Water/Wastewater Utilities Implement, Enhance System Security
Malicious attacks now being addressed along with natural disasters in new plans
The mission of America’s water utilities is to provide safe and sufficient water and wastewater treatment to customers. Historically, the pressing issues in water safety were microorganisms, disinfectant byproducts and infrastructure maintenance
. However, long before the tragic events of 9/11, water utility managers, law enforcement agencies, local emergency planning committees and epidemiologists were laying the groundwork for averting, detecting and responding to other threats.
Those efforts were directed at low-level threats such as burglary, vandalism or natural disasters. Understandably, the events of 9/11 triggered a new perspective on water system security. Since the attacks, security measures have been examined and revamped. They are now being implemented in every facet of the nation’s utility infrastructure.
Detect, delay, respond
The mission of any security system is to detect, delay and respond to destructive action. Destructive action to a water system can range from vandalism, such as graffiti, to cyber sabotage all the way to a full-fledged terrorist attack on a major treatment plant.
By their nature, utility systems are inherently difficult to secure. The physical assets are ubiquitous and the distribution systems accessible. Whereas a building is a single physical structure, a water system is a widespread network with many possible access points vulnerable to compromise. In addition, older treatment plants were built without security as a priority.
An attack on a water or wastewater system does not require high-tech tools, well-organized teams or exotic chemicals.
For example, in Neenah, Wis., a group of teenagers gained access to a water treatment plant with a stolen key. They planned to string trip wires, spread liquid soap on the floors, contaminate filters with dry soap powder and ignite firecrackers near chemical tanks. The youths were armed with baseball bats, dressed in dark clothing, and carrying radios and flashlights. Fortunately, the plan was thwarted when a would-be accomplice alerted police.
Equally important to the operation of a water system as its capital assets are the external supporting infrastructure—energy, transportation and telecommunications. Effective security measures must protect all the members of this interdependent web of operations from physical destruction, contamination and cyber attack.
Security is built from a combination of policies, procedures, people and technology, according to Jeffrey Danneels, manager of the Security Systems & Technology Center at Sandia National Laboratories in New Mexico.
Policies must be developed and implemented to address risks and communicated with employees. Operating procedures must be modified to meet policy goals. Although every employee must be cognizant and compliant with security procedures, security system monitoring cannot be loaded as collateral duties onto already burdened operators.
Vulnerable to attack
A water system consists of its sources, treatment facilities, controllers, distribution and storage system, and wastewater treatment. According to Danneels, “to protect one component of the system and neglect the protection of others will not achieve the objective of improving the security within the water infrastructure.” Contamination of large-volume water supplies such as reservoirs is considered unlikely, as it is difficult to obtain and transport sufficient quantities of hazardous materials to contaminate sources. As water volume decreases, the risk of contamination increases. Conventional water treatment technologies are effective in removing most biological agents, assuming the water treatment process has not been compromised. However, treatment methods may not deter all contaminants, especially chemical and pharmaceuticals.
Early warning systems with real-time monitoring sensors are needed to protect against and warn of contamination of raw water sources. To rely on after-the-fact reporting by the medical community on illnesses is not an effective method of detection.
An effective early warning system would alert operators in time to take action, be expandable, allow remote operation, require low skill to operate, give minimal false reports and be verifiable.
Potable water treatment plants use many chemicals, most notably chlorine, that could be used to cause harm to the surrounding community with a deliberate release or to contaminate the water supply by increasing chemical injection rates to dangerous levels.
The integrity of the plant could be breached by perpetrators climbing over or burrowing under fences, avoiding infrared sensors and nullifying alarms. Access can be as simple as a stolen key or a leaked access code. A disgruntled employee could be recruited to sabotage a plant. Often, contractors have easy access as well.
In recognition of these vulnerabilities, some water utilities are requiring escorts for contractor technicians who need access to sensitive areas, keeping a tighter rein on keys and access codes, and changing passwords on a regular basis.
Also at risk are supervisory control and data acquisition (SCADA) systems used to automate almost all modern water and wastewater treatment plants. Often, passwords on control equipment are not changed from the default. Many SCADA systems are susceptible to hacking that could result in disclosure or theft of information, corruption of data or denial of service. Because many SCADA systems are not connected to the Internet, the threat of cyber attack is most likely from an employee with access.
Of the three elements of a drinking water system—source water, treatment plant and distribution system—the distribution system of pipelines, pumps and storage tanks offers the greatest opportunity for malicious action because it is relatively unprotected and accessible, and often isolated.
If potable water is compromised, it is only a matter of time before wastewater is affected. In the event of contamination, wastewater treatment plants would have to be shut down to avoid contamination of the receiving stream. The wastewater treatment plant itself also could be the target of a physical attack.
The threats to a water or wastewater system are broadly classified into physical destruction, bio-terrorism and chemical contamination, and cyber attack.
Physical destruction of a water system’s assets or disruption of the water supply is considered more likely than contamination. Explosives and guns are more easily obtained than large quantities of harmful chemicals. An attack on a treatment plant can be accomplished by a small group with a minimum of organization.
