Safe water project funding is impacted by new cyber mandates. Are states and utilities ready?

USEPA’s recently released memorandum interprets existing regulations requiring state oversight of public water systems' cybersecurity practices. This new oversight policy will cost state governments and every public water system money needed to repair failing infrastructure in a time of escalating project costs. The news is even worse – no one knows how much more money will be required.

Public Water Utilities Are Already Responsible

Water utilities bear the ultimate responsibility for providing safe water to their customers and the environment. And all water utilities support reasonable and effective cybersecurity regulations that help to protect public health and safety. However, the new policy forces state agencies directly into the accountability framework. In addition to concerns about the costs, feasibility, and potential unintended consequences on capital projects, there is limited value-added being provided to the customer.

Good Intentions from USEPA

According to the USEPA memorandum, drinking water systems will be more protected from cyber-attacks by mandating more aggressive state-level accountability. USEPA provides no ideas on how states will implement the new policy. In fact, USEPA states that it wants to be highly flexible with how states do their work and are there to help. Nevertheless, the new policy ensures the public has safe drinking water.

How Initial Assessments Work

Public water systems are required by USEPA to do regular audits (“sanitary surveys”) on all aspects of their systems and to make necessary improvements. The new policy requires that during a sanitary survey, the following must now be performed:

1. If the public water system uses an Industrial Control System (ICS) or other operational technology as part of the equipment or operation of any required component of the sanitary survey, then the state must evaluate the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.

2. If the state determines that a cybersecurity deficiency identified during a sanitary survey is significant, then the state must use its authority to require the PWS to address the significant deficiency.

Significant Deficiencies

EPA has defined "significant deficiencies" as including, but not limited to, "defects in design, operation, or maintenance, or a failure or malfunction of the sources, treatment, storage, or distribution system that the state determines to be causing, or have the potential for causing, the introduction of contamination into the water delivered to consumers." For cybersecurity, significant deficiencies should include the absence of a practice or control, or the presence of a vulnerability, that has a high risk of being exploited, either directly or indirectly, to compromise an operational technology used in the treatment or distribution of drinking water.

Do States Have the Required Resources?

The short answer is no. Of course, USEPA is there to help. In reality, the new requirement means states will redivert capital project grants and loans into the new cybersecurity initiative to develop new state capabilities or hire consultants. Some states will tell utilities to pay for it, which has the same effect of less funding is available for capital projects.

Unintended Consequences for Utilities

Traditional costs for cybersecurity measures in water utilities include assessment costs, capital improvement costs, staff training, ongoing system upgrades, and compliance (reporting). The new policy now injects another player and potential uncertainties into every new capital project. Look for more change orders and more cost escalation as states, or their contractors, find "insignificant deficiencies" in projects already designed by water utility staff and their design consultants.

Moving Forward

The costs of implementing cybersecurity measures can be significant, particularly for smaller water utilities with limited resources. The exact cost will depend on the duplicate role that the states will play as dictated by the USEPA cybersecurity memorandum. The magnitude of the costs is unknown and one reason that policy by fiat is bad. However, the new policy will certainly result in less money for new water projects.

JD Solomon Inc provides solutions at the nexus of the facilities, infrastructure, and the environment. Contact us for more information on our program development, project management, and capital program prioritization solutions. Subscribe for monthly updates.

1. What is PFAS?

PFAS, or perfluoroalkyl or polyfluoroalkyl substances, are fluorinated carbon-chain compounds. PFAS has been used in fire response, industrial applications, and consumer products for decades. For these reasons, PFAS is also found in landfills and wastewater treatment facilities. PFAS chemicals are manufactured and produced worldwide.

2. How many PFAS compounds will USEPA regulate and to what levels?

The EPA would cap PFOA and PFOS at 4 parts per trillion, essentially the lowest level at which they can be reliably measured. Four other PFAS chemicals will also be regulated based on an index.

3. How have the human health effects of PFAS been determined?

Some studies on PFAS have been conducted on humans, and many studies have also used animal models or epidemiological approaches to assess the potential health effects of these chemicals.

