U.S. water utilities want more security information and more training and financial assistance to support security initiatives, according to a limited survey by EPAs Inspector General (IG).
Summarizing the results of surveys of 16 mostly large systems in six states, the IG report also reveals that water systems received most of their information on threat identification, problem detection, delay barriers, response capabilities and computer control systems from consultants, EPA and AWWA.
It further indicated that while some systems obtained information from the Water Information Sharing and Analysis Center, several said they want better access to the center, which is only available to paid subscribers.
Other information sources includes the Federal Bureau of Investigation, the Department of Homeland Security, the Centers for Disease Control and Prevention, state agencies, local law enforcement officials, the National Rural Water Association, water security experts and InfraGard, a cooperative public-private sector source of cybersecurity information.
Surveyed systems emphasized their continuing need for more security information, especially regarding threat identification and incident response. The survey also found that 11 of the 16 utilities estimated they would spend more than $100,000 in the next year on security improvements, with four estimating their security expenses would top $1 million.
Also, 11 said they may limit such improvements to those they can afford and/or budget as capital improvements while three indicated they would rely in Drinking Water State Revolving Fund (DWSRF) loans to help cover the costs and seven said they would need financial assistance to do the work.
Fourteen of them described addition training needs ranging from seminars on general topics to specialized training in tasks such as crime scene preservation. An equal number said they need training in emergency response, including identifying and detecting threats.
A dozen want EPA to fund related research on real-time contaminant detection technology while the16 systems split down the middle regarding desire for procedural changes such as including security matters as part of operator certification, changing DWSRF rules and establishing security standards.
Finally, the survey revealed utility suggestions for performance indicators to measure security improvements. They include measuring how long utilities can provide safe water during or after a security event, how long it could take to detect and respond to threats and utility capacity to detect deadly contaminants and computer system intrusions.
While the IG report cautioned that the limited survey "should not be generalized to represent all water utilities nationally," it nevertheless stated that the results "could help USEPA, other agencies and water utilities focus their efforts on the security issues identified."
Of the 16 surveyed systems, four serve 3,300 to 99,999 people and 12 serve 100,000 or more, while 14 have completed mandated vulnerability systems and 15 employed consultants to do so. Seven of them are located in New York, three in California, two each in Virginia and Florida and one each in Nebraska and Washington.