Presentation is loading. Please wait.

Presentation is loading. Please wait.

Water Infrastructure Security Enhancement (WISE) Workshop

Similar presentations

Presentation on theme: "Water Infrastructure Security Enhancement (WISE) Workshop"— Presentation transcript:

1 Water Infrastructure Security Enhancement (WISE) Workshop
Presented by Mike Chritton Ken Thompson Gary Jacobson, PE Yakir Hasit, PhD, PE Bill Desing, PE Raja Kadiyala, PhD Atlanta, GA Reston, VA Dallas, TX Los Angeles, CA Seattle, WA August August August September September 23 1

2 Logistics For everyone’s comfort, please…
Silence your cell phones, pagers, Blackberry devices Restrooms are located… Exits are located… 2

3 Acknowledgments Funding by EPA’s Water Infrastructure Security Enhancements (WISE) project WISE Project Managers Mr. Chris Hanson (ASCE) Mr. Muhammad Amer (ASCE) Ms. Stacy Passaro (WEF) Mr. Jim Wailes (AWWA) Technical oversight by ASCE/EWRI WISE Standards Committee 3

4 Agenda Introduction The Importance of Security
Management and O&M Considerations to Enhance Security Design Considerations and Features to Improve Security Design and Implementation of Online Water Quality Monitoring Systems Closing 4

5 The Importance of Security at Water, Wastewater, and Stormwater Utilities

6 Past Incidents Show Cause for Concern
Sewer Explosion – April 22, 1992 200+ dead 1,500+ injured 15,000+ homeless 1,000+ buildings destroyed or damaged Guadalajara, Mexico 6

7 Sabotage in Australia 2002 Former contract employee releases untreated sewage Insider manipulated SCADA system Caused pump station failure, resulting in overflow onto tourist resort and into storm sewers Resulting challenges Crisis communication Bio-hazards Liability Public relations Damaged “trust” in the city’s system. 7

8 Wastewater Security Concerns
Wastewater security concerns include Physical destruction Illegal dumping of toxic chemicals or flammable substances in the collection system Release of chlorine gas or other toxics Interruption in wastewater service can result in Widespread public health impacts Significant environmental damage 8

9 Water Distribution System Contamination Scenarios
Intentional contamination—injection of agents through Assets under atmospheric pressure Assets under system pressure Chemical feed systems Easily accessed sites for contamination Source water Finished water storage facilities Terminal appurtenances 9

10 Water Distribution System Contamination Scenarios
Accidental contamination can occur through Backflow from cross-connections Infiltration of contaminated water through breaks in pipes Inadvertent spills Runoff Effluent discharge 10

11 Drivers for Implementing System Security
107TH CONGRESS 1ST SESSION P.L AN ACT To improve the ability of the United States to prevent, prepare for, and respond to bioterrorism and other public health emergencies. Public Health Security and Bio-terrorism Preparedness and Response Act of 2002 National Intelligence Reform Act of 2004 Congress has also provided direction in this area. Commonly referred to as the Bioterrorism Act, the Public Health Security and Bioterrorism Preparedness and Response Act was developed by the U.S. Congress and signed into law in It required that vulnerability assessments be conducted for community drinking water systems that serve more than 3,300 people. It also required that an emergency response plan be created or updated based on the outcome of each water system’s vulnerability assessment. As a prudent business and management activity, the security recommendations resulting from the vulnerability assessment should be applied to any utility upgrades, improvements, or expansion. The National Intelligence Reform Act of 2004 codifies Homeland Security Presidential Directive 7. It includes the use of a “unified incident command system” to enhance communication between all levels of government and emergency responder and directs the Department of Homeland Security to assess the vulnerabilities of the key resources and critical infrastructure of the U.S. Commonly referred to as the Bioterrorism Act, the Public Health Security and Bioterrorism Preparedness and Response Act was developed by the U.S. Congress and signed into law in It required that vulnerability assessments be conducted for community drinking water systems that serve more than 3,300 people. It also required that and emergency response plan be created or updated based on the outcome of each water system’s vulnerability assessment. As a prudent business and management activity, the application of the results of the vulnerability assessment be applied to any upgrades, improvements, or expansion of an individual utility. Leave flexibility in for additional regulations w/ second bullet 11

12 Drivers for Implementing System Security
Homeland Security Presidential Directives HSPD-5 – Management of Domestic Incidents HSPD-7 – Critical Infrastructure Identification, Prioritization, and Protection HSPD-8 – National Preparedness HSPD-9 – Defense of United States Agriculture and Food The government has provided some initiative to implement water system security. The White House has provided direction in this area. Presidential Directives issued under the Department of Homeland Security emphasize the importance of protecting our public infrastructure. The Directives having the greatest impact on water issues include numbers 5, 7, 8, and 9. HSPD-5 – February 28, 2003, Management of Domestic Incidents HSPD-7 – December 17, 2003, Critical Infrastructure Identification, Prioritization, and Protection HSPD-8 – December 17, 2003, National Preparedness HSPD-9 – January 30, 2004, Defense of United States Agriculture and Food 12

13 Drivers for Implementing System Security
Provides utilities with opportunities to protect public health and safety Increases public confidence Considers legal consequences and helps to define “standard of care” There are many good reasons that water utilities should implement system security. In addition to the governmental drivers that support increased security, protecting the water supply is something every utility should do. Enhancing public health and safety are essential components of most water utility missions. Water is considered to be critical infrastructure (2001 Executive Order on Critical Infrastructure Protection and The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets-2003), impacting both the health and economy of the nation. Both the supply of drinking water and wastewater collection and treatment are essential components of our society. Citizens expect an adequate supply of potable water when they turn on the taps. Businesses use water in myriad ways, from restaurants serving it to their customers to industries using it in manufacturing processes. When the water supply is contaminated or inadequate, public health and safety, as well as economic health, is jeopardized. A water system that is demonstrably secure increases public confidence. Expending resources to improve security after conducting a vulnerability assessment is a proactive step that supports the stewardship of public resources that is inherent in a public utility. Security system improvements can prevent outage conditions and damage to facilities, can reduce non-service consequences to utility assets, can lessen the effects of a malevolent or natural events by involving a well-trained staff ready to react to an emergency, and may mitigate potentially adverse legal actions. 13

14 Benefits of Implementing System Security
Proactive planning, actions, and training Can be applied during any emergency Can prevent damage to systems and outage conditions Reduce non-service consequences May mitigate potentially adverse legal reactions 14

15 ASCE WISE SC Response to Need for Security Information
Establishment of Water Infrastructure Security Enhancements Committee (WISE) Standards Committee (SC) ASCE enters into cooperative agreement with USEPA to develop, with WISE SC oversight, physical security standards for water and wastewater utilities AWWA prepares water guidance; WEF prepares wastewater/stormwater guidance; ASCE prepares methodology/characteristics 15

16 WISE Documents Developed to Aid Utility Security Planning
Three phases of development for each guidance area Phase 1: Development of interim voluntary security guidelines for water and wastewater/stormwater utilities and contaminant monitoring systems (December 2004) Phase 2: Preparation of training and outreach materials for Phase 1 documents (August 2005) Phase 3: Development, vetting, and acceptance of appropriate standards through accredited consensus process (December 2006) The Security Guidance was designed to provide a variety of ideas—from management to operations to design—for utility systems to integrate best practices and develop an optimal security strategy. 16

17 WISE Security Guidance and Standards

18 Objectives of this Workshop
Provide utility personnel, designers, educators, regulators and other water/wastewater/ stormwater industry professionals with An overview of the contents of the WISE documents Relevant management, operational, and design concepts to reduce security risks Information to develop a balanced and optimized security strategy 18

19 Basic Assumptions when Developing a Security Strategy

20 Developing a Security Strategy Overview
Identifying the threats Assessing the threats Defining vulnerability and risk Evaluating risk Assessing vulnerability Developing a security strategy Determining efficient actions Balance and benefits 20

21 Developing a Security Strategy Identifying the Threats
A threat is defined as an event that may result in Harm to the public Damage or harm to a utility’s physical, cyber, or human assets An upset or disruption to service or operations Threats can be divided into three categories Malevolent threats Natural threats Unintentional threats 21

22 Developing a Security Strategy Identifying the Threats
Utilities protect against Vandals Criminals Saboteurs Terrorists Insiders Outsiders These threats have been defined as follows: Vandals – one or more individuals who spontaneously and surreptitiously access a facility site with the intent of causing damage to the assets. Criminals – one or more individuals who, either spontaneously or intentionally, surreptitiously access a facility site with the intent to steal assets. It is possible that these individuals may have weapons such as knives or pistols, and the possibility exists that they could cause injuries, sometimes fatal, to utility staff. Saboteurs – one or more individuals who intentionally and surreptitiously access a facility with the intent to damage facility assets. It is likely that these individuals will possess weapons, including explosives. Their intent is to cause significant damage, possibly including system contamination, that may result in injuries or fatalities. Terrorists – one or more individuals who extensively plan to access a facility, either surreptitiously or obviously, with the intent to cause widespread damage and harm to utility staff and the public. These individuals can possess any type of weapon and will likely attempt to contaminate the system. Insiders – an insider is a person with knowledge of the water utility and who has access to the facilities as part of daily work activities. Insiders are typically current employees or their spouses/partners. Unfortunately, the insider threat is much harder to manage. Outsiders – an outsider (who may work in concert with an insider) is someone who is not normally allowed access to water system facilities. Outsiders can take many forms—former employees, their spouses/partners, vendors/contractors, customers, vandals, criminals, saboteurs, cyber terrorists, domestic terrorists, and foreign terrorists. As implied in the description of the threats, malevolent acts can include: Physical damage to system Disruption of service Harm to employees and the public Use of facilities for malicious purposes Normally, threats to a utility can range the spectrum; while some may be less likely than others, they usually all exist. It’s likely that utilities have been working toward providing security against their Design Basis Threats since the completion of their vulnerability assessments. During this process, it’s also likely that they’ve realized that as the threat level increases, the cost of preventing and mitigating that threat goes up, sometimes exponentially. 22

