Wastewater Infrastructure Security

A bill entitled "Wastewater Treatment Works Security Act of 2003" was introduced in the Senate on May 12, 2003 that will provide grants for conducting Vulnerability Assessments (VA's) and implement security enhancements. The VA's look at the following five (5) plant assets: the Physical Plant, the People (employees), the Knowledge Base (plans, drawings, etc.), Information Technology, and Customers. VA's help identify weaknesses and recommend areas for improvements, e.g. closed circuit cameras. S-1039 would authorize $200,000,000 for VA's of which $15,000,000 is slated for small communities (less than 20,000 people). The grants are for a maximum Federal share of 75%.

The above referenced Bill can be reviewed at The Library of Congress link located below in "Other Links of Interest" , and by typing in the Bill number and hitting "Search".

Introduction

Did you know that nation's wastewater infrastructure is one of America's most valuable assets, valued at more than $2 trillion? Check out these USEPA facts:

190 million people are hooked up to 16,000 POTWs
600,000 miles of municipal sewers
3,000 systems serve major metropolitan sewers

Security at wastewater plants may not have received the attention that is should have over the years, but now times are different. Protect this huge public investment by looking at such issues as guarding against intruders, increased lighting, access to SCADA systems, and emergency response plans.

As a response to the significant role that water treatment and wastewater treatment facilities play in our society, there has been an interest in assessing the security of this sector of our infrastructure.

The need is quite obvious for water treatment facilities. Wastewater treatment is rarely recognized as the last bastion prior to release to the environment Significant environmental damage, impacts to recreation, and contaminated water supplies can be attributed to losses in wastewater treatment. This article highlights some of the key concepts from the Association of Metropolitan Sewage Agencies' "Asset Based Vulnerability Checklist for Wastewater Utilities."

WWTP Assets

Current security assessment is based on a series of five (5) assets common to wastewater facilities. These five include the Physical Plant, the People (employees), the Knowledge Base (As-built drawings, plans, records, SOP's deeds, legal agreements, O&M manuals, contracts and other business critical documents), Information Technology or IT Platform (internet use, SCADA systems, telephone and communications), and lastly, Customers (the sustainable revenue stream critical to the utility). The potential threats against these assets are not limited to the following: natural disaster, low-level vandalism, employee sabotage, terrorist sabotage, computer hacking, theft, and fires.

Criticality and Vulnerability

There are two factors assigned to assets. The first is the "criticality" which evaluates the consequences of the asset if it fails or is compromised. The second factor is the "vulnerability" which evaluates the ability to survive a threat. An asset's ability to survive a threat is based on the existing counter-measures, and the potential for additional counter-measures. An example might be a SCADA system's exposure to vandalism. The system may have existing counter-measures like the location in a separate building, and clear glass walls for observation. If the criticality identifies that failure of this system is so severe that service is interrupted for a prolonged period and is deemed unacceptable, then additional counter-measures may be sought. Perhaps a self locking door with security access, or station a secretary at the entrance to track who comes and goes, or possibly CCTV (closed circuit television) to a security office monitor may be employed.

The concept of criticality and vulnerability can be visually portrayed by using the following four by four (4x4) "risk matrix":

Criticality Rating				Vulnerability Level
1 (Very High)	2 (High)	3 (Moderate)	4 (Low)	Vulnerability Level
1A	2A	3A	4A	A (Very High)
1B	2B	3B	4B	B (High)
1C	2C	3C	4C	C (Moderate)
1D	2D	3D	4D	D (Low)

The matrix shows that assets falling in the upper left corner have the highest criticality and vulnerability which yields the highest risk levels. Conversely, assets in the lower right corner have the least criticality and vulnerability with the lowest risk levels. Assets that fall into the high risk areas of the matrix can be lowered by reducing the criticality, vulnerability, or both. This can be accomplished through the addition of new or improved counter-measures. Many times the criticality cannot be lowered although vulnerability may. "Time" is a prime component that controls vulnerability regarding security issues. Many of the counter-measures employed will relate to time options. Three (3) time options exist that can reduce the vulnerability:

Reduce detection time of a security related event.
Increase delay time, i.e. force the security breach to take longer to be perpetrated.
Shorten the response time to minimize the impact of the event.

The identification of risk is determined from the matrix. Once determined, the acceptability of these risks depends on a rational threat assessment, recognition of consequences, evaluation of vulnerability, effectiveness of counter-measures, and most importantly the cost associated with an asset loss. The decision for risk reduction if often governed by the expense of the counter-measures that are required. These financial decision variables are:

Risk Reduction - All necessary steps will be taken since the risk cannot be accepted at any cost.
Benefit/Cost Analysis - The risk will be reduced by the approach which yield the greatest net benefits.
Risk/Cost Analysis - The risk will be reduced by the approach which yield the greatest reduction in unit risk per dollar invested.
Regret Analysis - The risk will be reduced by the approach that minimizes the expected value of residual losses.

