This document summarizes the key points from a presentation given by Buck Henderson on the 2002 Bioterrorism Act and requirements for water systems in Texas. The act requires all community water systems serving over 3,300 people to complete a Vulnerability Assessment and those between 50,000-100,000 people to submit theirs by December 2003. It also discusses the development of a Critical Infrastructure Protection Council in Texas to advise the governor on security issues. The presentation covers what should be included in a Vulnerability Assessment and an Emergency Response Plan, such as identifying critical system components, potential threats, and response procedures. It provides guidance on responding to security incidents through site investigation, sampling, and public health measures like boil water advisories
The 7 Things I Know About Cyber Security After 25 Years | April 2024
2003 08 Tceq Speaker Notes
1. Presented At
Southeast Chapter of TAWWA
August Meeting
08/21/03
By
Buck Henderson
Manager
Public Drinking Water Section
Water Supply Division
2. 2002 Bioterrorism Act
(Public Law 107-188)
< VA’s for CWS >3,300 population Served
Í Between 50,000 & <100,000 due 12/31/03
Í Between 3,300 & <50,000 due 06/30/04
* Note: ERPs are due 6 months after
submittal of VAs
< FOIA Protection
< Increased Penalties
3. Texas HB 9
< State Protection from open records & open
meetings for security sensitive information
< Protection of VAs, ERPs, security systems
& location of security cameras
< Developed a Critical Infrastructure
Protection (CIP) Council to advise the
Governor
4. Critical Infrastructure Protection Council
< Dept of Agriculture
< Office of Att. General
< General Land Office
< Public Utility Commission
< TCEQ
< Tx Dept of Health
< Dept of Information Services
< Dept of Public Safety
< Division of Emergency Management
< Tx National Guard
< Railroad Commission
< Tx Strategic Military Planning Commission
< Tx Dept of Transportation
5. Critical Infrastructure Protection Council
Duties
< Develop a statewide CIP Strategy
< Develop an annual report to the Governor to:
Í Update progress on CIP Strategy
Í Provide status & funding of state security
programs
Í Recommend actions to reduce threats to
Homeland Security
Í Recommend ways to improve alert, response
and recovery capabilities of state & local
authorities
6. A “Vulnerability Assessment” (VA) is an evaluation
of a water system that identifies the system’s security
weaknesses and focuses on possible threats to its
ability to provide safe and adequate drinking water.
7. quot;Security Vulnerability Self Assessment Guide For
Small Drinking Water Systems Serving Populations
Between 3,300 and 10,000quot; - (Handout Outline)
TCEQ Home Web site :
http://www.tceq.state.tx.us/AC/comm_exec/homelands
ecurity.html#water
8. A Vulnerability Assessment addresses risks
for all components of a Water System
<Wellhead or Surface Water Intake
<Treatment Plant
<Storage Tank(s)
<Pumps
<Distribution System
9. Six Common Elements of a Vulnerability
Assessment
< Description of the Water System
< Identification & prioritization of possible emergency
situations
< Determination of Critical Components that might be
subject to attack
< Assessments of the Likelihood of such an attack
< Evaluation of existing response measures
< Analysis of current risk & development of a prioritized
plan for risk reduction
10. An “Emergency Response Plan” (ERP) is a well
thought-out series of planned actions designed to
allow operators to effectively respond to natural and
man-made emergencies.
11. Events That May Trigger A Response
< Security Breach
< Direct Utility Notification/Threat
< Media Notification
< Law Enforcement/National Alert
< Early Warning System
< Consumer Complaint
< Public Health Notification
12. Who To Contact For A Possible Event
<Internal
Í ERP
Í Communication Tree
<External
Í Local Law Enforcement (911) & ERs
Í TCEQ Region Office (24-hour Hotline #
1-800-255-3924)
Í Civic Government
<Incident Command
Í Criminal Investigation
Í Public Health Investigation
Í Environmental Response & Remediation
13. Who Determines Threat Credibility ?
< Role of Law Enforcement
< Role of The Utility
< Role of The TCEQ PDW Program
< Role of the State Health Department
< Role of Local & Other State Governments
15. Contengencies For Public Health
Response
< Alternate Water Supply
< Bottled Water
< Fire Protection
< Sanitation
16. Information Used For A Threat
Assessment
< Previous security events @ the utility
< National trends for security events (ISAC)
< Details of the circumstances that triggered the
event
< Warnings & Alerts
< Intelligence Information
< National/Sector/DEM Threat Level
< Site Characterization
< Field Screening Results
< Analytical Results
< Distribution System Modeling
< Additional Resources
17. Site Characterization
The process of collecting information from the site of
a suspected contamination event at a DW System
< Site Investigation
< Field Safety Screening
< Rapid Field Water Testing
< Sample Collection
< Maintain Crime Scene Integrity
Í Avoid disturbing physical evidence
< Photos/videos may likely be helpful
18. General Evidence of Potential
Contamination
< Discarded gloves, masks, goggles & protective
outerwear
< Discarded equipment - tubing, hoses, pumps,
sprayers, etc.
< Unusual empty containers (caution !)
< Unusual residual material around the site-
powders, granules, oily liquids, metallic debris,
etc. (caution !)
19. Signs of Possible Chemical
Contamination
< Unexplained dead/sick wildlife
< Unusual dead, discolored or withered vegetation
< Oily liquid on surfaces or oily film on water
surface
< Unusual odors
Í Almonds, peach, fruity/flowery,
sharp/pungent, garlic/horseradish, sulfur,
new mown hay, irritating
< Unexplained low lying fog
20. Typical Public Health Response
Measures
< Boil Water Advisory
< Don’t Drink Advisory
< Don’t Use Advisory
< Seek Medical Attention
21. Who Is Involved In Remediation
Efforts ?
< Role of The Utility
< Role of The TCEQ
< Role of Remediation Teams
< Role of the State Health Department
22. Remediation, Disinfection &
Decontamination
< Characterization of Contaminated Area
< Containment of Contaminated Water
< Treatment, Disinfection & Decontamination
< Disposal of Decontamination Residuals
< Return to Normal Operation
23. How Can A Water System Prepare ?
< Conduct a VA
< Develop an ERP
< Develop Response Guidelines
< Establish & Maintain a Communication
Tree
< Familiarize First Responders to your WS
< Training & Desk/Field exercises
< Enhance Physical Security
< Implement An Early Warning System
24. Effective Communication With
Stakeholders
< Let Public know you have Identified your
weaknesses thru VAs & ERPs
Í But do not provide details of weaknesses
and corrective actions you will take
< Being too free with your system’s security
information is a vulnerability itself
< Your goal should be to provide enough
information so the public is reassured & key
players are prepared, but limit access to sensitive
info by the “need to know” rule
25. VA & ERP Communication Targets
< Internal Staff (most important)
< State Drinking Water Agencies
< First Responders
< Priority Customers & community
Organizations
< General customers
< Others (Public Health Sector & other
systems)
26. Common Questions
< Who performs/pays for response
sampling?
< Who performs/pays for analyses of water
samples suspected of contamination?
< Who determines what to test for?
27. “He is best secure from dangers who is on his
guard even when he seems safe” -Syrus Publilius