EPA Releases VSAT 6.0

EPA developed the Vulnerability Self-Assessment Tool (VSAT) to assist water and wastewater utilities of all sizes with determining vulnerabilities to both man-made and natural hazards and with evaluating potential improvements to enhance their security and resiliency.  As an update to earlier versions, VSAT 6.0 has been designed to be consistent with the ANSI/AWWA J100-10 Risk Analysis and Management for Critical Asset Protection (RAMCAP®)Standard for Risk and Resilience Management of Water and Wastewater Systems. To meet this standard, VSAT 6.0 includes quantitative risk and resilience  metrics, asset prioritization and a new threat category to assess interdependencies.

To assist small systems and new users in building an assessment, VSAT now includes a new Analysis Wizard with abbreviated lists and default assignments for common utility assets, countermeasures, and threats. Plus, data from earlier assessments made with SEMS (Security and Emergency Management System) can be imported directly into VSAT.

Go to http://water.epa.gov/infrastructure/watersecurity/techtools/vsat.cfm to learn more about VSAT and to access both basic and advanced training videos on its use.  For general questions and assistance, send an email request to  VSATHelp@epa.gov

EPA strongly encourages water and wastewater utility owners and operators to use VSAT 6.0 to conduct or update an all-hazards risk assessment.

DHS Webinar Series on Critical Infrastructure Security

The Department of Homeland Security Office of Infrastructure Protection And The Regional Consortium Coordinating Council Present:

A Joint Critical Infrastructure Partnership Webinar Series

Each hour-long session is designed to assist critical infrastructure owners and operators, physical security and information security professionals, Chief Information Officers, risk managers, business continuity planners, information technology directors, and local homeland security and emergency management staff in their efforts to enhance the preparation, security, and resilience of communities and their critical infrastructure assets.


Preparedness: September 23 & 30, 2014

Preparedness: Topics are designed to assist private industry and governmental partners and any other critical infrastructure practitioners in enhancing their preparation and resilience efforts:
• Risk Management – Learn from a panel of Minnesota-based Critical Infrastructure practitioners that includes Grant Hosmer, Critical Infrastructure Coordinator for the City of Minneapolis, Glenn Sanders, DHS Protective Security Advisor for Minnesota, and the Downtown Security Executive Group, who will discuss infrastructure resilience planning, and threat assessment associated with large-scale public events such as the 2014 Major League Baseball All Star Game by leveraging public/private partnerships and strategically utilizing risk management tools and resources.
• Training Resources – Christy Magee, Chief of the DHS/IP Stakeholder Education and Training Section, will review training offered by DHS/IP related to security awareness as well as foundational courses available to industry practitioners on critical infrastructure security and resilience.
Register Today! http://www.govevents.com/word-redir.php?id=13964


Cybersecurity Awareness: October 21 & 23, 2014

Cybersecurity Awareness: Topics provide background information about reviewing cyber resilience capabilities, improving information sharing, and evaluating security needs for protecting our local and regional cyber assets:
• Awareness – Learn from the DHS Office of Cybersecurity and Communications how industry and government can serve as strategic partners in two national public awareness and cyber risk management efforts (Stop-Think-Connect and the C3 Voluntary Program) that are aligning business enterprises and local governments to manage cyber risks, better understand cyber threats, and empower the American public to be safer and more secure online.
• Assessment – Hear from industry and government practitioners who have successfully utilized cybersecurity exercises, cyber evaluations, or Cyber Resilience Reviews (CRRs) to improve cyber resilience.

Register Today! http://www.govevents.com/word-redir.php?id=13963


Critical Infrastructure Security and Resilience: November 18 & 20, 2014

Critical Infrastructure Security and Resilience: Topics focus on tools and resources for improving the overall security of a critical infrastructure asset or facility:
• Public/Private Partnerships – A panel comprised of representatives from industry and local government will share innovative best practices from public/private partnerships they have collaboratively developed related to critical infrastructure security and resilience.
• Exercises – Learn from DHS and local critical infrastructure practitioners about scenarios and exercise plans that have been successfully developed to address the most salient threats to local communities, enhancing their ability to respond to and recover from all- hazard events.

Register Today! http://www.govevents.com/word-redir.php?id=13965

WaterISAC Hosts Free Webcast on Cybersecurity Assessments and DHS Tools

DHS has released an updated version (6.1) of its downloadable Cyber Security Evaluation Tool (CSET) and the WaterISAC is hosting a webinar to showcase the updated tool as well as other cybersecurity tools and services.  There is no charge to attend this event and it is open to all interested parties.