4. How does USEPA develop regulatory levels for PFAS?

According to USEPA, the threshold concept is important in the regulatory concept. The individual threshold hypothesis holds that a range of exposures can be tolerated by an organism with essentially no chance of toxic effects. Further, it is often prudent to focus on the most sensitive members of the population. Therefore, regulatory efforts are made to keep exposures below the most sensitive population threshold.

5. How can I relate the proposed USEPA regulatory levels to something I understand?

Four parts per trillion are approximately equal to 4 eyedroppers of fluid in an Olympic-sized pool.

6. Have we seen clusters of human health effects in places like Wilmington, NC, where the population has been subjected to PFAS exposure in the pert-per-trillion range for decades?

No, but there are thousands of PFAS compounds that can interact with different effects—the models on which the regulatory levels are acknowledged to be conservative by USEPA.

7. Will all drinking water systems be covered?

Public water systems would be required to monitor these six PFAS. These systems would have to pay for upgrades to ensure their levels remain below the legally enforceable limits set by the EPA. The proposed regulations do not cover private drinking water or irrigation wells.

8. How much will this cost?

The costs will be in the range of hundreds of billions of dollars. The cost of monitoring for PFAS at the lowest detectable limits is expensive. The treatment systems for PFAS are granulated activated carbon, which is expensive to install and maintain.

9. Who will pay for the costs?

Utility systems ratepayers will pay for nearly all of the costs. The Federal government will be required to provide capital funding to help many systems; however, water utilities in the US receive only about 4 percent of the income from the Federal government.

10. Will these regulations fix the problem?

No, there are over 7000 PFAS compounds that have properties that allow them to repel water and oil. For this reason, PFAS compounds do not break down easily over time and have been dubbed "forever chemicals." PFAS has been found at elevated levels across the United States in solid, surface water, groundwater, and air. At 4 parts per trillion, PFAS is everywhere and will continue to be manufactured as long as there is public demand for it.

Part of the "problem" is also related to the human health effects of PFAS compounds is largely unknown. It will take decades to understand how PFAS affects people of different ages and those with different conditions or diseases.

JD Solomon Inc provides solutions at the nexus of the facilities, infrastructure, and the environment. Contact us for more information on environmental reviews, permitting, and integrated assistance with new project development. Subscribe for monthly updates on how we are applying reliability and risk concepts to natural systems.

Monte Carlo Analysis Provides Analytical and Communication Value When Complexity and Uncertainty Are High

Monte Carlo analysis or Monte Carlo simulation is a technique used for forecasting which considers uncertainty and variability. As an analytical tool, Monte Carlo analysis forces the project development process to incorporate wider thinking and minimize biases. As a communication tool, Monte Carlo analysis is powerful in showing the probabilities and possibilities and identifying the input parameters that impact a specific project context.

Monte Carlo analysis is now more convenient and affordable than at any point in its 70-year history. The technique provides huge additive value for large and complex projects and capital-intensive programs.

Caveats

Out of the gate, let me say that I love Monte Carlo analysis. I have used the approach for over thirty years. I have degrees in engineering and finance. I built an asset management practice that used MCA as a core technique and even did a keynote address at an international user conference on how to do it.

A separate article discusses what is wrong with using Monte Carlo analysis for new project development. Some of those reasons include that Monte Carlo analysis is often poorly communicated and the technique misses the rare events that are the source of catastrophic project results.

Project Managers Thinking In Ranges

According to Gustavo Vinueza, you may be in the ballpark with high, medium, and low estimates of input parameters. However, forecasts based on a single-point estimate for each parameter are science fiction. Simply, Monte Carlo analysis allows you to explore uncertainty. It forces you to start thinking in ranges.

What is Monte Carlo Analysis

Monte Carlo Analysis is a computer-based method of analysis developed in the 1940s that uses statistical sampling techniques to obtain a probabilistic approximation to the solution of a mathematical equation or model. This 1997 definition from the United States Environmental Protection Agency is painfully simple, but a few key insights can be gained from it.

