10651 Perspectives on J100 Vulnerability Assessment ...
Transcript of 10651 Perspectives on J100 Vulnerability Assessment ...
1
PERSPECTIVES ON A J100 VULNERABILITY ASSESSMENT – OUTCOMES AND LESSONS LEARNED BY MINNEAPOLIS WATERAUGUST 2016
Mr. Glen Gerads, Director of Minneapolis WaterMr. Andrew Ohrt, PE, Arcadis
© Arcadis 2016
Agenda
2
• What is Resilience?
• What is a J100 Vulnerability Assessment?
• Who is Minneapolis Water?
• Why did Minneapolis Water decide to complete a J100 Vulnerability Assessment?
• What was the project approach?
• What are the lessons learned and conclusions?
• How does this effort fit within Minneapolis Water’s overall risk management program?
2
© Arcadis 2016
Resilience: One Definition
“Resilience is the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience.”
3
© Arcadis 2016
Rockefeller Foundation –Resilience Cities Framework
4
http://www.100resilientcities.org/
3
© Arcadis 2016
The Many Facets of Resilience
Cyber securityAsset managementSupply chain managementClimate change/drought planningAll hazards risk assessments Flood protectionEmergency response planning and exercisingPhysical security designGreen InfrastructureAnd more
5
© Arcadis 2016
Common Utility Risk Questions
• How many critical assets do I have?
• What is the most likely threat for my assets?
• Which threats have the biggest consequences?
• Do I need to worry about cyber-attacks?
• Should I protect my assets against a bomb?
• How do I set my utility up for compliance with future rules and laws?
6August 30, 2016
4
© Arcadis 2016
Questions on Quantifying Risk
• How do I measure the risk associated with threats?
• What are the means to track risk reduction?
• How do I prioritize projects to increase resilience?
• What is the definition of resilience for my utility?
7August 30, 2016
What is a J100 Vulnerability Assessment?
5
© Arcadis 2016
What is “J100”? Historical Context
9
• Bioterrorism Act of 2002• Vulnerability Assessments
• Emergency Response Plans
• 2002: Department of Homeland Security (DHS) Established
• 2003: Homeland Security Presidential Directive 7 (HSPD-7)• 17 (now 16) Critical Infrastructure Sectors
established
© Arcadis 2016
What is “J100”? Historical Context
10
Guns
Guards
Gates
All Hazards Approach
Response
Recovery
Resilience
6
© Arcadis 2016
Takes an “All Hazards” Approach
11
© Arcadis 2016
Who is using the J100 methodology?
12
7
© Arcadis 2016
What is the AWWA J100 Standard?
• AWWA J100 Standard (Risk and Resilience Management of Water and Wastewater Systems “J100”)
• Methodology to quantify risk ($)
• Down to the individual asset level
• Analyzing multiple threat types
• A way to compare apples to oranges
13August 30, 2016
© Arcadis 2016
J100 – What Can J100 do?
14
• Security and Safety• Natural Hazards threats• Cyber Security• Operational and Financial Resilience• Emergency Response• Business Continuity
An All Hazards VA is a broad, holistic process that can
address:
• Dovetails with asset management• Supports planning for population
growth, maintaining water quality and quantity
• Inform capital expenditures across the organization
Outcomes are not isolated but tied to organization’s
objectives:
8
© Arcadis 2016
What is the J100 Process?
15August 30, 2016
1) Asset Characterization
2) Threat Characterization
3) Consequence Analysis
4) Vulnerability Analysis
5) Threat Likelihood Analysis
6) Risk/Resilience Analysis
7) Risk/Resilience Management
Risk = C x V x T
VC
T
= Consequences
= Vulnerability
= Threat Likelihood
Who is Minneapolis Water?
