Why Are We Doing This? And What Should We Be Doing?

Conducting an risk analysis (RA) allows a utility to consider a broad spectrum of worst reasonable threats that may compromise the utility's mission of providing drinking water and/or treating wastewater. The RA assigns a monetized value for risks against critical assets such as pump stations, and that value enables utility managers to make informed decisions. There is a standard available to follow when conducting an RA: the ANSI/AWWA J100-10 Risk and Resilience Management of Water and Wastewater Systems (AWWA 2010). There are also software tools to help with the process. Taken together, the RA and stand-alone (SA) provide a comprehensive view of the risks and countermeasures that can be implemented to address the myriad threats facing a water or wastewater system. In the RA, it's important to remember that cyber-related physical attacks may occur, and physically related cyberattacks may occur. Then the SA uses these threats to determine, in detail, what type of measures will counteract them. One approach to conducting SAs, the CARVER method, evaluates Criticality, Accessibility, Recoverability, Vulnerability, Effect, and Recognizability (CARVER).