Choosing a Vulnerability Assessment Trainer or Consultant
Although it has been more than a year since the Sept. 11 attacks, water and wastewater utilities around the nation have remained on high alert. Over the past 13 months, some important steps have already been taken to beef up security at water and wastewater plants. For example, Congress has approved additional appropriations to shore up water facilities. In early October, the U.S. Environmental Protection Agency (EPA) announced its Homeland Security Plan, with a particular focus on protecting the nation’s water infrastructure. By and large, however, the responsibility for safeguarding water and wastewater plants belongs to cities and counties.
On June 12, 2002, President Bush signed an anti-terrorism bill that requires public water systems to conduct vulnerability assessments of their facilities. Several cities have already initiated efforts to determine the vulnerability of their water utilities. Milwaukee Water Works, for example, was working with the Sandia National Laboratories in Albuquerque, N.M., well before Sept. 11 to create a process to assess its vulnerabilities. Sandia subsequently developed a training methodology — known as Risk Assessment Methodology for Water Utilities (RAM-W) — to help other utilities conduct such assessments.
Under a joint agreement between Sandia, EPA and the Department of Energy, 17 organizations were trained in the methodology and are now licensed to teach it. (For a complete listing of the licensed firms, visit http://www.epa.gov/safewater/security/ and click on the link titled “Private sector firms provide training on the vulnerability assessment methodology for water infrastructure protection.”) EPA does not single out any of the authorized companies for endorsement. Furthermore, EPA notes that utilities looking for RAM-W training need not limit their search to the original 17 organizations, since each of those organizations is training other entities in RAM-W.
How does a water utility choose the right trainer? First of all, water utilities should consider hiring a firm that can act as both a trainer and a security consultant, says Christy Cooper, Water Sector Director of Research and Analysis for Kansas City, Mo.-based Black & Veatch. A trainer can teach the utility to assess its own risk factors, and a consultant can aid in developing an emergency operations plan (see “Key elements of an emergency response plan” on page S10). “You’re not really trained until you go through the whole process,” Cooper says. “A trainer would say ‘Here is the process,’ but they don’t actually put together the whole plan for you.”
Cooper offers three main criteria in choosing a security consultant:
the firm should have facility security assessment and design experience:
the firm should be familiar with issues specific to the water business, such as treatment and water quality; and
the firm should be versed in emergency response planning.
Ideally, the consulting firm has trained with several different agencies, and it has an appropriate number of people focused specifically on water security, Cooper says. “Do they have one person they hired since Sept. 11, or do they have a whole group of people that were there before Sept. 11?” she notes.
A firm also should have demonstrated experience working with multiple agencies and users. A typical water agency has thousands of users and must deal with personnel at the federal, state and local levels. A wide variety of possible events — such as chemical, biological or radiological events — must be considered, and the response personnel must be coordinated accordingly. The goal is to “coordinate all of these various personnel and make sure everyone understands the role of each,” Cooper says.
It also is critical for a third-party consultant to keep all important documents secure. After Sept. 11, for example, the Massachusetts Water Resources Authority announced that it would no longer release documents detailing its water-delivery infrastructure or emergency response plans.
“Even firms with extensive security experience may not be used to such high levels of document security in the water business,” Cooper says. “Now, we recommend that utilities limit both their own employees and their consultant’s employees who have access to certain sensitive documents. Clients should control people in their own organizations, and they should control who is allowed to see documents in the consultant’s organizations. Some clients make us provide a list of who will see any piece of certain documents.”
Today, an ounce of prevention truly is worth a pound of cure. By taking the time to assess its vulnerabilities and develop appropriate responses, water utilities will be in an excellent position to respond to — and possibly prevent — emergencies.
Kim O’Connell is an Arlington, Va.-based freelance writer.