Using the above analyses, estimated damages can be projected for individual and combined counter-measures helping to determine which ones are appropriate for a given scenario. The final phase is to implement the counter-measures.

Summary

Wastewater treatment plants are comprised of five major assets - Physical Plant, People, Knowledge Base, Information Technology, and Customer. These components have differing degrees of criticality from plant-to-plant. the most critical assets are generally the ones that are tagged for security issues due to their importance. A vulnerability is evaluated to determine the ease of rendering an asset useless. The criticality and vulnerability can be used to form a risk matrix and identify the order that asset counter-measures are employed. Many counter-measures are concerned with the time characteristics of early detection, delay of an event, and early response. Risk reduction assessment often has a financial balancing between counter-measure costs and estimated benefits.

Resources

The Vulnerability Self Assessment Software Tool (VSAT), is now available. This tool provides a comprehensive, intuitive system for wastewater utilities seeking to analyze their vulnerability to both intentional threats and natural disasters. This software tool includes reference libraries of both potential threats and countermeasures, and provides a method for managing the information generated by security vulnerability assessments.

Developed by the Association of Metropolitan Sewerage Agencies (AMSA) in collaboration with PA Consulting Group and SCIENTECH, Inc., the software is available free of charge to all public wastewater utilities. Visit AMSA to request a copy of the VSAT wastewater software. For technical assistance regarding this software, please visit www.VSATusers.net or call (888) 340-8830.

The Association of Metropolitan Sewerage Agencies (AMSA) has published a useful checklist for POTWs. Visit the AMSA web site to download the PDF file, "Asset Based Vulnerability Checklist for Wastewater Utilities"

Sample "Vulnerability Assessment, (VA)" available. The New York State Department of Environmental Conservation (NYSDEC) is offering a free sample VA Report available via a request made in writing on official community letterhead. The 84 page report developed by Applied Risk Management (ARM), of Boston, MA describes the processes used in each step, key findings, and listing of recommendations. Contact NYSDEC, Facility Operations Assistance Section at, 625 Broadway, Albany, NY 12233-3506.

The New England Interstate Water Pollution Control Commission (NEIWPCC) is conducting a number of wastewater security workshops. NEIWPCC is located in Lowell, MA and can be reached at (978) 323-7929 or via their web site.

Visit the National Environmental Training Center for Small Communities "Calendar of Events" on their web site for the latest security seminar information.

EMERGENCY MANAGEMENT and RESPONSE

Every year emergencies take their toll on utilities and industries. Various events can generate an emergency including: fire, flood, hurricane, winter storm, hazardous material incident, etc... The Federal Emergency Management Agency(FEMA) has developed a step-by-step approach entitled Emergency Management Guide for Business and Industry to create and maintain a comprehensive emergency management program. This 80 page document is organized as follows:

Section 1 - The 4 Steps in the Planning Process
Section 2 - Emergency Management Considerations
Section 3 - Hazard - Specific Information
Section 4 - Information Sources

Utilities and industries have a moral responsibility to protect employees, comply with various regulations, minimize loss of services and possible damage to equipment, and reduce exposure to civil or criminal liability. Implementation of an emergency management program may also reduce your insurance premiums. For a copy of the guide, call FEMA at 202-566-1600 or download the entire the document at the EPA EMERGENCY MANAGEMENT and RESPONSE link under Wastewater Links.

Articles

Water Environment & Technology, Volume 14, No. 1 - January 2002, "A Sense of Security, Part 1: Protect Your Facility's Most Precious Resource - Personnel" (Page 37-38) and "Maximum Security" (Page 39-41).

Water Environment & Technology, Volume 14, No. 2 - February 2002, "A Sense of Security, Part 2: Enhance Your Facility's On-Site Chemical Security" (Page 38-39).

Water Environment & Technology, Volume 14, No. 3 - March 2002, "U.S. Congress Focuses on Security Funding" (Page 6) and "A Sense of Security, Part 3: "Maintain Your Facility's Integrity by Installing Measures Inside and Out" (Page 35-36).

Legal Issues in a Time of Crisis Checklist, 2002, Association of Metropolitan Sewerage Agencies, Order No. PSECTY 02 (60 Pages).

Natural Disaster Management for Wastewater Treatment Facilities, 1999, Water Environment Federation, Order No. P0910 CH (113 Pages).

Water Connection - Volume 18, Number 2, Spring 2002 from New England Interstate WPCC.

American City & County, November 2001, "Preparing for the Worst" (6 pages).