23 Developing a Security Strategy Identifying the Threats
Threat Characteristics by Category Threat Categories Vandal Thrill, dare Property damage Little or none Stealth None Minimal Criminal Financial gain Theft Possible Stealth Knife, pistol, rifle None Minimal Saboteur Political cause Disruption/destruction Definite Stealth Explosives Possible Significant Terrorist Political cause Destruction and human casualties Extensive Stealth or overt Assault weapons, explosives, RPGs Probable Definite Motivation Objective Planning Access Weapons Contaminants Asset damage Injuries Fatalities Characteristic 23

24 Developing a Security Strategy Assessing the Threats
Understand the likelihood of a threat occurring at this utility based on the Design Basis Threat (DBT) Capability of the threat (i.e., number of adversaries) History of threats Tactics and methods of attacks (including tools) Access to critical equipment (internal) Motivation of adversary The identification of a utility’s design basis threat (DBT) and its characteristics was conducted during the vulnerability assessment. The DBT provides insight into the types of man-made threats facing the utility, their likelihood, and the potential impacts from a successful malevolent event. While a regular review of this information is valid to ensure that there have not been changes to the DBT, it is not necessary to repeat this step. By basing prevention, mitigation, and response, this specific information about the DBT generally identifies the methods necessary to detect, delay, and mitigate an attack. The methods chosen, in turn, become the basis for changes in security operations at your utility. Remember, rather than planning for generic threats, you need to understand the threats to YOUR utility. This understanding should come from the utility’s VA and be updated as new information becomes available from local and national authorities. Keep in mind that disgruntled employees/insider threats can be a very real concern. 24

25 Developing a Security Strategy Assessing the Threats
Identify the threat category that is appropriate for the utility based on Existing information gathered from law enforcement Experience Threat category becomes the Design Basis Threat Improvements to reduce risk should target DBT Improvements that reduce risk against one category will also reduce risk against lower-risk categories 25

26 Developing a Security Strategy Defining Vulnerability and Risk
Vulnerability is a characteristic of an infrastructure’s design, implementation, or operation that makes it susceptible to destruction or incapacitation by a threat Risk is the potential for realization of unwanted adverse consequences to human life, health, property, or the environment 26

27 Developing a Security Strategy Evaluating Risk
Risk = ƒ (probability x criticality) What is the likelihood of the occurrence? What is the severity of the occurrence? Countermeasures are procedures, operational tactics, or elements of physical infrastructure that decrease probability or criticality 27

28 Developing a Security Strategy Assessing Vulnerability
Objectives of vulnerability assessments (VAs) Identify threats Identify specific assets that may be impacted Determine the relative criticality of the utility’s assets Determine the likelihood that a threat may materialize Evaluate existing countermeasures Analyze current risks Identify additional countermeasures and prioritize 28

29 Developing a Security Strategy Assessing Vulnerability
Vulnerability assessment tools Vulnerability Self-Assessment Tool (VSATTM) developed by NACWA Software is free at Risk Assessment Methodology for Water (RAM-WTM ) developed by Sandia National Laboratories Checklist-based tools developed by AMSA, National Environmental Training Center for Small Communities, USEPA 29

30 Developing a Security Strategy
Assess the threats and conduct a vulnerability assessment Apply the 3 approaches to the development of a balanced plan Management of the utility Operations and operational functions Security design enhancements Build support for the strategy Consider all potential drivers Evaluate cost vs. risk reduction 30

31 Developing a Security Strategy A Balanced Approach
Design Implementation Management Vision Policies Funding Communications Redundancy Physical Protection Electronic Security Security Strategy The Integration of Management, Operations, and Design Emergency Response Plan Operations Sustainability Standard Operating Procedures 31

32 Developing a Security Strategy A Balanced Plan
Apply the balanced approach to each of these areas Mitigation - the ability to control the events offers a chance to mitigate the effects of a malevolent act Response - the ability to respond requires proper detection and assessment Recovery - the ability of the utility system to return to full operation. Mitigation Response Recovery Mitigation The ability to control the events offers a chance to mitigate the effects of a malevolent event. To effectively mitigate, a utility must first identify the parts of the operation that present the most risk or cannot be easily mitigated, then conduct a risk reduction analysis. Continue to identify and prioritize risks and subsequent mitigations until all have been considered. Response Utilities cannot initiate a response to an event until detection and assessment of an intruder alarm or an actual intrusion has occurred. Initiating response will typically require the notification and cooperation of, and benefit from a good working relationship with, law enforcement. Recovery Recovery is a critical part of a utility’s balanced approach to securing its water system against malevolent events. This part of the approach refers to the ability of the water system to return to full operation. 32

33 Developing a Security Strategy Determining Efficient Actions
This slide shows the law of diminishing returns with regard to security upgrades. Improvements to procedures are the least expensive and probably provide the greatest “bang for the buck.” Operational changes like switching from gaseous chlorine to chloramines can be more effective instead of applying increased security. More robust security systems cost more per reduction in risk level. Lowering the consequence of the event is usually preferred (due to its lower expense) over increasing the security level. To ensure that your security improvements are the most efficient in both risk reduction and affordability, they should balances management, operations, and design actions. Reduction in Risk 33

34 Developing a Security Strategy Multiple Benefits
Security focus complements utilities’ mission Protect public health and safety Improve protection of the environment Increase public confidence Demonstrate good stewardship Being proactive may Prevent damage to systems and outage conditions Mitigate potentially adverse legal reactions 34

35 Developing a Security Strategy The Best Solution
There is no single solution the only wrong approach is to do nothing Consider Practicality Financial ability to pay for security improvements, O&M DBT and consequences Community restrictions Political considerations System redundancy Sophistication of utility staff Utility managers need to understand all of the internal and external factors prior to developing a plan for their water systems. Often, a utility manager will be asked to compare his utility’s approach with the approaches of other utilities or directed to protect his system from an attack from international terrorists by the utility’s governing body. This is when the utility manager needs to work with the utility’s legal council to identify the most appropriate method to communicate to the governing body in a manner that does not jeopardize the overall water system approach to security. 35

36 Management and O&M Considerations to Enhance Security for Water, Wastewater, and Stormwater Utilities 36

37 Effective Security Starts with Management Commitment
Design Implementation Management Vision Policies Funding Communications Security Strategy The objective of this section is to provide guidance that enables the water utility managers, operators, and decision-makers to identify and apply operational improvements to their systems. The purpose of these improvements will be to protect public health and safety, ensure safe sites and facilities, and to protect people, information, property, and assets related to the mission and goals of the utility. KEN – THIS IS NOT THE CORRECT GRAPHIC, BUT WILL BE REPLACED ON THURSDAY. MANAGEMENT WILL BE HIGHLIGHTED INSTEAD OF OPERATIONS. The Integration of Management, Operations, and Design Operations Sustainability 37

38 Management Responsibilities and Best Practices
Keep the Governing Board informed Involve all stakeholders Ensure effective communication Initiate interagency coordination Address human resources Address financial resources Plan for emergency procurement Manage sensitive records Update policies and procedures Water utilities have the ability to reduce the risks associated with malevolent actions and, to a great extent, natural disasters using those means available to them that can be developed and put into effect without major financial expenditures. The nine items listed are management responsibilities in regard to systems security. Each item is addressed in the Security Guidance and is discussed in some depth in the following slides. 38

39 Management Responsibilities/Best Practices Keep the Governing Body Informed
Governing board has ultimate responsibility to customers and citizens May need to be convinced that the utility is indeed vulnerable Be cautious of revealing security details in public forums 39

40 Management Responsibilities/Best Practices Involve All Stakeholders
Build awareness of utility security issues Why it’s important Security concepts and issues Ways in which stakeholders can assist Gain the confidence & support of stakeholders Customers Community organizations Environmental advocates Regulatory agencies Elected officials Public health departments Stakeholders also include law enforcement, local fire departments, first responders, upstream providers 40

41 Management Responsibilities/Best Practices Ensure Effective Communication
Effective communication requires planning and use of appropriate tools and techniques Communications tools Practices and procedures Public outreach preparation and coordination Different objectives for external and internal communication Effective communication includes the ability to use the appropriate tools: Two-way radios/cellular phones. Note: Cell phones and two-way radios should not be used during a bomb threat because their signal may set off the bomb. Following a detonation, their can be a brief (approximately 15 second) period in which radio and cell phones may not work due to shock waves from the blast. 800 MHz radios. These radios are typically used by fire and police departments; a utility is encouraged to have at least one 800 MHz radio to facilitate communication with first responders. Volunteer Amateur (Ham) Radio Operators. This system offers an alternate distance communication channel. Government Emergency Telecommunications Service (GETS). It is free to sign up for this service and to receive calling cards for selected staff. Note: Utilities must sign up for this service prior to the actual emergency or need to use the service. Effective communication includes use of internal and external practices and procedures. Internal practices include establishing a clear protocol for reporting security issues, keeping up-to-date emergency contact lists, and communicating to all employees via meetings, newsletters, etc. External practices include building solid relationships with local emergency managers and first responders, involving staff from emergency agencies in utility emergency planning and exercises, sharing emergency contact lists, being part of the community and asking customers to be more aware, being ready with public notices and designated spokespersons, and providing accurate information. Effective communication also includes public outreach preparation and coordination. Public outreach is required for a utility to develop a successful relationship with those it serves. A utility may handle security and emergency response in a technically solid manner, but if the public is not properly informed, then any situation can develop into a disaster. 41