DATE:  Wednesday, August 20

TIME:   2:00-3:00PM (eastern)

REGISTER:  Click this link Register Now

The webinar will cover three tools:

  • CSET: A desktop software tool that can produce a prioritized list of recommendations for improving the cybersecurity posture of an organization’s enterprise and industrial control systems. The tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. The most significant change for this version involves the integration of the NIST Cybersecurity Framework.
  • ICS-CERT: CERT’s onsite industrial control system assessment program; and
  • Cyber Resilience Review (CRR): A non-technical assessment that can evaluate an organization’s operational resilience and cybersecurity practices. From DHS’s Cyber Security Evaluation Program, the CRR is meant to complement the NIST Cybersecurity Framework and may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals.

FEMA Hosts Webinars on New National Protection Framework

Please mark your calendars for an upcoming virtual roundtable hosted by FEMA and the Office of Infrastructure Protection regarding the release of the National Protection Framework and Federal Interagency Operational Plans (FIOP) as well as the NIPP 2013. All webinars will be open to the whole community.  You do not need to pre-register. These virtual roundtables will provide an overview on how to develop and implement protection plans under the guidance of the National Protection Framework and the NIPP 2013.

DATES:     August 26        September 2      September 3

TIMES:      11AM-Noon    11AM-Noon       Noon-1:00PM   (all times Eastern)

DIAL/PIN:  800-369-1725/5116984

LINK:      (8/26)   https://share.dhs.gov/nipp2013npfaug26/

(9/2)     https://share.dhs.gov/nipp2013npfsept2/

(9/3)     https://share.dhs.gov/nipp2013npfsept3/

ACCESS:  Enter as a GUEST

The National Protection Framework http://www.fema.gov/national-protection-framework-0 describes what the whole community should do to safeguard against acts of terrorism, natural disasters, and other threats or hazards. The whole community includes:  individuals (including those with disabilities and others with access and functional needs), businesses and nonprofits, faith-based and community groups, schools, and all levels of government. The Protection Framework also describes the core capabilities; roles and responsibilities; and coordinating structures that facilitate the protection of individuals, communities, and the Nation. This Framework is focused on actions to protect against the greatest risks in a manner that allows American interests, aspirations, and way of life to thrive.

You may also find these documents helpful National_Protection_Framework_Stakeholder_Advisory_20140730


Questions? Please email: PPD8-engagement@fema.dhs.gov.

EPA Expands Tabletops on Labs and Contamination Incidents

EPA is expanding its series of free tabletop exercise webcasts that examine the coordination of laboratory services in response to a drinking water contamination incident.

The scenario-based exercise provides state and local governments, utilities, emergency responders, and laboratory personnel with the opportunity to answer questions based on their real-life experiences and knowledge of emergency response practices and procedures contained in the Water Laboratory Alliance Response Plan (WLA-RP). Exercise participants will receive first-hand experience with Water Sector emergency response “best practices” and Water Security tools and resources.

Because of the popularity of these exercises, seven additional exercise events have been added:

2014 Exercises                                              2015 Exercises

September 17   10:00AM-Noon (eastern)      January 14      1:00-3:00PM (eastern)

October 8         1:00-3:00PM (eastern)             February 18    10:00AM-Noon (eastern)

November 5     10:00AM-Noon (eastern)       March 11         1:00-3:00PM (eastern)

         April 15            10:00AM-Noon (eastern)

Registration:  To register for the exercise and select the date of your choice, please visit: http://water.epa.gov/infrastructure/watersecurity/wla/training.cfm.

Over 200 people participated in the first six webcasts of this series conducted between March and July of 2014. The following is some of the feedback that has been received.

State Drinking Water Agency Participant: “We like the way that the exercise was conducted.  …it was interactive, we could see the responses, and it was the perfect length of time.”

Water Utility Participant:  “We learned a great deal during the course of this scenario. The step-by-step question and answer process was very helpful.”

Laboratory Participant: “Very good exercise. A fun way to spend a couple hours!”

For more information about the exercise, please click this link Perfect Storm TTX flyer_2014_2015_07312014

EPA’s SmartGrowth Program to Host Flood Resilience Webinar

WEBINAR EVENT:  Flood Resilience and Recovery Assistance:  Lessons Learned from Vermont

DATE:  August 13, 2014

TIME:   1:00-2:30PM (eastern)

REGISTRATION:  Click https://epa.connectsolutions.com/epasmartgrowth at the time of the event.  No pre-registration required but you must log in as a “Guest.”  Audio is through computer speakers only – no dial in available.

