Frank Pisciotta, CSC, is an independent security consultant well-versed in the practice of critical infrastructure protection.
In March 2006, two teenage vandals illegally entered a 1.3 million gallon water tank in Blackstone, Mass. A five-gallon container with an odor was found on top of the tank, but in the end, authorities determined the water was not contaminated. The teenagers had defeated security by simply scaling a fence, smashing an electric meter, and breaking through the security apparatus that would have prevented them from climbing the tank's ladder.
An April 2006 city-wide municipal risk assessment revealed a significant exposure to water contamination that was overlooked in an EPA-required vulnerability assessment conducted in house. The city administration was dismayed to learn they had such blatant exposure to contamination given they conducted their own security vulnerability assessment within the last two years. Those city administrators are not alone; others may be operating under a similar false sense of security. All water systems serving greater than 3,300 persons were mandated by the Bioterrorism Act of 2002 to conduct vulnerability assessments to evaluate susceptibility to potential threats and identify corrective actions that could reduce or mitigate the risk of serious consequences from adversarial actions (e.g., vandalism, insider sabotage, terrorist attack, etc.).
There are numerous security vulnerability assessment tools available to community water system managers: (i.e. RAM-W, VSAT, NETCSC, FRWA Method and NRWA / ASDWA self-assessment) however, they each have potential deficiencies. None of those assessment tools provide:
- A utility specific blueprint for how to properly conduct a vulnerability assessment
- Specific localized threats against which a community water system must protect itself and its consumers
- Specific security solutions for any identified vulnerabilities
The tools range from complex methodologies to simple self-assessment checklists that can be completed in a matter of minutes. Many smaller water systems have chosen to complete the latter, in many cases without the assistance of a properly qualified security expert. This is a risky endeavor that unfortunately happened all too routinely. It is also contrary to the directive in the self-assessment checklists, which state "This document is meant to encourage smaller systems to review their system vulnerabilities, but it may not take the place of a comprehensive review by security experts."
The fact that administrators of community water systems would take such an approach is no surprise to those who have read the March 2005 GOA report "Protection of Chemical and Water Infrastructure." The report concludes that many water systems operate in a climate where it is a struggle to fund security improvements. Consumers oppose rate increases, opinions differ regarding the need for security at community water systems (many feel "it won't happen here") and employee cultures that embrace security are difficult to achieve.
While the use of a checklist is compliant with the Bio-Terrorism Act of 2002, there are several potential shortfalls that are magnified when a security expert is omitted from the security vulnerability assessment team. Common weaknesses include: a) incomplete and inaccurate conclusions on the quality of existing security measures; b) Potential to miss vulnerabilities that could be exploited by vandals, criminals, disgruntled former employees or terrorists, and; c) Potential failure to implement adequate or reasonable security solutions. Weaknesses in security may only become evident after a security incident occurs or a SVA re-assessment is conducted with the proper credentialed participants. The following municipal water system case studies underscore the potential exposure to drinking water everywhere.
Checklist Weaknesses and the Potential for Inaccurate Conclusions
One client relied upon the "Security Vulnerability Self-Assessment Guide for Small Drinking Water Systems," one of the free self-assessment checklists. One checklist item is "Key control and accountability policy." Key control and accountability is an appropriate security expectation. The proper deployment of locks and control of keys is effective in reducing the likelihood of security incidents from insiders, contractors, former employees and, to some extent, low-level outside criminals. Having completed the checklist in a departmental meeting with in house personnel, water system personnel considered themselves performing satisfactorily in this area. However, a consultant investigation revealed:
- The client was using low-grade keys with the potential for unauthorized duplicates to be made at any local hardware store.
- The client had no tracking or accountability system to be assured of how many keys were in circulation or whether the location of all assigned keys was known.
- Employees and contractors routinely separated from the organization and keys were not recovered.
- Third-party contractors had locks on gates and the client had no idea how many had access to their sites as a result.
Without the proper facilitation and guidance, it is easy for a community water system to conclude that a key control and accountability program is adequate. Yet, in 16 years of evaluating security programs (and there have been hundreds) we have found only one company whose key control program was properly in order. The self assessment checklist question as written leaves a significant exposure to an invalid conclusion, particularly without a security professional assisting in the process. For example, in the checklist there is no mention of the utilization of a patented controlled keyway that minimizes the exposure of unauthorized duplication of keys. This should be a baseline requirement of mechanical locks on critical facilities. In fact there are at least 10 measurements that need to be evaluated when determining the adequacy of a lock and key control program - some of which include:
- Having a proper tracking system (preferably a relational database such as Best's Keystone system)
- Properly / uniquely engraving keys
- Changing locks when keys are lost or stolen
- Assigning responsibility for the management of the key control program to a properly trained individual
- Implementing a procedure for users to sign for keys on removal and return
- Implementing a procedure that ensures the distribution of keys is appropriate (particularly for master keys.) One client issued a master key to a senior employee in management who really didn't need the key and had lost the key three times without a single lock being changed!
- Securing spare keys with a level of security that is commensurate with the value of the keys.
To ensure adequacy of a key control program, one would also have to look at procedures to ensure keys are recovered when personnel separate. So while the checklist approach can be quick, easy and inexpensive to execute, it often leaves a lot to be desired in terms of thoroughness and reliability of the conclusions.