42 Management Responsibilities/Best Practices Initiate Interagency Coordination
Coordinate in advance with city or county emergency management agencies and other local and regional major utilities Conduct emergency response exercises with external agencies Set up mutual aid agreements with other utilities and agencies Part of protecting utility infrastructure involves interaction with other agencies. Clear and concise communication between the utility and outside assistance is crucial in planning for and responding to an emergency. By reaching out to neighboring utilities both near and far, a utility may gain use of equipment and technical resources at lower costs. Coordination with city or county offices such as emergency management agencies (e.g., Local Emergency Planning Committees [LEPCs]) and health departments may open doors to existing equipment, grants, and other assistance that the utility did not previously know existed. Coordination with other major utilities such as electric and telephone companies prior to an emergency can also prove beneficial during an emergency event. Exercises can be conducted with these agencies and utilities to practice coordination and identify issues, concerns, and overlapping jurisdiction between them. Prior to an incident, it is important to have mutual aid agreements in place with other utilities, laboratories, first responders, and other agencies. These agreements often save time, money, and confusion. These agreements should address: Interconnections Sharing of laboratory facilities Loans of supplies and materials, heavy equipment, and trained personnel Other considerations: Reach out to neighboring utilities for sharing of equipment, information, and other resources. Initiate a dialogue with other utility providers to develop “priority customer” status. Interlocal agreements can: Provide for mutual aid during times of crises Address utilization of resources to augment impacted or insufficient capabilities Identify responsibilities of the parties Establish procedures for reimbursements Assure legal authority for operating outside of service area Provide for indemnification of the parties 42

43 Management Responsibilities/Best Practices Address Human Resources
Create a culture of safety and security Protect worker health and safety Involve employees in security decisions Provide security orientation and continuous training and cross-training for all employees Include security as an agenda item at meetings Ask security officers and employees to participate Conduct background investigations Provide photo identification badges Use employee surveillance techniques Consider security related to contractors and vendors Just as employees are critical to the successful operation of a water system, they are also critical to ensuring a secure water utility and protecting public health and safety. Employees are “insiders“; they have unique knowledge of the water system’s infrastructure, processes, and vulnerabilities. They are authorized to access both facilities and information; if that access is used with malicious intent, the results could be catastrophic. The approach to integrating security into the culture of the utility is similar to the process used to integrate worker safety into all aspects of utility operations. While employees do not become security guards, full-time, permanent employees offer the knowledge and awareness capability to detect, discern, and deny an outsider from causing an emergency situation within the utility. Include security orientation and responsibilities as part of new employee orientation. Security training refresher courses should be routinely addressed on a semi-annual or annual basis. Updates or changes to security measures can be distributed or presented in the short term through meetings or “tailgate” sessions. Means and methods to mitigate risks Background checks Photo identification badges Surveillance Check with legal counsel first ! Bargaining unit agreements Work rules and HR policies Local, state, and federal law. 43

44 Management Responsibilities/Best Practices Address Financial Resources
Develop a Capital Improvement Plan (CIP) that adequately supports security funding requirements Assess competition for funds between CIP programs and new requirements, growth, operational deficiencies, and infrastructure improvements Develop funding programs to support operating requirements Develop funding programs that governing boards and customers can support To meet normal customer demands on the systems and to accomplish security objectives, water utilities invest in CIP programs and O&M programs to keep existing facilities functioning. Because funding must be allocated between regulatory needs, repair of current infrastructure, and growth requirements and now must integrate security measures into these areas, the use of a prioritization process is important. The Capital Planning Strategy Manual, developed by AWWA and AwwaRF, provides instructions and tools for prioritization and decision management. Implementation of security measures could have substantial impacts on water system budgets, both capital and operating. Whether the utility will fund security projects from debt sources or net revenue, pressure on water rates may necessitate a rate increase. Thus, utility managers will need to inform customers of the importance of security measures in providing uninterrupted service and protection of public health and the environment, without revealing significant details about the approach to security or specific countermeasures. When looking for opportunities to facilitate ways improve security, financial planning presents a very important opportunity to reduce risks. Items developed to gain governing board support, such as risk-reduction, cost-benefit, and cost-risk reduction analyses, can be used in the development of these programs. Ensure balanced financial programs: security improvements, operations and maintenance, rehabilitation and replacement, regulatory requirements, and system growth. 44

45 Management Responsibilities/Best Practices Plan for Emergency Procurement
Include information about emergency procurement of supplies, equipment, materials, and contract labor in the Emergency Response Plan Identify circumstances under which emergency procurement can be used Consider cooperative purchasing agreements with other utilities or agencies to provide flexibility Ensure the security of your procurement process For the most efficient response and recovery to an emergency, utilities should be familiar with both standard and emergency procurement procedures. Emergency procedures should be identified in advance and be easily executed. Emergency procurement procedures should cover supplies, equipment, materials, and contract labor, as necessary. Identify who can execute emergency procurement contracts, expend funds. Also identify what defines an emergency and at what point emergency procurement is permitted. Utilities should coordinate with other utilities and local governments in their states and adjacent states and cooperate on developing specifications and allowing purchases from each other’s contracts. To ensure the security of your procurement process: Limit the solicitation process by using pre-qualified vendors to do security work. Require signed confidentiality agreements. Provide only centralized, secure access to plans. Compartmentalize projects to limit view of any one vendor, or limit selection to one company (such as construction design-build or a single vendor developing and installing security equipment). 45

46 Management Responsibilities/Best Practices Manage Sensitive Records
Develop levels of document security from non-sensitive to highly sensitive for management and storage Institute policies for securing sensitive documents Limit documents to authorized staff only Use locked metal file cabinets Use a password-protected secure server Add a confidentiality clause to sensitive documents Do not transmit sensitive material electronically Control bid documents and associated information It is critical that utilities have policies in place that specify the documents that are sensitive, and that the utilities manage their documents and records so that sensitive documents remain in a secure environment. These actions are needed to prevent sensitive documents from being accidentally released to the public, for example, in response to a FOIA request. Utilities should consider how information about their facilities is distributed to potential contractors, consultants, and other outside agencies and organizations. Plans, maps, and specifications can serve as roadmaps and planning tools for malevolent actions. Utilities should also review the information on their web sites to ensure that sensitive information has not been inadvertently included. New information for web sites should routinely be screened for sensitive content. Additional considerations: Secure sensitive documents subject to FOIA, such as vulnerability assessments, details of security systems, security incident reports, as-built plans and specs, personnel records, and emergency response plans. Store documents in locked metal file cabinets. Keep minimal information on the Internet. Include confidentiality statements on documents. Apply “clear-desk” and “clear-screen” policies. Keep backups of records and data offsite. 46

47 Management Responsibilities/Best Practices Update Policies and Procedures
Basic Track and retrieve keys; maintain locks Conduct random but frequent perimeter inspections Annually review and update security plans Develop security protocols for visitors, vendors, and suppliers Inventory and keep on hand redundant, spare, and emergency parts Develop and implement a utility vehicle security and use policy Develop an operators off-hours protocol for emergency response Require security components in facility Your utility may want to develop or update its policies and procedures for each of the items listed (Section 2.7.1) with an eye toward how each affects security. Control keys in order to control access. For example, keys must be retrieved from employees leaving the utility, especially those leaving involuntarily. Facility access control--implement key and lock control (including electronic systems using access cards); limit access to portions of facilities by security level; specify how to handle visitors, tour groups, vendors and deliveries, chemicals, construction materials, packages, mail and construction site security. Perimeter inspections include remote sites as well as the main plant. Security plans are living documents and must be regularly reviewed to include changes to the DBT, the community, and technology. Security protocols for vendors and suppliers who are at the plant on a regular basis require detailed information, such as manifests, driver identification, and supporting documents, provided in advance, as well as validation of the delivery process, truck inspections, etc. Similar protocols must be developed for mail and other package delivery. An on-hand inventory of spare parts and equipment can save time during an emergency, and is most cost-effective when reviewed regularly to ensure that the correct items are on hand. Vehicle and heavy equipment use--define authorized use in both normal and emergency situations; identify how and where vehicles and equipment are to be parked, stored, and secured. An off-hours protocol should include how to obtain emergency support from off-duty personnel as quickly as possible. Security should be built-in to all aspects of the water system. An especially good time to do this is when building new or retrofitting facilities. 47