9
© Arcadis 2016
City of Minneapolis Water Treatment & Distribution Services
17
• Established in 1867
• Provides drinking water and fire-
fighting capabilities
• Sole water source is the Mississippi
River
• Withdraws 21 billion gallons of water
per year
• Produces an average of 57 MGD
• Softens water prior to distribution
• 1,000 miles of water mains
© Arcadis 2016
Customers
18
• ~38% is for institutional, commercial and industrial use
• ~22% goes to suburban customers
10
Why did Minneapolis Water Conduct a J100 Vulnerability Assessment?
© Arcadis 2016
Better Understand Risks
20
11
© Arcadis 2016
Project Objectives
21
• Improve Minneapolis Water’s ability to achieve its mission
• Improve Minneapolis Water’s emergency preparedness posture & resilience
• Validate current actions
• Fine tune operations and performance
© Arcadis 2016
Expected Outcomes
22
• The final Vulnerability Assessment would:
• Improve resilience
• Reduce risks
• Outline concrete risk reduction projects
• Risk reduction projects would:• Be phased • Have associated estimated costs• Prioritization based on risk distribution • Integrate easily with capital planning
• Right-sizing of current physical security
• Validation of current actions
12
Project Approach
© Arcadis 2016
Project Phasing
24
2013 2014 2015
J100 – Phase 1 –Scoping
Additional VA Focus Areas
J100 VA – Phase 2 – Implementation
13
© Arcadis 2016
J100 VA – Phase I – Scoping
25
• Where Minneapolis Water wanted to focus the VA
• Where Minneapolis Water already had risk mitigation measures in place
Facilitated workshops to focus scope and build consensus:
© Arcadis 2016
J100 VA – Phase I Conclusions
26
• Identified natural hazards for evaluation
• Floods
• Tornadoes
• Blizzards/ice storms
• Identified focal points for malicious adversary and cyber threats
• Identified relevant dependency hazards
• Identified additional focus areas
14
© Arcadis 2016
Additional Focus Areas
27
• Contaminant Warning System Gap Analysis
• Electrical System Analysis
• Emergency Response Planning Gap Assessment
• Grant Funding Opportunities
• Cyber Vulnerability Assessment
© Arcadis 2016
Cyber Vulnerability Assessment
28
• Attacks more publicized and frequent
• Critically important to Water/WW• Ongoing convergence – more data
+ faster to more people • Lots of attention from the Feds and
industry organization
15
© Arcadis 2016
Cyber Systems IT vs. OT (SCADA)
29
Item IT SCADA
Outage Impact
Loss of service/productivity
Infrastructure damage, impact to public health, regulatory violation
Availability 24/7, can be shutdown to retain system integrity
24/7, shutdowns have operation ramifications
Core Hardware
Server Logic Controller
Operator Impact
Productivity Real-time operator situational awareness, process knowledge
© Arcadis 2016
Phase II – Implementation
30
• Harnessed momentum from Phase I: – Leadership Team
Alignment
– Focused Threat Characterization
– Understanding of the J100 Standard & Process
1) Asset Characterization
2) Threat Characterization
3) Consequence Analysis
4) Vulnerability Analysis
5) Threat Likelihood Analysis
6) Risk/Resilience Analysis
7) Risk/Resilience Management
16
© Arcadis 2016
Mission & Service Levels
31
What is our Mission? –
What is our Service Level –
• For the utility
• For each critical asset
© Arcadis 2016
Critical Asset Identification• Do you know what your critical assets are?
• “Something of importance that, if targeted, exploited, destroyed, or incapacitated could result in injury, death, economic damage to the owner or the community”
• High Repair/Replacement Cost
• Long Outage Time/Service Denial
• Little/No Redundancy
• Single Point of Failure
32August 30, 2016
17
© Arcadis 2016
Threat Identification
33August 30, 2016
Critical Asset
Malevolent (Physical)
Natural Hazards
Dependency/ Proximity Hazards
Malevolent (Cyber)
© Arcadis 2016
Threat Characterization – Critical Assumptions –Malicious Adversaries
34
Does the adversary have explosives?
