Frank Pisciotta, CSC, is a security consultant who focuses on critical infrastructure.
Step back to high school science class and you might remember the statistic that roughly two-thirds of a human body is made up of water. That fact in itself is a central reason that the security of America's drinking water is not to be taken for granted. Water systems, like any other company or essential infrastructure, must take into account a myriad of potential threats. Today's threats do not simply stem from terrorism, though that has been a chief concern in these years after September 11th. A quick scan of headlines and new stories, like the reports below, illustrates the concern that water utilities must place on the security of their systems:
"A former water department employee has been charged with poisoning a pair of city wells and alarming thousands of home owners. The perpetrator was accused of spiking two wells with PCE and TCE in June 2001. During a 6 day crisis, thousands of homeowners with private wells were told not drink or bathe in their water while the Ohio EPA tested hundreds of wells and searched the water table and streams for the source of contamination." Source: Michigan Section of the American Water Works Association, www.mi-water.org
"Vandals broke into a fenced compound containing a 3-million gallon drinking water reservoir about 7 weeks ago, causing the system to be taken offline until officials could confirm that no damage was done and the water was not contaminated. The vandals left behind a pair of rubber gloves, an empty plastic bag, and a pair of shorts, and also changed the padlock on the gate." Source: North County Times, California, 10/11/02
"Italian police arrested 4 Morrocans in possession of large quantities of cyanide and maps of Rome highlighting the locations of the U.S. Embassy. Police are investigating whether the men were plotting an attack on the embassy or on Rome's water supply. The men arrested had 10 pounds of cyanide, maps pinpointing the embassy and other locations, maps of Rome's water network, and a stack of counterfeit immigration papers." Source: ABCnews.com, 2/20/02"
"Residents [of Columbus, Miss.] were urged Tuesday [Jan. 21, 2003] to drink bottled water while authorities investigated a phone call that the water supply had been poisoned. The incident turned out to be a hoax." Source: The Clarion-Ledger, 1/22/03
"Bottled water was a prime commodity as Baldwin [Kansas] continued under a state boil advisory while the city's water system was returning to normal. The town of about 3,600 people has two 750,000 gallon water tanks that almost went dry earlier in the week because of a valve problem in the water line that brings treated water to Baldwin from Lawrence." Source: Lawrence Journal-World, January 2006
As these incidents indicate, there are significant challenges faced when it comes to safeguarding our nation's water supply. Those challenges include:
- Obtaining accurate, credible and timely threat information;
- Identifying vulnerabilities that can be exploited by an array of adversaries, including terrorists using an appropriate risk management framework;
- Funding security improvements identified in vulnerability assessments;
- Preparing for and responding to emergencies;
- Safeguarding security sensitive information in light of federal FOIA and local/state sunshine laws;
- Understanding interdependencies with other sectors; and
- Incorporating security into facilities where security was never a primary concern.
This is the first of a series of articles that is designed to improve America's ability to protect our drinking water. Contrary to popular belief, the federal government does not have primary responsibility for implementing security enhancements at privately owned critical infrastructure such as water. In the absence of federal regulation of water security expectations, the Environmental Protection Agency (EPA), as the lead federal agency for the water sector, has taken some actions to try to facilitate private sector security improvements by (1) providing financial assistance, (2) providing information and guidance, (3) providing training and exercises, (4) developing infrastructure protection initiatives, (5) setting security requirements for some facilities and related deadlines for taking required measures, and (6) reviewing actions taken at those facilities.
The protection effort for water is complex with a number of different federal agencies and private sector organizations involved such as the EPA, Department of Homeland Security, FBI's National Infrastructure Protection Center, Federal Emergency Management Agency, Critical Infrastructure Assurance Office, American Water Works Association, and Association of Metropolitan Water Agencies. This article will provide background on what efforts the government and water sector has taken to protect America's drinking water. Subsequent articles in this series will highlight readily available resources, key strategies that can be employed to improve security and the challenges to protecting America's Water supply.
Current Threats to Water and Water Facilities
There is growing concern that chemical, biological and radiological weapons may be used against the U.S. civilian population with water as one possible vehicle of transmission for these weaponized agents. Damage to or destruction of the nation's water supply and water quality infrastructure by terrorist attack could disrupt the delivery of vital human services in this country, threatening public health and the environment, or possibly causing loss of life. A loss of flow and pressure would also cause problems for customers and would hinder firefighting efforts. Cyber attacks on computer operations can affect an entire infrastructure network, and hacking in water utility systems could result in theft or corruption of information or denial and disruption of service.
In his 2002 State of the Union Address, President Bush noted that captured Al Qaeda documents included detailed maps of several U.S. municipal public drinking water systems. Apprehension regarding a terrorist assault on drinking water systems has also been reinforced by news reports and arrests of suspects charged with threatening to contaminate municipal water supplies in the U.S. No matter how minor the contamination event or short-term the disruption to the delivery of safe drinking water, the psychological, medical and potential public health impact on the U.S. population could be significant.
The threat from terrorism continues to resurface from time to time with the most recent statement from Osama bin Laden released in January 2006 where he made a general warning that security measures would not be able to prevent attacks. As translated and reported by NBC, bin Laden charged that "the proof of that is the explosions you have seen in the capitals of European nations," he said "The delay in similar operations happening in America has not been because of failure to break through your security measures. The operations are under preparation and you will see them in your homes the minute they are through [with preparations], with God's permission."