48 Management Responsibilities/Best Practices Update Policies and Procedures
Advanced Limit employee access Automatically reset alarmed facilities at preset time Keep citizen crime watch and incident alarm logs Institute a preventative maintenance program for all security equipment Develop a distribution system response, isolation, and flushing plan Practice a sampling protocol that uses off-site laboratories for non-routine samples Routinely exercise generators and back-up equipment Ensure emergency supplies are reviewed, rotated, and updated Develop or update policies and procedures for each of the items listed. Entry control systems allow flexibility in allowing employees access to or restricting access from specific facilities. Alarms should automatically reset after a preset period of time. Thus, if an alarm was disabled for any reason (for example, for maintenance personnel to enter the facility), it will not inadvertently remain disabled. Your DBT is based on the history of malevolent acts at your utility and in your community. To ensure that your DBT is kept up-to-date, you must track this type of information. Exercising and maintaining your security system to be confident in its reliability. Ensure that employees are familiar with the plan can minimize the time that your customers are without service. The Security Guidance contains general procedural recommendations specifically for onsite laboratories. The testing of back-up power generators should include operating them under load to ensure proper circuits and systems are capable of being supported. Similar to bench stock, stored emergency supplies should be inspected and replaced, as necessary, to ensure availability during an emergency. 48

49 Management Responsibilities/Best Practices Summary
Management security practices can increase security very cost effectively can be applied immediately used consistently can build a culture of security 49

50 Apply the Optimal Solutions to Improve Security
Design Implementation Management Vision Security Strategy The objective of this section is to provide guidance that enables the water utility managers, operators, and decision-makers to identify and apply operational improvements to their systems with the goal of protecting public health and safety. The purpose of these improvements will be to ensure secure sites and facilities and to protect people, information, property, and assets related to the mission and goals of the utility. This module provides suggestions for a variety of operational approaches that water utilities may adopt to improve the security of their aboveground and underground infrastructure and support facilities in a cost-effective fashion. Keep in mind that operational solutions involve the planning and action of operations, management, and supervisory personnel, and that they work in concert with management and design solutions. A Balanced Approach to Security Integrates Management, Operations, and Design Emergency Response Plan Operations Sustainability Standard Operating Procedures 50

51 Operational Responsibilities/Best Practices Operational Security Solutions
Operational solutions are concerned with acts of nature and accidents, as well as security against malevolent events, and are integral to all aspects of utility operations Operational solutions to security are included both in the design of the systems and how they are operated. Operating systems and operational practices and procedures can be addressed to manage both malevolent and natural events and to mitigate the effects of those events. 51

52 Operations Responsibilities and Best Practices
General practices Facility-specific practices Cyber system Support operations Water utilities have the ability to reduce the risks associated with malevolent actions and, to a great extent, natural disasters using those means available to them that can be developed and put into effect without major financial expenditures. The nine items listed are management responsibilities in regard to systems security. Each item is addressed in the Security Guidance and is discussed in some depth in the following slides. 52

53 Operational Responsibilities/Best Practices General Operational Practices
Implementation of policies Visitor Control Policy Key Control Policy Access Control Policy Alarms and set-points Alarm response protocols General practices are those that are applicable across different parts of the water system. Practices that manage visitor, key, and access control apply uniformly. Operating protocols that are designed to respond to emergency situations can be either procedurally driven, or they can be hard-wired into the process through the use of set points and alarms. These general practices will apply to all major water utility facilities, such as treatment plants. <The photo is of a river diversion structure.> 53

54 Operational Responsibilities/Best Practices General Operational Practices
Vehicle Checkpoints Maintenance Activities Fences Clearzone areas Locks Doors and windows Spare part inventory Routine testing of equipment Random site inspections for remote locations The outer-most barriers to a water operation provide the first opportunity to establish detection and delay to a malevolent event. Maintaining these barriers for security and to allow for clearzone visibility should be part of a regular maintenance program. Establishing vehicle checkpoints allows for the ability to limit access to a location. Vehicle check points should be able to slow down approaching vehicles, and permit barriers to be used to stop entry or egress. A regular inspection, maintenance, and repair program for fences, barriers, gates, and other access points is a critical investment in maintaining operational security. However, fences alone will not stop the more sophisticated intruders. The photo above demonstrates the ease of entry over tall and short fences by intruders with the expertise and equipment. If the local threat has these capabilities, additional measures such as intrusion sensors should be considered to alert the utility to the threat as early and as far away as possible from the target. 54

55 Operational Responsibilities/Best Practices Facility-specific Practices
Water system facilities Source water Raw water conveyance Treatment facilities Finished water storage and conveyance Limited time only allows a brief discussion of a few of these facility types. Source Water, both from groundwater and surface water, marks the first opportunity for operational practices and design to mitigate disruption of water service to customers. 1) Groundwater Protected groundwater supplies from an aquifer are unlikely to be intentionally contaminated through the environment (e.g., spills) because of the depth of the groundwater, protective clay lenses, and the volume of water. A wellhead provides a more vulnerable target. The two potential intrusion points of a wellhead are the site inspection tube and the wellhead sample port. Sample points and sounding tubes can be secured from simple threats by using locking devices or metal cages. Wellheads equipped with intrusion alarms can be used to trigger an automatic shutdown of the well. This would allow operations staff to inspect the facility for potential contamination prior to introducing the well water back into the system. 2) Groundwater under the influence of surface water These sources typically lack protective clay lenses and are relatively shallow supplies, which make them more vulnerable to contamination events. The vulnerable components of these unprotected groundwater supplies are the water source, the site inspection tube, and the wellhead sample port. Each of these components can be a conduit for the introduction of contaminants. Online monitoring could be used for unprotected groundwater supplies to provide early detection for unusual water quality changes that could be associated with a contamination event. (Keep in mind that there are limitations to online monitoring and, thus, no guarantees of successful early detection.) In addition, the wellheads can also incorporate the same automatic shutdown mechanism as previously described for protected wellheads. <The photo shows a typical wellhead facility that has unrestricted access and would be vulnerable to intentional contamination.> 55

56 Operational Responsibilities/Best Practices Facility-specific Practices
Wastewater/storm- water system facilities Wastewater treatment plants Collection systems Pumping stations Source Water (continued) Both impounded water and some surface water sources require treatment at water treatment plants and monitoring for quality. Reservoirs and lakes are typically large bodies of water, significantly reducing the potential for introducing a contaminant at a dose high enough to be a of concern. Streams and rivers have a higher potential for short-term contamination events due to intentional dumping or accidental releases of contaminants upstream of the raw water intake structures. Part of an integrated water quality monitoring response program is one that evaluates surrogates that are indicative of unusual and unanticipated changes in water quality. This approach may provide an early warning of a potential contamination event, but it may not detect the intentional introduction of certain types of contaminants. In these events, the contamination would go unnoticed until the public impacts were reported. Intake structures are typically located in remote locations (resulting in a slower emergency response time), are gravity fed (allowing easier introduction of contaminants), and are often single of points of failure for the raw water delivery system. Operational security recommendations may include: Conducting random site inspections of screens and bars by operations staff during elevated alert periods, and temporary use of guards during emergencies. Coordinating with other agencies and community groups to develop an “alert” program. Installing intrusion alarms on fencing located on the land side of the intake structures that may include lights and cameras. Securing hatches and valves against tampering and entry attempts into the intake structure. <The photo shows a pristine water source that is open and vulnerable to intentional contamination.> 56

57 Operational Responsibilities/Best Practices Cyber System: External Threats
Cyber systems that need protection Telephone Internet Wireless Defense strategies Telephone: restrict modems, turn modems off when not in use, don’t divulge user information over the telephone Internet: create and test firewall, restrict general access Wireless: eliminate unauthorized wireless networking, apply highest encryption levels Cyber security addresses the need for continuous functioning of the information systems serving the utility. Of special concern to water utilities is the SCADA system, whose distributed components maintain the process. Given the complex and interrelated nature of SCADA systems, a comprehensive approach is recommended to safeguard the systems’ reliability. Telephone - The most common method of telephone system intrusion is via dial-up modem. Most SCADA systems employ a modem to facilitate operations and maintenance of the HMI by vendor or in-house SCADA technicians. Traditionally, these modem connections have little or no security; they are an attractive target for “war-dialing,“ a common technique used by telephone hackers that uses a software program to automatically call thousands of telephone numbers to look for any that have a modem attached. Internet - Internet access to the enterprise is not always under the control of utility IT staff. It is common for the umbrella municipality to administer all security aspects of the Internet gateway, including firewall configuration and Intrusion Detection System (IDS) oversight. In that case, it is important that the utility IT staff participate in municipal IT matters via technical committees or similar intra-organization forums. Wireless - Many wireless installations in the workplace can exist without the knowledge of the IT group. These installations generally have little or no security and can be accessed by anyone within signal range. Defense strategies are available for each of these systems, and they include these. Telephone – Configure modems to allow dial-up access from only a specific list of telephone numbers. Modems should be turned off when not in use. It may be necessary to use a timer to turn off modems after a preset period of time if they are not in use. Warn employees that user information should not be given out over the telephone without a prior authorization to do so. Internet – Firewalls can be a reliable deterrent; however, they must be tested to ensure that they work properly. Restrict general user access to critical applications. This may require a segregated servers or separate networks. Wireless – Use wireless detection software to ensure that no unauthorized wireless access points have been installed. Where wireless connections are authorized, minimize the broadcast range and use the highest encryption levels available. 57

58 Operational Responsibilities/Best Practices Cyber System: Internal Threats
Insider Intrusion Post security policies Base access level on responsibility level Create an audit trail for changes Reset all passwords away from default Back up information daily Although an inside attacker has a decided advantage by possessing access privileges to the enterprise system, a stringent security environment renders operational staff activities less anonymous. A well-designed cyber security plan seeks to minimize inadvertent or intentional damage to the SCADA system by former or current employees and contractors. At the core of any security plan is an enforceable security policy and accompanying procedures that promote operational accountability and auditability. Several security practices that promote accountability and auditability are part of this mainstream movement, including these basic operational security considerations (four identified on slide, plus the following): Require more complex passwords for access to sensitive information Remove a user account upon employee termination Set up an inactivity logout based on a pre-determined time or install a proximity sensor logout Require a password to make programming changes Program set point ranges to reject out-of-range adjustments Sensitive electronic SCADA components are often completely accessible to anyone in the plant. Utilities can reduce crimes of opportunity through these basic operational security considerations: backing up data on a daily basis, controlling access to cabinets and rooms, and restricting access to the cyber systems. 58

