HOW SAFE IS WATER AND WASTEWATER UTILITY SECURITY?

Fifteen years have passed since the events of September 11, 2001. One of the fallouts of that tragic experience was the rush by water and wastewater utilities to implement more strict security measures. Some went so far as to employ around the clock guards to protect facilities. Eventually, the federal government jumped in to require vulnerability evaluations, although implementation of measures to address vulnerability risks was left to each utility.

Now, fifteen years later, how effective is the present water and wastewater security? Is it time for a fresh vulnerability assessment?

It would seem that there are at least four possible security issues for utilities: grounds security, structure security, procedural security and cyber security.

Grounds Security. Presumably, any physical breach of security would begin with attempted entry onto a utility's property. Protective measures could likely include limited access gates, parameter fencing, lighting and television monitoring. One could assume that such measures have been in place for utilities for some time. However, it would be erroneous to assume that these measures may be all that are needed for security.

Structure Security. Buildings, tanks and the like may be vulnerable in a couple of ways-- physically, such as by ramming, or by way of entry through available doors. How are the structures secured and alarmed? Of particular concern may be how visitors are monitored upon seeking entry. How is identification of a visitor confirmed? Are items brought in by a visitor inspected? How are the movements of a visitor after entry monitored?

Procedural Security. There are at least three vulnerabilities in connection with activities within utility structures: First, how are new employees vetted? Is consideration given to possible security issues? Second, if a utility permits entry of members of the general public--a tour, for example--what security measures are applied? Third, every utility from time to time has outside engineers, consultants, accountants, vendors, suppliers, and contractors visit their premises. Have written security protective agreements been executed by all such visitors?

Cyber Security. Perhaps the major security threat to water and wastewater utilities at this time is from cyberattacks, particularly those concerning process control systems. There are measures available to resist hacking by implementing cyber hygiene in the work force and by developing virtualization of work stations and servers. For more information on this subject see Campbell, "Protect Your System From Cyberattacks",AWWA Opflow, August 2016, p.8 and the AWWA Cybersecurity Guidance Page, www.awwa.org/cybersecurity.

Finally, regardless how extensive security measures may be in place, do utilities also have in place contingency plans and procedures in the event of a security breach that causes interruption to operations?