A loss of water pressure would compromise firefighting capabilities and also lead to possible bacteria build-up in mains and pipes. More frightening to the general public is the spectrum of contaminants introduced into the drinking water supply.
Even the chemicals used by utilities to treat water can be a hazard. Chlorine is a potentially lethal respiratory hazard. The delivery chain also presents vulnerability. Smaller utilities receive chlorine in tanks as either liquid or pressurized gas.
Karl Goldapp of College Station (Texas) Utilities emphasized the importance of certifying the legitimacy of the delivery person, as liquid chlorine could easily be partially drained off and replaced with a noxious chemical that would be added to potable water unintentionally by the operator.
Not only pranksters, malcontents and terrorists, but also contractors and communications systems could sabotage a treatment works. The burgeoning demand for cell phones and pagers, television and radio transmission, and law enforcement communications has given rise to water towers bristling with antennas. For years, the mounting of communications antennas on water tanks was considered a win-win situation. Water utilities recouped the capital cost of towers from rental space atop water towers and communication companies were relieved of the tasks of tower construction, zoning hearings and other maintenance costs. However, providing access to this communication equipment exposes the utility to potential sabotage.
The Commission on Critical Infrastructure Protection (CCIP) established in 1996 by President Bill Clinton, examined the security of the nation’s critical infrastructures, defined as structures, information and cyber resources essential to the minimum operations of the economy and government. The CCIP determined that water infrastructure was highly vulnerable to a range of potential attacks. In 2000, the CCIP convened a public-private partnership called the Water Sector Critical Infrastructure Advisory Group that helps Sandia National Laboratories in developing security risk assessment methodology.
Critical water infrastructures—the systems used to collect, treat and distribute potable water and treat wastewater—are fundamental to the public health and welfare and are subject to both natural disaster as well as intentional attacks. Potable water is one of the top priorities in emergency medical services, firefighting, sanitation and general disaster recovery.
In 1998, responsibility for the critical water infrastructure was assigned to EPA under the National Security Council’s Presidential Directive 63.
Development of a security framework was the responsibility of Sandia National Laboratories. Sandia has a proven history of developing security protocols for the nuclear weapons industry, Department of Defense entities, and, more recently, hydroelectric dams. After reviewing the operations of a large water utility relying on both groundwater and surface water, Sandia personnel determined that the existing Sandia risk assessment methodology could be adapted to the water infrastructure.
Sandia conducted a workshop to develop a framework for risk assessment methodologies. Workshop participants included the FBI, AWWA, AMWA and several large water utilities.
EPA’s Water Protection Task Force targets the critical needs of small- and medium-sized systems, providing guidance, training, and financial assistance for conduct of vulnerability assessments, for preparation of emergency response plans and for establishment of security objectives. The task force draws on the experience of Sandia National Laboratories and provides baseline information on potential threats.
For these smaller utilities, EPA depends on states, through which grants are channeled, to build upon existing partnerships with other stakeholder organizations, such as emergency response councils and community health entities, and to coordinate implementation tasks. To facilitate planning, EPA provides support to improve communication between states and smaller utilities.
For wastewater utilities, the Vulnerability Self-Assessment Tool (VSAT) developed by the Association of Metropolitan Sewerage Associations and two consulting companies, PA Consulting Group and Scientech, Inc., provides a comprehensive system for analysis of both international threats and natural disasters. VSAT is available free of charge to wastewater utilities, and more information can be found at www.vsatusers.net.
Response, recovery, remediation
Emergency response planning is primarily a local responsibility. Every water utility should have in place an emergency response plan coordinated with federal, state and local emergency response organizations, regulatory authorities and local government officials. EPA recommends that utilities augment an established emergency operations plan addressing natural disasters with procedures for responding to intentional attacks. According to the EPA, counter-terrorism planning is an extension of existing activities.
Response refers to actions immediately following the incident. Recovery involves bringing the system back into operation, and remediation refers to long-term restorative action.
Of primary concern in an emergency response plan is the identification of the organizational structure responsible for incident response and management. To avoid confusion, utilities must coordinate with other emergency response activities to develop clear protocols and chains-of-commands for decision-making and for reporting and responding to threats.
Entities to be alerted include emergency management personnel, law enforcement, public health officials, emergency medical services, state environmental agencies, critical care facilities and the FBI. Contact lists of all relevant personnel should be kept current.
As with water providers, local emergency planning committees established under the Emergency Planning & Community Right-to-Know Act, prepare and maintain comprehensive emergency plans for releases of hazardous substances. The same planning principles followed for accidental releases can be adapted to deliberate releases by terrorists. Emergency planning committee members include state and local officials; police, fire, civil defense, public health, environmental, hospital and transportation officials; and representatives of facilities where chemicals are stored.
The public, as well as emergency responders, has a right to know about hazardous situations. Under the Emergency Planning & Community Right-to-Know Act, people are entitled to information that affects their lives. Communicating a threat proactively to the public through the media establishes credibility, allows the utility to control the accuracy of information, builds public trust and allows meaningful public involvement.