59 Operational Responsibilities/Best Practices Support Operations
Operational considerations for maintenance shops, warehouses, storage facilities, administrative offices, and garages Control access Track equipment Ensure secure storage of high-value equipment and parts Prevent theft of vehicles and equipment Warehouse facilities serve an important function for providing key supplies during emergency events. Loss of the warehouse contents can impair the ability of staff to rapidly respond and correct system problems. Administrative offices house the business functions (e.g., human resources, billing, and purchasing) that are required to keep the utility operating. The administrative offices also contain sensitive information about employees, customers, and utility operations. To protect support operations, consider these options: Controlling access to the support facilities limits the potential for theft or criminal activity. Tracking equipment using an accountability program allows needed equipment to be quickly located during an emergency. Secure storage of high-value items not only saves replacement cost, but also ensures their availability during an emergency. Theft-prevention programs can include both policies and procedures as well as theft-control devices such as alarms and Lo-Jack. <The photo shows a warehouse for a large water treatment facility. These are typically unmanned in the evening hours and susceptible to vandals thieves.> 59

60 Operational Responsibilities/Best Practices Support Operations
Additional operational considerations for laboratories Use a chemical receiving receipt log Create and maintain an inventory of chemicals kept at the laboratory Remove chemicals from laboratory inventory logs as necessary Operational considerations for labs begin with recording the information necessary to track the chemicals that have been received as well as those that have been consumed, disposed of, or shipped. In addition, critical information can include the shelf life, rotation date, and expiration date of each chemical listed. Water quality laboratories often house hundreds of chemicals in small amounts that are used for water analyses. Some of these chemicals are in concentrated form, such as the vials shown in the photo, and can have significant impacts if introduced into the water. 60

61 Operational Responsibilities/Best Practices Support Operations
Additional operational considerations for laboratories Secure reagents and gas cylinders, and limit access to authorized personnel Store highly toxic and hazardous materials in locked cabinets or refrigerators Limit the staff authorized to purchase chemicals and other supplies Controlled access to laboratories and their contents can be accomplished by implementing the appropriate operational procedures. This includes practices dealing with hazardous materials, testing materials, and their use and storage. Laboratories often have hundreds of thousands of dollars in analytical equipment and supplies, which can become targets for criminals looking for a profit. <The photo above shows a laboratory area with very valuable equipment and toxic chemicals that can be easily carried away.> 61

62 Operational Responsibilities/Best Practices Summary
Operational security practices can provide cost-effective opportunities to enhance security can be applied to all utility components, from the perimeter to individual operational features used consistently can build a culture of security 62

63 Break 63

64 Design Considerations and Features to Improve Security at Water & Wastewater Treatment Facilities

65 Apply a Balanced Approach to Improve Security
Design Implementation Management Vision Security Strategy Redundancy Physical Protection Electronic Security Design focuses on the physical security aspects that should be considered for a new or retrofitted facility. Design, along with management and operations, can provide a balanced approach that is the most effective and cost-efficient for your utility. A Balanced Approach to Security Integrates Management, Operations, and Design Operations Sustainability 65

66 Physical Protection Design Basics

67 Design Considerations Basis for Security Design
Threat identification Determines which threats are credible and likely Vulnerability assessment (VA) Characterizes those assets that may be targeted Evaluates how assets are currently protected and where vulnerabilities exist Considers the consequences of those vulnerabilities Design basis threat (DBT) Expert judgment based on the results of the above plus Adversary type Tactics Weapons Routes of attack 67

68 Design Considerations Physical Protection System Concepts
Crime Prevention Through Environmental Design (CPTED) Elements of a Physical Protection System (PPS) Protection in depth Basic design elements DBT-specific countermeasures 68

69 Design Considerations CPTED
Crime Prevention Through Environmental Design (CPTED) Reduces the opportunity and the ability to commit a crime undetected Should be used for all designs regardless of DBT CPTED strategies Access control Territorial reinforcement Surveillance Appearance and maintenance 69

70 Design Considerations CPTED Strategies
Access control Physical guidance for vehicles and people Smart placement of entrances, exits, landscaping, lighting, and controlling devices (e.g., guard stations, turnstiles, etc.) Territorial reinforcement Physical attributes that express ownership and designate a change from public to restricted spaces Natural markers such as landscaping Built markers such as signage and fences Procedural barriers such as a receptionist or guard 70

71 Design Considerations CPTED Strategies
Surveillance Placement of physical features, activities, vehicles, and people in such a way as to maximize visibility by others during their normal activities Natural or electronic Formal or informal Appearance Vigilant site and facility maintenance indicates that the space is being used, regularly attended to, and possibly occupied Proper grounds maintenance More closely related to O&M rather than design 71

72 Design Considerations Elements of a PPS
Detection Intrusion sensing Alarm communication Alarm assessment Entry control Delay Barriers Distance Response Communications to response force Deployment and arrival of response force 72

73 Design Considerations Protection in Depth
Provides multiple layers of protective measures Requires an adversary to defeat a system, travel to the next protective layer and then defeat that system At site boundary (perimeter fencing system) At building envelope (exterior walls, doors, windows, grilles, and roof system) At target enclosure (the room in which the targeted asset is housed) 73

74 Design Considerations Protective Layers – Layer 1

75 Design Considerations Protective Layers – Layer 2

76 Design Considerations Protective Layers – Layer 3

77 Design Considerations Protective Layers – Layer 4

78 Design Considerations Basic Design Elements
Perimeter Access via no more than two designated and monitored entrances Entrances defined by different paving materials and signage All pedestrian entrances adjacent to vehicle entrances Access controlled with fences, gates, and/or guards Sufficient lighting at all entrances Opaque fencing, landscaping, and walls that would not provide hiding places along the perimeter 78

79 Design Considerations Basic Design Elements
Site Illuminated clear zone Adequate standoff distance to critical facilities 79

80 Design Considerations Basic Design Elements
Site Access to both the front and back of buildings to facilitate patrols Restricted access to roofs from adjacent buildings, dumpsters, loading docks, poles, and ladders Walls only where necessary; consider stretched aircraft cable as an alternative for maximum visibility Good visibility of approach, entry, parking, storage areas Plantings that prevent easy passage 80

81 Design Considerations Basic Design Elements
Buildings and other structures Well-lit, well-defined, and visible entrances Stairways without solid walls Employee entrances next to employee parking Restrooms entrances visible from work areas Interior windows and doors that provide visibility into hallways Reinforced doors and windows with break-resistant glass 81

82 Design Considerations Basic Design Elements
Target hardening Physical protective measures that increase resistance to a threat, e.g., cages, bars, locks, separate rooms Enhance delay and detection through physical improvements Above and beyond CPTED and basic design considerations Based on vulnerability and criticality of facility 82

83 Design Considerations DBT-Specific Countermeasures
Progressive designs CPTED Strategies Countermeasures Against Vandal Threats Countermeasures Against Criminal Threats Countermeasures Against Saboteur Threats Countermeasures Against Terrorist Threats All Designs Designs for Vandal Threats Designs for Criminal Threats Designs for Saboteur Threats Designs for Terrorist Threats 83

84 Design Considerations Vandal Threat
Vandal-resistant items Composite plastics that resist graffiti, shattering, and scratches Lights with low-profile lenses or recessed lenses Security cameras and equipment Switches and controls Locks Valves Cages or other protective fittings 84

85 Design Considerations Vandal Threat
Perimeter and site Fence to provide an appropriate standoff distance Provide fencing that resists climbing or is 7+ feet high topped with barbed wire, razor tape, or concertina wire Securely anchor fence posts in concrete footings Fence over smaller elements Provide adequate lighting Landscape to provide an appropriate clear zone 85

86 Design Considerations Vandal Threat
Buildings and other structures Vandal-resistant items Non-removable bolts, hinges, screws Glazed concrete masonry units or glazed ceramic tiles Non-stick, non-mark polyurethane-based paints and coatings Rough-textured bricks, blocks, or rough concrete surfaces Climb-resistant cages around exterior ladders Plastic materials rather than glass (e.g., polycarbonate) Non-flammable materials Tamper-resistant switches Low-profile lights Pipes, valves, and other appurtenances behind sturdy fencing or panels with tamper-proof fastenings 86

87 Design Considerations Criminal Threat
Site Provide emergency telephones or other communications devices throughout the site Bury or otherwise conceal conduits and wires carrying electric supply, telecommunications, and alarm signals Stealth Burglary Theft Overt Robbery Assault 87

88 Design Considerations Criminal Threat
Building and other structures Minimal signage Warning signs to restrict access but without description of asset or reason for warning Waiting area for visitors Door locks a minimum of 40 inches from windows Single-cylinder dead bolt locks with minimum 1-inch throw Locksets with removable cores to ease replacement Solid exterior doors with 180-degree door viewers Two locking devices on all windows 88

