10651 Perspectives on J100 Vulnerability Assessment ...


PERSPECTIVES ON A J100 VULNERABILITY ASSESSMENT – OUTCOMES AND LESSONS LEARNED BY MINNEAPOLIS WATER
AUGUST 2016

Mr. Glen Gerads, Director of Minneapolis Water
Mr. Andrew Ohrt, PE, Arcadis

© Arcadis 2016

Agenda


• What is Resilience?

• What is a J100 Vulnerability Assessment?

• Who is Minneapolis Water?

• Why did Minneapolis Water decide to complete a J100 Vulnerability Assessment?

• What was the project approach?

• What are the lessons learned and conclusions?

• How does this effort fit within Minneapolis Water’s overall risk management program?


Resilience: One Definition

“Resilience is the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience.”

Rockefeller Foundation – Resilience Cities Framework

http://www.100resilientcities.org/


The Many Facets of Resilience

• Cyber security
• Asset management
• Supply chain management
• Climate change/drought planning
• All hazards risk assessments
• Flood protection
• Emergency response planning and exercising
• Physical security design
• Green Infrastructure
• And more

Common Utility Risk Questions

• How many critical assets do I have?

• What is the most likely threat for my assets?

• Which threats have the biggest consequences?

• Do I need to worry about cyber-attacks?

• Should I protect my assets against a bomb?

• How do I set my utility up for compliance with future rules and laws?

August 30, 2016

Questions on Quantifying Risk

• How do I measure the risk associated with threats?

• What are the means to track risk reduction?

• How do I prioritize projects to increase resilience?

• What is the definition of resilience for my utility?


What is a J100 Vulnerability Assessment?


What is “J100”? Historical Context

• Bioterrorism Act of 2002
– Vulnerability Assessments
– Emergency Response Plans
• 2002: Department of Homeland Security (DHS) Established
• 2003: Homeland Security Presidential Directive 7 (HSPD-7)
– 17 (now 16) Critical Infrastructure Sectors established

What is “J100”? Historical Context


Guns

Guards

Gates

All Hazards Approach

Response

Recovery

Resilience


Takes an “All Hazards” Approach


Who is using the J100 methodology?


What is the AWWA J100 Standard?

• AWWA J100 Standard (Risk and Resilience Management of Water and Wastewater Systems “J100”)

• Methodology to quantify risk ($)

• Down to the individual asset level

• Analyzing multiple threat types

• A way to compare apples to oranges


J100 – What Can J100 do?

An All Hazards VA is a broad, holistic process that can address:

• Security and Safety
• Natural Hazards threats
• Cyber Security
• Operational and Financial Resilience
• Emergency Response
• Business Continuity

Outcomes are not isolated but tied to organization’s objectives:

• Dovetails with asset management
• Supports planning for population growth, maintaining water quality and quantity
• Inform capital expenditures across the organization

What is the J100 Process?


1) Asset Characterization

2) Threat Characterization

3) Consequence Analysis

4) Vulnerability Analysis

5) Threat Likelihood Analysis

6) Risk/Resilience Analysis

7) Risk/Resilience Management

Risk = C x V x T

C = Consequences
V = Vulnerability
T = Threat Likelihood

Who is Minneapolis Water?


City of Minneapolis Water Treatment & Distribution Services

• Established in 1867
• Provides drinking water and fire-fighting capabilities
• Sole water source is the Mississippi River
• Withdraws 21 billion gallons of water per year
• Produces an average of 57 MGD
• Softens water prior to distribution
• 1,000 miles of water mains

Customers


• ~38% is for institutional, commercial and industrial use

• ~22% goes to suburban customers


Why did Minneapolis Water Conduct a J100 Vulnerability Assessment?


Better Understand Risks


Project Objectives


• Improve Minneapolis Water’s ability to achieve its mission

• Improve Minneapolis Water’s emergency preparedness posture & resilience

• Validate current actions

• Fine tune operations and performance


Expected Outcomes

• The final Vulnerability Assessment would:
– Improve resilience
– Reduce risks
– Outline concrete risk reduction projects

• Risk reduction projects would:
– Be phased
– Have associated estimated costs
– Prioritization based on risk distribution
– Integrate easily with capital planning

• Right-sizing of current physical security

• Validation of current actions


Project Approach


Project Phasing

2013 2014 2015

J100 – Phase 1 – Scoping

Additional VA Focus Areas

J100 VA – Phase 2 – Implementation

J100 VA – Phase I – Scoping

Facilitated workshops to focus scope and build consensus:

• Where Minneapolis Water wanted to focus the VA
• Where Minneapolis Water already had risk mitigation measures in place

J100 VA – Phase I Conclusions


• Identified natural hazards for evaluation

• Floods

• Tornadoes

• Blizzards/ice storms

• Identified focal points for malicious adversary and cyber threats

• Identified relevant dependency hazards

• Identified additional focus areas


Additional Focus Areas


• Contaminant Warning System Gap Analysis

• Electrical System Analysis

• Emergency Response Planning Gap Assessment

• Grant Funding Opportunities

• Cyber Vulnerability Assessment


Cyber Vulnerability Assessment

• Attacks more publicized and frequent
• Critically important to Water/WW
• Ongoing convergence – more data + faster to more people
• Lots of attention from the Feds and industry organization

Cyber Systems IT vs. OT (SCADA)

| Item | IT | SCADA |
|---|---|---|
| Outage Impact | Loss of service/productivity | Infrastructure damage, impact to public health, regulatory violation |
| Availability | 24/7, can be shut down to retain system integrity | 24/7, shutdowns have operational ramifications |
| Core Hardware | Server | Logic Controller |
| Operator Impact | Productivity | Real-time operator situational awareness, process knowledge |

Phase II – Implementation

• Harnessed momentum from Phase I:
– Leadership Team Alignment
– Focused Threat Characterization
– Understanding of the J100 Standard & Process

1) Asset Characterization

2) Threat Characterization

3) Consequence Analysis

4) Vulnerability Analysis

5) Threat Likelihood Analysis

6) Risk/Resilience Analysis

7) Risk/Resilience Management


Mission & Service Levels


What is our Mission? –

What is our Service Level –

• For the utility

• For each critical asset

Critical Asset Identification

• Do you know what your critical assets are?

• “Something of importance that, if targeted, exploited, destroyed, or incapacitated could result in injury, death, economic damage to the owner or the community”

• High Repair/Replacement Cost

• Long Outage Time/Service Denial

• Little/No Redundancy

• Single Point of Failure


Threat Identification


Critical Asset

Malevolent (Physical)

Natural Hazards

Dependency/ Proximity Hazards

Malevolent (Cyber)

Threat Characterization – Critical Assumptions – Malicious Adversaries

Does the adversary have explosives?

Adversary Attributes:

1. Intentions
2. Motivations
3. Capabilities
4. Expected Number
5. Police Response
6. Threat Level
7. Impacts

Criminal

Threat Characterization – Cyber

• Insiders:

Accidental/Intentional

User/Privileged User

• Outsiders:

Small-Scale Attackers

Criminal groups

Terrorists

Foreign Intelligence Services


Threat Characterization – Critical Dependencies


• Electrical Utilities

• Natural Gas Utilities

• Mississippi River

• Upper St. Anthony Falls Dam and Pool

• State Duty Officer for Notification of River Contamination

Threat Characterization – Proximity Hazard – Mississippi River

Rail & Highway


Threat Characterization – Mississippi River Rail and Highway Crossings


Threat Characterization – Monticello Nuclear Generating Plant


• Located ~40 miles upriver

• Began operating in 1971

• Strong operational record

Threat Characterization – Mississippi River – Hazardous Material Pipeline Crossings

Mississippi River Pipeline Crossing

Minneapolis WaterWorks


Threat Characterization – Data Sources


Threat-Asset Pairs (TAPs)

• All Combinations of Threats + Critical Assets

• TAPs Organized by Asset Type or Geography


Data Management

Data Summary

• Total Number of Facilities: 38
• Total Number of Critical Facilities: 24
• Approximate Total Number of Assets: >1,000
• Total Number of Critical Assets: ~300
• Total Number of Selected Threats: 15
• Total Number of Threat-Asset Pairs (TAPs): ~200
• Total Number of TAPs (to focus on): ~70

Data Management Software – Which is the right tool?

What functionality did we need?

• Easily handle large datasets
• Automate natural hazard calculations
• Automate vulnerability calculations (event tree, path analysis, expert elicitation)
• Automate risk & resilience calculations
• Automate documentation of assumptions and inputs

Arcadis selected:

(Vulnerability Self Assessment Tool)

(Program to Assist Risk & Resilience Examination)

Consequences

Risk = C x V x T

Worst Reasonable Case: most severe but reasonable and credible consequences

C is expressed as cost ($)

Caution: Somewhat subjective. Utilize same team members for consistent analysis.

Vulnerability

Risk = C x V x T

Assume threat occurs.

V = Probability Of Consequences Occurring

Threat Likelihood

Risk = C x V x T

What is the likelihood the threat will strike my operation?

T = Probability Undesirable Event Occurs

Risk Calculation Revisited

Risk = C x V x T

C = Consequences
V = Vulnerability
T = Threat Likelihood

Risk/Resilience Analysis

R = C x V x T

[Chart: Risk by threat type – Flood, Tornado, Drought, Malicious Adversary, Utility Dependence, Distribution Contamination, Source Water Contamination]

Setting the “Bar”

Considerations:

• Resources (Man-power, $)

• Physical constraints

• Regulatory

• Social/customer influence

• Time

Where should we start?


Why wouldn’t you want to target a Risk = $ Zero?

Target Risks

R = C x V x T

[Chart: Risk by threat type with Risk Reduction Target – Flood, Tornado, Drought, Malicious Adversary, Utility Dependence, Distribution Contamination, Source Water Contamination]

Trending TAP Risk

• What projects reduce risk?
• Can a single project benefit multiple TAPs?
• Iterative process

Risk/Resilience Management

• R&R Analysis provided baseline level of risk
• Develop Risk Mitigation Measures (RMMs)
– Scope with conceptual designs
– Cost Estimate
• Recalculate Risk assuming RMM implemented
• Executed Benefit-Cost Analysis (BCA)

BCA = [Risk Reduction ($) – Cost ($)] / Cost ($)

Risk Mitigation Measure Projects

• Training/exercising program enhancements

• Conceptual design projects

– Physical security experts, Water engineer, Structural engineer, Architect, Cyber security expert, Emergency response expert

• Packages included:

– Project descriptions

– Schematics

– Capital costs

– O&M costs


Risk Mitigation Measure Project Profile

Project Name: Pump Station A Upgrade
Project No.: X
Priority: Medium
Relevant Threats and Assets: Tornado; Pump Station A
Duration: 1 year
Description: Upgrade description.
Impacted Stakeholders: Maintenance staff; Operations staff
Cost Estimate:
– Capital cost range: $90,000 - $120,000
– Annual O&M costs: $10,000
– Project useful life: 10 years

Capital Planning Ready

• RMM projects identified (20-25 total)
• 5-Year-Capital Plan Ready
• Prioritization:
– Short-term/Long-Term
– Benefit-Cost Analysis
– Capital Cost
– % Risk Reduction

Year 1: Project 1, Project 2
Year 2: Project 3, Project 4
Year 3: Project 5, Project 6
Year 4: Project 7, Project 8
Year 5: Project 9, Project 10


RMM Cost Estimates

• Association for the Advancement of Cost Engineering International (AACE)
• Level 4 – Feasibility
• Project Definition: 1-15%
• Purpose of Estimate: Feasibility
• Accuracy: -30% to +50% cost range
• Assumed annual O&M costs
• Assumed average project useful life

Summary of RMMs

| RMM | Threat Type | Critical Assets | Project Name |
|---|---|---|---|
| 1 | All | All | Emergency Response Plan and Multi-Year Training and Exercise Plan Development |
| 2 | Natural Hazard - Tornadoes | Pump Station A | Tornado Protection |
| 3 | Natural Hazard - Floods | Pump Station B | Flood Protection |
| 4 | Malevolent Threat - Sabotage Insider/Outsider | Treatment Building | Physical Security Upgrades (Access Control) |
| 5 | Malevolent Threat - Sabotage Insider/Outsider | Pump Station C | Physical Security (Cameras) |
| 6 | Dependence - Utilities | Pump Station D | Backup Power Installation |
| 7 | Natural Hazard - Floods | Pump Station E | Flood-proofing and Response Exercising |
| 8 | Malevolent Threat - Sabotage Insider/Outsider | Pump Station F | SCADA Cabinet Upgrade (Cyber VA) |
| 9 | Malevolent Threat - Sabotage Insider/Outsider | All | Cabinet Physical Security Policy (Cyber VA) |
| 10 | Natural Hazard - Tornadoes | All | Facility Connectivity (Cyber VA) |

Risk Reduction Summary

| RMM No. | Priority | Cost Estimate |
|---|---|---|
| 1 – All – Emergency Response Planning, Training and Exercising | High | $200,000 |
| 2 – Pump Station A – Tornado Protection | Low | $400,000 |
| 3 – Pump Station B – Flood Protection | Low | $20,000 |
| 4 – Treatment Building – Sabotage | Low | $300,000 |
| 5 – Pump Station C – Sabotage | Low | $40,000 |
| 6 – Pump Station D – Sabotage | High | $30,000 |
| 7 – Pump Station E – Floods | Medium | $100,000 |
| 8 – Pump Station F – Backup Power | Medium | $500,000 |
| 9 – All – Sabotage – Security Policy | High | $1,000 |
| 10 – Communications System – Tornadoes | High | $50,000 |

RMM Prioritization

| RMM No. | Priority | Cost Estimate |
|---|---|---|
| 1 – All – Emergency Response Planning, Training and Exercising | High | $200,000 |
| 9 – All – Sabotage – Security Policy | High | $1,000 |
| 10 – Communications System – Tornadoes | High | $50,000 |
| 6 – Pump Station D – Sabotage | High | $30,000 |
| TOTAL | | $281,000 |
| 7 – Pump Station E – Floods | Medium | $100,000 |
| 8 – Pump Station F – Backup Power | Medium | $500,000 |
| TOTAL | | $600,000 |
| 2 – Pump Station A – Tornado Protection | Low | $400,000 |
| 3 – Pump Station B – Flood Protection | Low | $20,000 |
| 4 – Treatment Building – Sabotage | Low | $300,000 |
| 5 – Pump Station C – Sabotage | Low | $40,000 |
| TOTAL | | $760,000 |

Conclusions

Additional Benefits of Vulnerability Assessment

• Workshops Encouraged:
– Engagement
– Information sharing across departments

• Staff Learned How to Assess Risk

• Improved “Risk” Culture

• Risk Mitigation Projects Support Capital Improvement Planning


VA Conclusions


• Identified areas for improvement

• Documented capabilities

• Informed the CIP

• Informed the overall risk management process


Acknowledgements


• Bob Ervin, PE, Minneapolis Water

• Annika Bankston, PE, Minneapolis Water

• Minneapolis Water Staff!

• Shannon Spence, PE, Arcadis

THANK YOU!
August 29, 2016

Mr. Glen Gerads
Director
Minneapolis [email protected]

Mr. Andrew Ohrt, PE
Senior Consultant
Arcadis U.S., [email protected]

AUGUST 29, 2016

Presentation Handout Perspectives on a J100 Vulnerability Assessment – Lessons Learned by Minneapolis Water

Mr. Glen Gerads & Mr. Andrew Ohrt

August 29th, 2016

Resilience – One Definition –

“Resilience is the capacity of individuals, communities, institutions, businesses, and systems within a city to survive, adapt, and grow no matter what kinds of chronic stresses and acute shocks they experience.”

Common Questions Regarding Risk –

• How many critical assets do I have?

• What is the most likely threat for my assets?

• Which threats have the biggest consequences?

• Do I need to worry about cyber-attacks?

• Should I protect my assets against a bomb?

• How do I set my utility up for compliance with future rules and laws?

• How do I measure the risk associated with threats?

• What are the means to track risk reduction?

• How do I prioritize projects to increase resilience?

• What is the definition of resilience for my utility?

What is the American Water Works Association J100 Standard for Risk and Resilience Management of Water and Wastewater Systems?

• Methodology to quantify risk ($) to the individual asset level.

• Provides a way to evaluate multiple threat types.

• A way to compare “apples” to “oranges” for both asset and threat/hazard types.


Steps to perform a VA using the J100 Standard are:

1) Asset Characterization: What assets do I have that are critical to my operations?

2) Threat Characterization: What reasonable worst case man-made threat, natural hazard & supply chain scenarios should I consider?

3) Consequence Analysis: What happens to my assets & operations if attacked by terrorists, natural hazards or supply chain disruption? How much money is lost to me? Fatalities? Injuries? How much economic loss to the regional community?

4) Vulnerability Analysis: What vulnerabilities would allow a terrorist, natural disaster or supply chain problems to cause these consequences? Given the scenario, what is the likelihood it will result in these consequences?

5) Threat Likelihood Analysis: What is the likelihood that a terrorist, natural disaster or supply chain disruption will strike my operations?

6) Risk/Resilience Analysis:
Risk = Consequences x Vulnerability x Threat Likelihood
Resilience = Service Outage x (Vulnerability x Threat Likelihood)

7) Risk/Resilience Management: What options do I have to reduce risks & increase resilience? How much will each benefit in reduced risks and increased resilience? How much will it cost? What is the net benefit & benefit/cost ratio of my options? How can I manage the chosen options?
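
The risk, resilience and benefit-cost formulas from the slides and handout, worked through for a few threat-asset pairs as an added example (not part of the original presentation, and not the utility's data or tooling). It assumes T is an annual probability, annualizes RMM cost as capital over useful life plus O&M, and measures outage in MGD-days; all dollar figures are constructed and the class and function names are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class TAP:
    """One threat-asset pair (TAP) with its J100 inputs."""
    threat: str
    asset: str
    c: float             # Consequences: worst reasonable case loss, $
    v: float             # Vulnerability: P(consequences | threat occurs), 0..1
    t: float             # Threat likelihood: P(threat occurs), assumed per year
    outage: float = 0.0  # Service outage; the unit (MGD-days) is an assumption

    @property
    def risk(self):        # Risk = C x V x T
        return self.c * self.v * self.t

    @property
    def resilience(self):  # Resilience = Service Outage x (V x T)
        return self.outage * self.v * self.t

@dataclass
class RMM:
    """Risk mitigation measure; `changes` maps (threat, asset) to revised inputs."""
    name: str
    capital: float
    annual_om: float
    useful_life: int
    changes: dict

    @property
    def annual_cost(self):  # assumption: straight-line capital plus O&M, no discounting
        return self.capital / self.useful_life + self.annual_om

def apply_rmm(taps, rmm):  # recalculate every TAP assuming the RMM is implemented
    return [replace(p, **rmm.changes.get((p.threat, p.asset), {})) for p in taps]

def total_risk(taps):
    return sum(p.risk for p in taps)

def bca(taps, rmm):  # BCA = (Risk Reduction - Cost) / Cost, both in $ per year
    reduction = total_risk(taps) - total_risk(apply_rmm(taps, rmm))
    return (reduction - rmm.annual_cost) / rmm.annual_cost

def prioritize(taps, rmms):  # rank RMMs by BCA, highest first
    return sorted(rmms, key=lambda m: bca(taps, m), reverse=True)

# Constructed sample data, not Minneapolis Water's figures.
TAPS = [
    TAP("Tornado", "Pump Station A", 2_000_000, 0.6, 0.02, outage=30),
    TAP("Flood", "Pump Station B", 1_000_000, 0.5, 0.01, outage=10),
    TAP("Utility Dependence", "Pump Station D", 500_000, 0.9, 0.2, outage=5),
    TAP("Tornado", "Pump Station D", 1_500_000, 0.5, 0.02, outage=20),
]
RMMS = [
    RMM("Tornado protection", 400_000, 2_000, 20, {("Tornado", "Pump Station A"): {"v": 0.1}}),
    RMM("Flood protection", 20_000, 500, 10, {("Flood", "Pump Station B"): {"v": 0.1}}),
    RMM("Backup power", 100_000, 5_000, 10,  # one project benefiting two TAPs
        {("Utility Dependence", "Pump Station D"): {"v": 0.1},
         ("Tornado", "Pump Station D"): {"v": 0.4}}),
]

if __name__ == "__main__":
    for m in prioritize(TAPS, RMMS):
        print(f"{m.name:20s} ${m.annual_cost:>8,.0f}/yr  BCA {bca(TAPS, m):+.2f}")
```

A negative BCA, as the constructed tornado project shows, means the annualized cost exceeds the risk it removes, which is one answer to the slide's question about why a utility would not target a risk of $0.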