Water systems as with any other organization must protect themselves from a myriad of security threats both external and internal. In my line of business, we have conducted a number of threat assessments for water systems around the U.S. And while terrorism always grabs the headlines from more commonplace crimes, we have found that security incidents and resulting crimes typically stem from disgruntled insiders and common criminals. These "everyday" incidents occur with a much higher frequency than terrorist plots, even when considered on an international scale. An effective security program therefore must be based on a comprehensive understanding of the threats and resulting risk of security attacks against the water systems personnel, assets or information.
Government Response to Perceived Threats
President Clinton's 1998 Presidential Decision Directive 63 identified eight critical infrastructure systems requiring a coordinated national effort to achieve the capability to protect the nation's critical infrastructure from intentional acts that would diminish them. Water was included in the list of eight. Protection efforts focused primarily on the large community water supply systems that serve more than 100,000 persons.
In 1974, the Safe Drinking Water Act identified the EPA as the lead federal agency for liaison with the water supply sector, and the EPA has continued to operate in this leadership role for water security. In partnership with the American Metropolitan Water Association and American Water Works Association, the EPA in the year 2000 began to work on measures to security the water sector from terrorist acts. Interest in attacks against water systems increased since the September 11, 2001, terrorist attacks. The year 2002 saw the release of the Bioterrorism Act of 2002 in June. In September of that same year, the EPA published a Strategic Plan for Homeland Security. This plan included key programs to maintain the security of America's water, many of which are still unfolding even today.
The Bioterrorism Act of 2002
In June 2002, President George W. Bush signed the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (Bioterrorism Act) into law. The Bioterrorism Act required that certain community water systems conduct vulnerability assessments, certify to EPA that the vulnerability assessments were conducted, and submit a copy of the assessment to EPA. The act further required that certain community water systems prepare or revise emergency response plans and certify to EPA that an emergency response plan has been completed. The Bioterrorism Act took into account the different size water systems and established deadlines for compliance that ended on Dec. 31, 2004, for the smallest of water systems covered under the act.
EPA's Role in Homeland Security
The EPA took on a more expanded role in safeguarding America against terrorism after September 11th. To meet the perceived expanded role, the EPA Director Christie Todd Whitman ordered the preparation of a strategic plan for Homeland Security. This was a comprehensive plan but included a number of key issues relevant to the water sector. The EPA made several commitments in their report, namely:
"By the end of FY2003, all water utility managers will have access to basic information to understand potential water threats, and basic tools to identify security needs. By the end of FY2003, all large community drinking water utilities shall have identified key vulnerabilities and shall be prepared to respond to any emergency. By the end of 2004, all medium community drinking water utilities shall be similarly positioned. By 2005, unacceptable security risks at water utilities across the country will be significantly reduced through completion of appropriate vulnerability assessments; design of security enhancement plans; development of emergency response plans; and implementation of security enhancements."
The EPA further committed to:
- Develop tools, training and technical assistance for utilities in conducting vulnerability assessments.
- Conduct research to improve threat information and knowledge and enable community water systems to make timely and effective analytical and technological decisions to enhance security, detect contamination, and respond to incidents.
- Establish an information sharing and analysis (Water ISAC) organization to offer expert analysis, information gathering, and the rapid distribution of reports and government alerts about threats to America's drinking water and wastewater utilities.
- Work with states, tribes, and water utilities to implement water security practices in ongoing water utility operations so that security becomes integrated with day-to-day operations.
- Foster coordination among various state and federal agencies to improve response to actual or potential emergencies.
- Work with other critical infrastructure to understand interdependencies and reduce the impact of terrorist incidents.
The work outlined above is far from complete. The General Accounting Office (GAO) released a report on a study of the chemical and water sectors in March 2005. A complete copy of the report can be found at http://www.gao.gov/new.items/d05327.pdf. Officials representing eight of the 10 chemical facilities and eight community water systems GAO visited reported encountering obstacles in making security enhancements and maintaining a level of security consistent with their needs. Officials at six of the community water systems GAO visited reported economic constraints, such as balancing the need for rate increases to fund security enhancements with efforts to keep rates low. Four of the eight community water systems visited stated that instituting a cultural change that stresses the importance of security was another challenge they needed to address. An official at another system noted that the public in his locality did not perceive the water system to be at risk and, if it was, the public believed that little could be done to prevent a terrorist attack, making it difficult for the community water system to obtain budget increases to pay for security enhancements.
The GAO report accurately underscores the core issues observed by this author in his work with community water systems. The protection of our drinking water is an extremely challenging task. The next article in this series will focus on the methodologies available to identify security risk and will examine the pros and cons of each of the methodologies in terms of risk identification and the cost of implementation. In closing, to meet the security mission, community water system directors must consider the entire spectrum of threats that their organizations face. The war against terrorism provides unique opportunities to improve the effectiveness of security programs and reduce the consequences associated with security or criminal attacks. Next month, we'll look at current insights for seizing that opportunity and improving water utility security.
About the author: Frank Pisciotta is president of Business Protection Specialists, an international security consulting firm headquartered in Canandaigua, N.Y. Business Protection Specialists Inc. has assisted community water system clients in preventing security incidents and crime since 1990. He was recently named by the IAPSC as its eighth CSC (Certified Security Consultant) in the United States and is a member of the Institute of Internal Auditors. He is an ASIS member who achieved his CPP in 1994. He can be reached via email at firstname.lastname@example.org.