Louisiana. When there is a power outage in an area, sometimes the system has adequate backup power and enough fuel to sustain the generators during the outage, but in a sustained power outage maintaining an adequate fuel supply can be problematic. There is no systematic reporting of impacts to water and wastewater systems during power outages and there is a legitimate issue on what the data would be used for if collected.


Fifth, an understanding of the relative risks of the threats (physical destruction, versus intentional contaminant, versus cyberattacks) is needed to prioritize investments in improvements so that the most likely risks are addressed. Research is needed on how to harden water and wastewater infrastructure in a cost-effective manner.

Finally, cybersecurity in the water sector has emerged as a top priority in the past couple of years. In 2019 and 2021, well-publicized incidents in Ellsworth, Kansas and in Oldsmar, Florida, respectively, are prime examples. The media carried the story of the 2021 indictment of a former employee in Ellsworth, and law enforcement held a news conference in Oldsmar to report the attack (no indictments yet). But many other cyberattacks in the water sector don’t make the news – and we don’t know how many attacks occur or how significant the attacks are to system operations. Increased automation in water and wastewater systems has improved efficiency but has likely increased the risk of cybersecurity attacks. The water sector is lacking a baseline estimate of how many systems have remote access but it’s likely at least 50 percent. Cybersecurity tools and resources have been developed by EPA and others, such as the American Water Works Association (AWWA), but it’s unclear how many systems have taken advantage of these resources or made any of the improvements noted in a cybersecurity assessment.

So, what’s next for the water sector? Several questions need to be answered in a collaborative manner, so that everyone agrees with the path forward for improving security and resilience in the water sector:

  • What are the greatest risks for water and wastewater systems? Is the risk for each system site-specific?
  • What have systems done already to lower those risks? What improvements remain? How much would those improvements cost?
  • How many water systems have a single source of supply? How would emergency water be supplied if that source failed? How long could the emergency supply be sustained?
  • How many systems have full back-up power? Who would look at this data if it was collected? What would be the resultant actions from this data collection?
  • Do we need a national reporting system of system breaches and cyberattacks? Who would look at this data? What would be the resultant actions from this data collection?
  • How do we best increase the cybersecurity skills and knowledge across the water sector?
  • How do we best reduce the cybersecurity risks to water and wastewater systems?
  • Are the ongoing treatment plant chemical supply issues solely related to the pandemic or are they indicative of a more systemic problem?
  • How could we optimize the federal/state/local response to extreme weather events?

The above list of questions sounds simple, but it represents a staggering research agenda that needs significant federal funding for making progress on the necessary security and resiliency improvements to our water and wastewater systems. A coordinated effort is needed as soon as possible, as it’s critical that the speed of the progress be increased through a collaboration between federal and state agencies and the water and wastewater systems. The alternative – to stay with the status quo – means the water sector will continue to make slow and steady progress on improving security and resiliency, while many more extreme events occur, likely leaving communities without water, which will continue to destabilize their economies and the lives of the people within them.