89 Design Considerations Criminal Threat
Building and other structures For a DBT including handguns, provide bullet‑resistant construction assemblies (walls, windows, doors) in bullet-resistant guard shelters, control rooms, or bill-paying booths Critical assets and functions located to the interior of facilities, away from lobby areas but within view of other occupied areas Maximize layers of delay between access points and assets 89

90 Design Considerations Criminal Threat
Facility access control system Perimeter openings and locked interior doors monitored for door-ajar status One primary entrance door with access control, a visitor intercom, and video surveillance equipment Secure lobby area capable of “lock-down” Exterior circulation doors accessible by employees only Mechanical or electronic access control with increasing levels of security Digitally recorded CCTV surveillance using two cameras 90

91 Design Considerations Saboteur Threat
Perimeter Locate entry control, perimeter detection, and barriers as far as possible from facilities and assets Control access to sites by unauthorized vehicles through use of an entry control point for vehicular and pedestrian traffic Design entry control points to ensure unimpeded access by emergency vehicles Provide remote meter reading devices or locate meters outside of the perimeter 91

92 Design Considerations Saboteur Threat
Effective entry control Means to associate vehicle with driver, such as validation of the drivers’ identification prior to authorizing access Mechanism to turn away unauthorized vehicles Location for inspection of vehicles and their contents Location to detain unauthorized persons and vehicles Bullet-resistant guardhouse with toilet facilities Turnstile for pedestrians that can entrap adversaries Barriers to prevent a vehicle from penetrating the gate or crashing into the guardhouse Ram-resistant gate A telephone or intercom 92

93 Design Considerations Saboteur Threat
Vehicle barriers Design for the vehicle weight, including explosives carried, and the speed at which the vehicle may be traveling Locate to allow time to activate and fully deploy the barrier before the vehicle reaches the barrier Active barriers 93

94 Design Considerations Saboteur Threat
Passive vehicle barriers Aircraft cable anchored to concrete that may be integrated into the perimeter fence Landforms and landscaping elements such as ditches, berms, and heavy vegetation Boulders, bollards, and concrete “King Tut” blocks Passive barriers 94

95 Design Considerations Saboteur Threat
Site Control vehicle motion with curves, speed bumps, or other traffic-calming devices Consider placing critical assets below grade Provide redundant critical utility connections Secure exposed exterior valves, hydrants, manholes, and other appurtenances Enclose critical assets with expanded metal mesh enclosures, reinforced concrete walls/block with roof grilles Locate fuel tanks, natural gas lines, or fueling stations as far from critical assets as possible 95

96 Design Considerations Saboteur Threat
Buildings Forced entry-resistant window and door assemblies and hardware Critical assets kept within metal enclosures Intrusion detection with camera verification 96

97 Design Considerations Terrorist Threat
Perimeter and site Vehicle sally port and video surveillance Assets away from vantage points from where rocket propelled grenades (RPGs) may be fired Pre-detonation screens far as possible from assets Sufficient standoff distance Non-employee parking areas as far from buildings as possible Dumpsters as far away as practical 97

98 Design Considerations Terrorist Threat
Buildings and other structures Building systems that resist blast and contamination Blast walls behind entrances and large windows Isolated areas where delivered IEDs would cause minimal damage Air intakes as high as possible Air-tight structure or ensure positive pressure is maintained Single control to shut down all HVAC systems Safe rooms with separate HVAC systems Minimal mixing between HVAC zones 98

99 Electric and Electronic Security Devices

100 Electric and Electronic Security Devices
Rapidly expanding market Many innovations Wide variety of systems and components available Wide range of manufacturers Before specifying or purchasing Understand the characteristics and requirements of the area to be protected Thoroughly research capabilities Specify exactly how the device should be implemented and how the device fits into the overall security system 100

101 Security Devices Steps in Choosing Devices
Determine the type of equipment needed Identify the required equipment features Match needs with available security equipment Section 6.1 101

102 Security Devices Questions to Ask
What areas need to be covered by alarms and cameras? What information will be needed about the intruder—detection, classification, or identification? As such, what system size and quantity of devices will be needed? Will an operator or a third party monitor and respond to alarms? Section 6.2 102

103 Security Devices Questions to Ask
What are the requirements for radio, telephone modem, or wide bandwidth telemetry? What is the long-term cost of this security, including operations and maintenance? What is the availability of electricity at the facility? How much backup power will be needed? Is the solution long term and sustainable? Section 6.2 103

104 Security Devices Types of Devices
Access control systems Mechanical locks Card readers PIN access Biometrics Interior and exterior intrusion detection CCTV surveillance 104

105 Security Devices Card Reader Systems
Limits access to certain areas or times of day Event logging Two-Person Rule Software Anti-Passback Software 105

106 Security Devices PIN Access
PIN should be long enough to prevent guessing PIN should not be meaningful (e.g., birth date) Alarm should be activated if multiple incorrect attempts are made in a short period of time 57031 106

107 Security Devices Biometrics
Hand and fingerprint readers are most common Fingerprint readers have higher false-rejection rates than hand geometry readers Training on use and limitations is recommended 107

108 Security Devices Interior Intrusion Detection
Interior volumetric sensors Microwave, ultrasonic, passive infrared (PIR), dual-technology (microwave and PIR) Interior boundary penetration sensors Door switches, glass-break, linear beam sensors Common approach is to combine door contact alarms with interior dual-technology or motion detectors 108

109 Security Devices Exterior Intrusion Detection
Freestanding sensors Microwave, dual-technology Buried-line sensors Pressure/seismic, magnetic field, buried-ported coaxial cable, buried fiber-optic cable sensor Fence-mounted cabling sensors Coaxial strain-sensitive cable, fiber-optic strain-sensitive cable 109

110 Security Devices CCTV Surveillance Systems
Key characteristics Camera Resolution Minimum Illumination Lenses Position (Fixed, Pan-Tilt-Zoom) Other elements Matrix Switchers Digital Video Recording Video Motion Detection Systems 110

111 Security Devices CCTV Surveillance Systems
Low-light cameras Color to black/white switching cameras Infrared illuminators Thermal imaging cameras Camera assessment Use cameras for alarm assessment Use frame-grabber technology to simplify assessment 111

112 Security Devices CCTV Surveillance Systems
Compression standards Digital images and video are compressed to conserve hard disk space and decrease transmission times/increase transmission speed Typical compression standards JPEG - 10:1 Motion JPEG - 20:1 MPEG :1 MPEG :1 112

113 Security Devices CCTV Surveillance Systems
Equipment purchasing recommendations Consider scalability and compatibility of system Understand service plan Consider how images will be viewed/recorded Implementation recommendations Use ample light and avoid back-light Select lens and field of view to obtain at least 4.5 pixels per 1-foot square target Use wide-angle lenses with large depth of field Use auto-iris lenses 113

114 Security Devices Sample Performance Criteria
Power and wiring Four-hour battery backup, at a minimum, should be provided for security equipment All exposed security wiring should be installed in conduit Security panels should be UL listed as meeting standard UL804 114

115 Security Devices Sample Performance Criteria
Visibility and lighting Lighting at entry and exit points should be at least 1.5 to 2.0 foot-candles for safety and for adequate observation by employees or CCTV RP-20-98, Lighting for Parking Facilities, published by the Illumination Engineering Society of North America (IESNA), provides recommended illumination levels for parking facilities 115

116 Security Devices Sample Performance Criteria
CCTV cameras To detect intruders, the area of interest should occupy a minimum of 10 percent of the field of view, with a maximum field of view of 300 feet in length or less Exterior cameras should have minimum resolution of 470 horizontal lines and be rated for use at 0.05 foot-candles All CCTV cameras should be listed in accordance with UL 3044, Surveillance Closed Circuit Television Equipment The camera should provide adequate onsite digital recording capacity at 30 days of continuous storage at 1 frame per second 116

117 Physical Security Design Standards

118 Design Standards Presented in WISE Phase 3 Documents
Guidelines for the Physical Security of Wastewater/Stormwater Utilities Guidelines for the Physical Security of Water Utilities Documents released in December 2006 118

119 Phase 3 Standards Built on Previous WISE Documents
Phase 1 documents present concepts for effective security systems Phase 3 documents present design aspects of physical security elements 119

120 Application of Phase 3 Standards (Section 1)
Elements of physical protection systems (deterrence, detection, delay and response) Source: Adapted from Garcia, Mary Lynn The Design and Evaluation of Physical Protection Systems 120

121 Application of Phase 3 Standards (Section 1)
Description and characteristics of Design Basis Threats (DBTs) Vandals Criminals Saboteurs Insiders Terrorists not included Effective security approaches are focused on defeating the appropriate DBT 121

122 Understanding DBT’s Objective is Critical to Security Design
Intentional contamination of potable water Release of chlorine gas or other toxics Theft or vandalism of critical equipment Physical harm to employees or the public 122

123 Understanding DBT’s Objective is Critical to Security Design
Interruption of service caused by Physical destruction of system components Illegal dumping of toxic chemicals or flammable substances in the collection system Interruption in service can result in Increased fire risk Potential public health impacts Significant environmental damage Loss of public confidence in utility or government 123

124 Benchmark Capabilities of DBTs
Characteristic Vandal Criminal Saboteur Insider Objective Motivation Base Enhanced Base Enhanced Base Enhanced Base Enhanced Planning/system knowledge Weapons Tools and implements of destruction Contaminants Asset damage Injuries Fatalities 124

125 A Step-wise Approach to Using the Phase 3 Standards
Step 1 – Complete Vulnerability Assessment Step 2 – Characterize DBT Step 3 – Identify Appropriate Security Measures (the primary focus of the Phase 3 standards) Step 4 – Consider Consequence Mitigation 125