Adversary Attributes:
1. Intentions 2. Motivations3. Capabilities4. Expected Number5. Police Response 6. Threat Level 7. ImpactsC
rim
inal
18
© Arcadis 2016
Threat Characterization –Cyber
35
• Insiders:
Accidental/Intentional
User/Privileged User
• Outsiders:
Small-Scale Attackers
Criminal groups
Terrorists
Foreign Intelligence Services
© Arcadis 2016
Threat Characterization – Critical Dependencies
36
• Electrical Utilities
• Natural Gas Utilities
• Mississippi River
• Upper St. Anthony Falls Dam and Pool
• State Duty Officer for Notification of River Contamination
19
© Arcadis 2016
Threat Characterization – Proximity Hazard –Mississippi River
37
Rail & Highway
© Arcadis 2016
Threat Characterization – Mississippi River Rail and Highway Crossings
38
20
© Arcadis 2016
Threat Characterization – Monticello Nuclear Generating Plant
39
• Located ~40 miles upriver
• Began operating in 1971
• Strong operational record
© Arcadis 2016
Threat Characterization – Mississippi River –Hazardous Material Pipeline Crossings
40
Mississippi River Pipeline Crossing
Minneapolis WaterWorks
21
© Arcadis 2016
Threat Characterization – Data Sources
41
© Arcadis 2016
Threat-Asset Pairs (TAPs)
• All Combinations of Threats + Critical Assets
• TAPs Organized by Asset Type or Geography
42August 30, 2016
Threat Asset Threat Asset
22
© Arcadis 2016
Data Management
43
Data Summary
Total Number of Facilities 38Total Number of Critical Facilities 24Approximate Total Number of Assets >1,000Total Number of Critical Assets ~300Total Number of Selected Threats 15Total Number of Threat-Asset Pairs (TAPs) ~200Total Number of TAPs (to focus on) ~70
© Arcadis 2016
Data Management Software – Which is the right tool?
44
What functionality did we need?• Easily handle large datasets• Automate natural hazard calculations• Automate vulnerability calculations (event tree, path analysis, expert
elicitation)• Automate risk & resilience calculations• Automate documentation of assumptions and inputs
Arcadis selected:
(Vulnerability Self Assessment Tool)
(Program to Assist Risk & Resilience Examination)
23
© Arcadis 2016
ConsequencesRisk = C x V x T
Worst Reasonable Case: most severe but reasonable and credible consequences
C is expressed as cost ($)
45August 30, 2016
Caution: Somewhat subjective. Utilize same team members for consistent analysis.
© Arcadis 2016
VulnerabilityRisk = C x V x T
46August 30, 2016
Assume threat occurs.
V = Probability Of Consequences Occurring
24
© Arcadis 2016
Threat LikelihoodRisk = C x V x T
What is the likelihood the threat will strike my operation?
T = Probability Undesirable Event Occurs
47August 30, 2016
© Arcadis 2016
Risk Calculation Revisited
48August 30, 2016
Risk = C x V x T
V
C
T
= Consequences
= Vulnerability
= Threat Likelihood
25
© Arcadis 2016
R = C x V x T
Risk/Resilience AnalysisR
isk
Flood TornadoDroughtMalicious Adversary Utility DependenceDistribution Contamination Source Water Contamination
49
© Arcadis 2016
Setting the “Bar”
Considerations:
• Resources (Man-power, $)
• Physical constraints
• Regulatory
• Social/customer influence
• Time
Where should we start?
50August 30, 2016
Why wouldn’t you want to target a Risk = $ Zero?
26
© Arcadis 2016
R = C x V x T
Target RisksR
isk
Flood TornadoDroughtMalicious Adversary Utility DependenceDistribution Contamination Source Water Contamination
Risk Reduction Target
51
© Arcadis 2016
Trending TAP Risk
•What projects reduce risk?
