top of page
  • Writer's pictureDragoon Security Group

America's Water Infrastructure Act of 2018

On October 23, 2018, America's Water Infrastructure Act (AWIA) was signed into law. The law requires the administrators of Community Water Systems (CWS) serving more than 3,300 citizens to develop or update Risk and Resilience Assessments and Emergency Response Plans (ERP). The Environmental Protection Agency (EPA), who has oversight of the AWIA, interprets population count as direct and indirect citizens within the district served.

This amendment to the Clean Water Drinking Act, provides CWS administrators the opportunity to identify and respond to risks, while improving their aging infrastructure. Over 80% of the US relies on the 153,000 public drinking water systems and 16,000 wastewater treatment systems and are categorized as Critical Infrastructure by the Department of Homeland Security.

The AWIA is in response to a 2016 digital attack of a US water treatment plant’s SCADA network. During the two months in which the attackers had unfettered access to the plant’s infrastructure, they were found to have manipulated the chemicals used to assure safe drinking water and disrupted distribution. This attack also resulted in the theft of 2,500,000 customer’s Personally Identifiable Information.

Beginning March of 2020, CWS administrators will need to submit to the EPA certification that assessments and plans have been documented in order to avoid financial penalties. Under the AWIA, the EPA is authorized to place fines of up to $25,000 per day for any CWS that has not certified both the assessments and ERP have been completed.

AIWA also creates a five-year life cycle for CWS administrators to maintain their assessments and ERP before they are required to be reviewed and revised.

Conducting the Risk & Resiliency Assessment

Under the updated AWIA, CWS administrators will be required to conduct an assessment of their risks from both natural and human threats. Human threat actors may include both physical and digital threats attempting to damage or destroy infrastructure and systems supporting the delivery of a community’s clean water.

In addition to assessing risks, administrators are required to assess the resiliency of their existing infrastructure. This includes water sources, pipelines, physical protections, treatment and storage facilities. Other areas of focus for assessments should include, existing CWS monitoring capabilities and practices, billing systems, chemical usage, and maintenance.

CWS administrators are also encouraged to evaluate financial and operational requirements as part of their assessments. The assessments aid in driving projects funded through grants established under the AIWA. These grants are intended to assist the CWS administrators in remediating or mitigating the risks through improving aging infrastructure and implementing physical and technical controls.

Developing the Emergency Response Plan

Within six months of the CWS administrator certifying to the EPA the assessment has been completed, administrators are required to create and deploy ERPs for identified risks. The ERP serves as both a Corrective Action Plan (CAP) and an Incident Response (IR) Plan.

The ERP should address strategies and resources to improve the resilience of the system, to include protections from both physical and digital attacks of the system. ERPs should address all risks identified during the assessment, as it will create a strategic roadmap for hardening CWS infrastructure.

The ERP should also address what actions the CWS administrators should take in response to a successful or in-progress attack.

Completion of the ERP will also enable CWS administrators to apply for grants under the Drinking Water Infrastructure Risk and Resilience Program, which the EPA will begin awarding in 2020. These grants, if the assessment and ERP relate the need, will allow for CWS administrators to initiate remediation and mitigation projects to include:

  • Purchase and installation of equipment for detection of drinking water contaminants or malevolent acts;

  • Purchase and installation of fencing, gating, lighting, or security cameras;

  • Tamper-proofing of manhole covers, fire hydrants, and valve boxes;

  • Purchase and installation of improved treatment technologies and equipment to improve the resilience of the system;

  • Improvements to electronic, computer, financial, or other automated systems and remote systems;

  • Participation in training programs, and the purchase of training manuals and guidance materials relating to security and resilience;

  • Improvements in the use, storage, or handling of chemicals by the community water system;

  • Security screening of employees or contractor support services;

  • Equipment necessary to support emergency power or water supply, including standby and mobile sources; and

  • Development of alternative source water options, relocation of water intakes, and construction of flood protection barriers.

About Us

Dragoon Security Group’s consultants have collaborated with civil engineering firms and public works in support of municipal governments, USACE and USAID water engineering projects to include; water treatment plants, canals, and dams to develop and implement SCADA security programs in both the United States and abroad.

Our team is available to assist in guiding your organization in identifying and determining reasonable risks to your CWS infrastructure, as well as developing actionable plans to remediate and mitigate those risks.

Contact us for more information at (803) 298-4500 or

44 views0 comments

Recent Posts

See All

Small Town But Not Too Small To Fail

After a chaotic summer of coordinated ransomware attacks against municipal governments, resulting in disruption of critical services to citizens, some refreshing news from Rhode Island of a small town

60 Minutes on Ransomware

While I’m glad this issue is gaining national attention, this piece was very defeatist. Companies wouldn’t accept a thief walking in and taking tens of thousands of dollars from the register. Yet beca

Post: Blog2_Post
bottom of page