Security and Vulnerability Assessments for Water Utilities

Is your drinking water security plan adequate to protect the public?


A recent risk assessment for a municipal government, whose water department serves approximately 50,000 citizens, revealed significant vulnerabilities associated with booster pump stations. These booster pump stations featured low walls (five feet at the highest point) and unsecured chlorination injection equipment. Lids to the equipment were unsecured, making it possible to introduce any number of contaminants into the water. The facility featured no detection and no delay to penetration attempts. Significant amounts of graffiti inside the facility provided ample evidence that criminals were routinely breaching the security of this facility without detection or intervention by water personnel or local law enforcement. The city administration was surprised by the fact that this vulnerability existed, as they had conducted an in-house vulnerability assessment using a city engineer and an employee of the Public Works Department.

Failure to Implement Appropriate Countermeasures

In another instance, a large metropolitan community water system serving more than 100,000 users had installed a number of technical security systems. During the course of a revalidation of the recommendations from the original security vulnerability assessment, we discovered that none of the installed alarms were being monitored. Management was surprised to learn that a breach of security at one of the facilities would have gone undetected until employees returned to work in the targeted facility. Again, there had been no independent security professional guiding the process. The client was relying upon the guidance of a security systems vendor, whose primary mission was simply to sell more products.

Conclusions

In light of these findings ranging from coast to coast, we advise administrators of community water systems to consistently (but prudently) invest energy into their security programs. One client of ours conducts no less than semi-annual meetings to review the progress of implementation, confer on what is new in the industry and discuss how to involve and secure board approval for high priority recommendations. That slow and steady pace is proving to be very effective to achieve sustainable results.

More guidance has been published to establish industry standards on a balanced security program and safeguarding our drinking and fire protection water. For example, in June of 2005, The National Drinking Water Advisory Council published a report entitled, "Recommendations of the National Drinking Water Advisory Council to the U.S. Environmental Protection Agency on Water Security Practices, Incentives, and Measures." The report can be downloaded at www.epa.gov.

We recommend conducting an immediate gap analysis against the industry guidance published in this report. The results of this gap analysis can form the foundation for a long-term security plan for each community water system. The 14 recommendations in this report are:

  1. Make an explicit and visible commitment of the senior leadership to security.
  2. Promote security awareness throughout the organization.
  3. Assess vulnerabilities and periodically review and update vulnerability assessments to reflect changes in potential threats and vulnerabilities.
  4. Identify security priorities and, on an annual basis, identify the resources dedicated to security programs and planned security improvements, if any.
  5. Identify managers and employees who are responsible for security and establish security expectations for all staff.
  6. Establish physical and procedural controls to restrict access to utility infrastructure to only those conducting authorized, official business and to detect unauthorized physical intrusions.
  7. Employ protocols for detection of contamination consistent with the recognized limitations in current contaminant detection, monitoring, and surveillance technology.
  8. Define security-sensitive information, establish physical and procedural controls to restrict access to security-sensitive information as appropriate, detect unauthorized access, and ensure information and communications systems will function during emergency response and recovery.
  9. Incorporate security considerations into decisions about acquisition, repair, major maintenance, and replacement of physical infrastructure. This should include consideration of opportunities to reduce risk through physical hardening and the adoption of inherently lower risk design and technology options.
  10. Monitor available threat-level information; escalate security procedures in response to relevant threats.
  11. Incorporate security considerations into emergency response and recovery plans, test and review plans regularly, and update plans as necessary to reflect changes in potential threats, physical infrastructure, utility operations, critical interdependencies, and response protocols in partner organizations.
  12. Develop and implement strategies for regular, ongoing security related communications with employees, response organizations, and customers.
  13. Forge reliable and collaborative partnerships with communities, managers of critical interdependent infrastructure, and response organizations.
  14. Develop utility-specific measures of security activities and achievements, and self assess against these measures to understand and document program progress.