National
Drinking Water Clearinghouse
West Virginia University
P.O. Box 6064
Morgantown, WV
26506-6064
Water
Systems Should Polish Security Plans
by
Kathy Jesperson
On Tap Managing Editor
“What was previously an abstract possibility became
on September 11 an appalling reality, and our security environment must now
be seen in
a fundamentally different and considerably darker light.”
General George Robertson, NATO secretary.
Virtually every water system in the U.S. is anxious about security. While
no water system can be absolutely free from threats, it can be prepared. Jeffrey
Danneels, a security researcher at Sandia National Laboratories, says that
water system security includes tactics, such as:
• researching alternative solutions;
• reducing the consequences of an attack or accident;
• developing advanced treatment technologies;
• moving toward small, local systems;
• crafting new drinking water safety and security standards;
• understanding how to protect critical assets; and
• providing water system security education.
According to “Reducing Vulnerability of Water Supply Systems to Attack,”
in the Journal of Infrastructure Systems, December 1998, Yacov Y. Haimes and
others reports that small drinking water systems should evaluate four factors
to help toughen themselves against threats:
1. security,
2. redundancy,
3. robustness, and
4. resilience.
Security
Security includes all the measures that monitor or restrict access to the
system, such as locks, surveillance cameras, guards, fences, and entry control
systems. However, “guards, guns, and gates are not sufficient when it
comes to terrorism,” says Mike Hightower, technical staff, Sandia National
Laboratories. Hightower talked about the vulnerability assessment process
at the Water Security Summit held in Washington, D.C., December 4, 2001.
“These measures constitute neither a complete nor a very cost-effective
solution,” says Danneels. “We need fundamental changes in our approach
to potable water supply, treatment, and delivery to provide the most efficient
and economical approach to water supply safety, security, and reliability.”
Besides physical damage to water systems, cyber-terrorism is now a threat.
According to Hightower, this new threat is increasing because system designers
often did not incorporate security or protection methods into the supervisory
control and data acquisition (SCADA) systems in use today. However, he notes
that the security industry is developing standards that include enhanced security
measures. Water systems should include these updated features whether the
SCADA system in their facility is old or new. Since September 11, water systems
have been adding security measures. But they need to be careful about routing
everything through an existing SCADA system. Any security element that a water
system employs should be part of an independent protection system, and not
a part of the SCADA system. Directing the security system through the SCADA
system creates a single point of failure vulnerability.
Redundancy
“Being redundant means that you will have another option for running
the plant if something goes wrong,” Danneels explains. “If you have
one, maybe you need two. These improvements reduce consequences rather than
enhance security.
“Water systems must conduct a vulnerability assessment to identify components
that can leave the system vulnerable to single points of failure,” he
says. “Adding pipelines, storage tanks, or alternate energy sources may
eliminate these vulnerabilities and improve operational capabilities as well.”
For a water supply system, redundancy means:
• multiple gates for releasing water from reservoirs;
• extra pipes, canals, aqueducts, and tunnels;
• multiple methods of running the system;
• duplication of emergency response; and
• standardize system design and components, such as pumps, turbines,
and generators.
A primary problem is that “redundancies” often do not exist, Hightower
says. One of the reasons for this problem is that system planners often do
not design redundancies into plants, meaning that most facilities don’t
have spare pumps let alone spare parts. In addition, many of the existing
pumps, valves, and other mechanical equipment are old, and replacement parts
are no longer available. Manufacturing spares of some critical components
and storing them away from the facilities could reduce consequences of a physical
attack as well as the consequences of an equipment failure.
“Find a way to separate equipment,” says Danneels. “If you
do have two pumps, don’t install them right next to each other. Having
this kind of design isn’t very smart. If somebody blows up part of your
facility and destroys the main pump with the ‘redundant’ pump sitting
right beside it, what’s going to happen? Having two won’t do you
any good if they are both destroyed.”
Drinking water infrastructure is highly dependent upon electrical power to
pump and treat water. However, loss of power does not result in an immediate
loss of water supply for most water utilities because customers can use water
stored in large reservoirs as a temporary supply. Back-up generators can reduce
consequences and risk if the generators are designed and installed to meet
the system’s needs. Another alternative is to work with the local power
supplier. They may be able to provide equipment during an extended power outage.
Robustness
Robustness isn’t something that a water system can measure using typical
calculations. In engineering circles, robustness is typically understood this
way: A water system can produce and store more water than its customers demand.
And that typically means that a system can provide its customers with water,
even if it can’t produce water. Generally, having alternative water supplies
can enhance a system’s robustness. Water systems can work together to
truck in water or store it for future needs.
Resilience
Resilience means that the system can bounce right back into service after
an unexpected event does occur. And that implies that the system has an emergency
preparedness plan.
Most systems already have emergency preparedness plans, which can be used
to develop counter-terrorism responses. The Federal Emergency Management Agency
notes, “Were you to witness or experience an act of terrorism, remember
what you have learned about responding to other emergencies.” Combining
security, redundancy, robustness, and resilience can help water systems be
prepared for almost anything. While there’s never a 100-percent guarantee
that a system can be totally safe, it can be prepared for the worst and come
out even better for the wear.
And help is on the way. The American Water Works Association coordinated a
project between the U.S. Environmental Protection Agency and Sandia National
laboratories to help water and wastewater facilities conduct security vulnerability
assessments.
Their goal is to find out where systems are vulnerable and what the best,
most cost-effective ways are to make upgrades. Sandia National Laboratories
hopes to have a draft of its plan ready by early summer 2002.
For more information about this draft plan, visit Sandia’s Web site at
www.sandia.gov or AWWA’s site at www.awwa.org.