The state of Vermont experienced major damage to roads, houses, and businesses due to flood impacts from Tropical Storm Irene in fall 2011. Vermont’s Agency of Commerce and Community Development, along with the Agency of Natural Resources, Agency of Transportation, and the Mad River Valley Planning District, requested assistance from EPA and the Federal Emergency Management Agency (FEMA) to recover from flood impacts and plan for long-term resilience to future disasters. Through EPA’s Smart Growth Implementation Assistance Program, EPA and FEMA worked with state agencies and communities in Vermont to identify smart growth strategies that can help vulnerable communities prepare for and recover from floods. The project resulted in the report, Planning for Flood Recovery and Long-Term Resilience in Vermont: Smart Growth Approaches for Disaster-Resilient Communities, and a Flood Resilience Checklist, available at http://www.epa.gov/smartgrowth/sgia_communities.htm#rec1.

This webinar will discuss the project, highlighting Smart Growth approaches and strategies communities can consider to become more flood resilient and what the state of Vermont and communities in the Mad River Valley have done since Irene to help enhance flood resilience by building back better than before.

Who Should Attend
Planners; community leaders; state, local, and federal government staff; academics; researchers; and others interested in helping communities prepare for and recover from floods.

Continuing Education
This webinar qualifies for 1.5 certification maintenance credits from the American Planning Association.

Please use http://admin.adobeconnect.com/common/help/en/support/meeting_test.htm to test your computer before attending the event.

Emergency Response: Preparing for Unplanned Events

[Editor’s Note:  Does your state have access to HSIN – the Homeland Security Information Network?  The information below (reprinted from the HSIN Advocate newsletter) may help you use HSIN to establish critical information web pages for use in emergencies.  Read on for more information.]

Emergencies leave little time for planning, but with some strategic preparation, even emergency response operations can run smoothly from the start. HSIN enables users to create a communications framework well in advance of any emergency so affected organizations at every level of government can efficiently access the information they need, when they need it.

Create Event Pages for Quick Deployment

Whenever there is greater potential for an emergency, such as at the beginning of hurricane season, HIN Site Owners can set up event or incident pages in advance with predefined web parts and functionality so that they can be turned on in a moment’s notice. For weather-related events, the basic framework of required information is known well in advance. Emergency planning pages on HSIN can be populated with incident response plans and contact lists along with areas for users in the field to upload documents, input geospatial files and submit images and situational reports.

In addition to the event pages, Site Owners can establish dedicated HSIN Connect rooms and pre-populate them with important, relevant and focused information. This ensures that the room is beneficial to all users, right from the start. Another best practice is to create separate chat rooms so that different user groups can keep conversations and information sharing topic-focused.

Get the Word Out

Make sure that all your partner organizations have appropriate HSIN access and know the correct web addresses to access event-related information.

Conduct Training

Once your HSIN Connect room and event pages are created, use them for drills and training exercises. This will help ensure that users are familiar with the available tools. It is also a good idea to periodically conduct spot training to ensure knowledge is not lost.

Use It, Use It, Use It

The more you use HSIN in your daily routines, the easier, more efficient. and more natural it becomes to use during an event or emergency response operation. We [DHS] recommend incorporating HSIN into training and other planning events and to use HSIN Connect for regular meetings to ensure your users are not only familiar with the platform, but comfortable in its use as well.

To learn additional best practices to help you prepare for unplanned events, contact the HSIN Outreach Team at HSIN.Outreach@hq.dhs.gov.


EPA Seeks Comments on Potential Revisions to its Risk Management Program

EPA is seeking comment on potential revisions to its Risk Management Program (RMP) regulations and related programs to improve chemical facility safety and security as required under Executive Order (EO) 13650: Improving Chemical Facility Safety and Security. Once published in the Federal Register, there will be 90 days to provide input on regulatory elements and safety approaches.

During the 90-day comment period, EPA asks for information and data on specific regulatory elements and process safety management approaches to enhance public health and safety, and aid local fire, police, and emergency response personnel to prepare for and respond to chemical emergencies. The information received will be used when reviewing chemical hazards covered by the RMP and to determine how this program should be expanded to improve chemical facility safety. The RFI does not commit the agency to rulemaking.

The RFI addresses potentially updating the list of RMP regulated substances; seeks comment on strengthening or clarifying several existing process safety elements; and also seeks comment on adding additional risk management program elements. Among these is the use of inherently safer technologies such as whether or how gaseous chlorine use at water treatment facilities would continue to be allowed.

Ultimately, the Agency expects that this effort will enhance public health and safety, as well as assist local fire, police, and emergency responders to prepare for and respond to chemical emergencies. You can learn more here.   To view EPA’s RFI and provide public comment, please go to:  http://www.epa.gov/emergencies/eo_improving_chem_fac.htm.  Once published, the public will have 90 days to submit written comments online, www.regulations.gov (the portal for Federal rulemaking), or by mail.