•Can a single project benefit multiple TAPs?
•Iterative process
52August 30, 2016
27
© Arcadis 2016 53
Risk/Resilience Management
• R&R Analysis provided baseline level of risk• Develop Risk Mitigation Measures (RMMs)
– Scope with conceptual designs – Cost Estimate Recalculate Risk assuming RMM
implemented• Executed Benefit-Cost Analysis (BCA)
BCA = Risk Reduction ($) – Cost ($)Cost ($)
© Arcadis 2016
Risk Mitigation Measure Projects• Training/exercising program enhancements
• Conceptual design projects
– Physical security experts, Water engineer, Structural engineer, Architect, Cyber security expert, Emergency response expert
• Packages included:
– Project descriptions
– Schematics
– Capital costs
– O&M costs
54
28
© Arcadis 2016 55
Risk Mitigation Measure Project Profile
Project Name Pump Station A Upgrade
Project No. X
Priority Medium
Relevant Threats and Assets
TornadoPump Station A
Duration 1 year
Description Upgrade description.
Impacted Stakeholders Maintenance staff Operations staff
Cost Estimate CAPITAL COST RANGE $90,000 - $120,000
ANNUAL O&M COSTS $10,000
PROJECT USEFUL LIFE 10 years
© Arcadis 2016
Year 1
Project 1
Project 2
Year 2
Project 3
Project 4
Year 3
Project 5
Project 6
Year 4
Project 7
Project 8
Year 5
Project 9
Project 10
Capital Planning Ready
• RMM projects identified (20-25 total)
• 5-Year-Capital Plan Ready
• Prioritization:
– Short-term/Long-Term
– Benefit-Cost Analysis
– Capital Cost
– % Risk Reduction
56
29
© Arcadis 2016
RMM Cost Estimates
• Association for the Advancement of Cost Engineering International (AACE)
• Level 4 – Feasibility • Project Definition: 1-15%
• Purpose of Estimate: Feasibility
• Accuracy: -30% to +50% cost range
• Assumed annual O&M costs Assumed average project useful life
57
© Arcadis 2016
Summary of RMMs
RMM Threat Type Critical Assets Project Name1 All All Emergency Response Plan and Multi-Year Training
and Exercise Plan Development
2 Natural Hazard - Tornadoes Pump Station A Tornado Protection
3 Natural Hazard - Floods Pump Station B Flood Protection
4 Malevolent Threat - SabotageInsider/Outsider
Treatment Building Physical Security Upgrades (Access Control)
5 Malevolent Threat - SabotageInsider/Outsider
Pump Station C Physical Security (Cameras)
6 Dependence - Utilities Pump Station D Backup Power Installation
7 Natural Hazard - Floods Pump Station E Flood-proofing and Response Exercising
8 Malevolent Threat - SabotageInsider/Outsider
Pump Station F SCADA Cabinet Upgrade (Cyber VA)
9 Malevolent Threat - SabotageInsider/Outsider
All Cabinet Physical Security Policy (Cyber VA)
10 Natural Hazard - Tornadoes All Facility Connectivity (Cyber VA)
58
30
© Arcadis 2016
Risk Reduction Summary
RMM No. Priority Cost Estimate1 – All – Emergency Response Planning,Training and Exercising
High $200,000
2 – Pump Station A – Tornado Protection Low $400,0003 – Pump Station B – Flood Protection Low $20,0004 – Treatment Building – Sabotage Low $300,0005 – Pump Station C – Sabotage Low $40,0006 – Pump Station D – Sabotage High $30,0007 – Pump Station E – Floods Medium $100,0008 – Pump Station F – Backup Power Medium $500,0009 – All – Sabotage – Security Policy High $1,00010 – Communications System – Tornadoes High $50,000
59
© Arcadis 2016
RMM PrioritizationRMM No. Priority Cost Estimate
1 – All – Emergency Response Planning,Training and Exercising
High $200,000
9 – All – Sabotage – Security Policy High $1,00010 – Communications System – Tornadoes High $50,0006 – Pump Station D – Sabotage High $30,000
TOTAL $281,0007 – Pump Station E – Floods Medium $100,0008 – Pump Station F – Backup Power Medium $500,000
