In March 2006, two teenage vandals illegally entered a 1.3 million gallon water tank in Blackstone, Mass. A five-gallon container with an odor was found on top of the tank, but in the end, authorities determined the water was not contaminated. The teenagers had defeated security by simply scaling a fence, smashing an electric meter, and breaking through the security apparatus that would have prevented them from climbing the tank's ladder.
An April 2006 city-wide municipal risk assessment revealed a significant exposure to water contamination that was overlooked in an EPA-required vulnerability assessment conducted in house. The city administration was dismayed to learn they had such blatant exposure to contamination given they conducted their own security vulnerability assessment within the last two years. Those city administrators are not alone; others may be operating under a similar false sense of security. All water systems serving greater than 3,300 persons were mandated by the Bioterrorism Act of 2002 to conduct vulnerability assessments to evaluate susceptibility to potential threats and identify corrective actions that could reduce or mitigate the risk of serious consequences from adversarial actions (e.g., vandalism, insider sabotage, terrorist attack, etc.).
There are numerous security vulnerability assessment tools available to community water system managers: (i.e. RAM-W, VSAT, NETCSC, FRWA Method and NRWA / ASDWA self-assessment) however, they each have potential deficiencies. None of those assessment tools provide:
- A utility specific blueprint for how to properly conduct a vulnerability assessment
- Specific localized threats against which a community water system must protect itself and its consumers
- Specific security solutions for any identified vulnerabilities
The tools range from complex methodologies to simple self-assessment checklists that can be completed in a matter of minutes. Many smaller water systems have chosen to complete the latter, in many cases without the assistance of a properly qualified security expert. This is a risky endeavor that unfortunately happened all too routinely. It is also contrary to the directive in the self-assessment checklists, which state "This document is meant to encourage smaller systems to review their system vulnerabilities, but it may not take the place of a comprehensive review by security experts."
The fact that administrators of community water systems would take such an approach is no surprise to those who have read the March 2005 GOA report "Protection of Chemical and Water Infrastructure." The report concludes that many water systems operate in a climate where it is a struggle to fund security improvements. Consumers oppose rate increases, opinions differ regarding the need for security at community water systems (many feel "it won't happen here") and employee cultures that embrace security are difficult to achieve.
While the use of a checklist is compliant with the Bio-Terrorism Act of 2002, there are several potential shortfalls that are magnified when a security expert is omitted from the security vulnerability assessment team. Common weaknesses include: a) incomplete and inaccurate conclusions on the quality of existing security measures; b) Potential to miss vulnerabilities that could be exploited by vandals, criminals, disgruntled former employees or terrorists, and; c) Potential failure to implement adequate or reasonable security solutions. Weaknesses in security may only become evident after a security incident occurs or a SVA re-assessment is conducted with the proper credentialed participants. The following municipal water system case studies underscore the potential exposure to drinking water everywhere.