preparedness project lessons nc awwa / wea 2015 annual conference jack moyer

Preparedness Project Lessons

NC AWWA / WEA 2015 Annual Conference

Placeholder area for filmstrip graphic. Use “SlideGraphics.indd” file to customize with your own imagery and export out new .png graphic to insert into presentation

Jack Moyer

Types of Projects Included

Project Locations

General Lessons and Observations

Security and VA Lessons

Emergency Planning Lessons

Business Continuity Planning Lessons

Closing Points

Overview01

02

03

04

05

06

07

3Preparedness Lessons Learned

• Vulnerability assessments (VA)• Emergency response plans (ERP)• Continuity of operations plans (COOP) and

business continuity plans (BCP)• Tabletop exercises and games (enhanced

tabletop exercises)• Physical security standards development• Other security and preparedness planning

projects

Types of Projects Included

4Preparedness Lessons Learned

• Drought preparedness planning• Emergency operations center (EOC) and joint

information center (JIC) preliminary design• Continuity of government (COG) planning• Public information office

(PIO) planning• Dam emergency action

plan (EAP) tabletop exercises

Other Types of Projects

5Preparedness Lessons Learned

Project Locations

6Preparedness Lessons Learned

• Lack of a culture of security and preparedness• Opportunity to address “low-hanging fruit”• Importance of visible management commitment• Importance of

engagingstakeholders

• IT engagement challenges

General Lessons and Observations

7Preparedness Lessons Learned

• Inadequate policies and procedures• Lack of training and awareness• Lack of enforcement

Lack of Security / Preparedness Culture

8Preparedness Lessons Learned

• Many have good disaster recovery plans (DRP)• Often difficult to get IT leadership engaged with

the rest of the preparedness project team • The project champion or upper management

must get the IT experts to participate

IT Engagement Challenges

9Preparedness Lessons Learned

• Lack of maintenance• Fence weaknesses• Camera weaknesses• Need to address cyber

security and process control systems

• Other weaknesses in security equipment and procedures

VA Lessons

10Preparedness Lessons Learned

• Inadequate maintenance of security improvements,resulting in inoperablecameras, damaged fences, etc.

• Inadequate budget and resources for the maintenance of security systems

• Competing priorities for funding such as rehabilitating degraded infrastructure or decreasing revenues

Inadequate Maintenance

11Preparedness Lessons Learned

• Gaps underneath or at gates

• Unrepaired damage• Vegetation and other

compromises to the fences

• Cheap padlocks, chains, and daisy-chaining of padlocks

Fence Weaknesses

12Preparedness Lessons Learned

• Where present, cameras and camera systems nearly always have weaknesses, including:

• Camera systems that don't work as intended, and often never did

• Cameras that are intended to be monitored, but are not

• Cameras that are no longer compatible with computers in use

Camera Weaknesses

13Preparedness Lessons Learned

• Rapidly evolving threats

• Stuxnet / Germany• Presidential Executive

Order February 2013• AWWA Process

Control (Cyber) System Security Guidance Document

Need to Address Cyber Security

14Preparedness Lessons Learned

• Doors propped open that are supposed to be closed and locked

• Unresolved concerns regarding disgruntled past or current employees

• Poor housekeeping in some areas, leading to safety and security compromises

• Lack of enforcement of existing policies and procedures

Other Common Weaknesses - 1

15Preparedness Lessons Learned

• Vulnerable to potential malevolent acts by both contractors and disgruntled employees

• Background checks on contractors are generally inadequate

• Contractors often have unsupervised access

• Password protection and key control programs at many systems are often lacking

Other Common Weaknesses - 2

16Preparedness Lessons Learned

• ERPs not up-to-date, particularly contact information

• Insufficient emergency response training and exercises

• Few ERPs includeNIMS and ICS

• Better inter-agencycoordination needed

Emergency Planning Lessons

17Preparedness Lessons Learned

• National Incident Management System

• Incident Command System

Few ERPs include NIMs and ICS

18Preparedness Lessons Learned

Better Inter-agency Coordination Needed

19Preparedness Lessons Learned

• Few plans include crisis communication plans for critical notifications

• Few plans address the threat of armed intruders or active shooters

Emergency Planning Lessons - 2

20Preparedness Lessons Learned

• Pandemic plans are often lacking or too focused on the flu

Often Lack Pandemic Plans

21Preparedness Lessons Learned

• Employees are a water utility’s most valuable and most vulnerable resource

• They are only as valuable at work as their families are prepared at home

• Many systems do not have adequate provisions to help employees and their families prepare

Weak Employee Preparedness

22Preparedness Lessons Learned

• Few water systems have BCPs or COOPs• Stakeholder engagement is critical in BCP and

COOP projects• Mission essential functions (MEF) are often very

challenging for systems to identify and prioritize in BCP development

• The importance of succession plans is often a challenge to convey and seldom done

• Emergency procurement needs to be addressed

BCP Lessons

23Preparedness Lessons Learned

Plans often lack provisions for emergency procurement and to address critical interdependen -cies

Emergency Procurement

24Preparedness Lessons Learned

• Water and wastewater systems have done much to prepare

• There are many opportunities for improvement and security preparedness in most water and wastewater systems

• Many of those opportunities are neither difficult nor expensive

• What is needed is a commitment to improvement in those areas

Closing Points

Questions orComments?

November 17, 2015

919.461.1472 | jack.moyer@aecom.com

Jack Moyer