TOTAL $600,0002 – Pump Station A – Tornado Protection Low $400,0003 – Pump Station B – Flood Protection Low $20,0004 – Treatment Building – Sabotage Low $300,0005 – Pump Station C – Sabotage Low $40,000
TOTAL $760,00060
31
Conclusions
© Arcadis 2016
Additional Benefits of Vulnerability Assessment• Workshops Encouraged:
• Engagement • Information sharing across departments
• Staff Learned How to Assess Risk
• Improved “Risk” Culture
• Risk Mitigation Projects Support Capital Improvement Planning
62
32
© Arcadis 2016
VA Conclusions
63
• Identified areas for improvement
• Documented capabilities
• Informed the CIP
• Informed the overall risk management process
© Arcadis 2016
Acknowledgements
64
• Bob Ervin, PE, Minneapolis Water
• Annika Bankston, PE, Minneapolis Water
• Minneapolis Water Staff!
• Shannon Spence, PE, Arcadis
33
THANK YOU!August 29, 2016
Mr. Glen GeradsDirectorMinneapolis [email protected]
Mr. Andrew Ohrt, PESenior Consultant Arcadis U.S., [email protected]
AUGUST 29, 2016
Presentation Handout Perspectives on a J100 Vulnerability Assessment – Lessons Learned by Minneapolis Water
Mr. Glen Gerads & Mr. Andrew Ohrt
August 29th, 2016
Resilience – One Definition –
“Resilience is the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience.”
Common Questions Regarding Risk –
• How many critical assets do I have?
• What is the most likely threat for my assets?
• Which threats have the biggest consequences?
• Do I need to worry about cyber-attacks?
• Should I protect my assets against a bomb?
• How do I set my utility up for compliance with future rules and laws?
• How do I measure the risk associated with threats?
• What are the means to track risk reduction?
• How do I prioritize projects to increase resilience?
• What is the definition of resilience for my utility?
What is the American Water Works Association J100 Standard for Risk and Resilience Management of Water and Wastewater Systems?
• Methodology to quantify risk ($) to the individual asset level.
• Provides a way to evaluate multiple threat types.
• A way to compare “apples” to “oranges” for both asset and threat/hazard types.
AUGUST 29, 2016
Presentation Handout Perspectives on a J100 Vulnerability Assessment – Lessons Learned by Minneapolis Water
Mr. Glen Gerads & Mr. Andrew Ohrt
August 29th, 2016
Steps to perform a VA using the J100 Standard are:
1) Asset Characterization
2) Threat Characterization
3) Consequence Analysis
4) Vulnerability Analysis
5) Threat Likelihood Analysis
6) Risk/Resilience Analysis
7) Risk/Resilience Management
What happens to my assets & operations if attacked by terrorists, natural hazards or supply chain disruption? How much money lost, to me? fatalities? injuries? How much economic loss to the regional community?
What reasonable worst case man-made threat, natural hazard & supply chain scenarios should I consider?
What assets do I have that are critical to my operations?
What vulnerabilities would allow a terrorist, natural disaster or supply chain problems to cause these consequences? Given the scenario, what is the likelihood it will result in these consequences?
What is the likelihood that a terrorist natural disaster or supply chain disruption will strike my operations?
Risk = Consequences x Vulnerability x Threat Likelihood Resilience = Service Outage x (Vulnerability x Threat Likelihood)
What options do I have to reduce risks & increase resilience? How much will each benefit in reduced risks and Increased resilience? How much will it cost? What is the net benefit & benefit/cost ratio of my options? How can I manage the chosen options?