A recent risk assessment for a municipal government, whose water department serves approximately 50,000 citizens, revealed significant vulnerabilities associated with booster pump stations. These booster pump stations featured low walls (five feet at the highest point) and unsecured chlorination injection equipment. Lids to the equipment were unsecured, making it possible to introduce any number of contaminants into the water. The facility featured no detection and no delay to penetration attempts. Significant amounts of graffiti inside the facility provided ample evidence that criminals were routinely breaching the security of this facility without detection or intervention by water personnel or local law enforcement. The city administration was surprised by the fact that this vulnerability existed, as they had conducted an in-house vulnerability assessment using a city engineer and an employee of the Public Works Department.
Failure to Implement Appropriate Countermeasures
In another instance, a large metropolitan community water system serving more than 100,000 users had installed a number of technical security systems. During the course of a revalidation of the recommendations from the original security vulnerability assessment, we discovered that none of the installed alarms were being monitored. Management was surprised to learn that a breach of security at one of the facilities would have gone undetected until employees returned to work in the targeted facility. Again, there had been no independent security professional guiding the process. The client was relying upon the guidance of a security systems vendor, whose primary mission was simply to sell more products.
In light of these findings ranging from coast to coast, we advise administrators of community water systems to consistently (but prudently) invest energy into their security programs. One client of ours conducts no less than semi-annual meetings to review the progress of implementation, confer on what is new in the industry and discuss how to involve and secure board approval for high priority recommendations. That slow and steady pace is proving to be very effective to achieve sustainable results.
More guidance has been published to establish industry standards on a balanced security program and safeguarding our drinking and fire protection water. For example, in June of 2005, The National Drinking Water Advisory Council published a report entitled, "Recommendations of the National Drinking Water Advisory Council to the U.S. Environmental Protection Agency on Water Security Practices, Incentives, and Measures." The report can be downloaded at www.epa.gov.
We recommend conducting an immediate gap analysis against the industry guidance published in this report. The results of this gap analysis can form the foundation for a long-term security plan for each community water system. The 14 recommendations in this report are:
- Make an explicit and visible commitment of the senior leadership to security.
- Promote security awareness throughout the organization.
- Assess vulnerabilities and periodically review and update vulnerability assessments to reflect changes in potential threats and vulnerabilities.
- Identify security priorities and, on an annual basis, identify the resources dedicated to security programs and planned security improvements, if any.
- Identify managers and employees who are responsible for security and establish security expectations for all staff.
- Establish physical and procedural controls to restrict access to utility infrastructure to only those conducting authorized, official business and to detect unauthorized physical intrusions.
- Employ protocols for detection of contamination consistent with the recognized limitations in current contaminant detection, monitoring, and surveillance technology.
- Define security-sensitive information, establish physical and procedural controls to restrict access to security-sensitive information as appropriate, detect unauthorized access, and ensure information and communications systems will function during emergency response and recovery.
- Incorporate security considerations into decisions about acquisition, repair, major maintenance, and replacement of physical infrastructure. This should include consideration of opportunities to reduce risk through physical hardening and the adoption of inherently lower risk design and technology options.
- Monitor available threat-level information; escalate security procedures in response to relevant threats.
- Incorporate security considerations into emergency response and recovery plans, test and review plans regularly, and update plans as necessary to reflect changes in potential threats, physical infrastructure, utility operations, critical interdependencies, and response protocols in partner organizations.
- Develop and implement strategies for regular, ongoing security related communications with employees, response organizations, and customers.
- Forge reliable and collaborative partnerships with communities, managers of critical interdependent infrastructure, and response organizations.
- Develop utility-specific measures of security activities and achievements, and self assess against these measures to understand and document program progress.
Since an adequate vulnerability assessment makes up the foundation for any effective security program, a reassessment of the adequacy of the initial effort is critical for every community water system that is serious about safeguarding water. A board certified security professional should be involved in the process with preferably CPP, PSP or CSC and RAM-W experience. Security is not an end point, but a goal that can be achieved only through continued efforts to assess and upgrade your system. The vulnerability assessment report is a sensitive document. It should be stored separately in a secure place at your water system. Water systems should review their vulnerability assessments periodically to account for changing threats or additions to the system to ensure that security objectives are being met.
We urge CWS managers to take a hard look at their SVA to decide whether it was effectively done by the right people or whether it was simply an exercise to put another check in a regulatory box. An alternative strategy might also include bringing in an independent consultant to evaluate the implementation of vulnerability recommendations. There is currently numerous RfP's circulating meant to provide this third-party validation. The lives of community members, fire protection capability and consumer confidence hang in the balance. Doctors generally do not prescribe medications or other procedures without a qualified assessment. Your security program to safeguard a community's drinking water should enjoy the same qualified analysis.
About the author: Frank Pisciotta, CSC, is president of Business Protection Specialists, an international security consulting firm headquartered in New York. Business Protection Specialists Inc. has helped community water systems prevent criminal and terrorist attacks since 1990. Pisciotta was recently named by the IAPSC as its eighth Certified Security Consultant (CSC) in the United States. Frank serves on the Board of Directors for IAPSC. He is an ASIS member who achieved his Certified Protection Professional (CPP) designation in 1994 and currently serves on the ASIS Risk Assessment Guidelines Committee and Agriculture and Food Security Council. He can be reached via email at firstname.lastname@example.org