WaterISAC to Host Two Webcasts to Help Utilities Reduce Cyber Risks to IT and Industrial Control Systems

WaterISAC is hosting two webcasts in July and August about cybersecurity best practices, services, and tools. These webcasts are open to members and non-members without charge.

1.         NIST Cybersecurity Framework, Getting Started in the Water Sector


DATE:  Tuesday, July 22, 2014

TIME:   2:00-3:15 PM (eastern)

REGISTER:  Click this link Register Now

The NIST Cybersecurity Framework is a set of best practices derived from consensus-based IT and industrial control systems security standards. Water and wastewater systems are not legally required to implement the Framework, but the Federal government is urging all critical infrastructure owners and operators to do so voluntarily in order to reduce their risks from possible cyber attacks against their IT and industrial control systems.

The goal of the webcast is to help the water sector get started using the Framework by providing attendees a basic understanding of its components and recommendations. The webcast will also highlight various programs, guidance and tools to help the water sector implement the Framework, such as the AWWA Cybersecurity Guidance & Tool.


2.         Cybersecurity Assessments and Tools by DHS

DATE:  Wednesday, August 20, 2014

TIME:   2:00-3:00 PM (eastern)

REGISTER:  Click this link Register Now

Cybersecurity services and tools offered by the U.S. Department of Homeland Security (DHS) include free, confidential onsite cybersecurity assessments conducted by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) as well as the Cyber Security Evaluation Tool (CSET). CSET is a downloadable tool developed by cybersecurity experts under the direction of ICS-CERT to help users assess the security posture of their cyber systems and networks.

Presenters will also discuss the Cyber Resilience Review (CRR) provided by DHS’s U.S. Computer Emergency Readiness Team (US-CERT). The CRR measures the operational resilience of a specific critical service to provide participants with a detailed report containing options for consideration. It is a voluntary assessment that can either be conducted via a facilitated one-day workshop or as a self-assessment; the CRR Self-Assessment Kit is meant to complement the NIST Cybersecurity Framework.

QUESTIONS?  Contact WaterISAC if you have any questions about either webcast.

EPA Responds to Community Flood Concerns

Earlier today, Joel Beauvais, Associate Administrator for EPA’s Office of Policy, made the following announcement.

EPA’s Office of Sustainable Communities recently released a report and a handy checklist that communities seeking to prepare for or recover from a major flood can use to assess whether their codes, policies, and regulations can help them withstand floods.

The report and checklist cover a wide range of activities. Not all of these activities will be appropriate for each community. However, community leaders may want to consider them all and then choose the activities that work best for their local conditions and circumstances.

Here are some general steps communities can take to improve their flood resilience:

  • Update and integrate community or comprehensive land use plans with hazard mitigation plans to ensure they are coordinated and that they prioritize planning for new growth in safer areas.
  • Audit policies, regulations, and budgets to ensure consistency with flood-resilience goals outlined in community plans and hazard mitigation plans.
  • Amend existing policies, regulations, and budgets or create new ones to help achieve the flood-resilience goals outlined in plans.

Here are some specific local land use policy options communities can consider:

  • Conserve land and discourage development in particularly vulnerable areas along river corridors, such as flood plains and wetlands.
  • Where development already exists in flood-prone areas, take steps to protect people, buildings, and facilities from flooding risks.
  • Plan for and encourage new development in areas that are less vulnerable to future floods.
  • Manage stormwater using watershed-wide stormwater management and green infrastructure approaches to slow, spread, and infiltrate floodwater.

State agencies can also partner to support recovery and flood-resilience planning. Specific actions states can take to improve their flood recovery and resilience efforts include:

  • Auditing all state programs to determine how well they help communities achieve flood-resilience goals.
  • Developing a comprehensive recovery plan before the next flood happens.
  • Developing a personnel plan that delineates who will assist with post-disaster recovery.

The checklist and report come on the heels of President Obama’s announcement on June 14 of a new National Disaster Resilience Competition, which will provide nearly $1 billion in funding from the U.S. Department of Housing and Urban Development’s Community Development Block Grant-Disaster Recovery funds to help communities that have experienced natural disasters rebuild and prepare for future disasters. The Notice of Funding Availability for the competition will be posted on www.hud.gov.

The Office of Sustainable Communities will host a webinar on smart growth approaches for flood-resilient communities with FEMA and the state of Vermont on Wednesday, August 13, from 1:00-2:30 EDT. Find details at http://www.epa.gov/smartgrowth/webinars/index.html.