Uncertainty and Variability

Monte Carlo simulation uses thousands or millions of permutations of random variables to calculate all possible outcomes. The probability distribution it generates makes it an effective tool in forecasting uncertainties and variability experienced in many project management applications.

There is a fine difference between uncertainty and variability. Uncertainty is quantified by a probability distribution related to the likelihood of an uncertain quantity's single, true value. Variability is quantified by a distribution of frequencies derived from observed data of multiple instances of the quantity.

Strengths According to ISO 31010

ISO 31010 is the supporting standard for the international risk standard (ISO 31000) and provides guidance on the selection and application of systematic techniques for risk assessment. Five of Monte Carlo analysis strengths include the following:

1. the method can accommodate any distribution in an input variable, including empirical distributions derived from observations of related systems

2. models are relatively simple to develop and can be extended as the need arises

3. sensitivity analysis can be applied to identify strong and weak influences

4. models can be easily understood as the relationship between inputs and outputs is transparent

5. software is readily available and relatively inexpensive

Questions to Ask Before Performing a Monte Carlo Analysis

Questions to consider at the initiation of a quantitative variability and uncertainty analysis, such as Monte Carlo analysis, include:

• Will the quantitative analysis of uncertainty and variability improve the assessment?

• What are the major sources of variability and uncertainty? How will variability and uncertainty be kept separate in the analysis?

• Are there time and resources to complete the analysis?

• Does the project warrant this level of effort?

• Will a quantitative estimate of uncertainty improve the decision? (How could the decision change?)

• What types of skills and experience are needed to perform the analysis?

• Have the weaknesses and strengths of the methods been evaluated?

• How will the variability and uncertainty analysis be communicated to the public and decision makers?

The Greatest Value: Insights

The most important aspect of a quantitative variability and uncertainty analysis is the interaction between the analysts, decision makers, and other interested parties, which makes risk assessment a dynamic rather than a static process.

Uncertainty Requires Effective Communication

One of the most important challenges is effectively communicating the sources of variability and uncertainty and their impacts. Higher levels of complexity and uncertainty usually make Monte Carlo analysis more attractive because it helps with communication.

Tornado diagrams are effective for showing Monte carlo sensitvity analysis and the impact of key inputs on project performance.

Ironically, insights gained from a quantitative analysis are generally qualitative in their expression and understanding. Insights can include an understanding of the following:

• the degree of variability and uncertainty and the confidence that can be placed in the analysis and its findings related to the project budget, schedule, and quality.

• the key sources of project delivery variability and uncertainty and their range of impacts

• the critical assumptions and their importance to project agreements and risk management

• the unimportant assumptions and why they are unimportant

• the extent to which plausible alternative assumptions or risk and uncertainty mitigation could affect the project

• the key project development controversies and a sense of what difference they might make individually and collectively

Implementing It with FINESSE

Monte Carlo analysis or Monte Carlo simulation is a technique used for forecasting which considers uncertainty and variability. As an analytical tool, Monte Carlo analysis forces the project development process to incorporate wider thinking and minimize biases. As a communication tool, Monte Carlo analysis is powerful in showing the probabilities and possibilities and identifying the input parameters that impact a specific project context.

Monte Carlo analysis is now more convenient and affordable than at any point in its 70-year history. The technique provides huge additive value for large and complex projects and capital-intensive programs. For more routine projects with low levels of complexity and uncertainty, an incremental approach, where Monte Carlo analysis is considered after traditional high-medium-low analysis is performed, is the most practical.

The trademarked FINESSE fishbone diagram is a proven tool for effective communication in the presence of high levels of complexity and uncertainty.

FINESSE provides a proven cause-and-effect approach to effective communication with high complexity and uncertainty. Communicating the results of Monte Carlo analysis is well suited for the FINESSE approach.

JD Solomon Inc provides solutions at the nexus of the natural and built environments. Contact us for information on new project development, capital program prioritization, Monte Carlo analysis, and project risk assessments. Subscribe for brief monthly updates on our projects and collaborations.