The Association of Metropolitan Water Agencies (AMWA) recognizes that water utilities must protect their critical facilities from acts of terrorism, cyber attacks and other hazards. Drinking water utilities’ first responsibility is to protect public health by providing potable water and therefore AMWA believes that Congress should encourage utilities to explore the resiliency of their systems to a range of possible threats.
AMWA believes the U.S. Environmental Protection Agency (EPA) should continue to be the lead federal agency for security at drinking water and wastewater facilities. Having more than one federal agency with oversight of water security could not only be inefficient, but could also impair the ability of drinking water systems to properly and efficiently treat their water supplies, making simultaneous compliance with multiple standards or guidelines difficult or even impossible.If contradictory or duplicative security measures were recommended by different federal agencies, water systems would face difficulties in assuring compliance and could incur substantial costs with no real improvement in security or resiliency.
Legislative and regulatory proposals that would require the adoption of alternative disinfection chemicals or “inherently safer technologies” over the objections of local officials fail to recognize the potential for negative risk trade-offs and unacceptable costs. Requirements that propose, directly or indirectly, to displace locally preferred and effective treatment practices could undermine public health.
Some water security programs include the collection of data from water providers. Given the sensitive nature of water security information, AMWA believes that Congress should continue the explicit prohibition on the disclosure of such information under federal, state, and local public information laws. Likewise, federal, state and local agencies must take all internal precautions to prevent the inappropriate disclosure of water system information.
The increasing attractiveness of water systems and other critical infrastructure assets as targets of cyber attacks poses new risks and challenges to water utilities. Water sector officials and organizations should have full access to cyber threat briefings and assistance offered by the Department of Homeland Security and other federal agencies. The federal government should not dictate particular cyber defense mechanisms for water treatment facilities but should offer information on best practices for protecting industrial control systems and other water utility infrastructure against attack.
Any expanded federal security requirements should be accompanied by federal funding assistance. Such assistance could be targeted to help utilities update threat assessments or implement other physical security or water treatment process enhancements that the utility determines will increase security without compromising public health. Otherwise, new security requirements will amount to unfunded federal mandates on local governments at a time when water treatment facilities are facing hundreds of billions of dollars in other priority infrastructure projects.
Finally, AMWA supports the federal government’s grouping of certain governmental and private sector capabilities into an organizational structure known as Emergency Support Functions (ESF), 29whichprovide support, resources, program implementation, and services for victims and communities following domestic incidents.However, the water sector should be placed entirely within its own ESF, as are other critical lifeline sectors like energy, communications and transportation.
- Metropolitan drinking water agencies are experienced in reviewing threats and evaluating their security posture through their ongoing compliance with Section 1433 of the Safe Drinking Water Act. As a result of these activities, water systems have made significant strides in protecting their facilities and building resilience to a variety of hazards.
- Drinking water utilities are essential to maintaining public health, as well as its trust and confidence in a safe and reliable supply of water. Water utilities are on the front line for defending critical water facilities across the United States.
- Federal mandates requiring utilities to implement “inherently safer technologies” could conflict with drinking water disinfection options determined locally based on source water quality and other feasibility considerations. Switching from one technology to another is a matter of risk-tradeoffs, such as whether to manage risk presented by large chlorine gas supplies or to accept new risks from more frequent deliveries of smaller quantities by truck.
- The Department of Homeland Security (DHS)is charged with regulating security at the nation’s chemical facilities, but does not have similar authority over water and wastewater facilities. Because EPA oversees water utility compliance with required risk management plans under the Clean Air Act and vulnerability assessments under the Safe Drinking Water Act, altering this arrangement could result in confusing multiple-agency requirements being placed on water and wastewater systems.
- Placing the water sector within its own ESF will promote better communication and coordination with preparedness and response partners at all levels and align the water sector with other critical infrastructure sectors.