Having an awareness of the all-hazards threat landscape and the associated risks that could disrupt critical infrastructure operations is a foundational requirement for every organization’s security program. To help water and wastewater utilities, EPA recently published an updated edition of its “Baseline Information on Malevolent Acts for Community Water Systems.”

This guidance document was created to help water utility owners and operators assess the threat that certain malevolent acts pose to their systems and to identify steps that may reduce their risks. EPA emphasizes that assessing threats is a critical step in an “all-hazards” approach to risk management, which also involves evaluating and mitigating the vulnerabilities of critical assets, as well as understanding and reducing the potential consequences of incidents that may occur. The first version of the document was released in 2019, and version 3.0 was published earlier this year in May.

Version 3.0 Updates Include:

• Replaced most point estimates of default threat likelihood with order of magnitude ranges.
• Eliminated accidental contamination of source and finished water as malevolent act threat categories.
• Revised factors potentially impacting threat likelihood.
• Eliminated default threat likelihood values for wastewater.
• Combined cyberattacks on business enterprise systems and process control systems into a single category of cyberattack.

Access the updated report at EPA.

Alongside this guidance document, water and wastewater utilities are encouraged to review the following complementary government resources below:

• EPA - Vulnerability Self-Assessment Tool: Assess risk to human-made threats and natural hazards (recommended for large systems).
• EPA - Small System Risk and Resilience Assessment Checklist: Assess risk to human-made threats and natural hazards (recommended for small systems).  
• EPA - Climate Resilience Evaluation and Awareness Tool: Assess risk to climate change impacts and build resilience through adaptation. 
• EPA - Resilient Strategies Guide: Identify assets that are vulnerable to climate impacts and learn about strategies and funding options for adaptation. 
• CISA - Infrastructure Survey Tool (IST): A voluntary, web-based assessment to identify and document the overall security and resilience of a facility.
• FEMA - Climate Risk and Resilience Portal: Offers free data to stakeholders seeking to understand the risks facing their communities from natural hazards like flooding, wildfires, droughts, extreme heat, and more through the end of the century.
• FEMA - Resilience Analysis and Planning Tool: Allows users to combine layers of community resilience indicators, infrastructure locations, and hazard data to prioritize preparedness and resilience strategies.