126 Focus on Physical Security for Specific Facilities (Sections 2-7)
Facility mission Philosophy of security approach for specific facility Special considerations for critical assets Benchmark security measures tables listing relevant physical security measures against DBTs 126

127 Benchmark Security Measures Tables Comprise 7 Categories
Perimeter Site (area between perimeter and structures) Facility structures Water quality monitoring Closed circuit television (CCTV) Power and wiring systems SCADA – physical security 127

128 Security Measures Tables are the Backbone of the Phase 3 Standards

129 Tables Comprise Several Components
Security Measure Objective DBT Category Design Guidelines in Appendix A Security Measures Recommended Security Measure 129

130 First Step: Select the Appropriate DBT
Base Level Vandals 130

131 Second Step: Identify the Recommended Security Measure
Basic perimeter fencing or perimeter walls 131

132 Third Step: Review Details about Recommended Security Measure
Applicable Sections in Appendix A, Physical Security Elements 1.0, 1.1, 8.1 132

133 Relevant Information from Appendix A
1.0 Fencing and Perimeter Walls (1) The primary goals of fencing and perimeter walls are . . . (2) Secondary goals may include . . . 1.1 Chain-Link Fencing For terms related to chain-link fencing systems, refer to ASTM F Base-level fence guideline is galvanized steel chain-link fence post with a 6-foot (1.8‑meter [m]) or greater fabric height . . . 133

134 Relevant Information from Appendix A
8.1 Fence Signage Post “No Trespassing” signs at 50-foot (15 m) intervals in multiple languages . . . Include appropriate federal, state and local laws prohibiting trespassing 134

135 Fence Examples Meeting Recommended Standards

136 Compare to Fence Recommended for Base Level Saboteur
Saboteurs 136

137 Recommended Security Measures for Base Level Saboteur
Enhanced climb/cut-resistant fencing or walls Foundation enhancements for fencing to prevent tunneling 137

138 Recommended Security Measures for Base Level Saboteur
System Objective Vandals Criminals Saboteurs Insiders Applicable Sections in Security Measure Delay Detection Base Level Enhanced Appendix A Physical Security Elements Site (area between perimeter and facilities) Perimeter minimum clear zone distance 3.0 Locate public or visitor parking as far away from the facility as practical, but at least 30 feet (9 meters away) Second layer of basic fencing 1.0, 1.1 Enhanced second layer of fencing that is climb/cut resistant 1.2 Intrusion detection at second layer of fencing 3.0, 7.0, 9.1, 9.2, 11.0 Second layer of basic fencing Intrusion detection at second layer of fencing 138

139 Fence Examples Meeting Recommended Standards

140 Summary All designs should incorporate security features commensurate with the design basis threat Use layers to protect critical assets Focus on detection, delay, and response Incorporate CPTED and basic security concepts followed by specific progressive strategies 140

141 Summary Many elements of good engineering practices are inclusive of specific security design considerations Incorporate specific security design criteria if needed in addition to good engineering design Select proper security equipment based on the goals and environment 141

142 Break 142

143 Design and Implementation of Online Water Quality Monitoring Systems

144 Objectives of this Presentation
Familiarize workshop participants with the contents of the WISE Online Contaminant Monitoring System (OCMS) guidance document (ASCE 2004) Update this information with related work currently being undertaken at EPA Water Security Initiative CH2M HILL work 144

145 EPA’s Water Security Initiative (WSi)
In EPA’s Water Security Initiative (WSi), Online Water Quality Monitoring is one of multiple detection strategies that makes detection more timely and reliable Syndromic Surveillance 911 & EMS Integrated Contamination Warning System Consumer complaint surveillance Enhanced security monitoring Water quality monitoring Sampling and analysis Graphic Source: Steve Allgeier, Water Security Division, U.S. EPA 145

146 WSi – Concept of Operations
Source: USEPA 146

147 Outline of OCMS Guidance Document
The OCMS guidance covers the following elements: The Contamination Problem Rationale for Online Monitoring and System Design Basics Using Contaminant Lists and Determining Concentrations to be Detected Selection and Siting of Instruments and Platforms 147

148 Outline of OCMS Guidance Document (con’t)
Data Analysis and the Use of Models Communication System Requirements Responses to Contamination Events Interfacing with Existing Surveillance Systems Operations, Maintenance, Upgrades, and Exercise of the System 148

149 Focus of this Presentation
Will use the term “Online Water Quality Monitoring System” (OWQMS) instead of OCMS Limited to water distribution systems Topics covered will consist of: Online WQ monitoring station design OWQMS network design Water quality data analysis and event detection Operational benefits 149

150 Online Water Quality Monitoring Station Design

151 Types of Contamination
Intentional (e.g. sabotage) Unintentional (e.g. operator error, accidents, natural disasters) Contaminants chemical (including biotoxins) biological radiological 151

152 Consequences of Contamination
Public health problems such as death and illness among consumers Economic problems from the use of contaminated water or the unavailability of potable water Loss of public confidence in the ability of the utility to provide safe water 152

153 An Ideal Early Warning System
Rapid detection and notification for sufficient response time Alarm or report to set response in action Detection of a wide range of contaminants Identification of contaminant source Affordable Robust/reliable Minimal number of false positives and negatives Remote operation Low level of skill and training requirement An ideal water quality monitoring system will possess the traits listed; however, this ideal system does not exist at this time. Research in this area is currently underway. Source: T. Brosnan, Early Warning Monitoring To Detect Hazardous Events In Water Supplies, International Life Sciences Institute Workshop Report 153

154 Objectives of a OWQMS Increased and/or earlier likelihood of contamination detection Enhanced distribution system operations and water quality maintenance Enhanced regulatory compliance 154

155 Approach to Monitoring Station Design
Select water quality parameters to monitor Select specific monitoring equipment Select communication architecture Design monitoring station Source: Steve Allgeier, Water Security Division, U.S. EPA 155

156 Water Quality Parameters
Surrogate parameters are physical or chemical properties that may be affected by potential contamination Chemical Surrogates Microbiological Surrogates Toxin Surrogates Radiological Surrogates pH Alpha ORP Beta Cl residual Gamma Conductivity Turbidity TOC DO/BOD Nitrate, nitrite Phosphate UV Toxicity indicators 156

157 Water Quality Parameters
Surrogates parameters are used because quick, reliable, and contaminant specific online tests do not currently exist for most potential contaminants Many common online instruments measure surrogate parameters with good reliability and accuracy Water utilities are already familiar with the O&M of many of these instruments 157

158 Water Quality Parameter Selection
Parameter selection must relate to contaminants of concern Of the general WQ parameters, TOC and free chlorine observed to be most responsive Distribution system residual disinfectant Free chlorine is responsive to many contaminants Combined chlorine is generally non-responsive Distribution system water quality Baseline quality and variability Alkalinity, pH, stability (corrosion), bio-stability, etc. Dual-use applications Disinfectant residual maintenance Monitoring for system events Source: Steve Allgeier, Water Security Division, U.S. EPA 158

159 Potential Contaminants of Concern and Detection Strategies
Class Description Water Quality Consumer Calls 911 Calls/ EMS Hospital Data 1 Petroleum products 2 Pesticides (with odor or taste) 3 Inorganic compounds 4 Metals 5 Pesticides (odorless) 6 Chemical warfare agents 7 Radionuclides 8 Bacterial toxins 9 Plant toxins 10 Pathogens (unique symptoms) 11 Pathogens (common symptoms) 12 Persistent chlorinated organic compounds Contaminants fall into three major categories: toxic chemicals (including biotoxins), pathogens, and radioactive materials. Source: U.S. EPA Water Security Initiative Presentation, June 18, 2007 159

160 Effectiveness of Cl Residual, TOC, and Conductivity in Detecting Contaminants
CHLORINE 4, 7 1, 12 5 2 3 8, 10, 11 Source: U.S. EPA Water Sentinel System Architecture, Draft. Version 1.0 160

161 Instrument Selection Compatibility with distribution system water quality Applicable instrument range Reactivity with residual disinfectant Formation of inorganic scale deposits O&M considerations Technical complexity of equipment Familiarity of technicians with equipment Real-world O&M experience versus manufacturer claims Quality of manufacture technical support Data quality Completeness: data loss due to instrument downtime Reasonableness: sensor values within expected range Accuracy: agreement with reference measurements 161 Source: Steve Allgeier, Water Security Division, U.S. EPA

162 Sample Instruments YSI Drinking Water Sonde (Cl2 Residual, Conductivity, Turbidity, pH/temperature) Hach Distribution Monitoring Panel (Turbidity, pH, Cl2 Residual, Conductivity, Pressure) s::can spectro::lyser (UV Spectral Analysis, Turbidity, TOC, DOC, NO3, DO, NO2, Cl2 Residual, THMs) 162

163 S::CAN carbo::lyserTM
Sample Instruments Total Organic Carbon GE/Sievers Series 900 S::CAN carbo::lyserTM 163

164 s::can spectrolyzer 164

165 GCWW WSi Monitoring Station
TOC analyzer – GE/Sievers 900 Electrical and PLC cabinet Transmitter and local display Sample collection bottles Water supply manifold Chlorine analyzer Turbidity analyzer pH sensor Conductivity sensor ORP sensor 165 Source: Steve Allgeier, Water Security Division, U.S. EPA

166 Glendale, AZ, Monitoring Stations

167 Online Water Quality Monitoring Station Network Design

168 Hydraulic Network Models – a key tool in OWQMS Network Design
Optimal instrument placement Pre-event response scenarios and planning Design/upgrade water systems Alter flow patterns Methods to isolate and flush contaminants Identify contamination location and prediction of its fate and transport Confirm positive event via model prediction of downstream monitor reading(s) There are several distinct uses for models in security applications. To be useful, the model must be calibrated for a wide range of alternative scenarios and be ready to apply rapidly in the EPS mode. The model must be set up in an automated mode so that operation is represented by a series of logical controls established for the current operating procedures. The obvious key to this is that the model must be ready immediately because there would not be time to develop the model in an emergency. Pre-event response scenarios. - Extensive modeling could be conducted before an event occurs to facilitate response planning. Various scenarios can be input to a model and then run to determine the extent of the contamination and to develop and test response plans that will minimize any impacts. Design/upgrade of water systems. After the model is run and the possible contamination areas are highlighted, the next step will be to identify the weak points in the water system. There are two aspects to this use. Flow patterns through sections of the network can be seen in the model. System design modifications may be able to alter these flow patterns, thus preventing flow from re-entering the major distribution lines and spreading to other areas. Optimal system design will include methods to isolate and flush the contaminants, all the time ensuring the contaminant water is handled properly. Identifying location of contamination. During an actual contamination event, a model could be used to determine and predict the location of the contaminant source. When there has been a confirmed response, the model could be run with the data available to determine the input location of the contaminant as well as its future path. This however, is still a very complex issue, and cannot be performed with ease.. Confirmation of positive event. One positive alarm from a monitor may not necessarily indicate contamination. There could be numerous causes that would result in a false positive, and therefore a reasonable approach for confirming a positive alarm must be developed. It would be unreasonable for a utility to immediately react as though the system is contaminated on only one reading; however, due diligence must be practiced to ensure a proper response is initiated. After a positive alarm is detected, there would be a mobilization to verify the field monitors with other monitors. At the same time, another verification could be done with the model. This would be performed through predicting where the contamination, if truly in the system, would travel to next and the appropriate reading that would be expected at that point. After the water reaches that point and the monitor responds in the model-predicted manner, the second positive response has been found. Depending on how the utility decides to respond (depending on whether two or three positives are required prior to initiating a response), the response can be initiated. In water quality models the reaction equations are very important. If the constituent is assumed not to decay, then there may be a substantial overestimation of the level of constituent. If field measurements do not match model predictions with these conservative reaction kinetics, it may lead to the conclusion that there was not a contamination event even though there was one. 168

169 Overview of Network Design
Validate distribution system model Develop monitoring network design using model, contamination scenarios and optimization tools Perform field verification of candidate monitoring locations Revise monitoring network design Select final monitoring locations Source: Steve Allgeier, Water Security Division, U.S. EPA 169

170 Selection of Candidate Monitoring Locations
Numerous potential locations source water, raw water conveyance, treatment plant, finished water reservoirs, distribution system, service lines Each has advantages and disadvantages Also need to consider critical infrastructure, risk, and local conditions when identifying usable locations 170

171 Selection of Candidate Monitoring Locations
Finished water reservoirs Distribution system Strategic end user entry points Allied end users Government buildings, fire stations, schools High-visibility contamination targets Stadiums, arenas, shopping areas Prestige hotels and restaurants Vulnerable populations Hospitals, nursing homes, day care centers 171

172 Selection of Candidate Monitoring Locations
Site requirements Easy access to the distribution system water Available space for installation of instruments and auxiliary equipment Availability of required utilities Electric power Sewer connection for sample flow disposal Phone or radio communication systems 172

173 Selection of Candidate Monitoring Locations
Site requirements Easy, 24-hour access by authorized personnel Physical security against unauthorized personnel Acceptable site hydraulic conditions, such as avoidance of Ts, pipe intersections, etc. 173

174 Network Model Tools The candidate locations for monitoring stations can then be reduced by using various contamination scenarios and hydraulic network tools such as: The Threat Ensemble Vulnerability Assessment Sensor Placement Optimization Tool (TEVA-SPOT), an EPANET based model used to determine the best location for sensors in a distribution system. PipelineNet, a GIS and EPANET based model that ranks locations primarily based on the vulnerability of the customers served. 174

175 TEVA-SPOT Methodology
Priority Threat Scenario Selection Simulation Outcomes (Conc, Exposure) Scenario 1 Scenario 2 Scenario N Results Database Threat Ensemble Assessment of public health Impacts TEVA – Threat Ensemble Vulnerability Assessment; SPOT - Sensor Placement Optimization Toolkit Threat Ensemble Vulnerability Assessment: Tucson Water Study EPA’s Threat Ensemble Vulnerability Assessment and Sensor Placement Optimization Toolkit software (TEVA-SPOT) can be used to assist water utilities by: Recommending key sensor locations (e.g., water quality monitoring locations) in water distribution systems Identifying critical water utility and public health response times to minimize impacts Assessing the consequences of contamination incidents Helping improve water distribution system models TEVA-SPOT software can be used to determine the number and location of sensors that are needed to support a contamination warning system. The location of online sensors can be optimized to help achieve such a system’s primary goal: to detect contamination incidents in time to mitigate public health and economic consequences. TEVA-SPOT can also be used to meet additional design objectives — for example, minimization of costs, detection time, exposure to contaminants, and the spatial extent of contamination. In addition, the software can be used to demonstrate the importance of a fast response to a detected contamination incident. In order to use TEVA-SPOT, it is necessary to have utility-specific input. Often, through the application of TEVA‑SPOT, improvements to the distribution system models benefit the utility in other projects as well. ( Source: Steve Allgeier, Water Security Division, U.S. EPA 175

176 TEVA-SPOT Requirements
Extended period simulation water quality model Model must run correctly for a duration sufficient for the contaminant to propagate through the system Sufficient model detail and accuracy Representative model demands Sufficient computing power, which depends on model size and complexity, as well as the number of contamination scenarios Source: Steve Allgeier, Water Security Division, U.S. EPA 176

177 Water Quality Data Analysis and Event Detection

178 Essential Objectives of Data Analysis
Identify the presence and location of significant contamination in the system Determine time to tap Provide timely information to decision makers 178

179 Desirable Objectives of Data Analysis
Assess public health risk Identify the contaminant or its class with sufficient specificity to allow appropriate responses Characterize the contaminant concentration profile (fate and transport through the distribution system) Eliminate false negatives and minimize false positives 179

180 Challenges in Data Analysis
Noise and/or drift in monitoring instruments Variations in water characteristics (e.g., water age, particulate concentrations) Changes in measured parameters due to operational variations (e.g., amount of disinfectant, closing a valve) Educating decision makers in the interpretation of data These challenges are explainable and benign from a contaminant monitoring perspective 180

181 Event Detection Systems
To address these challenges, significant effort is being undertaken to develop event detection systems (EDS) EDS is a set of algorithms to identify anomalous conditions within noisy background water quality data Identify anomalies due to both contamination events and unexpected “normal” events, such as a sensor malfunction, pipe break, or cross-connections - Training can be done by utility using training module, or by tool developers Source: Katie Umberg, Water Security Division, U.S. EPA 181

182 Event Detection Systems
Operate in real-time Require no user intervention to monitor water quality data. For each time step, clearly indicate whether the water quality at a monitoring station is normal or abnormal Most have parameters that can be changed, such as alarming threshold or window size Among the EDS that EPA is testing are Canary and H2O Sentinel If you don’t know what’s normal, you can’t identify what’s abnormal Source: Katie Umberg, Water Security Division, U.S. EPA 182

183 Benefits of Online Water Quality Monitoring Systems

184 Some Operational Benefits
Optimizing Plant Performance Evaluating Significance, Effects, and Changes in Water Quality Determining Water Age 184

185 Optimizing Treatment Plant GAC Filter Performance

186 Evaluating Significance of Source Water Change (WTP)

187 Determining Short-Term Effects of Power Failure on Water Quality

188 Evaluating Water Quality Changes Between Two Locations

189 Using Spectral Fingerprinting to Determine Water Age

190 Key OWQMS References ASCE Interim Voluntary Guidelines for Designing an Online Contaminant Monitoring System EPA Interim Guidance on Planning for Contamination Warning System Deployment EPA WaterSentinel Online Water Quality Monitoring as an Indicator of Drinking Water Contamination (Draft) EPA Overview of Event Detection Systems for WaterSentinel (Draft) 190

191 Resources 191

192 Obtaining a Copy of the WISE Documents
WISE Documents are available at ASCE, AWWA, and WEF websites 192

193 For More Information Department of Homeland Security -
EPA Water Security - Water Environment Federation - Water Information Sharing & Analysis Center (ISAC) - Water Security Channel - National Association of Clean Water Agencies (NACWA) - 193

194 Questions? 194

195 Thank You for Attending
Mike Chritton (720) Gary Jacobson (617) x261 Bill Desing (414) Ken Thompson (720) Yakir Hasit (215) Raja Kadiyala (510) 195

196 Water Infrastructure Security Enhancement (WISE) Workshop
Presented by Mike Chritton Ken Thompson Gary Jacobson, PE Yakir Hasit, PhD, PE Bill Desing, PE Raja Kadiyala, PhD Atlanta, GA Reston, VA Dallas, TX Los Angeles, CA Seattle, WA August August August September September 23 196

Download ppt "Water Infrastructure Security Enhancement (WISE) Workshop"

Similar presentations

Ads by Google