817R08010
Interim Voluntary Security Guidance for Water Utilities
December 9, 2004
American Society of Civil Engineers
American Water Works Association
Water Environment Federation
Preserving & Enhancing the Global Water Environment
-------
Contents
Preface
Acknowledgements
Executive Summary
Disclaimer
Abbreviation and Acronym List
Section 1 Introduction
1.1 Overview
1.2 Reasons for Water Utilities to Enact Security Measures
1.2.1 Mission Statement
1.2.2 Regulatory and Legal Requirements
1.2.3 Other Reasons
1.3 Overview of Water System Security Issues
1.4 Vulnerability and Risk Assessment
1.4.1 Definition of Vulnerability
1.4.2 Definition of Risk
1.4.3 Objectives
1.4.4 Vulnerability Assessment Methodologies
1.5 Understanding the Threats to Water Systems Before Developing a Security Strategy
1.5.1 Malevolent Acts
1.5.2 Generic Threat Levels
1.5.3 Threat Level Assessment
1.6 Developing a Security Strategy
1.6.1 Determining the Required Level of Security
1.6.2 Conducting a Risk Reduction Analysis
1.6.3 Conducting a Cost-Benefit Analysis
1.6.4 Conducting a Cost-to-Risk-Reduction Analysis
1.6.5 Comparing Security Risks to Other Risks
1.6.6 Developing a Balanced Plan
1.6.7 Prioritizing Security Investments
1.6.8 Documenting the Process
1.6.9 Sharing Information
Section 2 Management Considerations for Optimizing Physical Security
2.1 Overview
2.2 Governing Board
2.3 Customers and Other External Stakeholders
2.4 Financial Planning
2.4.1 Developing CIP Programs that Adequately Support Security Needs
2.4.2 Developing Funding Programs to Support Operating Fund Needs
2.4.3 Developing a Funding Program that Governing Boards and Customers Can Support
2.5 Human Resources
2.5.1 Background Checks
2.5.2 Identification Badges
2.5.3 Employee Surveillance
2.5.4 Employee Response
2.5.5 Contractors
2.5.6 Training
2.6 Records Management
2.7 Policies and Procedures
2.7.1 Basic
2.7.2 Advanced
2.7.3 Suggested Policies
2.8 Procurement
2.8.1 Emergency Procurement
2.8.2 Procurement of Security-related Equipment and Services
2.9 Communications
2.9.1 Communications Equipment
2.9.2 Internal Communication Practices
2.9.3 External Communication Practices
2.9.4 Public Outreach
2.10 Interagency Coordination
Section 3 Operational Considerations for Enhancing Physical Security
3.1 Overview
3.2 General Considerations
3.2.1 Philosophy
3.2.2 General System Operational Practices
3.3 Source Water
3.3.1 Groundwater
3.3.2 Surface Water
3.3.3 Raw Water Intake
3.4 Raw Water Conveyance
3.4.1 General Considerations
3.4.2 Pump Stations
3.4.3 Pipelines and Appurtenances
3.4.4 Raw Water Storage Tanks
3.5 Treatment Facilities
3.5.1 Treatment Processes
3.5.2 Chemical Delivery (Chemical Systems)
3.5.3 Facility-wide Treatment
3.6 Finished Water Storage and Conveyance
3.6.1 Storage Tanks/Reservoirs
3.6.2 Pump Stations
3.6.3 Transmission Mains
3.6.4 Distribution System Mains and Appurtenances
3.6.5 Increased Awareness
3.7 Support Services Facilities
3.7.1 Maintenance Shops, Warehouses, and Storage Facilities
3.7.2 Administrative Offices
3.7.3 Fleet
3.7.4 Laboratories
Section 4 Design Considerations for Developing Physical Security at New Facilities and Retrofits
4.1 Overview
4.2 Security System Design
4.2.1 Design Team Requirements
4.2.2 Basic Design Considerations - "10 States Standards"
4.2.3 Balanced Approach to Security System Design
4.2.4 Layers of Protection
4.2.5 Cost Implications
4.3 Crime Prevention Through Environmental Design
4.3.1 Perimeter CPTED Strategies
4.3.2 Site CPTED Strategies
4.3.3 CPTED Strategies for Building Envelope and Other Structures
4.4 Recommendations by Threat Level
4.4.1 Countermeasures Against Vandal Threats
4.4.2 Countermeasures Against Criminal Threats
4.4.3 Countermeasures Against Saboteur Threats
4.4.4 Countermeasures Against Terrorist Threats
4.5 Water Quality Monitoring
4.5.1 Contaminants of Concern and Their Concentrations
4.5.2 Fate and Transport Models for Contaminants
4.5.3 Sampling Frequency and Integration with Existing Water Quality Monitoring Programs
4.5.4 Selection of Instruments
4.5.5 Siting of Instruments
4.5.6 Data Analysis and Interpretation
4.5.7 Communication System Requirements
4.5.8 Responses to Contamination Events
4.5.9 Operations, Maintenance, Upgrades, and Exercising the System
4.6 Recommendations for Source and Ground Water Facilities
4.6.1 Wells
4.6.2 Rivers, Lakes, and Reservoirs
4.6.3 Dams
4.7 Recommendations for Raw Water Conveyance Facilities
4.7.1 Pump Stations
4.7.2 Pipelines and Appurtenances
4.8 Recommendations for Water Treatment Facilities
4.8.1 Conventional Treatment Processes
4.8.2 Auxiliary Systems/Components
4.9 Recommendations for Finished Water Storage and Distribution System
4.9.1 Storage Tanks/Reservoirs
4.9.2 Pipelines and Appurtenances
4.9.3 Pump Stations
4.10 Recommendations for Customer Connections
4.10.1 Construction Meters
4.10.2 Meters
4.10.3 Backflow Prevention Devices
4.11 Recommendations for Support Services/Facilities
4.11.1 Maintenance/Equipment Storage/Warehouse Facilities
4.11.2 Remote Control Facilities
4.12 Recommendations for Administrative Facility Security
4.12.1 Control Access to Buildings
4.12.2 Safeguard Employees
Section 5 Cyber Security Management, Operations, and Design Considerations
5.1 Overview
5.2 Utility Cyber Networks
5.2.1 Business Network
5.2.2 Control Network
5.3 Cyber Security Threats
5.4 Management
5.4.1 Cyber Security Policies and Procedures
5.4.2 Cyber Security Training
5.5 Operations
5.5.1 Intrusion Defense
5.5.2 Internet Intrusion
5.5.3 Telephone System Intrusion
5.5.4 Wireless Intrusion
5.5.5 Insider Intrusion
5.6 Design
5.6.1 General Design Best Practices
5.6.2 Internet Intrusion Design
5.6.3 Telephone Intrusion Design
5.6.4 Wireless Intrusion Design
5.6.5 Insider Intrusion Design
Section 6 Choosing the Optimal Physical Security Equipment
6.1 Overview
6.2 Questions to Ask
6.2.1 Threat
6.2.2 Known Vulnerabilities and Key Assets
6.2.3 Areas of Coverage
6.2.4 Levels of Resolution
6.2.5 System Size and Device Quantity
6.2.6 Electrical Power, Wiring, and Transmission Methods
6.2.7 Viewing and Assessment
6.3 Basic Information About Physical Security Equipment
6.3.1 Power and Wiring
6.3.2 Visibility and Lighting Recommendations
6.4 Types of Physical Security Equipment
6.4.1 Access Control
6.4.2 Interior Intrusion Detection
6.4.3 Exterior Intrusion Detection
6.4.4 CCTV Camera Systems
6.5 Summary
Section 7 Emergency Response Planning
7.1 Overview
7.2 Emergency Response Background
7.2.1 Regulations
7.2.2 Purpose
7.2.3 Governmental Support for Emergency Response: NIMS and ICS
7.2.4 Additional Information for Developing ERPs
7.3 Key Components of an ERP
7.3.1 Introduction
7.3.2 Planning
7.3.3 Response
7.3.3 Recovery
7.3.4 Termination
7.4 Revisions to ERPs
7.5 Sample ERP Outline
Section 8 Pulling It All Together Through Fully Integrated Security Planning and Design
8.1 Overview
8.2 Utility Case Studies
8.3 What is the Optimal Solution?
8.4 Multiple Benefits in Security Enhancements
8.5 Doing What is Best for Your Utility
8.6 Pulling It All Together
Glossary
Bibliography
Photo/Illustration Credits
Figures
1-1: Interrelationships between Common Utility Programs and the Reduction of Risk
1-2: RAM-W™ Methodology
1-3: Vulnerability Self-Assessment Tool (VSAT™)
1-4: Examples of Adversaries
1-5: Sample Cost to Risk Reduction Curves
2-1: Sample Surcharge Language
2-2: The Code of Alabama
2-3: Case Study: CHIPS Program in Kennewick, WA
4-1: Sample Layered Security Recommendations for a Facility
4-2: Recommendations for Progressive Design Consideration
4-3: Example of Tamper-proof, Shackle-protected Lock
4-4: Entry Control Point with Protected Guardhouse
4-5: Perimeter Fence with Aircraft Cable Anchored to Concrete
4-6: Boom System
4-7: Turbidity Curtain
4-8: Secure Fencing with Aircraft Cabling
4-9: Fencing with Openings Too Narrow for Adversary to Get a Handhold or Toehold
4-10: Fencing with Openings Too Narrow for Cutters to Grip
4-11: Example of Vehicle Access Approach to Reduce Speed
4-12: Example of Drop-Arm Crash Beam Vehicle Barrier
4-13: Bollards Protecting a Fence from Vehicle Entry
4-14: Example of Sensitive Equipment Isolated by Secure Grills
4-15: Example of a Protected Access Ladder to a Storage Tank
4-16: Example of a Special Fire Hydrant Locking Wrench
4-17: Example of Hydrant Locking Caps
4-18: Example of Hydrant Locking Caps and Wrenches
4-19: Example of Special Fire Hydrant Locking Wrench in Use
4-20: Example of Locking Water Meter
6-1: Typical Card Reader System
6-2: Typical CCTV System
7-1: Incident Management Team Organizational Structure
Tables
1-1: Threats to Water Systems
1-2: Threat Level Characteristics
1-3: Actions Based on Threat Level as Announced by the Department of Homeland Security
1-4: Summary of EPA Water Utility Response, Recovery and Remediation Guidance for Man-made and/or Technological Emergencies
2-1: Types of Security and Emergency Response Training Relevant for Water Utility Personnel
3-1: General Considerations for Operational Security at a Water Facility
3-2: Maintenance Building and Warehouse Threat and Operational Considerations
3-3: Administrative Offices Threat and Operational Considerations
3-4: Fleet Vehicle Threat and Operational Considerations
4-1: General Considerations for Physical Security at a Water Facility
4-2: Source (Ground and Surface) Water Supply Threat and Security Design Considerations
4-3: Raw Water Conveyance Threat and Security Design Considerations
4-4: Water Treatment Facility Threat and Security Design Considerations
4-5: Finished Water Storage and Distribution Facility Threat and Security Design Considerations
4-6: Customer Connection Threat and Security Design Considerations
4-7: Support Facility Threat and Security Design Considerations
4-8: Administrative Facility Threat and Security Design Considerations
5-1: Correlation Between Physical and Cyber Intruders
8-1: Example 1 - Treated Water Storage Tank
8-2: Example 2 - Raw Water Storage Reservoir
8-3: Multiple Benefits from Security Improvements
-------
Preface
The common water system design practices and guidelines that exist today are the same ones under
which drinking water facilities were originally designed and constructed. Concerns about water
utilities' responses to emergency events primarily focused on natural, often weather-related, events
such as floods, tornadoes, and fires. With the new millennium, it has become apparent that
malevolent acts are unpredictable and can affect any type of facility with possibly greater impacts
than would be expected for most natural events.
Updates to water system design practices over the past several decades have not incorporated the
significant security measures that are now considered to be a requirement. As such, the American
Water Works Association (AWWA), the American Society of Civil Engineers (ASCE) and the Water
Environment Federation (WEF) have entered into a cooperative agreement with the U.S.
Environmental Protection Agency (EPA) to improve water infrastructure security. EPA agreed to
provide the funding to support the development of this effort.
The three organizations (AWWA, ASCE, and WEF) divided the project into the areas of water supply,
treatment, and distribution systems (led by AWWA); waste and stormwater collection, treatment,
and disposal systems (WEF), and methodology and characteristics pertinent to designing
contaminant detection and monitoring systems (ASCE). In early 2004, AWWA requested proposals to
develop a standalone guidance document focused on the reduction of risk to drinking water systems.
CH2M HILL was awarded the opportunity to develop this guidance.
This guidance document was prepared in close coordination with AWWA, especially with the
members of the Project Advisory Committee (PAC). Following the technical review of the document
by the PAC, members of the Water Infrastructure Security Enhancements (WISE) Standards
Committee and various AWWA divisions provided additional review. The comments offered by the
reviewers served as a "real-world" test for the guidance, ensuring that the ideas and suggestions
presented in the guidance would work for the various sizes and configurations of utilities across the
country.
The purpose of this guidance is to provide a centralized starting point for utilities as they incorporate
modern security practices into the construction or retrofit of their water systems. The guidance
focuses on these four common principles:
• Maintaining decision-making about security at the local utility level
• Developing a balanced approach to security by applying design, management, and operations
strategies
• Developing cost-effective solutions
• Successfully introducing security into the culture of water utilities
* Although the information in this document has been funded wholly or in part by the US EPA under assistance agreement X-83128301-0 to
the American Society of Civil Engineers, it may not necessarily reflect the views of the Agency and no official endorsement should be inferred.
To enhance the value of this document, an annotated bibliography has been included in lieu of a
"References Cited" section. The bibliography contains not only a list of the materials and web sites
used in the preparation of this document, but also numerous other resources that may assist water
utilities as they design, operate, and manage their facilities.
With the same concept in mind, information has been included in this guidance that may seem to be
very basic or redundant. The purpose of this format is to ensure that all users of this guidance have
the same level of understanding on which the more advanced and complex concepts are built.
Where appropriate, concepts in this document are identified as basic and advanced. Each utility
should apply its own decision-making process as it determines which of the concepts most closely
meets its unique needs and situations.
-------
Acknowledgements
Completion of a document such as this requires significant effort and expertise, not only from those
who construct the text, but also those who, often at their own expense, review the document and
provide invaluable guidance. In addition, this document would not have been possible except for the
initiative, cooperation, and direction provided by members of the U.S. Environmental Protection
Agency and the American Water Works Association (AWWA). It is with appreciation that the
following individuals are acknowledged for their key contributions to this document.
CH2M HILL Primary Authors
Ralph N. Bell
Michael K. Brandon
William E. Desing, P.E.
Forrest M. Gist, P.E.
Yakir Hasit, Ph.D.
Rex T. Hesner
Sam Irrinki, P.E.
Alan B. Ispass, P.E.
Kenneth A. Thompson
Linda P. Warren, P.E.
AWWA Standards Council - all members
AWWA Technical & Educational Council and its Divisions - all members
AWWA Water Utility Council - all members
AWWA Staff and Project Advisory Committee Members
John H. Bambei, Jr., Denver Water Department
Edward E. Baruth, AWWA
Elizabeth Behner, AWWA
Steve L. Burian, Advanced Engineering and Environmental Services, Inc.
David A. Cornwell, EE&T, Inc.
Clyde R. Dugan, Lansing Board of Water & Light
Mark Grace, AWWA
Neil S. Grigg, Colorado State University
Rick L. Harmon, AWWA
Todd A. Humphrey, P.E., City of Portland Bureau of Water Works
Thomas J. Lane, Malcolm Pirnie, Inc.
Thomas Linville, Contra Costa Water District
Kevin Morley, AWWA
David E. Rager, Greater Cincinnati Water Works
Elvira Ramos, AWWA
J. Alan Roberson, AWWA
Roy G. Robinson, City of Albuquerque Public Works Department
James S. Wailes, AWWA
Water Infrastructure Security Enhancements (WISE) Standards Committee
Conrad G. Keyes, Jr., American Society of Civil Engineers
Greg Welter, O'Brien & Gere Engineers
Technical Reviewers
Robert Berg, Long Beach Water Department
Patty Barren, P.E., Birmingham Water Works and Sewer Board
Scott Borman, Benton/Washington Regional Public Water Authority
Michael Clawson, P.E., U.S. Air Force
Dennis M. Diemer, East Bay Municipal Utility District
Michael Dimitriou, ITT Industries
Alan Hais, U.S. Environmental Protection Agency
Mary L. Howell, Backflow Management, Inc.
Carrie Lewis, Milwaukee Water Works
John Mclaughlin, P.E., Brown and Caldwell
Kenneth C. Morgan, P.E., KCM Consulting Services, Inc.
Irwin Silverstein, Ph.D., P.E., NHSRC
John P. Sullivan, P.E., Boston Water and Sewer Commission
Kurt Vause, Anchorage Water & Wastewater Utility
-------
Executive Summary
The purpose of this document is to provide water systems with an initial guide to the design of new
facilities or the re-design or retrofit of existing facilities to create better physical security and reduce
risk to the public water supply. To protect the public water supply, this guidance emphasizes the
management and operations of the facilities and the facility design considerations that can make the
installation and upgrade of physical security systems easier to implement.
Information and suggestions are included or referred to in the text for improving security and reducing
the risks presented by man-made actions. The document is organized in the following manner:
• Introduction
• Management Considerations for Optimizing Physical Security
• Operational Considerations for Enhancing Physical Security
• Design Considerations for Developing Physical Security at New Facilities and Retrofits
• Cyber Security Management, Operation, and Design Considerations
• Choosing the Optimal Physical Security Equipment
• Emergency Response Planning
• Pulling It All Together Through Fully Integrated Security Planning and Design
Each of these sections begins with a summary of the section contents. The sections are followed by an
annotated bibliography that provides references to materials available for further review and
information in each of the areas addressed above. These references include items beyond the limits of
this guidance document.
Introduction
This section introduces the drivers that emphasize security. By identifying the missions of the water
utility, its customers, and its functions, a review of the system vulnerabilities can be performed. Once
the vulnerabilities that affect the utility's objectives have been addressed, the relative risk associated
with each vulnerability can be rated.
The section then reviews the threats to water systems, both in the types of threat and whether the
threat involves groups or individuals. This information, coupled with the vulnerabilities mentioned,
helps to focus the security design needs on areas such as these:
• Redundant systems
• Operational design
• Operational backups
• Backup power systems
• Water reserves
• Building design and construction
Finally, the section provides information on assessing the level of threat and using that information
to guide actions, policies, procedures, and management of the physical security systems.
Management Considerations for Optimizing Physical Security
This section reviews management and leadership levels and responsibilities, starting with the need to
establish a cultural change toward security in operations, continuous improvement, and matching
needs and technology.
Once policy and direction are under way, the care of the customers and stakeholders is
management's responsibility. Human resources, financial considerations, records management, and
governing policies and procedures are discussed.
Operational Considerations for Enhancing Physical Security
This section focuses on overall system components, their design and operational consequences, and
methods to control disruptions to operations through operations and maintenance procedures and
functional flexibility. By blending the various security components and methods, the following areas
are addressed:
• Source water
• Treatment processes
• Distribution systems and customer connections
• Raw water conveyance systems
• Finished water storage and conveyance systems
In addition, support services, their facilities, and the maintenance roles and functions are discussed.
Special discussions on cyber and Supervisory Control and Data Acquisition (SCADA) security are
more fully covered in a separate section.
Design Considerations for Developing Physical Security at New Facilities and Retrofits
The philosophy of matching the level of threat to the cost of improvements is discussed and
addressed in this section. The major functions of a water delivery system are addressed in turn to
provide more specific guidance on improvements to security and the reduction of risk. The use of the
Vulnerability Assessment rankings is very important to the implementation of change. To achieve the
best improvements for the available funds, the measurement of risk and benefits is matched with a
balanced approach to improving security and reducing vulnerabilities. Design considerations for
developing physical security incorporate facility hardening, security equipment, and redundancy for
the components of a water system.
Cyber Security Management, Operations, and Design Considerations
Beginning with the management aspects, the cyber policies and procedures that are an integral part
of the ability to combat security infractions and vulnerabilities for the water system are reviewed.
Also, a short discussion of intrusion methods and consequences is provided.
In the operations portion, the ability to use the information from a Cyber Vulnerability Assessment is
discussed. Control network operations and intrusion defense mechanisms are reviewed. These
mechanisms defend against threats from insiders, outsiders, and hackers through telephones, the
Internet, and physical damage to equipment.
Training for cyber security design issues that address the potential threats listed above,
communications, alarm systems, and bulk data handling are also considered.
Choosing the Optimal Physical Security Equipment
General information on how to choose optimal equipment leads the discussion of performance and
protection levels to consider for the various parts of a water system. Included are access control
features, water quality monitoring, intrusion detection, and others.
Differences considered between new and existing facilities are presented. Groundwater and surface
water systems are discussed separately, as are the different parts of pumping stations, pipelines, and
treatment operations. Other discussions include support services, equipment, outside utilities,
laboratory capabilities, backflow prevention, equipment storage, maintenance, and warehousing. The
discussions are supplemented with figures and operational details. Physical security for the cyber
system is covered in the Cyber Security Management, Operations, and Design Considerations
section.
Emergency Response Planning
This section emphasizes the use of the Incident Command System and how to best combine the
resources of local organizations to result in effective and efficient response to an emergency situation.
The advantages of formal mutual aid agreements and of integrating with regional agencies for
coordinated emergency response to an event are also covered. The work referenced in the U.S.
Environmental Protection Agency's Response Protocol Toolbox (USEPA 2003) is incorporated here.
Putting It All Together Through Integrated Physical Security Planning
This section summarizes the knowledge needed to develop the right solutions for an individual
utility. Examples for the types of threat addressed in previous sections are provided, along with the
protection, intrusion and control steps, and tools that can be used to counter intentional attacks on
the water supply.
-------
Disclaimer
The information presented in this guidance is intended to assist water utilities as they strive to
improve the safety and security of their facilities, their employees, and the public. While the
strategies and methods described can reduce risk and enhance response and recovery actions, they
cannot guarantee that any possible act of vandalism, violence, or terrorism will be prevented or
stopped. As such, those responsible for the content and publication of this document can provide no
guarantees for the performance of any actions taken in response to this guidance.
-------
Abbreviation and Acronym List
AC Alternating current
ACL Access control list
AMSA Association of Metropolitan Sewerage Agencies
AMWA Association of Metropolitan Water Agencies
ASCE American Society of Civil Engineers
ASDWA Association of State Drinking Water Administrators
AWWA American Water Works Association
AwwaRF American Water Works Association Research Foundation
Ca(OCl)2 Calcium hypochlorite
CaO Calcium oxide
Ca(OH)2 Calcium hydroxide
CBR Chemical, biological, or radiological
CCTV Closed-circuit television
CFR Code of Federal Regulations
CHIPS Citizens Helping in Policy Service
CIP Capital improvement plan
CMMS Computerized maintenance management system
CPR Cardio-pulmonary resuscitation
CPTED Crime Prevention Through Environmental Design
DBT Design basis threat
DHS Department of Homeland Security
DoD Department of Defense
DoS Department of State
EOC Emergency Operations Center
EPA United States Environmental Protection Agency
ERP Emergency Response Plan
EWS Early warning system
FBI Federal Bureau of Investigation
FEMA Federal Emergency Management Agency
FOIA Freedom of Information Act
GASB Government Accounting Standards Board
GETS Government Emergency Telecommunications Service
GIS Geographic information system
GPS Geographic positioning system
GSA General Services Administration
HAZMAT Hazardous Materials
HAZWOPER Hazardous Waste Operation and Emergency Response
HMI Human machine interface
HVAC Heating, ventilation, and air conditioning
IAP Incident Action Plan
ICS Incident Command System
ID Identification
IDS Intrusion Detection System
IED Improvised explosive device
IID Improvised incendiary device
IP Internet protocol
ISAC Water Information Sharing and Analysis Center
IT Information Technology
JPEG Joint Photographic Experts Group
K Kilobytes
LEPC Local Emergency Planning Committees
LIMS Laboratory Information Management System
MHZ Megahertz
MPEG Moving Picture Experts Group
Na2CO3 Soda ash
NaOCl Sodium hypochlorite
NaOH Sodium hydroxide
NFPA National Fire Protection Association
NIC NIMS Integration Center
NIMCAST NIMS Capability Assessment Support Tool
NIMS National Incident Management System
NIOSH National Institute of Occupational Safety & Health
NRWA National Rural Water Association
O&M Operations and maintenance
OSHA Occupational Health and Safety Administration
PC Personal computer
PIN Personal identification number
PIO Public Information Officer
PIR Passive infrared
PLC Programmable logic controller
PRV Pressure reducing valves
PSN Public switched network
PTZ Pan, tilt, and zoom
RAM Random access memory
RAM-D Risk Assessment Methodology for Dams
RAM-W™ Risk Assessment Methodology for Water Utilities
RFID Radio frequency identification
RPG Rocket propelled grenade
RTU Remote terminal unit
SCADA Supervisory Control and Data Acquisition
SOP Standard Operating Procedure
TOC Total Organic Carbon
UL Underwriters Laboratory
UPS Uninterruptible power supply
VA Vulnerability assessment
Vac Volts alternating current
Vdc Volts direct current
VSAT™ Vulnerability Self-Assessment Tool
WTP Water treatment plant
-------
SECTION 1
Introduction
• Understand the reasons for enacting security measures
• Understand security issues
• Understand the vulnerabilities and risks facing water utilities
• Understand the threats to water systems
• Develop a security strategy
1.1 Overview
Improving the physical security of water systems in the United States has become a priority for utility
managers and governing bodies since the events of September 11, 2001. Protection of water systems
from malevolent acts is also a very high priority for federal agencies such as the Department of
Homeland Security (DHS) and the U.S. Environmental Protection Agency (EPA). In 1998, Presidential
Directive 63 designated water systems as part of the nation's critical infrastructure. For water utilities,
however, enhancing physical security is just one of many priorities. Because of this competition for
limited resources, including personnel and financial, the security tactic that a utility takes needs to be
carefully thought out, applying a balanced approach including each of the three major areas available
to the utility manager: 1) management tools, 2) operational approaches, and 3) physical security
design features.
Numerous other documents, guidance manuals, and standards of operations focus on the first two
areas. The purpose of this American Water Works Association (AWWA) Security Guidance is to
provide water utilities with a document that also includes physical security design options and how
they can be tailored to individual water systems. Because these three areas are not mutually
exclusive, but are in fact integrated and interdependent, this document incorporates all three. The
diagram in Figure 1-1 illustrates these interrelationships to assist in understanding the underlying
intent of this document.
[Figure 1-1 diagram labels: Malevolent Acts, Unintentional Events, Contamination, Disposal, On-line Monitoring, Cyber Security, Site Security, Family Care, Design Standards, Risk Management, ERP, Safety, Recovery, Training, Risk Assessment]
FIGURE 1-1
Interrelationships Between Common Utility Programs and the Reduction of Risk
This document provides guidance and a framework from which management, operations, and design
of a water system can be conducted to improve the security of the system. Additional information
that addresses threat mitigation, as well as general information on Homeland Security that may be
useful to water professionals, is provided in the annotated bibliography.
This section begins with the background and processes used to identify the priorities for the physical
security protection of a water system. Through vulnerability and risk assessment, utilities will
identify the level of threat that will drive development of a security strategy.
1.2 Reasons for Water Utilities to Enact Security Measures
There are a number of reasons that a utility would invest in the security of its system and facilities,
including meeting the goals defined in the utility's mission statement and regulatory and legal
requirements, among others. Investments can also serve the dual purpose of protecting the water
system from both malevolent and natural acts. For example, whether a pump station is disabled by a
criminal or a hurricane, it is in the water utility's best interest to have a plan that reduces the impact
of either event.
1.2.1 Mission Statement
The purpose of a water utility is articulated by its mission statement and further defined by its goals
and priorities. These mission statements have at their core the protection of public health and safety
from attacks on the quality or reliability of the public water system. Many utilities recognize that
their mission statement includes the need to:
• Provide high quality water in sufficient quantity to its customers
• Operate in a manner that protects against, detects, and responds to man-made threats and
natural disasters from both inside and outside the utility
• Provide a safe work environment for employees and safe, reliable water delivery for the public
• Identify and maintain assets that are critical to the utility's ability to meet its mission
To meet these goals, a utility can identify and take the measures necessary to reduce its risk in the
face of malevolent acts.
1.2.2 Regulatory and Legal Requirements
Regulatory and legal reasons are also motivations for water utilities to make security improvements,
including best practices or lessons learned considerations.
1.2.2.1 Regulatory Drivers
Public Health Security and Bioterrorism Preparedness and Response Act. In June 2002, Congress
passed the Public Health Security and Bioterrorism Preparedness and Response Act (PL 107-188),
which requires vulnerability assessments be performed and Emergency Response Plans (ERPs) be
created or updated for community drinking water systems that serve more than 3,300 people. There
could, in the future, be pressure from groups inside and outside of the government to make
mandatory the implementation of recommendations resulting from the assessments.
Chemical Security Act. As of this writing, there is pending legislation that could require water
systems to address the security of certain chemicals. The Chemical Security Act of 2003 (House of
Representatives Bill 1861 and a similar Senate Bill [SB 157]) direct the EPA to regulate facilities that
store certain toxic chemicals over a specified threshold amount. The act would require the facilities to
assess the vulnerability of a water source to an attack or other unauthorized release; to identify
hazards that may result from such a release; and to prepare a prevention, preparedness, and response
plan. Facilities that store chlorine in quantities over 2,500 pounds would be subject to the Chemical
Security Act as it is currently drafted. However, the legislation may use the chemical lists and
thresholds established by the Risk Management Programs (40 CFR Part 68) to determine
applicability.
1.2.2.2 Legal and Liability Issues
A basic tenet of legal liability may compel a water utility that is made aware of a hazardous condition
to take reasonable steps to eliminate or mitigate it. Publications such as this one that
discuss the need for water utility security, and the materials published by EPA and other entities,
could be considered notice that a hazardous condition may potentially exist. Once a vulnerability
assessment is complete, the resulting recommendations also could be considered as notice of a
dangerous condition. This notice could potentially result in liability if the recommendations are not
addressed. In some cases, water utilities may be able to claim immunity based on their charters or
municipal laws; however, some state laws waive or limit this immunity. A finding of negligence for
damages stemming from a security breach generally would require:
• Knowledge or reasonable ability to foresee the damages
• A duty to the injured person
• Violation of the duty proximately causing the injury
Generalized warnings of terrorism against water utilities may not impact liability, but a warning
relating to a specific plant or location could. The paraphrased axiom that, "the best defense is a well
thought out and implemented security program," can be applied here. Court rulings have found that
a water utility must exercise reasonable care in operating and maintaining its system. The definition
of "reasonable care" is key in determining liability. As more water utilities implement security
improvements, it could be argued that the definition of reasonable care is evolving to include
installation of security systems that only a short time ago were rarely found in water systems. This
document will include a two-tiered approach to security-related improvements using Basic and
Advanced categories. A water utility can identify those measures that actually provide security
improvements and that are a balance of the available resources, the utility's ability to execute the
improvements, and ongoing operational aspects of the utility.
The Basic category is a reasonable care approach to reduce identified risk levels at the most critical
assets. The Advanced category adds Best Business Practices to further lower risk levels across the
water utility, but at increased resource expenditures.
Benchmarking the security-related improvements that utilities have made can help define a standard
and provide guidance for other utilities struggling to determine which improvements to implement.
Utility staff can evaluate common practices in the water industry as one approach to making
decisions regarding the appropriate level of protection and investment for their systems.
1.2.3 Other Reasons
Other reasons that water utilities have cited for the implementation of security systems include:
• Providing protection against non-terrorism threats such as vandals, low-level criminals, and
disgruntled employees. Vandalism and theft are a problem for many utilities, especially those in
larger urban areas — one that installing security systems can help to mitigate or prevent.
• Protecting employees from outsiders entering plants.
• Providing operational benefits beyond heightened security. For example, installing backup
generators to provide power in the event of an attack on the power substation feed will also
provide mitigation for power outages caused by other events, such as natural disasters or
construction-related incidents. Similarly, as part of vulnerability assessments, utilities that add
redundant pumps for pumping systems would significantly reduce process-related consequences
if the main pumps are no longer operational.
• Assuming the responsibility to maintain public confidence in the water system and provide
service to the community.
1.3 Overview of Water System Security Issues
Interruption of water system service, whether from natural disasters or malevolent actions, can result
in widespread public health impacts and economic or environmental damages. Because water
systems have been identified as critical infrastructure, these systems may be a target for adversaries.
Some examples of how water systems could be attacked by adversaries are listed below and
summarized in Table 1-1:
• Introduction of volatile compounds to the raw water system, which can cause explosions and
shut down water treatment processes
• Large releases of chlorine gas from water treatment facilities or booster disinfection facilities to
cause injury and death to workers and public within and outside of the facility
• Physical destruction of the water system assets
• Introduction of toxic chemicals or biological contaminants to the water treatment, storage, and
distribution systems
• Water distribution systems used to transport chemical and biological contaminants to a major or
critical water customer
• Misuse of the Supervisory Control and Data Acquisition (SCADA) or connected cyber systems, which
can cause chemical over- or under-dosing, system interruptions, and damage to the drinking water
system components.
TABLE 1-1
Threats to Water Systems

System: Source Water and Water Treatment Facilities
  Overall Issue: Source water and delivery areas are sometimes remote, not typically secured other
  than by a fence
  Examples of Potential Threats:
    - Damage to or disabling of critical assets
    - Toxins introduced into source or treatment plant
    - Release of chlorine gas
  Impacts to Facilities:
    - Damage to structures and equipment
    - Significant disruption to treatment processes
  Impacts to Personnel:
    - Direct, potentially fatal injuries to workers from explosives or toxic substances
  Impacts to Community:
    - Disruption of service
    - Adverse health effects from contaminated water or chlorine gas plume

System: Distribution Systems
  Overall Issue: Numerous facilities and piping are easily accessible and are largely unmonitored
  Examples of Potential Threats:
    - Use of system as a "conduit" for adversaries
    - Improvised explosive device set in facilities or placed in vaults
  Impacts to Facilities:
    - Damage to piping and storage tanks
  Impacts to Personnel:
    - Direct, potentially fatal injuries to workers from explosives or toxic substances
  Impacts to Community:
    - Disruption of service
    - Adverse health effects from using contaminated water
    - Damage to surrounding buildings and inhabitants

System: Pump Stations
  Overall Issue: Some locations are remote and unmanned
  Examples of Potential Threats:
    - Individuals driving or walking up to a facility to damage or disable equipment
    - Shooting at pump station panels
  Impacts to Facilities:
    - Damage to structures and equipment
  Impacts to Personnel:
    - Direct, potentially fatal injuries to workers from explosives or toxic substances
  Impacts to Community:
    - Adverse health effects from lack of water or contaminated water

System: SCADA System
  Overall Issue: Hacking the SCADA system through Internet or interruption of radio frequencies
  Examples of Potential Threats:
    - Disabling of alarms
    - Taking control of flow and processes
    - Preventing operators from knowing what is occurring
  Impacts to Facilities:
    - Significant disruption to treatment and distribution processes
  Impacts to Personnel:
    - Indirect effects from being unaware of conditions
  Impacts to Community:
    - Disruption of service
    - Adverse health effects or lack of access to account information
1.4 Vulnerability and Risk Assessment
The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 has required
that all community drinking water systems serving populations greater than 3,300 conduct a
vulnerability assessment (VA). The VAs have helped utilities to understand the most likely threats,
the most critical facilities and assets, and the relative risk for those critical facilities and assets. The
results of the VA provide a framework for the utility to enhance the physical security of its water
system so that its mission may be achieved.
1.4.1 Definition of Vulnerability
As defined in the Sandia National Laboratories' RAM-W™ approach, "vulnerability" is an
exploitable security weakness or deficiency at a facility. Further definitions of vulnerability include
these:
• A characteristic of a critical infrastructure's design, management, or operation that renders the
infrastructure susceptible to destruction or incapacitation by a threat.
• A flaw in security procedures, software, internal system controls, or operation that may affect the
integrity, confidentiality, accountability, and/or availability of data or services. Vulnerabilities
include flaws that may be deliberately exploited and those that may cause failure due to
inadvertent human actions or natural disasters.
• Any weakness that can be exploited by an aggressor or, in a non-adversarial threat environment,
that can make an asset susceptible to hazard damage.
1.4.2 Definition of Risk
As defined in the Sandia National Laboratories' RAM-W™ approach, "risk" has two components: 1)
a measure of the potential damage to or loss of an asset and 2) the probability of an undesirable
occurrence to that asset. Further definitions of risk include these:
• The potential for realization of unwanted, adverse consequences to human life, health, property,
or the environment.
• The quantitative or qualitative expression of possible loss that considers the probability of a
hazard causing harm together with the consequences of that event.
Risk is usually expressed as a function of the probability of the occurrence of an adverse effect and
the consequence of the effect on the ability to maintain function.
1.4.3 Objectives
The objectives of vulnerability and risk assessments are to:
• Identify threats to the water system assets, including infrastructure, quality of water, employees,
information, finances, etc.
• Identify the specific assets that may be impacted by the identified threats, and the relative
criticality of these assets.
• Determine the likelihood that a threat may materialize.
• Calculate the consequences of losing part or all of the water system assets.
• Evaluate existing countermeasures.
• Analyze current risks associated with threats and assets.
• Identify additional countermeasures and prioritize based on a risk-reduction analysis.
The goals of the vulnerability assessments are to develop information that the utility could use to:
• Protect public health and safety
• Protect or ensure the supply of water
• Provide a secure workplace for employees
• Protect the facilities against the identified Design Basis Threat (DBT)
• Provide security management practices
• Provide measures to minimize insider threat
• Protect computer access and data, communications, and SCADA
• Protect operational systems and building support systems
• Protect power supplies and emergency backup power
1.4.4 Vulnerability Assessment Methodologies
Several methodologies can be used to conduct a VA. The assessment itself is important, not
necessarily the specific method used. As long as the assessment is accurate for a utility's own
particular given risks, then any method that produces an accurate picture of vulnerability and risk is
acceptable. The two most common methods are:
• Risk Assessment Methodology for Water Utilities (RAM-W™) developed by Sandia National
Laboratories with funding from EPA.
• Vulnerability Self-Assessment Tool (VSAT™) developed by the Association of Metropolitan
Sewerage Agencies (AMSA) with EPA funding.
Other methods that can be used to conduct a vulnerability and risk assessment include, but are not
limited to:
• Security Vulnerability Self Assessment Guide for Small Drinking Water Systems (May 30, 2002)
by the Association of State Drinking Water Administrators (ASDWA) and National Rural Water
Association (NRWA) for populations less than 3,300.
• Security Vulnerability Self Assessment Guide for Small Drinking Water Systems Serving
Populations between 3,300 and 10,000 (November 13, 2002) by ASDWA and NRWA.
• The application of CARVER (Criticality, Accessibility, Recuperability, Vulnerability, Effect, and
Recognizability), a method used by the military to assess the attractiveness of a particular target.
Use of a hybrid model is acceptable if it establishes vulnerabilities and risks.
1.4.4.1 Risk Assessment Methodology for Water Utilities (RAM-W™)
The RAM-W™ methodology, illustrated in Figure 1-2, is a "consequence-driven" approach that
focuses on evaluating the effectiveness of a security protection system (Sandia Corporation 2002). As
such, it offers numerous benefits. First and foremost, it offers utilities a systematic, defensible
approach to security protection systems. RAM-W™ helps utilities to identify those system
components that are critical for the system to function and, in turn, helps them to prioritize security
upgrades and/or modify policies and operational procedures to mitigate identified risks. In turn, it
offers utilities a way to develop balanced security protection systems so that they can allocate the
appropriate resources to the areas where they are most needed to reduce risk.
[Flowchart not reproduced. Steps shown in the figure: Purpose, Objectives; Prioritize Facilities, PWC;
Design Basis Threat (PA); Prioritize Critical Assets (C); Physical Protection and Operating Systems (PE);
Facility Characterization; Risk; Proposed Upgrades; End.]
Risk = PA(1-PE)C
where Risk = Relative Risk, PA = Likelihood of Occurrence, (1-PE) = Adversary Success, and
C = Consequence. Range of values: 0.0 = None, 1.0 = Catastrophic.
FIGURE 1-2
RAM-W™ Methodology
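The relative-risk relation from Figure 1-2, Risk = PA(1-PE)C, worked through for a small asset inventory and a set of proposed upgrades. This is an added illustration, not part of the original guidance or of RAM-W™ itself; the asset names, the PA, PE and C scores, the post-upgrade PE values, and the assumption that all three inputs are scored on the 0.0 to 1.0 range are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    pa: float  # PA: likelihood of occurrence of the design basis threat
    pe: float  # PE: effectiveness of physical protection and operating systems
    c: float   # C: consequence of loss, 0.0 = none .. 1.0 = catastrophic

    def __post_init__(self):
        # Assumption: all three inputs are scored on the figure's 0.0-1.0 range.
        for label, value in (("PA", self.pa), ("PE", self.pe), ("C", self.c)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label}={value} is outside 0.0-1.0")


def relative_risk(asset):
    """Risk = PA * (1 - PE) * C, where (1 - PE) is adversary success."""
    return asset.pa * (1.0 - asset.pe) * asset.c


def rank_by_risk(assets):
    """Assets ordered from highest to lowest relative risk."""
    return sorted(assets, key=relative_risk, reverse=True)


def risk_reduction(asset, upgraded_pe):
    """Drop in relative risk if an upgrade raises PE to upgraded_pe."""
    if upgraded_pe < asset.pe:
        raise ValueError(f"{asset.name}: upgrade would lower PE")
    # replace() re-runs the range check on the upgraded value.
    return relative_risk(asset) - relative_risk(replace(asset, pe=upgraded_pe))


def rank_upgrades(assets, proposed_pe):
    """proposed_pe maps asset name -> PE expected after the upgrade.

    Returns (name, risk reduction) pairs, largest reduction first.
    """
    by_name = {a.name: a for a in assets}
    scored = [(name, risk_reduction(by_name[name], pe))
              for name, pe in proposed_pe.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample inventory (not data from the guidance).
ASSETS = [
    Asset("Chlorine storage", pa=0.5, pe=0.4, c=0.9),
    Asset("Remote pump station", pa=0.7, pe=0.2, c=0.4),
    Asset("SCADA control room", pa=0.6, pe=0.5, c=0.8),
    Asset("Finished water reservoir", pa=0.3, pe=0.3, c=0.7),
]

# Constructed post-upgrade PE values for each asset.
PROPOSED_PE = {
    "Chlorine storage": 0.6,
    "Remote pump station": 0.7,
    "SCADA control room": 0.8,
    "Finished water reservoir": 0.5,
}

if __name__ == "__main__":
    print("Current relative risk:")
    for a in rank_by_risk(ASSETS):
        print(f"  {a.name:26s} {relative_risk(a):.3f}")
    print("Risk reduction from proposed upgrades:")
    for name, delta in rank_upgrades(ASSETS, PROPOSED_PE):
        print(f"  {name:26s} {delta:.3f}")
```

With these constructed scores the asset with the highest current risk is not the one whose upgrade removes the most risk, which is why the risk-reduction ranking is computed separately from the risk ranking.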
1.4.4.2 Vulnerability Self-Assessment Tool (VSAT™)
VSAT™, shown in Figure 1-3, is a software-based tool for risk-based and cost-managed security
evaluation and planning. It is specifically designed to assist utilities in addressing the tasks necessary
to complete the six basic elements that the EPA requires for a water system vulnerability analysis.
VSAT™ imposes the rigor and logic necessary to perform an assessment that results in a
comprehensive analysis and that addresses these utility asset categories: 1) physical, 2) information
technology, 3) knowledge, 4) people/employees, and 5) customers/finances. A description of the
water system should be developed for each category to aid the utility in interpreting the results of the
assessment provided by the VSAT™. Additionally, the utility should review, and modify as
applicable, the software-generated language to ensure that the language is specific to the water
system being assessed. More information about VSAT™ can be found at www.vsatusers.net.
[Screenshot not reproduced. It shows the VSAT™ asset tree, with entries including Sewage Pumping,
Preliminary Treatment, Primary Treatment (Clarifiers), Biological Treatment, Structures, Electrical,
Mechanical, Instrumentation, Secondary Clarification, Outfall, Equipment Management, Administrative
Office, Control Room, Laboratory, Disinfection (Chlorination, UV), Advanced Treatment (Reactors,
filters), Reclaimed Water System (Storage tanks, pumps), Wastewater Collection System, Gravity Sewers,
Pipes, Manholes, Pumping Stations, Stormwater Sewers, Force Mains, Warehouse, Maintenance Facilities,
Rolling Stock, and Business Continuity Plan (Readiness, Response, Recovery).]
FIGURE 1-3
Vulnerability Self-Assessment Tool (VSAT™)
1.5 Understanding the Threats to Water Systems Before Developing a Security Strategy
Threats to water systems have always included natural disasters, recurring events such as extreme
weather (e.g., flooding, lightning), and accidental (human-caused) events (e.g., chemical spills,
vehicle collision). Utilities also face identified concerns from malevolent acts, such as vandalism,
criminal activity, and terrorism. The use of water as a weapon, a means to defeat an enemy, or to
affect a population has historical precedent (see www.worldwater.org/conflict.htm).
The events of September 11, 2001 have heightened the way that utilities think about these malevolent
threats. Now, privately and publicly owned water utilities, along with other public infrastructure and
essential service providers, are clearly potential targets for destruction and disruption from domestic
and international adversaries. This concern has alerted water industry leaders, causing them to
recognize and address the potential consequences of threats such as vandalism and employee
misconduct to enhance their ability to maintain business continuity during these types of events.
1.5.1 Malevolent Acts
Deliberate, malevolent events are intended to affect as many people as possible in order to create
concerns among the public and promote distrust of the authorities. This, in turn, causes dissension
and division and makes it easier for adversaries to affect the political and economic well-being of the
community.
1.5.1.1 Types of Malevolent Acts and Adversaries
Physical attacks on raw water supplies, water treatment plants, and distribution systems can take
different forms, creating a variety of results. The bombing of critical treatment plant processes or a
pump station, for instance, would result in significant property damage. Similarly, destruction of
electrical power grids or chemical suppliers servicing a water treatment plant would significantly
reduce or halt water deliveries for an indefinite period of time.
Sabotage or physical damage to a utility's chemical inventory would cause consequences for plant
staff, emergency response personnel, and community within the zone of influence. Once the initial
consequences of such an attack are addressed, the secondary concern would be the facility's inability
to use that chemical until temporary measures are established or the system is repaired.
Other types of malevolent acts include:
• Physical damage and destruction to the infrastructure assets
  - Use of explosive devices
  - Arson
  - Introduction of a flammable liquid into the water system
  - Vandalism
  - Sabotage of valves, tanks, etc.
  - Introduction of a chemical agent that can permanently contaminate the interior of pipes and
    storage tanks
  - Damage to the power supply
  - Destruction of vital infrastructure
• Disruption of the water system
  - Introduction of a toxin into the source water, treatment facility, or distribution system
  - Hacking into the SCADA system
  - Removing hardcopy files or deleting electronic files
  - Vandalism
  - Sabotage of valves, tanks, etc.
  - Interrupt operations supporting the public
• Harming the workers and public
  - Release of toxic substance (e.g., chlorine)
  - Personal assault with or without a weapon on employees
  - Use of explosive devices
  - Arson
  - Kill, injure, or affect the health of large numbers of people
• Use of facilities for other malicious purposes
  - Access of customers' financial information
  - Equipment theft for personal gain
  - Threat of contamination to invoke public fear
There are numerous types of adversaries as shown in Figure 1-4. Threats may originate from an
"insider" or from an "outsider." An insider is a person with knowledge of the water utility and who
has access to the facilities or portions of the system as part of his or her daily work activities.
Insiders typically have access to information systems as well. The appearance of an insider at a
utility facility does not typically cause suspicion. Examples of insiders include employees, vendors
delivering materials, and onsite contractors.
An outsider is a person who is not normally allowed access to any of the water facilities. Suspicions
might be raised if such a person is seen on utility property. Outsiders typically do not have access
rights to buildings or information systems. Some outsiders, however, can have insider knowledge.
These outsiders can include former employees, contractors, or consultants who have some access or
knowledge of the facility.
• Current employee
• Former employee
• Spouse/partner of employee
• Vendor or contractor
• Customer
• Vandal
• Criminal
• Saboteur
• Terrorist
FIGURE 1-4
Examples of Adversaries
One way of differentiating these two is the manner of mitigation. For an insider, a utility is able to
apply insider risk reduction measures. The individuals need to fall under the utility's personnel
policies, procedures, and control. If they do not, the only remaining methods that can be applied are
those specific to an outsider.
The spectrum of malevolent acts is broad, and the actions to mitigate the risks associated with these
threats are more of a continuum than a discrete number of countermeasures. Consequently,
specifically in Section 2, "Management Considerations for Optimizing Physical Security," and to
some extent in Sections 3 and 4, "Operational Considerations for Enhancing Physical Security" and
"Design Considerations for Developing Physical Security at New Facilities and Retrofits,"
respectively, risk reduction actions are presented in the context of defined levels of threats.
In the sections that follow, threat levels are assumed to have the following defining characteristics as
shown in Table 1-2.
Prior to choosing a threat level on which to base a design, make operational changes, or revise
management policies, it is imperative to perform a vulnerability assessment and risk analysis on the
existing (or planned) water system. A thorough vulnerability assessment performed using either
RAM-W™ or VSAT™ (see Section 1.4.4, "Vulnerability Assessment Methodologies") will identify the
threats that should be addressed; a subsequent risk analysis will provide decision makers with the
data required to choose a strategy to reduce risks in the design, management, and operations of the
water system.
TABLE 1-2
Threat Level Characteristics

                  Threat Level
Characteristic    Vandal     Criminal          Saboteur       Terrorist
Planning          None       Possible          Definite       Extensive
Access            Stealth    Stealth           Stealth        Stealth or overt
Weapons           None       Knife or pistol   Explosives     Any
Contaminants      None       None              Possible       Probable
Asset damage      Minimal    Minimal           Significant    Extensive
Theft             None       Probable          Possible       Possible
Injuries          None       Possible          Possible       Extensive
Fatalities        None       Possible          Possible       Likely
1.5.1.2 Secondary Benefits of Designing for Security Against Malevolent Events
Utilities that have incorporated security for malevolent events are also finding that they have
enhanced their response to natural disasters and unanticipated failures and can restore system
operation and service more quickly. Water utilities have traditionally done an excellent job in
developing strategies for responding to natural events and unexpected system failures. Natural
events can include acute events such as violent weather, earthquake, fire, or flood, as well as chronic
events such as drought or expansive soils.
Because natural disasters tend to be geographically specific, not all water systems face the same
threats. Water utilities typically have countermeasures in place to mitigate the threats from natural
disasters common to the geographic area because building codes and standard engineering practices
consider natural threats in design standards and regulations (e.g., structures designed to withstand
120 miles per hour winds in hurricane prone areas). In addition, water utilities usually have disaster
preparedness plans and, possibly, response and recovery plans as well.
Unanticipated failures that can have a great impact on a water utility can include hazardous material
release, power or telephone service disruption, infrastructure failure, or even a labor strike or
slowdown. Standard operating procedures, key contact lists, and a complete inventory of emergency
parts and supplies are ways in which water utilities can respond to these types of crises.
1.5.1.3 Management, Operations, and Security Design Enhancements to Mitigate Malevolent Acts
The plans, processes, and procedures used to mitigate malevolent acts, as well as natural events and
unanticipated failures, are many. Some of the typical security enhancements for water systems that
mitigate these events include the following:
• Redundant systems
• Operational flexibility in design
• Operational backups
• Backup power systems
• Alternate connectivity to other water supplies
• Uninterruptible power supply (UPS)/power filtration
• Increased treated water reserves
• Reduced quantities of hazardous materials (e.g., chlorine gas)
• Modified treatment process that is less hazardous
• Improved building design, construction, and materials
• Multiple sources
• Distributed treatment
1.5.2 Generic Threat Levels
The Department of Homeland Security has developed an advisory system that identifies the present
threat to the United States. In addition, the Water Information Sharing and Analysis Center
(WaterISAC) advisory system (sponsored and developed by the EPA and AWWA) is another means
that can be used to communicate rapidly with water utilities about threats and threat levels. Utilities
need to be knowledgeable about how their operations and operational procedures should be adjusted
to coincide with these generic threat levels. Understanding the utility-level actions at the different
Homeland Security Advisory System levels (sample actions are shown in Table 1-3), reviewing
relevant materials, and planning are important for proper control and response actions. In support of
a utility's ERP, the EPA also provides guidelines for response in its Emergency Response Protocol
Toolbox (USEPA 2003). A summary of a portion of that guidance, provided in Table 1-4, demonstrates
good first steps.
TABLE 1-3
Actions Based on Threat Level as Announced by the Department of Homeland Security (DHS 2004, EPA 2004a)

Threat Level Announced    Local Actions to Perform
Low (Green)               Normal operations. Focus on facility assessments and ERPs. Review plans for
                          contingencies, and make sure checklists and other information are current.
Guarded (Blue)            Normal operations. Advise employees of the status change; prepare to
                          communicate with first responders and other agencies; review ERPs.
Elevated (Yellow)         Advise all employees of the status change. Have employees intercept and
                          report all visitors. Follow all utility-specific guidance for restricted access.
High (Orange)             Double the frequency of checks on remote system operations. Review and
                          re-stock emergency use supplies as required. Fuel all vehicles, generators
                          and equipment. Charge all batteries.
Severe (Red)              Cancel visits. Prepare for extended-hour work shifts. Stockpile reserves,
                          such as fuel. Maximize water storage.
TABLE 1-4
Summary of EPA Water Utility Response, Recovery and Remediation Guidance
for Man-made and/or Technological Emergencies

I. Contamination Threat to the Water System, Unknown Contaminant, Unknown Location
Source Water
• Notify local law enforcement, local Federal Bureau of Investigation (FBI) field office
• Increase sampling at or near system intakes
• Review ability to isolate water source(s)
Treatment Facility
• Notify local/state emergency management organizations, notify ISAC
• Preserve latest full battery background test as baseline
• Increase sampling efforts
• Review ability to stop treatment and notify customers
• Coordinate alternative water supplies
Storage/Distribution
• Notify other associated system authorities
• Review ability to isolate storage and distribution zones

II. Contamination Threat or Occurrence at a Major Event, Stadium, Convention Center, Etc.
Source Water
• Notify local law enforcement, Local FBI Field office, National Response Center, WaterISAC
Treatment Facility
• Notify local/state emergency management organizations, notify wastewater system, notify Governor
Storage/Distribution
• Notify local government officials
• Coordinate system isolation plan
• Assist in draining contained water
• Assist in developing sampling plan
• Provide alternative water sources

III. Notification from Health Officials of Potential Water Contamination, Public Cases Identified
Source Water
• Request information on symptoms, potential contaminants and potential area affected
• Increase sampling at or near system intakes
• Consider whether to isolate source water supplies
Treatment Facility
• Notify local law enforcement, local/state emergency management organizations, FBI Field Office,
  and National Response Center
• Preserve latest full battery background test as baseline
• Increase sampling efforts
• Consider stopping normal operations and notifying customers
• Coordinate alternative water supply if needed
Storage/Distribution
• Notify other associated system authorities, local government official, and the Governor
• Increase sampling in the area potentially affected
• Increase sampling at locations where contaminant might have migrated
• Consider whether to isolate
• Consider whether to increase residual disinfection levels

IV. Electronic Intrusion of the SCADA System
Source Water
• Notify local law enforcement and local FBI Field Office
• Increase sampling at or near system intakes
• Consider whether to isolate the source water
Treatment Facility
• Notify the National Infrastructure Protection Center
• Preserve latest full battery background test as a baseline
• Increase sampling efforts
• Temporarily shut down SCADA and use manual operation procedures
• Consider whether to shut down system and provide alternate water
Storage/Distribution
• Notify other associated system authorities, and employees
• Monitor unmanned components of the storage and distribution system
• Consider whether to isolate portions of the system
1.5.3 Threat Level Assessment
Identifying the threat level that faces a utility is a critical step in understanding the level of protection
required for its water system. The determination of a threat level is composed of two main
components:
• First, the type of threat
- Inside threats (employees, vendors, onsite contractors)
- Outside threats (vandals, criminals, cyber terrorists, domestic terrorists, foreign terrorists)
• Second, an assessment of the likelihood of a threat occurring at this utility
- Capability of the threat (e.g., number of adversaries)
- History of threats
- Tactics and methods of attacks (including tools)
- Access to critical equipment (internal)
- Motivation of adversary
The threat level assessment process includes open dialogue with local law enforcement agencies. This
dialogue should include at a minimum conversations with the local Federal Bureau of Investigation,
the Sheriff, police department, and undercover task force personnel. Documented occurrences at the
utility, using the expertise and experience of the utility's employees, should be reviewed. It is also
worthwhile to talk to neighboring utilities regarding past experiences that they have encountered.
Capabilities. The capability of the threats identified is related to the likelihood that an event will
occur. Identification of a possible threat, such as a criminal or a terrorist, helps to identify the
capability of those individuals to be successful in causing disruptions. The more organized and less
spurious the intruder is, the more likely those adversaries will use more advanced equipment and
weapons. On the other hand, adversaries may be less likely to approach a facility where they could
be easily detected and stopped.
History. Research and discussion with local law enforcement is imperative. Awareness of national or
international level security alerts does little to provide a picture of what is happening in local
neighborhoods. Regular discussions and information-sharing with the local police, sheriff, and FBI
field offices can provide a much clearer picture of the potential for man-made activity against utilities. The presence
of local extremist groups and vocal activist groups can have a direct effect on calculating the
likelihood that an event will occur on utility property.
Utilities should frequently share their events, trespasses, and cyber intrusion cases with their local
law enforcement agencies. Sharing knowledge of activities and actions against different parts of the
nation's infrastructure helps the FBI, sheriff, and police to better disseminate and evaluate information
in each region of the country.
Tactics and Methods. Tactics of carrying out malevolent acts include overt actions and surreptitious
actions. Overt actions include direct attack on infrastructure, assault, and hostage taking.
Surreptitious actions include vandalism, theft, contamination, use of explosives, and cyber attacks.
Methods include unarmed individuals attacking individuals, damaging equipment, and shutting
valves, and using sewers as access-ways to otherwise secure sites unrelated to the utility. Other
methods include weapons such as knives, pistols, rifles, or submachine guns, and standoff weapons
such as rocket-propelled grenades and mortars. Explosives may be manufactured (e.g., hand
grenades) or improvised explosive devices (IEDs) that are placed at a location such as a pipe bomb in
a trashcan. TNT, C4, or other high explosive hidden in a vehicle that is parked or driven onto a site
and either manually or remotely detonated could be used. Adversaries may also use mail bombs or
bombs placed in packages or containers carrying materials that are delivered to the utility.
Contamination with chemical, biological, or radiological agents is a threat from two perspectives.
First, these agents may be used against utility personnel through dispersal in the air; through heating,
ventilation, and air conditioning (HVAC) systems; food; and the potable water supply. Second, these
agents can be introduced to the public through the source water system, directly into the treatment
system, or into the water distribution system. Depending upon the specific substances used, damage
may be acute and/or chronic.
Water systems also face malevolent acts to their information systems through cyber attacks. Such
attacks may originate internally or externally. Attacks directly on the utility may disable a SCADA
system and alarms, override process controls, or take over control of key points in the system
resulting in water outages or insufficiently treated water. Cyber attacks may also interrupt
communications, as well as intranet and Internet services.
Attacks on outside providers, such as power generators or power grid operators, can also
significantly affect the ability of water utilities to provide continuous and effective service.
Access. The VA process helps identify those parts of the water system that are critical to maintaining
operations. Protection of those key assets, without which the system would not be able to meet its
mission, is logical. Providing worker access to those critical assets is important, as is denying access
to others. If access to key locations can be achieved without detection and damage done or equipment
taken off line, key single points of failure can occur that affect other related and unrelated parts of the
process.
Motivation. The motivation of perpetrators ranges from the mischief of vandals to the desire of
adversaries to undermine the well-being of society. In between these two extremes are a variety of
motivating factors, including anger at the utility or at an individual within the utility. Disgruntled
employees who feel abused, belittled, unappreciated, or unrewarded may attack coworkers or
supervisors, damage infrastructure, destroy or change data, or steal equipment. Former employees
who believe they were wrongly terminated or desire to avenge a previous incident may return to the
workplace and commit an assault or murder, property damage, theft, or sabotage. Spouses and
partners of disgruntled employees and former employees may commit the same acts of revenge on
the utility or its management. Similarly, customers who believe they were wrongly treated,
overcharged, or who have experienced property damage may vent their anger in similar ways. It is
important to realize that the actions taken by these angry persons may be either planned or
impulsive.
Economic gain may motivate persons, including employees, to steal equipment, supplies, vehicles, or
money. Such thefts may be a single breaking and entering, making the crime obvious. On the other
hand, thefts may be insidious if committed by persons such as employees, vendors or contractors
who have access to the organization's facilities. Thefts may also be conducted through an ongoing
scheme that involves stealing of rarely used items or embezzling small amounts of money, and
covered up through unauthorized adjustments to inventory or financial records. Such crimes may
remain unnoticed for long periods of time. Thefts by employees are unfortunately common. It is
estimated that 68.6 percent of employees who commit these crimes have no previous criminal record. 1
At the extreme end of the motivation scale are the driving forces of the terrorist. While remaining a
topic of debate, motivating factors may be political, religious, social, or symbolic; revenge, change, or
the desire to gain attention may instigate it. There are two categories of terrorists: international and
domestic. International terrorists act with the intent of undermining stability and instilling terror
through destruction of economically important and symbolic assets, and, potentially, by killing large
numbers of people. These terrorists almost always work in groups, and spend considerable time and
resources to select and learn about their targets, and plan their attacks. At the extreme end, the
motivation of terrorists is so strong that they will adopt different lifestyles, deceive and betray friends
and family, and sacrifice themselves for their cause. Domestic terrorists may have a well-financed,
loose-knit working organization focused around their cause, but usually work alone.
1.5.3.1 Locate Information on Most Probable Threats
There are a number of sources that utilities can use to obtain local information on most probable
threats. As discussed in Section 1.5.2, "Generic Threat Levels," Water ISAC, operated by the
Association of Metropolitan Water Agencies (AMWA), can be consulted for current information on
security intelligence in the water industry. Additionally, information to supplement the utility's
knowledge and experience can be obtained through communication with law enforcement and other
utilities.
1.5.3.2 Use the Information to Review the Utility's Organizational Security Strategies
Utilities can use a variety of existing information as part of reviewing their current organizational
security strategies. Some of the typical information that is readily accessible to utilities includes the
following:
• Operations and operational capabilities
• Current policies and procedures
• General physical security capability
• Maintenance and testing of security systems
1 Detecting Employees Who Steal, Workforce Management, November 2002, page 31
1.5.3.3 Identify Response Capability and Actions
Response capability refers to a range of actions from appropriate water system operator responses to
police responses to the involvement of other public safety agencies. It also includes the built-in
operations responses within the water treatment and delivery system itself. It involves the
assessment of what is wrong and the decision of what to do about it. Response is based on the threat
identified in relation to the critical asset that is threatened.
1.6 Developing a Security Strategy
A security strategy is both a short-range list of activities and a long-range plan. Security strategy is
not developed as a stand-alone exercise, but requires an understanding of the information previously
introduced in this section.
Understanding system vulnerabilities, or critical "points of failure," that would keep a utility from
achieving its defined mission goals is the first part of a necessary strategy. How to stay in business is
the focus of the strategy. Any action to improve system redundancy, protect critical functions, back
up operations, train personnel, and organize business policies, procedures, plans, and functions
supports the goal of continuing the mission without interruption.
There are multiple parts to a good security strategy. Defining a goal of complete system
redundancy—of pumps, tanks, water sources, and other essential facilities—would be a long-range
plan. Addressing immediate issues identified in a security plan can help to reduce risk quickly by
focusing on management and operations activities under current control. When utilities perform this
analysis, it is important that they consider not only documenting the process, but also
communicating the assumed risk tolerance to policy makers and governing boards. It is critical for
utilities to have policy makers aware of and in agreement with utility management with respect to
the degree of risk tolerance selected. The level of acceptable risk tolerance that utilities can agree to is
subjective and can have considerable impact on the cost and degree to which utilities undertake
security improvements, change operating policies and procedures, and so on.
This guidance provides a broad range of tools and techniques to address water system security. Some
are simple and easy to implement; others are more complex and costly, possibly requiring a
significant involvement of time and resources. It is essential for utilities to realize that an effective
security plan is not necessarily complex or expensive. An effective security plan is one that makes
sense for and can be implemented within existing (and future) conditions. Utilities are encouraged to
apply the contents of this guidance in a commonsense and practical way.
The following sections can help with the development of a good security strategy.
1.6.1 Determining the Required Level of Security
As described in Section 1.2, a vulnerability assessment typically uses a risk-based approach to
prioritize potential security improvements. A vulnerability assessment does not, however, determine
the levels of risk, and thus security systems, that are acceptable and how the potential improvements
should be implemented. Many vulnerability assessments include determining the DBT, which
identifies the types of adversaries and their capabilities; however, the assessments generally provide
limited guidance regarding how to select the threat. Methods that can be used to determine the level
of security improvements that should be implemented are described below.
1.6.2 Conducting a Risk Reduction Analysis
Risk is best assessed and analyzed if quantified (e.g., 1 to 100). Risk is related to the likelihood
of occurrence (probability) and the severity (criticality) of the consequence. To generate a quantified
result, both probability and criticality should be stated in the same scale. Risk reduction is then
accomplished by reducing either the likelihood of occurrence, the severity of the consequence, or
both. The approach should be to optimize risk reduction, that is, to reduce as much of the risk as possible at the
least cost through a cost-to-risk-reduction analysis that leads to prioritizing countermeasures.
1.6.3 Conducting a Cost-Benefit Analysis
A cost-benefit analysis can be performed for security improvements as is commonly done for other
engineering alternative evaluations. A cost-benefit evaluation is most robust if benefits can be readily
quantified. For example, the cost of improvements in physical security (such as improved locks,
alarms, and fencing) can be compared to the value of avoided vandalism damages. Establish baseline
information by collecting information on historical events, such as:
• "tagging" events, trespass events, and unescorted visitors
• frequency and cost of fence and gate repairs
• system breakdowns (e.g., pumps, valves, filters, etc.) and the duration of out-of-service events
• supply equipment lead times
• personnel overtime events due to system problems
When considering design changes to operations, procedures, or physical security, a continued review
of the baseline indicators can provide documentable comparisons to the cost of doing business before
and after implementing changes.
1.6.4 Conducting a Cost-to-Risk-Reduction Analysis
Security improvements can also be prioritized by comparing the cost to implement each security
measure against the degree of risk reduction that the measure would provide. For risk assessment
methodologies such as RAM-W™, the amount of risk reduction can be expressed numerically by
determining the risk score for each asset before and after the proposed security improvement. This
analysis typically shows that measures requiring a relatively low capital investment, such as
implementing security policies and procedures, result in a low cost-to-risk reduction ratio. As shown
in Figure 1-5, a cost-to-risk-reduction curve can be generated, and a determination can be made as to
what measures should be implemented by identifying the "knee of the curve," or the point at which
the risk reduction associated with implementing additional costly security measures is marginal.
FIGURE 1-5
Sample Cost to Risk Reduction Curves
[Figure not reproduced. Panel titles: Policy & Procedure Improvements; Operational Security Improvements; Physical Security Improvements. Axes: Cost ($) and Reduction in Risk Score.]
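The prioritization described in Sections 1.6.2 and 1.6.4 can be worked through in a few lines of Python; this is an added example, not part of the original guidance. The measure names, costs, and risk scores are constructed sample values, and two points are assumptions the guidance does not prescribe: that risk reductions are additive, and that the knee is the point farthest from the straight line joining the ends of the normalized curve.

```python
"""Cost-to-risk-reduction ranking and knee-of-the-curve selection.

Added illustration; every measure name and number below is a constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float         # dollars to implement (constructed)
    risk_before: float  # asset risk score before the measure, 1-100 scale
    risk_after: float   # asset risk score with the measure in place

    @property
    def reduction(self) -> float:
        return self.risk_before - self.risk_after

    @property
    def ratio(self) -> float:
        """Dollars spent per point of risk score removed."""
        return self.cost / self.reduction


def rank_measures(measures):
    """Order measures by cost-to-risk-reduction ratio, lowest ratio first.

    Measures that do not lower the risk score are dropped: their ratio is
    undefined and they add cost without moving the curve.
    """
    useful = [m for m in measures if m.reduction > 0]
    return sorted(useful, key=lambda m: m.ratio)


def cumulative_curve(ranked):
    """Return [(cumulative cost, cumulative reduction)], starting at (0, 0).

    Assumption: reductions are additive, i.e. the measures protect different
    assets or act independently of each other.
    """
    points = [(0.0, 0.0)]
    for m in ranked:
        cost, red = points[-1]
        points.append((cost + m.cost, red + m.reduction))
    return points


def knee_index(curve):
    """Index of the knee: the point farthest below the straight line that
    joins the ends of the curve once both axes are scaled to 0..1.

    Assumed method; the guidance only asks for the point past which extra
    spending buys marginal risk reduction.
    """
    total_cost, total_red = curve[-1]
    if total_cost == 0 or total_red == 0:
        return len(curve) - 1  # nothing to trade off
    gaps = [red / total_red - cost / total_cost for cost, red in curve]
    return max(range(len(curve)), key=gaps.__getitem__)


def select_to_knee(measures):
    """Return (measures to implement first, (cost, reduction) at the knee)."""
    ranked = rank_measures(measures)
    curve = cumulative_curve(ranked)
    k = knee_index(curve)
    return ranked[:k], curve[k]


# Constructed sample input, deliberately unsorted.
SAMPLE_MEASURES = [
    Measure("Perimeter fence upgrade", 400_000, 50, 42),
    Measure("Key control policy", 5_000, 60, 50),
    Measure("Backup power", 200_000, 80, 65),
    Measure("Background checks", 12_000, 55, 43),
    Measure("SCADA security audit", 30_000, 70, 55),
    Measure("Repainted signage", 3_000, 20, 20),  # no risk reduction: dropped
]

if __name__ == "__main__":
    chosen, (spent, removed) = select_to_knee(SAMPLE_MEASURES)
    for m in rank_measures(SAMPLE_MEASURES):
        flag = "implement" if m in chosen else "defer"
        print(f"{m.name:26s} ${m.cost:>9,.0f}  -{m.reduction:>3.0f} pts"
              f"  ${m.ratio:>8,.0f}/pt  {flag}")
    print(f"Knee: ${spent:,.0f} spent for {removed:.0f} points of reduction")
```

With the sample data the three low-cost measures fall before the knee, which matches the guidance's observation that policy and procedure measures tend to have a low cost-to-risk-reduction ratio.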
1.6.5 Comparing Security Risks to Other Risks
Utilities face many risks other than those from malevolent acts that could substantially disrupt their
ability to meet their mission. Another prioritization method that can be used is to compare security
risks to these other "non-security" risks using a common ranking scale. Failures of major facilities or
pipelines due to obsolescence, water quality violations, and unexpected losses of key staff are
examples of risks that utilities must actively manage.
A utility can put its security risks in context by conducting an overall operational risk analysis in
parallel with the vulnerability assessment. While one type of risk is usually not compared to an
operational facet, both can affect the mission of the utility. Risks and issues that affect the ability to
meet the mission can be ranked one above or below another. Although the consequences of a
malevolent act could be high, the probability of occurrence may be relatively low. 2
1.6.6 Developing a Balanced Plan
The concept of a balanced approach to security involves more than physical additions like fences,
guards, and dogs. These design approaches to improved security can be grouped into two general
categories: Basic and Advanced. Basic changes are those that can be implemented more quickly or
with fewer changes, and can occur across the organization in terms of Procedures, Operations, and
Physical Security improvements. Examples of such changes include:
• The design of new facilities and retrofits of existing water system facilities that build in security
features.
• The training of personnel to observe, control, and respond to deliberate actions against
the utility. Without staff commitment to the security program, which will require a cultural
change in the way that business is conducted, the program will not be effective.
• Procedures and checklists that allow for recognition of problems and specify proper reactions to
problems.
• Systems that are operated and maintained for depth of capability and ease of control, including
methods to assess an alarm situation through the use of intrusion sensors, cameras, and other
technologies. Detection of deliberate actions against a water system can be determined in a
variety of ways. On-line monitors and system parameter guidelines indicate when a parameter is
out of bounds. Placing monitors so that they can quickly pinpoint aberrations in operational
parameters provides real-time capability to mitigate intrusions.
• The proper response to mitigate activities designed to keep a utility from meeting its mission
objectives.
• The steps necessary to return to normal operations quickly, efficiently and in a manner that
allows everyone to learn and improve so as to avoid a future occurrence with the same impact to
operations.
2 It is challenging to quantify the probability of a high-level adversary attack given the absence of incident history, while it is relatively easier to
estimate the probability of low-level threats like vandalism given that there is more likely to be an incident history from which to draw.
These approaches can be organized into four categories — prevention, mitigation, response, and
recovery — with examples provided below. Detailed information can be found in subsequent sections.
1.6.6.1 Prevention
Proactive work by utilities on prevention can reap substantial benefits by securing their water
systems from malevolent attacks. Some examples of preventative measures for consideration follow.
1.6.6.1.1 Basic
Consider contracting with a computer security consultant to conduct a periodic audit of the firewall,
routers, and intrusion system. A consultant can relieve the burden of maintaining a high level of
expertise in this area. Balance the need to establish monitoring programs with the need for discretion
regarding water utility critical assets.
1.6.6.1.2 Advanced
• Continuously coordinate vulnerability assessment activities with other nearby utilities, including
organizations that control the source water used by the utility, and participate, to the extent
possible, in assessments conducted to determine that critical water sources and critical operations
are appropriately monitored and adequately protected.
• Work with chemical suppliers to initiate use of anti-hijacking technologies and to develop utility-
supplier protocols for preventing and responding to tampering during shipment.
• Establish a citizen's watch program and a law enforcement education program to help provide
monitoring of hydrants and water utility system sites with the intent of preventing unauthorized
use or entry.
As part of a long-range plan, some utilities may choose to upgrade the current backflow prevention
system by installing backflow prevention devices on commercial and industrial customers that pose
high risk to the water system. Utilities may also choose to eventually install backflow prevention
devices, such as dual check valves, on residential homes as part of a planned meter replacement
program that is part of their long-range Capital Improvement Programs.
1.6.6.2 Mitigation
The ability to prevent a deliberate and planned attack is always limited. The ability to control the
events offers a chance to mitigate the effects of a malevolent event. If water is contaminated or shut
off and the system has means to deliver potable water in other ways, then the effects of the attack
have been mitigated. Redundant delivery systems, backup power, and alternate treatment options,
for example, can mitigate a variety of man-made or natural disasters. To effectively mitigate, a utility
first identifies the parts of the operation that present the most risk or cannot be easily mitigated, then
conducts a risk reduction analysis. Risks and subsequent mitigations are identified and prioritized
until all have been considered.
Some malevolent events will be outside of the utility's control or just not practical to prevent from
occurring. Below are some ways that utilities can mitigate these types of events.
Basic
• If a utility uses groundwater, reconsider developing a wellhead protection program to provide
additional protection to the aquifer.
• To lower consequences of critical asset damage, standardize equipment and maintain spare parts
or identify contractors that can supply these parts on short notice.
• Back up computer system data routinely.
• Identify secondary location for the operating control room.
Advanced
• Develop a computerized water quality/hydraulic monitoring system of the distribution system
that is linked to an integrated geographic information system (GIS) database for critical facilities.
• Consider installing real-time monitoring equipment that has recently been developed to enable
the direct detection of chemical contaminants in water distribution systems.
• Improve the electrical power feeds to the facilities. Redundant electrical power systems
significantly reduce the vulnerability risk to essential operations. Options for providing
redundant systems include installing sufficient backup generator capacity to operate the majority
of the treatment processes or installing an electrical feed from another power provider.
1.6.6.3 Response
Utilities cannot initiate a response to an event until detection and assessment of an intruder alarm or
the actual intrusion has occurred. Initiating response will typically require the notification and
cooperation of, and will benefit from a good working relationship with, law enforcement. Additionally,
EPA's Response Protocol Toolbox is a good source of planning information. Below are some
suggested tools that can be adopted by utilities to improve detection, assessment, and response to
malevolent events.
Basic
• Develop procedures to respond to a security breach located at any water treatment plant (WTP)
facility (including alarm systems). Coordinate with local law enforcement.
• Identify high-priority facilities and work with local law enforcement to improve response time to
these critical facilities.
• Institute a policy that operators and maintenance workers contact the SCADA/alarm monitoring
stations when site buildings and alarmed doors are accessed for operational purposes.
Advanced
• Purchase a "panic button" system to be worn by the operators and maintenance staff that enables
the staff to send a distress signal to the local law enforcement agency in an emergency situation.
1.6.6.4 Recovery
Recovery is a critical part of a utility's balanced approach to securing its water system against
malevolent events. This part of the approach refers to the ability of the utility system to return to full
operation. The best outcome of a deliberate malevolent act is for the public to be unaware of the
event—that the systems, plans, and responses are able to restore services within the reserve capacity
of the system.
The goal of the recovery phase is to return the system to its optimal operational status as soon as
possible. Follow-up actions are also needed to learn and improve; document costs in resources, time
and labor; and to provide information to other agencies that can help to improve identification,
tracking, and prevention of future events.
1.6.7 Prioritizing Security Investments
Typically, developing a vulnerability assessment involves defining a relatively long list of
vulnerabilities and potential improvements, ranked according to the potential risk. When presented
with this list, utilities are able to contemplate how many of the recommendations to implement and
the level of protection that is acceptable. In prioritizing security investments, they need to consider
limited resources and balance the external demand for security with the internal resources available
to implement security measures. In addition to the legal considerations described earlier, there are
other considerations that may be addressed in answering this question.
1.6.8 Documenting the Process
Utilities need to thoroughly document the risk reduction analysis and mitigation decision process
and keep the documentation in a secure location with restricted access. The document is the utility's
roadmap to protecting its system.
1.6.9 Sharing Information
Utilities have a number of opportunities to share information that can reduce costs of enhancing
physical security of their water systems.
• Benchmarking and other industry activities. Participation in benchmarking or other related
industry activities can provide the utility with early access to best management practices that can
be cost-effectively integrated into the program.
• Provide cyber attack details to the local FBI office. The local FBI has established capabilities of
researching and investigating both successful and unsuccessful cyber attacks on utility systems.
• Coordinate/cooperate with contiguous utility systems. Coordination of security-related
programs with contiguous systems can provide additional redundancy and potentially reduce
the costs of securing the utility's water system.
SECTION 2
Management Considerations
for Optimizing Physical Security
• Keep the governing board informed
• Involve all stakeholders
• Address financial resources
• Address human resources
• Manage records
• Update policies and procedures
• Plan for emergency procurement
• Ensure effective communication
• Initiate interagency coordination
2.1 Overview
Many measures available to water utilities to reduce the risks associated with malevolent actions and,
to a great extent, natural disasters are those that can be developed and put into effect without
concrete, metal, or heavy equipment. While all utilities should make the development of security-
enhancing policies and procedures a priority, it is especially important that smaller utilities and those
with limited resources make the most from these low-cost/high-value actions, rather than being
frustrated by the inability to fund major infrastructure countermeasures. These actions include
organizational cultural changes, employee training, stakeholder awareness, and policies and
procedures that change business practices with the goal of a more secure workplace and better
protected facilities.
Utility management can implement these security enhancements for a relatively low cost and in a
manner designed to augment physical security measures that may be added at a later date. This
section provides concepts, strategies, and actions that water utility managers can consider when
contemplating how to possibly prevent and better prepare for both known and unknown challenges
that may arise.
As with all sections in this guidance, this section is not designed to be prescriptive, but rather as an
aid based on best practices used by the most efficient, effective, and secure water utilities in the
United States. It is also designed to guide management as it applies security considerations, even
though physical security upgrades may not yet be in place.
As mentioned earlier in this document, physical security is related to, but not the
same as, protection from natural disasters. Planning for natural disasters has been part of
management's responsibilities for decades. Protecting utilities against malevolent acts has become a
higher priority due to recent events. Preparedness, mitigation, response, and recovery for the threats
and hazards of human-caused events are more complex, requiring continuous re-evaluation of the
motivation and mindset of the threat.
2.2 Governing Board
The governing board of a water utility, whether comprising elected or appointed persons, is the
policy-making body of the utility. The board is ultimately responsible to the utility's customers for
ensuring proper management of the water system to maintain public health and to protect the
environment. From this standpoint alone, it is important for utility management to provide
governing board members with, at a minimum, a high-level overview of water system threats and
vulnerabilities and management's approach to mitigating the associated risks. However, because it is
likely that governing board approval will be required to implement policy changes and physical
security improvements that may impact capital and operations budgets, utility managers should
consider providing board members with more detailed information about water system security.
Possibly, the biggest obstacle to implementing security measures will be convincing the governing
board that water systems are indeed vulnerable. Utility managers may find it helpful to reference the
nationwide emphasis on securing water infrastructure.
• Consider describing EPA's Strategic Plan for Homeland Security and the development of tools
and guides by AWWA, the American Water Works Association Research Foundation (AwwaRF),
and AMWA to assist in the assessment of water system vulnerabilities and in the reduction of
security-related risks.
• Use factual occurrences as examples — illegal entry in distribution system storage reservoirs,
intentional and accidental dumping into a river or lake upstream of a water treatment plant, loss
of equipment due to criminal activity, or vandalism at a remote pump station that could have
resulted in water outages or financial impacts to the utility — to emphasize the importance of
water system security.
• Discuss how a security breach can impact public health, place utility employees at risk, and
damage the environment.
• Examine the effect of an incident for which the utility was unprepared on the credibility of the
utility and the governing board.
• Focus on opportunity cost versus the cost of not implementing security measures, including
possible liability and regulatory action, should the utility not address obvious vulnerabilities or
take reasonable security measures.
• Provide the governing board more than just the consequences; provide management's approach
to responding to the challenges by realistically forecasting short- and long-term needs and the
impact on resources, such as labor costs, other operation and maintenance (O&M) costs, and
capital, as well as on developing funding alternatives.
• Preparing and protecting against man-made events also serves the dual purpose of protecting
facilities against the effects of natural disasters.
While communication with the governing board is imperative, utility managers must be cautious
about those security details that might be revealed in public forums. Therefore, discussions about
water security with governing board members should be held privately if state and local sunshine
laws allow. Sunshine laws and the Freedom of Information Act (FOIA) stipulate the types of
discussions that can take place with board members outside of public meetings and how many board
members can meet without public notification. Sunshine laws are laws aimed at opening up
government procedures to inspection by the public, metaphorically letting the "sun shine" on the
procedures (http://WordIQ.com/definition). For example, the Ralph M. Brown Act governs open
meetings in California for local government bodies, such as boards, councils, and commissions. This
law guarantees the public's right to attend and participate in meetings of local legislative bodies.
Because laws vary from state to state, utility managers should seek guidance from their legal counsel
so that their efforts to keep discussions about security measures confidential do not violate the law. In
general, at public meetings, utility managers should refrain from long and detailed descriptions of
security needs and measures. If board members are briefed in closed sessions not open to public
participation, detailed public discussions should not be necessary.
Utility agencies should also consider formalizing these procedures, briefings, approval levels, and
responsibilities in a written security policy. A security policy can clarify what can and what cannot be
discussed in open forum, as well as outline the level of expectations of the city staff, the management
staff, and the utility staff in securing water facilities.
2.3 Customers and Other External Stakeholders
Utility managers may want to be prepared to respond to questions from customers, the media, and
other external stakeholders who may want to know if or why water security is an issue and what the
utility is doing to reduce risks to infrastructure, persons, and service. These external stakeholders
may include community organizations and environmental activists who are interested in the
countermeasures that the utility may use to prevent or mitigate the effects of events such as a
chemical or biological contamination, disruption of drinking water supply, and loss of fire flow.
Other external stakeholders may be government agencies, elected officials, and business owners who
want assurance that the utility has taken the appropriate steps to maintain service during malevolent
or natural disasters.
Unlike other utility matters, proactive communications with all customers and external stakeholders
about security measures may not be necessary or even desired due to the confidential nature of the
subject. However, utilities can initiate discussions about water security with a few categories of
external stakeholders (such as law enforcement, and fire and health departments) to improve the
planning and implementation of countermeasures and emergency response.
Water utility managers should also initiate discussions with wholesale customers — those cities,
counties, or companies operating regional water systems that provide water to a number of
downstream retail water providers. Wholesale customers can be encouraged to protect their water
systems at the same level of protection as that used by the wholesaler's retail customers. New or
renewed wholesale agreements can include requirements for the wholesaler to institute
countermeasures to mitigate risk to the utility's water system.
Implementation of security measures could have substantial impacts on water system budgets, both
capital and operating. Whether the utility will fund security projects from debt sources or net
revenue, pressure on water rates may necessitate a rate increase. Thus, utility managers will need to
inform customers of the importance of security measures in providing uninterrupted service and
protection of public health and the environment, without revealing significant details about the
approach to security or specific countermeasures. Water utilities may want to consider a specific
surcharge on the base water rate to fund security projects. An example of this strategy is shown in
Figure 2-1 (CleanWaterAtlanta 2004).
City of Atlanta - Ordinance 03-0-2212
SECTION 7: (a) That the imposition of a surcharge shall be placed on all domestic,
commercial, industrial and other users of the City of Atlanta Water and Wastewater System to pay
for the cost to implement the security and infrastructure requirements as described in the
Safe Drinking Water Act and Public Health Security and Bioterrorism Preparedness and
Response Act. (b) that for purpose of this ordinance, the surcharge will be described as the
"Water and Wastewater Systems Security Surcharge." (c) that the Water and Wastewater
Systems Security Surcharge shall be $0.15 per hundred cubic feet for all billing cycles beginning
on and after January 1, 2004. Funds collected from the surcharge shall be deposited in a fund
separate and distinct from other funds of the Water and Wastewater System.
Enacted January 2004
FIGURE 2-1
Sample Surcharge Language
Proactive communication with other water utilities, regulatory agencies, and first-responders
is also important to developing and maintaining a secure system, as described in Section 2.9,
"Communications."
2.4 Financial Planning
When looking for ways to improve security, financial planning presents a very important
opportunity to reduce risks. Key areas include:
• Developing Capital Improvement Plan (CIP) programs that adequately support security
needs.
• Integrating Government Accounting Standards Board Statement 34 (GASB 34) considerations
with the CIP planning for security and reporting purposes. The following is the time line for
actions in the near future (see www.GASB.org for latest requirement details):
  - Phase 1 public entities - those with total annual revenues equal to or greater than $100
    million; actions are required for fiscal years beginning after June 15, 2005.
  - Phase 2 public entities - with total annual revenues equal to or greater than $10 million but
    less than $100 million; actions are required for fiscal years beginning after June 15, 2006.
  - With the exception of, "Public Institutions that report as special-purpose Governments
    engaged only in business-type activities are required to report infrastructure upon
    implementation, without regard to the phase-in periods included in this paragraph. The
    transition period also does not apply to business-type activities for public institutions
    engaged in both governmental and business-type activities."
• Developing a diversified strategy for funding both capital and operating needs that can be
supported by governing boards and customers.
Of these considerations the first three are described in more detail below.
2.4.1 Developing CIP Programs that Adequately Support Security Needs
To meet normal customer demands on the systems and to accomplish security objectives, water
utilities invest in CIP programs and O&M programs to keep existing facilities at proper functioning
levels. Utilities may also need to modify or build additional facilities that have been identified as key
to improving security. Building facilities with improved security can take a variety of forms, such as
providing redundancy where it currently may not exist, improving flexibility and management of
existing facilities, and restricting access to critical facilities.
It is obvious that having an adequate and integrated CIP and funding program is essential because
security-related projects often need to compete with many other capital projects, such as:
• System Growth Requirements. Many water systems with growing and developing population
bases need to spend substantial funding on capital projects to develop new raw water supplies,
expand treatment capacity, or extend distribution system networks to new areas.
• Correction of Identified Deficiencies Not Related to Security. Many utilities have neglected
aging assets. Inventory work and condition assessments conducted as part of asset management
programs have, in many cases, quantified the need for action to make up for past neglect.
• "Normal" Renewal and Replacement. Well-managed water utilities proactively plan to spend a
steady amount on the orderly renewal and replacement of aging system components. While these
projects contribute to the overall integrity of the systems in the long run, in the short run the
funding for these projects may compete with specific security-related investments that have high
priority.
These competing considerations make it increasingly important for water utilities to have sound
processes for identifying, prioritizing, and implementing their capital improvement programs.
Traditionally, water utilities have identified required projects but have not prioritized the projects or
documented how the projects relate to key goals and objectives of the utilities. Increasingly, utilities
are turning to more systematic decision management methodologies that identify and weigh criteria,
and then explicitly "score" the performance of candidate projects. In such systems, security
considerations could be explicitly recognized as a criterion and weighed in relation to other
competing priorities.
The Capital Planning Strategy Manual, published by AwwaRF and AWWA in 2001, includes
instructions and tools for implementing these more systematic prioritization decision management
methodologies. These approaches are sometimes called multi-attribute utility models because scales
are created that measure the contribution (value) added using both monetary and non-monetary
criteria. In addition, cost-benefit relationships can be identified to guide the planning process. The
decision management process can then include the efficiency of candidate projects toward meeting
fundamental agency objectives such as security. By selecting the projects that most efficiently
contribute to stakeholder goals, it is possible to identify a 5-year, 10-year, or 20-year series of capital
expenditures that maximizes the value of security and other goals within identified annual levels of
capital expenditure.
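The scoring and selection approach described above can be sketched as follows. This is an added example, not taken from this guidance or from the Capital Planning Strategy Manual: the criteria, weights, project names, costs, and ratings are constructed sample values, and the greedy value-per-dollar selection is one simple heuristic chosen for illustration.

```python
"""Multi-attribute scoring of candidate capital projects (added illustration).

All criteria, weights, project names, costs and ratings are constructed
sample values; they do not come from the guidance or from the manual.
"""
from dataclasses import dataclass

# Assumed criteria and relative weights; security is one criterion among several.
WEIGHTS = {"security": 0.35, "reliability": 0.30, "growth": 0.20, "regulatory": 0.15}


@dataclass(frozen=True)
class Project:
    name: str
    cost: float    # capital cost, dollars
    ratings: dict  # criterion -> rating on a 0-10 scale


def utility(project, weights=WEIGHTS):
    """Weighted average of the project's 0-10 ratings (weights are normalized)."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    score = 0.0
    for criterion, weight in weights.items():
        rating = project.ratings.get(criterion, 0)  # unrated criterion counts as 0
        if not 0 <= rating <= 10:
            raise ValueError(f"{project.name}: {criterion} rating {rating} outside 0-10")
        score += weight * rating
    return score / total


def rank(projects, weights=WEIGHTS):
    """Order projects by utility per dollar, the cost-benefit ratio."""
    for p in projects:
        if p.cost <= 0:
            raise ValueError(f"{p.name}: cost must be positive")
    return sorted(projects, key=lambda p: utility(p, weights) / p.cost, reverse=True)


def plan(projects, annual_budgets, weights=WEIGHTS):
    """Place each ranked project in the earliest year with enough budget left.

    Returns (schedule, deferred): schedule maps year index to project names,
    deferred lists projects that fit in no year of the planning horizon.
    """
    remaining = list(annual_budgets)
    schedule = {year: [] for year in range(len(remaining))}
    deferred = []
    for p in rank(projects, weights):
        for year, left in enumerate(remaining):
            if p.cost <= left:
                remaining[year] -= p.cost
                schedule[year].append(p.name)
                break
        else:
            deferred.append(p.name)
    return schedule, deferred


# Constructed candidate projects competing for the same capital budget.
PROJECTS = [
    Project("Reservoir hatch and vent hardening", 120_000,
            {"security": 9, "reliability": 4, "growth": 0, "regulatory": 5}),
    Project("Pump station redundancy", 900_000,
            {"security": 6, "reliability": 9, "growth": 3, "regulatory": 2}),
    Project("Distribution main extension", 1_500_000,
            {"security": 0, "reliability": 3, "growth": 9, "regulatory": 1}),
    Project("Aging main replacement", 700_000,
            {"security": 2, "reliability": 8, "growth": 1, "regulatory": 4}),
    Project("Treatment plant access control", 300_000,
            {"security": 8, "reliability": 3, "growth": 0, "regulatory": 6}),
]

if __name__ == "__main__":
    for p in rank(PROJECTS):
        print(f"{p.name:38s} utility={utility(p):.2f} cost=${p.cost:,.0f}")
    schedule, deferred = plan(PROJECTS, [1_000_000] * 3)
    for year, names in schedule.items():
        print(f"Year {year + 1}: {', '.join(names) or 'none'}")
    print("Deferred:", ", ".join(deferred) or "none")
```

Rerunning `rank` with the security weight set to zero moves the aging main replacement ahead of the pump station redundancy project, which shows how much the explicit security criterion changes the order.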
For smaller utilities without a large CIP or operating budget, the increased attention on simple,
effective O&M procedures becomes more important in protecting crucial functions of the system
from threats.
To satisfy both normal renewal and replacement needs as well as security needs, normal activities can
include appropriate security improvements. For example, when a tank is taken out of service for
repair/repaint, use the opportunity to modify valves, vents, hatches, ladders, etc. to enhance the
security of the tank.
Implementing security considerations on existing and new facilities, and the construction of new
facilities to meet growing customer demands, are not mutually exclusive activities. Rather, they are
similar in planning the dollar investment requirements. Normal or routine maintenance and renewal
of assets can be coupled, where it makes sense, to changes in how systems operate or to include
physical security improvements. New system facilities can be designed with those changes already in
place as part of construction and operational functions that help promote security consciousness.
2.4.2 Developing Funding Programs to Support Operating Fund Needs
Developing funding programs that support the operating funds of a water utility is also critical to
reducing risks related to security. Defining and securing stakeholder and governing board support
for operating budgets supports risk reduction in a number of ways. The labor budget (or contract
budget where operations are performed through a private vendor) literally provides the funding
support for the crews that maintain, operate, and monitor the water utility's assets. Inadequate labor
budgets present several labor-related risks, including:
• Possibility of facility breakdowns (e.g., loss of the WTP or a break in a major distribution system
segment) that escalate into emergency situations because the situations go undetected during the
period in which there is still an opportunity for recoverable intervention.
• Risk that power failures, software system failures, computer viruses, or other system failures will
go undetected if there is inadequate or insufficiently trained staff to monitor and react to these
types of security threats.
In addition to providing the labor required to adequately staff the system, the operating budget
contributes to risk reduction/security enhancement by providing funding for operations and
maintenance of security systems, as well as general equipment and supplies needed to keep the
system in proper working order.
Beyond these basic labor and equipment/supply considerations, the operating budget contributes to
risk reduction/security by providing funding needed for the services listed below:
• Operating Reserves. Numerous utilities have set an internal goal of maintaining a minimum of
one billing cycle's worth of operating budget to be set aside in reserve so that utilities can make
payments required in the event of a crisis. Depending on the utility, as much as 90 to 120 days'
worth of operating budget may be required.
• Petty Cash/Liquid Funds. Cash on hand is needed to support immediate needs such as funding
emergency activities or allowing transactions with customers or vendors that do not have access
to alternate payment tools.
• Debt Service Coverage. Many water utilities fund at least a portion of their capital programs
through municipal bonds or through state revolving fund loans. In most cases, these funding
vehicles require that net revenues for the utility be adequate to provide some level of coverage
above the annual debt service payments. The required level varies but is often in the range of 1.10
to 1.25 times the annual debt payment. For utilities with substantial outstanding debt, the
coverage amount can represent millions of dollars. Water utilities that do not provide adequate
operating budgets to satisfy the coverage provisions for their bonds run the risk that their credit
ratings will decline and that they will not be able to incur additional debt for security-related
capital projects. In addition, bond covenants often require that utilities maintain specified levels
of funding such as debt service funds, debt service reserve funds, and emergency funds.
A sometimes overlooked element of operating fund adequacy relates to customer billing and
collection systems and processes. It is critical to long-term financial stability that utilities maintain
high collection rates for their bills or customers will stop paying the bills. Maintaining up-to-date
customer and collection records and taking prompt action to collect on unpaid bills are essential to
credibility. Therefore, it is important for utilities to consider the security and resilience of billing and
collection systems in their vulnerability assessments.
2.4.3 Developing a Funding Program that Governing Boards and Customers Can Support
In addition to developing budgets that reasonably support the capital and operating funds that are
needed to improve security, water utilities need to develop budgets and funding programs that their
decision-making boards and customers will support. To gain support from governing boards, utility
staffs increasingly need to be able to document that:
• Proposed capital programs are justified (i.e., supported by a prioritization process, such as a
vulnerability assessment, and integrated with other capital needs through an asset management
program such as the one described in Section 2.4.1, "Developing CIP Programs That Adequately
Support Security Needs").
• Proposed rate and fee structures are equitable and supportable.
• Proposed financing plans for capital programs are optimal. For example, boards increasingly
want an evaluation (e.g., degree of bonding vs. equity funding, level debt structure vs. balloon
payments) of several financial planning scenarios to determine whether the selected path is
consistent with the utility's goals and objectives.
• Adequate outreach to all segments of the customer base regarding proposed rate increases or
changes in the rate and fee structures has been performed.
Boards understand the value proposition in the utility's overall planning process. Instead of just
performing a standard rate or revenue requirements study, utility systems are increasingly deciding
to conduct strategic or business planning studies that consider the merits of expanding or contracting
the activities that are conducted by the utility.
Customers and other stakeholders are increasingly sophisticated in their attention and interest in
water rate and financial considerations. To obtain support for rates and charges that support the
capital and operating funds required to reduce risks, utilities need to demonstrate to their customers
that:
• Proposed rates and charges are fairly divided among the system's customers and customer
classes.
• Rates and charges are affordable in light of income within the community and in comparison
with rates and charges in neighboring communities.
• Proposed spending by the utility is justified.
For additional information on water rates, see the 2004 AWWA Water Utility Council-sponsored
study titled, "Avoiding Rate Shock: Making the Case for Water Rates."
2.5 Human Resources
Just as employees are critical to the successful operation of a water system, they are also critical to
ensuring a secure water utility. Employees are "insiders"; they have unique knowledge of the water
system's infrastructure, processes, and vulnerabilities. They are authorized to access both facilities
and information; if that access is used with malicious intent, the results could be catastrophic.
Consequently, water utility managers are taking measures to mitigate the risks posed by new,
existing, and former employees.
Numerous federal, state, and local laws pertain to employee rights and the employer-employee
relationship. These laws determine the security measures that water utility managers can and cannot
take when employees are involved. In addition, bargaining unit agreements will undoubtedly
address employer-employee relations and may restrict the employer's use of otherwise lawful
security measures. It is imperative that a utility's legal counsel be consulted before any security
measures involving employees are implemented, including those discussed in this document.
Employees can play a vital role in ensuring that the water system is kept secure through
heightened awareness and adherence to policies and procedures. To gain employee buy-in, consider
beginning with security awareness training for all employees as part of new employee orientation.
This training can provide an overview of the vulnerabilities faced by water utilities and the threats
that must be protected against. Employees can receive an explanation of new and proposed security
policies and be instructed on how they can assist in reducing security risks.
To integrate security concepts into the organizational culture, utility management can emphasize
security in its actions and communications. Some suggestions include:
• Discuss security with the staff during formal and informal meetings.
• Make security an agenda item at every staff meeting.
• Provide employees with adequate security training (see Section 2.5.6, "Training").
• Develop security policies and procedures and enforce them consistently and equitably.
• Include initial and recurring background investigations and quarterly employee reviews in
addition to annual performance reviews.
• Consider creating a position of utility security officer, or expand the responsibilities and
authority of an existing position (e.g., the safety officer).
• Give the individual(s) assigned responsibility for security the appropriate authority to correct
shortcomings and take necessary actions.
• Include articles on security in internal newsletters.
The approach to integrating security into the culture of the utility is similar to the process used to
integrate worker safety into all aspects of utility operations. While employees do not become security
guards (security guards are outside hires best suited for a temporary situation), full-time, permanent
employees offer the knowledge and awareness capability to detect, discern, and deny an outsider
from causing an emergency situation within the utility.
2.5.1 Background Checks
Utilities may want to consider adopting a practice of conducting basic background checks of
applicants for utility positions. Typically, such background checks can include confirming past
employment, education, professional certifications, and references, as well as any facts available
through public records. Advertisements and notices for positions should include a statement that
background checks are required, and applications for employment should include a waiver whereby
the applicant allows the background check and also authorizes the applicant's former employers to
speak with the utility. Background checks should be completed before job offers are made, or job
offers should be contingent on a background check. If lawful and if consistent with bargaining unit
agreements, background checks with periodic reviews should also be conducted for current
employees.
Consideration should also be given to expanding the background check to include criminal and other
records such as driver's license, worker's compensation, military service, credit history, and possibly
character references. Be aware, however, that there may be significant legal restrictions and liability
associated with enhanced background checks. Whatever level of background check is conducted, it is
imperative that the utility maintains consistency for all applicants or for all who apply for a specific
position.
It should be noted that background checks are sometimes faulty and need to be confirmed through
other channels, if possible. For example, criminal background checks may be incomplete or
erroneous. Local law enforcement agencies may only have criminal records of those persons living or
convicted within their jurisdiction. On the other hand, national databases may not contain
information from cities and counties unless such data was input specifically into the national system.
Similarly, credit records may be incomplete or inaccurate.
A more thorough discussion on the subject of background checks is contained in the AMSA
publication entitled, "Legal Issues in a Time of Crisis Checklist." [1]
2.5.2 Identification Badges
Depending on the size of the utility operation, the use of employee identification (ID) badges may be
considered. If so, the following paragraphs provide important areas to consider. If employee badges
are not used, employees still need to understand and act on the presence of unauthorized individuals
in areas under the utility's jurisdiction.
Employee ID badges provide instant verification of whether individuals are authorized to be at a
utility's facility or to handle utility equipment. Color-coded badges can be used to alert others if
employees are in an inappropriate area and can deter employees from straying into restricted areas.
ID badges can contain an up-to-date color photo of the employee, along with a date of expiration.
Both the photo and date of expiration, and color code if used, should be visible from a distance of
several feet. Renewal of ID badges may occur at a period not to exceed 2 years from the date of issue.
The badges may contain security features such as holograms, watermarks, as well as magnetic strips
or radio frequency identification (RFID) devices that permit access to designated areas and track
locations of employees.
All employees, including temporary and part-time employees, interns, and volunteers, should be
issued ID badges and be required to wear them in plain sight. Employees who forget their badges or
who are visiting other utility locations should be issued temporary ID badges. Such badges should, at
a minimum, be time-sensitive or light-sensitive so that the "age" of the badge is visibly apparent. In
addition, or as an alternative, authorized personnel may escort employees visiting locations outside
of their authorized areas.
[1] Association of Metropolitan Sewerage Agencies. 2002. Protecting Wastewater Infrastructure Assets... Legal Issues in a Time of Crisis
Checklist.
Removal and storage of employee badges when outside of the work areas should be a regular
practice, as well as when in public areas away from work. In terms of security, security badges
should not be visible to others who may want to copy the design.
2.5.3 Employee Surveillance
Employee surveillance serves two purposes: to enhance employee safety and to monitor potential
insider threats. While surveilling employees may seem to indicate that utilities do not trust their
employees, this topic is included because the focus of this guidance is the increased security of
utilities and their assets.
Monitoring of employee activities at their workplace may be subject to federal and state privacy laws.
In general, however, it is acceptable to routinely monitor employee use of electronic media, such as
e-mail and Internet surfing. Depending on the size of the utility operation, the use of closed-circuit
television (CCTV) or other forms of video monitoring may be implemented. Monitoring of employees
through CCTV cameras is also typically acceptable, as long as the cameras are visible to employees.
One important prerequisite of employee surveillance is notifying employees that they are being
monitored; otherwise, the employees may have a reasonable expectation of privacy in their work
area, and the utility may face legal challenges to information obtained in this way.
Some utilities have taken a simpler approach and implemented a buddy system for entry into critical
facilities. However, to make this system effective, some type of recognition hardware needs to be in
place, such as cameras or access card readers.
2.5.4 Employee Response
Effective reaction to, and recovery from, malevolent or natural events depends upon a rapid and
thorough response by a knowledgeable and experienced workforce. Utility management should
develop policies and contingency plans to address problems that employees may have traveling to
utility sites and facilities during and after an incident. Additionally, management should be aware
that employees may decide to remain at home with their families or evacuate from the vicinity if a
disaster should occur, thereby leaving the utility without needed labor and expertise. Utility
management may want to consider developing a family shelter/evacuation plan that will provide
employees a level of confidence that their families are safe while they respond to their duties at the
utility. Human resource policies should address what will be considered an acceptable excuse for not
responding to work during an incident, or even if a severe malevolent act advisory is declared, and
what action should be taken for non-excused absences. It is important to note that such policies
should be determined with a thorough understanding of the utility's legal responsibilities governing
employee leave, including relief allowed employees under the Americans with Disabilities Act.
While many of these issues can be addressed in company human resources policies and procedures,
they can be repeated in the ERP, as discussed in Section 7, "Emergency Response Planning."
2.5.5 Contractors
It is important that utility managers consider not only their own employees as a potential insider
threat, but also contractors who may have access to utility facilities and information at any given
time. Vendors, delivery personnel, service providers, and outside utility representatives can also be
considered potential insider threats.
Suggested contractor security procedures include:
• Establishing good sign-in and sign-out procedures (e.g., requiring a photo ID that matches the
individual and his or her signature) and limiting access to sensitive areas (such as chemical areas
and SCADA controls).
• Requiring visitors to sign in and wear a visitor badge so contractor employees are easily
identified. All visitors and badges should be accounted for at the end of the day.
• Requiring escorts if physical barriers are not present.
• Limiting use of private vehicles at the utility's sites.
• Remote read meters could be installed to limit some outside access, and deliveries can often be
made to other locations not located near sensitive or critical operational areas.
• Evaluating the environmental, health, and safety record of contractors before signing contracts;
considering offering environmental health and safety training to contractors onsite.
• Performing background checks on contractor personnel assigned to project sites. While this is a
sometimes difficult activity, it could be considered depending on the situation.
In addition, for construction contractors the following could be considered:
• Locking construction gates at end of the day and when not in use; using interlocking padlocks
with utility locks.
• Evaluating potential misuse of heavy equipment and taking appropriate measures.
• Considering ways of securing heavy equipment each night.
• Considering additional fencing and separate entrance, separate parking areas, and guards to
coordinate construction staff.
2.5.6 Training
To ensure that a security program is effective, the staff can be trained in many aspects of security and
emergency response. With improved security actions comes a new culture for water professionals.
This section discusses types of training and training resources important for utility staff.
2.5.6.1 Types of Training Sessions
Utilities can make their own determinations regarding the variety and level of detail relevant to their
situations. Initial and recurring training sessions can also be scheduled to reduce impacts to
operational budgets.
Table 2-1 lists relevant training categories that may be applicable to a complete spectrum of water
utility personnel. If a particular training is more important for one group of personnel, that group is
listed in the Notes column.
The main training type categories, as listed vertically in the first column, are subjects to which all
utility employees should be introduced. The specific areas, and the length and breadth of the training
may vary depending on size and scope of utility operations, and should be tailored to each situation.
Depending on budgets and schedules, a timetable should be established to have everyone reach basic
comprehension of the categories listed. Once achieved, further training, certifications or proficiency
levels, joint exercises, and the like can be planned on a more periodic basis.
2.5.6.2 Location of Training Exercises
Many state and local resources are available to conduct, and sometimes fund, training for utility staff.
When considering training, it is a good idea to check with city and county administration, police
departments, fire departments, local emergency planning agencies, local health departments, and the
Red Cross to inquire about available training. Nearby utilities may want to participate in training
sessions and contribute funding.
2.5.6.3 Staff Motivation
Staff often complain about attending training sessions, especially when their daily jobs are busy.
There are several incentives to help motivate staff to attend training:
• Provide certification toward professional development hours
• Require training as part of employee evaluations
• Further career goals/personal development
Providing lunch or snacks during a training session can also help to make the day more efficient and
enjoyable.
2.5.6.4 Cross-training
Training staff members in skills outside of their normal duties may be prudent so that multiple staff
members can perform needed tasks in times of emergency. For example, operators should
understand basic maintenance of pumps, motors, and electrical components. Likewise, maintenance
workers should understand the basics of treatment plant operations. A cross-training program
should involve treatment plant workers spending time with and learning the skills of distribution
system workers, as well as gaining knowledge of the raw water input system. A cross-training
program also provides a more flexible workforce that will not only improve response during an
emergency situation, but will also allow for improved efficiencies during normal operations.
Planning for a cross-training program may need to involve the utility's bargaining unit and human
resource professionals.
Table 2-1 [...] Emergency Response Training Relevant for Water Utility Personnel
(The table is printed sideways across two pages and is only partly legible in this copy. The training
type names in the first column are not legible. For each row, the legible cells give the purpose of the
training, its benefit, and a description, in that order. "[...]" marks text that was cut off.)
• To provide staff with security awareness basics and familiarize staff with general utility security
procedures.
- Facilitates a security [...] culture at the utility. [...] operating procedure [...] foreground.
- Provides the means to identify potential security concerns on a daily basis. This may include
information on physical and cyber security, as well as suspicious persons. The course also reviews
basic security procedures in use by the utility.
• To assist the public in a [...] and effective manner; to effectively manage [...] employees.
- Minimizes complaints [...] customer satisfaction [...] positive customer [...] minimizes internal [...]
encourages consistent [...] documentation [...]
- Provides background in understanding human behaviors; teaches various methods to handle upset
customers; practices techniques in various situations.
• To familiarize staff with [...] plan.
- Enhances efficiency [...] response.
- Includes a walk-through of sections; reviews location of information.
• To familiarize staff with emergency response [...] and participants.
- Increases efficiency, [...] and interagency [...] coordination.
- Presents a scenario with key players participating. Advances participants through scenarios;
lessons learned are presented.
• To enhance knowledge [...] capabilities needed during emergency response.
- Increases efficiency, [...] and interagency [...] coordination.
- Presents a scenario where the key players are located at their respective agency locations during a
mock emergency. Lessons learned are presented.
• To teach the principles [...] and to become familiar [...] the structure and terminology [...]
- Enhances understanding [...] allowing for future [...] emergency.
- Includes modules designed to start with the basic structure of ICS and progress to becoming an
Incident Commander and understanding the responsibilities associated with that position.
• To provide care to another [...] person.
- Enables assistance [...] injured prior to [...]
- Teaches basic first aid to provide initial care [...] an injured person. Teaches the steps to baby,
child, and adult [...]
• To understand the [...] and limits of a machine [...]
- Prevents potential [...]
- Provides background on how the machine works and a skills test on how to use the equipment.
• To effectively use a fire extinguisher and [...] types with the proper extinguisher.
- Eliminates small fire [...]
- Teaches the parts to an extinguisher and types of extinguishers; practice using an extinguisher on
a fire.
• To teach use on-line monitoring equipment throughout the water systems.
- Enables the utility to know about [...] contaminant before it reaches [...] water plant or the
distribution system.
- [...] the use and maintenance of [...] equipment.
• To teach the capabilities and operations of a 800 MHz radio.
- Ensures effective use of a 800 [...] radio, which police and fire departments use.
- [...] the operations, channels, [...] maintenance of the radio; [...]
• To learn about other types of safety equipment, and company and Occupational Health and Safety
Administration (OSHA) laws.
- Prevents a hazard event from occurring by knowing how to [...] safety equipment properly.
- [...] the various types of equipment [...] (e.g., breathing apparatus), their [...], and limitations.
• [...]
- Fulfills federal regulations and prevents hazards from occurring.
- HAZWOPER training [...] conducted in accordance with [...] Federal Regulations, Part 1910.
[...]10.120). This training is required [...] who handle, ship, or dispose [...] materials, or who are
assigned [...] response teams for [...]. Both initial and annual [...] is required.
• To familiarize employees with job responsibilities outside their areas of responsibility.
- Provides backup knowledge in operation of critical facilities.
- [...] background information and [...] to operate critical facilities.
• To provide general emergency management courses offered on the FEMA Emergency Management
Institute training campus.
- Improves coordination during [...] emergency.
- [...] a concentrated emergency [...]
• To familiarize emergency personnel (e.g., police, fire) with utility facilities [...]
- Increases communication and decreases response time during emergencies.
- [...] a tour and brief classroom [...] to the utility's system components [...] conditions, chemicals
stored on [...] points, etc.
2.6 Records Management
It is critical that utilities have policies in place that specify the documents that are sensitive, and that
the utilities manage their documents and records so that sensitive documents remain in a secure
environment. These actions are needed to prevent sensitive documents from being accidentally
released to the public, for example, in response to a FOIA request. Utilities should consider
developing levels of document security ranging from non-sensitive (available to the public without
restriction) to highly sensitive (available only to limited staff and maintained in a highly secure
environment). Examples of records and material that should be considered as sensitive include:
• Vulnerability assessments, including supporting documents and files
• Emergency response plans and disaster recovery plans
• Audit records related to security
• Security and emergency response training materials
• Plans and specifications for security systems
• Plans and specifications that show the locations of critical assets and security equipment
• Current and historical operating records
Suggested policies for consideration for securing sensitive documents include:
• Providing access to sensitive project materials to authorized staff only.
• Keeping all hard copies of sensitive material in locked metal file cabinets to which only
authorized project team members have access. Containers with locking bars could be used that
are similar to those specified by the federal General Services Administration (GSA) - minimum
Class 5 security containers. (See GSA specification AA-F-363D for more information regarding
these cabinets.)
• Shredding all discarded working copies and maintaining only the minimum number of hard
copies required. Shredding should take place onsite, and should not be contracted to an
outside vendor.
• Maintaining all electronic copies of sensitive material on a password-protected secure server.
Only authorized staff will be given access to this material. (See Section 5, "Cyber Security
Management, Operations, and Design Considerations," for additional information regarding
precautions that can be taken to prevent unauthorized access of electronically stored documents.)
• Attaching a confidentiality clause to all sensitive documents given to authorized outside agencies
and organizations. This clause can declare that these documents should not be reproduced nor
given to others without authorization. The confidentiality clause should be present on all pages
of a document, not just the covers.
• Verifying the identification of the recipient and determining whether the need for the document
is valid prior to distributing sensitive documents.
• Requiring individuals from outside agencies and organizations who are given access to
documents to sign confidentiality agreements.
• Preventing transmission of sensitive material electronically (such as via e-mail and downloading
from servers).
• Including a confidentiality notice with electronic correspondence, such as:
Confidentiality Notice: This e-mail and any files transmitted with it are confidential and
intended for the sole use of the individual(s) to whom they are addressed. If you have received
this e-mail in error, please delete the original message from your system and destroy any
copies.
Utilities should consider how information about their facilities is distributed to potential contractors,
consultants, and other outside agencies and organizations. Plans, maps, and specifications can serve
as roadmaps and planning tools for malevolent actions. To control documents circulated to
contractors, all bid documents can be distributed on a CD-ROM (that cannot be duplicated).
Requiring a deposit for the CD-ROM can also provide an incentive for unsuccessful bidders to return
the documents, which can be destroyed at that time.
Project materials are to be kept confidential at all times on consultant and contractor projects. To keep
these materials confidential, first, a clear project chain of command is identified and followed
rigorously so that information is exchanged only as specified. Second, all electronic project working
files are isolated in a secure, encrypted project library with access provided only to authorized users
with appropriate levels of password protection. Third, periodic security surveys are conducted to
determine whether staff, outside agencies, and consultants are following the security procedures.
Because public agencies are subject to state and federal FOIA requests, it is important to have
established measures to prevent sensitive documents such as vulnerability assessments or security
plans from being subject to public requests. An exemption for security-related information was
added to the federal FOIA law and was included in the Public Health Security and Bioterrorism
Response Act of 2002, which required community drinking water systems to conduct vulnerability
assessments. Because state laws are generally not superseded or limited by federal law, utilities in
some states cannot rely on the federal FOIA exemption to protect sensitive information. As such,
many states have also included special provisions in their FOIA laws to exempt security-related
information. Find out what your state's rules are by consulting your state agency. For a summary of
security-related FOIA exemptions, see "Protecting Water System Security Information" by the
National Conference of State Legislatures (2003) or "State FOIA Laws: A Guide to Protecting
Sensitive Water Security Information" by the AMWA.
Computerized Maintenance Management Systems (CMMSs) and SCADA systems, when fully
integrated, offer database compilation of considerable amounts of data pertinent to water system
operations. These data, along with the other documents listed at the beginning of this section, contain
important information regarding the utility that can be useful in both normal and emergency operating
conditions. Electronic databases offer benefits such as automatic backups and other security controls;
the policies and practices for managing electronic data should be comparable to those managing the
security of business files and other paper documents.
2.7 Policies and Procedures
Simple and effective changes to a utility's policies and procedures can often have just as great an
impact on risk reduction as capital improvements or installation of security devices. Policy and
procedure changes are generally quick to implement and low in cost, making them an extremely
effective way to improve utility security. The key to the success of any change is to make sure that the
staff understands and accepts the new policies and procedures. It is imperative that the staff is well
informed of the policies and procedures and the reason that these are important. Policies and
procedures can only be effective when they are consistently implemented. Some general policy and
procedural recommendations are provided below.
2.7.1 Basic
• Track keys issued to personnel.
• Retrieve keys when no longer needed, including those instances when personnel are reassigned.
• Replace locks on an as-needed basis to reduce the likelihood of security breaches due to lost keys,
unauthorized duplicate keys, keys held by former employees, etc.
• Replace the traditional key systems with a card reader system for better control options.
• Implement random, but frequent, inspections of the security perimeter at critical facilities
identified in the vulnerability assessment, and designate appropriate review intervals for
inspections of security equipment at other facilities. Establish a minimum number of personnel in
the inspection crew in procedures, safety plans, etc.
• Implement a formal annual review of the adequacy of security plans, procedures, and equipment.
• Involve and cooperate with other organizations that can affect the utility's security. For example,
contact chlorine and other chemical suppliers to discuss the need for adequate security during
transport as well as to develop protocols to respond to missing or delayed shipments.
• Maintain replacement parts and emergency repair kits for critical assets, such as generators, that
are important during emergencies. Maintain redundant equipment, critical replacement parts,
etc. in a separate or isolated location. It can be on site or nearby, but not within the same building
or room.
• Develop a utility vehicle use policy (including locking vehicles and tool bins, securing tools, etc).
• Establish procedures for night shift workers at treatment facilities, including regular check-ins
with supervisors.
• Establish published guidelines so that all future procurements and designs address security
issues and incorporate solutions. All requests for proposals should include a security portion so
that responding consultants are reminded that security must be addressed in their work and in
their own operational practices.
• Continue to monitor the visitor entrance. Establish a policy for facility tours delineating who is
authorized to approve access, areas that can be accessed, and the times that tours are allowed.
• Establish and implement a system of chemical receipt checks as both a safety and security
measure. Detailed information on topics such as purchasing, pre-unloading verification,
sampling, and testing can be found in the September 2001 issue of Journal AWWA in the article
titled, "Improved Chemical Handling Procedures."
2.7.2 Advanced
• Compartmentalizing access to various parts of the water system so only necessary personnel are
granted access to specific areas. For example, limit access to SCADA cabinets to appropriate
personnel.
• Placing alarms at remote facilities into a non-alarm mode for temporary access when authorized
entry is made. This temporary mode will automatically revert to a secure mode after a preset
time.
- Program this feature into card-key access systems.
- Require call-in to alarm station prior to entry for facilities without card-key access.
• Supporting citizen crime-watch committees in areas around utility facilities.
• Establishing a maintenance program to keep alarm equipment, hardware, and fence lines
properly maintained. Maintenance of all security equipment, including physical systems such as
fences, is a vital part of the security of the water system. Dedicate required resources for proper
oversight of the security systems and maintenance program.
• Establishing distribution system contingency plans. Utilities can consider the use of distribution
system modeling for emergency response to isolate the distribution system and flush and contain
the contamination.
• Maintaining security incident, alarm, and audit logs.
• Ensuring that generators are exercised regularly under realistic loading scenarios so that their
reliability is ensured in an emergency.
The following is a list of general policy and procedural recommendations specifically for laboratory
facilities:
• Secure laboratory reagents and limit access only to authorized personnel.
• Continue to create and maintain an inventory of reagents kept at the laboratory. Such an
inventory would alert the plant manager if someone is buying dangerous chemicals (e.g., metals,
cyanide, etc.) each week for a few months and accumulating a large enough quantity to cause
serious problems at the plant.
• The laboratory manager should perform random checks to catch unusual patterns of excessive
purchase of dangerous chemicals. Currently, scientific chemical suppliers do not have limits on
quantities that can be ordered. The laboratory manager should arrange with the suppliers to limit
the amount of chemicals that can be ordered at one time. Also, the plant manager should arrange
with the chemical vendors to ship only those orders requested by authorized staff.
2.7.3 Suggested Policies
The following checklist can be used as a starting point for developing policies to address security at
the utility:
• Human Resource Policies
- Who is subject to background checks and what checks are made
- Requirements for employee identification, including badging
- Protocol for contacting off-duty and on-call employees for emergency response
- Management succession
• Training Policies
- Definition of appropriate training
- System of selecting staff for training
- Cross-training goals
• Vehicle and Heavy Equipment Policies
- Definition of authorized use, especially in emergency situations
- Circumstances under which vehicles and equipment can be taken home
- How and where vehicles and equipment are to be parked or stored
- Requirements for locking vehicles and securing equipment
• Facility Access Policies
- Key, card key, and lock control
- Limiting access to facilities or portions of facilities by security level
- Handling of visitors, tour groups, vendors and deliveries, chemicals, construction materials,
packages, mail
- Construction site security
- Alarm and CCTV monitoring protocols
- Guard service
• Information Access Policies
- SCADA
- Management information system, facilities information system, laboratory information
management system, computerized maintenance management system, etc.
- User name assignment and password protection
- Internet and intranet use
• Records Management Policies
- Storage and retrieval of documents
- Archiving and long-term storage
- Employee access to FOIA-exempt documents
- Clear-desk and clear-screen issues
- Bid plans and specifications
• Materials Management Policies
- Responsibilities and authorities
- Inventory frequency
- Emergency purchasing authorization
2.8 Procurement
For the most efficient response to and recovery from an emergency, utilities may want to be familiar
with both standard and emergency procurement procedures.
2.8.1 Emergency Procurement
To undertake rapid and effective response to and recovery from catastrophic events, it is imperative
for the staff of a water utility under specific circumstances to be able to procure supplies, materials,
and services quickly and outside the normal procurement process. Utility managers should
familiarize themselves with existing procurement policies to determine whether provisions exist for
emergency procurement and, if necessary, proceed with instituting changes that may be needed to
address malevolent acts in addition to the natural threats typically covered by procurement
regulations.
Emergency procurement of supplies, equipment, materials, and even contract labor is part of and
should be detailed in the ERP issued by a utility to ensure business and operational continuity.
Section 7, "Emergency Response Planning," contains additional discussion on ERPs.
Most water utilities have, or are covered by, policies of their parent governments that address
emergency procurement; however, these existing policies may not provide the flexibility needed to
effectively respond to the types of incidents that utilities may be facing today. Many procurement
policies allow for emergency purchases of materials and supplies, and possibly services, through an
abbreviated procedure that usually postpones the need for the highest level of approval typically
required for purchases. For example, approval of a purchase or an award of a contract that normally
requires governing board approval may be authorized by a utility staff member and brought to the
board for an "after-the-fact" approval once the emergency is over, with the understanding that
sufficient justification for the procurement action is required.
Procurement policies may require the declaration of an emergency by an elected official or the
highest level of the organization before the standard procurement steps can be waived. Other
procurement policies may delegate the authority to make an emergency purchase to a department
manager if that manager can justify that the purchase is necessary to immediately protect life, health,
and safety that would otherwise be jeopardized if the normal procurement procedures were
followed.
While most emergency procurement provisions have met the needs of water utilities over the years,
the malevolent acts now being faced create some new challenges that existing procurement policies
may not be able to meet. For example, an event may result in injuries, fatalities, and interruptions in
both communications and power. It may be impossible for local authorities to declare an emergency
condition, or if declared, utility staff may not receive the declaration in a timely manner. Similarly,
approval of an emergency procurement by a high-level official may not be possible within the
timeframe necessary to react to a life-threatening condition.
Consequently, procurement policies should address emergency purchases that may be necessary
under extreme conditions where high-level approvals may not be achievable and where
communication networks are out of service. The following provisions should be considered for
inclusion in a utility's procurement policy:
• Allow for the procurement of construction services, engineering services, and personnel services
in addition to the purchase of materials, equipment, and supplies.
• Permit emergency procurement to protect against imminent harm to the environment and property
and to maintain water service, in addition to the protection of life, health, and safety.
• Authorize emergency procurement to protect "employees" in addition to the "public" to avoid
ambiguity.
• Eliminate the requirement of an official outside of the utility to declare an emergency as a
prerequisite to invoking emergency procurement procedures, and provide a chain of decision-
makers authorized to approve emergency purchases. For example, if the Utility Director is
unavailable or unreachable, the Water Operations Manager can give approval; if both are
unavailable or unreachable, the Maintenance Superintendent may give the approval.
• Authorize approval of emergency procurement to management and supervisory personnel at
different locations (facilities) throughout the utility.
• Provide for an automatic waiver of standard procurement procedures should a certain level of
threat be declared for the utility's location by a government agency (e.g., DHS raises the Threat
Advisory to "red").
• Include the need to strive for integrity and fairness in the procurement process, even during
emergency situations.
• In addition to making emergency procurement procedures more attuned to the threats faced by
water utilities, leverage other procurement methods to provide flexibility to prepare for, react to,
and recover from disasters. On-call contracts are an effective method to acquire materials or
services as needed without having to go through multiple procurements or invoking emergency
purchasing procedures. On-call contracts are procured through normal procedures at annual,
biennial, or even 5-year intervals.
• Have contractors and suppliers bid on a "basket" of items or services developed by the utility.
More than one contractor or supplier can be selected for the same items or services to allow the
greatest flexibility to the utility when the need arises. On-call contracts should require availability
of service 24 hours a day, 7 days a week, every day of the year. In selecting a contractor or
supplier, balance the need for a quick response that is better met by a company in proximity to
the utility with the fact that being in proximity may mean that a company may not be able to
respond if a regional catastrophe occurred.
• Use existing contractors to provide immediate availability of equipment and labor to respond to
an emergency. Utilities typically have a number of ongoing construction projects as part of their
CIP and annual maintenance activities. These existing contracts can be successfully used to
quickly bring in construction equipment and expertise to supplement the utilities' workforces.
• Initiate cooperative purchasing agreements to provide increased flexibility for procurement.
Cooperative purchasing allows a utility to procure items and services through contracts that exist
between other organizations (e.g., other utilities, government agencies, industry associations) and
their suppliers and contractors. In most states, municipalities and counties can make purchases
from state contracts, and state and local governments can make information technology
purchases from federal GSA contracts. Utilities may wish to coordinate with other utilities and
local governments in their states and adjacent states and cooperate on developing specifications
and allowing purchases from each other's contracts.
2.8.2 Procurement of Security-related Equipment and Services
Utility managers may be concerned about following standard procedures when procuring
equipment, materials, and services that relate to the security of assets. The requirement of public
advertising for bids on security equipment and projects with detailed plans and specifications may
jeopardize the very security being put into place. While states may enact laws exempting
security-related documents and drawings containing security information from FOIA requests, at least
one state has begun to address the issue of exempting the procurement of security-related materials or
projects from the requirement to publicly advertise and receive formal bids. As shown in Figure 2-2,
the State of Alabama recently took such action by amending its State Code to exempt
security-related procurements (Legislative Reference Service of the State of Alabama 2004).
While an exemption from public advertisement and bidding procedures provides a utility the
greatest flexibility, there are other methods that may reduce the risk of exposing a utility's security
strategy in its process of procuring equipment and construction services. Some steps that may be
taken for security-related projects include:
• Allowing for soliciting of price quotes from vendors and contractors without widespread public
notice.
• Pre-qualifying contractors, consultants, and suppliers and allowing only those meeting specific
criteria to bid on security-related projects.
• Requiring that officers and staff of any company desiring to do security-related business with the
utility sign confidentiality agreements.
• Allowing viewing of plans and specifications only within a secure room instead of distributing
plans to potential bidders or providing access to a central "plan room."
• Dividing projects so that no one bidder has a complete view of the project.
• Considering design-build contracts where one company is selected to both design and construct the
facilities, or in the case of security equipment, both develop the specification and be responsible
for its installation.
FIGURE 2-2
The Code of Alabama
§39-2-2(g) "In the event of a proposed public works project acknowledged in writing by the Alabama
Homeland Security Department as (i) having a direct impact on the security or safety of persons or
facilities and (ii) requiring confidential handling for the protection of such persons or facilities,
contracts may be let without public advertisement but with the taking of informal bids otherwise
consistent with the requirement of this title and the requirements of maintaining confidentiality.
Records of bidding and award shall not be disclosed to the public, and shall remain confidential."
§41-16-51(a) "....the competitive bidding requirements of this article shall not apply to: ...(15)
Contractual services and purchases of product related to, or having an impact upon, security plans,
procedures, assessments, measures, or systems, or the security of persons, structures, facilities or
infrastructures."
Enacted May 2004
2.9 Communications
When it comes to safety, security, and emergency response, effective communication is the single
most important concept that can assist in repairing a problem and restoring public confidence. It is also
a concept that is not often initially considered by the technical staff involved in an emergency event.
The benefits of effective communication include increased efficiency, improved coordination to
accomplish a goal, and more available resources, such as equipment and technical knowledge, from
other agencies. Furthermore, communication improves emergency response efforts by decreasing
response times and allowing utilities a sense of confidence based on anticipated assistance from other
agencies. Lastly, effective communication can create a sense of teamwork and camaraderie among
utility personnel and the outside agency personnel who assist them.
2.9.1 Communications Equipment
Many types of radios and phones can be used to communicate with utility employees or with outside
agencies such as the fire department. Utility management can consider using any of the following
options:
• Two-way radios⁴ are a highly effective means of standard communication between dispatchers
and field vehicles. Extra charged batteries can be carried at all times to prevent loss of contact.
• Cellular phones⁴ are becoming more popular, especially those with two-way radios built in.
Again, extra batteries and/or a charger should be readily available. Keep in mind that, during
large-scale emergencies, cell networks can become overloaded and useless, or the repeater towers
and equipment may be off-line.
• 800 MHz radios are used by fire and police departments; a utility is encouraged to have at least
one 800 MHz radio to facilitate communication with first responders. Training is required to
understand how to use this technology and communicate with responders. Training is often
available through local fire, police, or emergency managers.
• Volunteer Amateur (ham) Radio Operators offer an alternate distance communication channel.
Research the capabilities that may be available in your community.
• Government Emergency Telecommunications Service (GETS) Program (http://gets.ncs.gov/)
allows utility staff to obtain a telephone line by dialing an access code during an emergency. This
line can prove very useful in a situation when telephone and cellular phone lines are typically
busy. It is free to sign up and receive calling cards for selected staff. During use, there is a
minimal charge per minute. Utilities must sign up for this service prior to the actual emergency
or need to use the service.
2.9.2 Internal Communication Practices
Internal communication practices are important in preparing for, identifying, and responding to
security concerns. Following standardized procedures when communicating with fellow staff during an
emergency is extremely valuable. It allows for efficient responses and decreased conversation time,
both beneficial during an emergency.
Utility management should provide personnel with a clear protocol for reporting security concerns.
This procedure is utility-specific and could simply be a telephone number to the utility manager or a
detailed procedure for notifying security staff or police.
Emergency contact lists are essential for contacting staff after hours for emergencies. Many utilities
maintain on-call schedules, with associated home, cell phone, and pager numbers. Utilities should
ask all personnel required for after hours service to provide an after hours contact number or ask that
they be willing to carry a utility cell phone for communication after hours. Contact lists should be
reviewed at least every 6 months, and updated as necessary. Managers must be aware of privacy
concerns, and they should restrict access to employee personal information to only those with a need
to know.
⁴ Cell phones and two-way radios should not be used during a bomb threat because their signal may set off the bomb.
Methods of developing internal communication include holding employee meetings, posting weekly
newsletters, and conducting internal workshops. External activities, such as company picnics and
travel, also promote team building.
2.9.3 External Communication Practices
Prevention and emergency response involve many agencies beyond the water utility.
Communication between the utility and outside assistance is crucial both during planning for and
responding to an emergency. Initiating communication with outside entities should be addressed
during planning phases and should not wait for an actual emergency to begin.
Some benefits of communicating with local emergency service providers, government agencies, and
neighboring utilities include:
• Increased efficiency in daily operations and during an emergency
• Increased available resources
• Increased knowledge base
• Smoother coordination and recovery during an emergency
2.9.4 Public Outreach
Public outreach is required for a utility to develop a successful relationship with those it serves. A
utility may handle security and emergency response in a technically solid manner, but if the public is
not properly informed, then any situation can develop into a disaster.
Under normal conditions, public relations considerations can be necessary when performing
day-to-day operations and maintenance, such as installing physical protection. These considerations
can include:
• Informing citizens of upcoming work effects
• Gaining public acceptance before installing fencing and lighting in neighborhoods
Citizens need to feel that local government officials are listening to them and taking their concerns
into account. Local citizens can be extremely helpful in watching for suspicious activities, as shown in
the Citizens Helping in Police Service (CHIPS) program case study (Figure 2-3). To further consider
this issue, the measure of confidence that the public has in a utility has much to do with how it
communicates during normal times, and not just during emergencies. Maintaining standard methods
and regular instances of providing information to the local community can establish expectations of
current and valid information from the same source during an emergency. Using neighborhood
awareness programs, such as "Neighborhood Watch," can also create a sense of awareness and, thus,
confidence in the utility operations, strategy, and agenda.
During an emergency there are other key points to consider, such as when and how to notify the
public. This emphasizes the importance of a Public Information Officer (PIO).
The PIO is prepared to interact with local citizens and provide appropriate messages from the utility.
It is vital that the person designated to interact with the public and the media be trained to do so.
Choose this person before an emergency occurs. To instill confidence during an emergency, use
personnel in uniform when TV cameras are present. Having planned messages can provide the public
with organized and concise information, also facilitating public confidence.
Distributing information to the community quickly is essential. Waiting until all facts are known may
be counter-productive, as news agencies will provide interpretations into the vacuum of information
not provided by the local government and utility. Be prompt, frequent, and reliable. A good article
regarding public outreach for review concerns the Tylenol poisoning crisis from 1982: "The Tylenol
Crisis - How Effective Public Relations Saved Johnson & Johnson," by Tamara Kaplan, Pennsylvania
State University (http://www.personal.psu.edu/users/w/x/wxk116/tylenol/crisis.html).
FIGURE 2-3
Case Study: CHIPS Program in Kennewick, WA
Citizens Helping in Police Service (CHIPS) is an organization of Citizen Volunteers that has been a
part of the Kennewick, Washington Police Department for many years. The CHIPS group is a formally
structured non-profit organization with elected officers, regular meeting dates, operational
procedures, and designated uniforms. These citizen volunteers, working together with common goals,
provide a valuable service to the Department and to the City of Kennewick. The volunteers
participate in a number of tasks on a regular basis as well as being an "on-call" group ready to
perform tasks on an "as-needed" basis.
One of the CHIPS projects, named "Operation Camel," provides a daily physical check of all water
storage/pumping facilities in the City of Kennewick.
2.10 Interagency Coordination
Part of protecting utility infrastructure involves interaction with other agencies. By reaching out to
neighboring utilities, a utility may gain use of equipment and technical resources that lower costs.
Coordination with city or county offices such as emergency management agencies (e.g., Local
Emergency Planning Committees [LEPCs]) and health departments may open doors for existing
equipment, grants, and other assistance that the utility did not previously know existed.
Coordination with other major utilities such as electric and telephone companies prior to an
emergency can also prove beneficial during an emergency event.
• Think regionally and begin quarterly or monthly meetings regarding coordination, emergency
response, and other relevant topics with other utilities in the area.
• Invite police and fire to have a tour of facilities; learn to use their 800 MHz radios.
• Share telephone lists with key outside agencies; minimally, provide a single point of contact for
all agencies that may be involved in a security problem or emergency response action for the
utility to use during an emergency.
• Attend training workshops with other agencies and intermix employees so their primary
interactions are with people outside of their daily work environment.
• Hold emergency response exercises and invite external agencies to attend.
Prior to an incident, it is important to have mutual aid agreements in place with other utilities and
agencies. These agreements often save time, money, and confusion and should address:
• Interconnection with other water systems, if possible (with established rates and charges)
• Sharing of laboratory facilities and resources (with established rates and charges)
• Borrowing of supplies and materials (with the understanding that the borrowing utility will
replace the materials with like materials after the emergency is over)
• Borrowing of personnel and heavy equipment (with established rates and charges)
Not all interagency coordination should be performed locally because a large-scale disaster may
render local utilities and public works agencies unable to respond. Therefore, some coordination and
agreements should be established with utilities and agencies several hundred miles away.
SECTION 3
Operational Considerations for Enhancing Physical Security
[Figure: guidance roadmap with panels Introduction; Management: Optimizing Physical Security;
Operations: Enhancing Physical Security; Design: Developing Physical Security; Emergency Response
Planning]
Apply operations and maintenance
measures to enhance physical security
- Overall approaches
- Source water
- Raw water conveyance
- Treatment facilities
- Finished water storage and conveyance
- Support services
3.1 Overview
Water managers and operations staff have traditionally considered security to be an enhancement
provided for a limited number of facilities, and have focused on electronic access control systems and
CCTV monitoring. Today, water system managers, engineers, architects, and operations staff consider
not only natural acts and accidents but also security issues as an integral operational consideration
for all aspects of their water systems that may potentially be threatened by acts of violence, such as
vandalism, crime, sabotage, or terrorism. The objective of this section is to provide guidance that
enables water utility managers, operators, and decision-makers to identify and apply operational
improvements to their systems. The purpose of these improvements will be to increase the safety of
utility facilities and to protect people, information, property, and assets related to the mission and
goals of the utility. That universal mission is to effectively provide water that meets quality and
quantity requirements for the community.
Operational changes often provide some of the more cost-effective approaches for utilities to enhance
the physical security of their systems. This section provides a variety of operational approaches that
water utilities may adopt to improve the security of their above ground and underground
infrastructure and support facilities. It also evaluates the applicability of different operational
approaches to security for the four major threat levels from an outsider—vandals, criminals,
saboteurs, and terrorists—as well as threats posed by an insider. An added benefit to addressing
these threats is the enhanced capability of the water utility to respond to natural disasters and
unanticipated events.
It is important to note that utilities adhering to industry-standard O&M practices contribute to their
security enhancements when the operational measures identified here are included in utility O&M
programs. The sources used in this section include Water Treatment (AWWA 1995), Water Transmission
and Distribution (AWWA 1996), Maintaining Distribution System Water Quality (AWWA 1986),
Distribution System Maintenance Techniques (AWWA 1987), Guidance for Management of Distribution
System Operation and Maintenance (Deb et al. 1999), and The Design and Evaluation of Physical Protection
Systems (Mary Lynn Garcia 2001). Other sources are included in the bibliography.
3.2 General Considerations
In addition to operational considerations specific to the various portions of the water system, a
number of general considerations apply to water systems as a whole.
3.2.1 Philosophy
Physical security through operations should be addressed in a layered approach similar to the design
concept of protection in depth, as described in Section 4.2.4, "Layers of Protection." The layered
approach starts with the outer perimeter of the facility and goes inward to the facility site, the
buildings, structures, other individual assets, and finally to the contents of those buildings,
structures, and assets. Approaching security in this manner allows utilities to incorporate additional
layers of operational security to match the threat that may be associated with specific assets at the
facility.
• The perimeter of the facility typically includes the fence and access gates that surround the site.
The perimeter is considered the first line of the physical security system that, through operational
practices, can be sufficient for basic threats such as poorly equipped vandals and criminals.
• The site is the area between the perimeter and the buildings, structures, and other individual
assets. This area provides a unique opportunity for early identification of an unauthorized
intruder on the site and initiation of early response.
• The buildings and structures within a facility, such as a treatment plant or pump station, provide
the next physical barrier for stopping intruders. The discussion of buildings and structures is
limited to the external features, such as doors, windows, walls, materials, and skylights.
• Building systems refer to the internal features of buildings and other structures that can protect
critical assets or processes from intruders. Examples of these types of features include internal
walls and doors, equipment cages, and redundant equipment.
For these layers to be effective, the proper maintenance of each layer is critical. For example, the
fences and locks have to be maintained properly so that the associated layers can provide the
physical security expected from them. Similarly, the proper security procedures have to be followed
so that unauthorized entry is not permitted, as discussed in Section 2.7, "Policies and Procedures."
The proper maintenance of infrastructure and the implementation of procedures are especially
important for the distribution system because there are fewer layers between a potential intruder and
the infrastructure.
3.2.2 General System Operational Practices
Table 3-1 provides general considerations for operational practices for the different layers within a
facility for the key threat levels.
TABLE 3-1
General Considerations for Operational Security at a Water Facility
Columns: Threat Type, Perimeter, Site, Building, Building Systems
Vandal
Keep site illuminated
Criminal
Keep gates locked during non-working hours
Repair breaks in fence
Ensure all locks are functioning
In addition to the above: Keep site illuminated
Post guards at access locations during non-working hours
Lock buildings during non-working hours
Keep windows closed and locked during non-working hours
Follow intrusion alarm response protocol
In addition to the above:
- Restrict access to building
Supply employee/visitor ID badges
Employ motion detector alarms
Saboteur/Terrorist
Insider
In addition to the above:
- Conduct perimeter security inspections
Post guards 24/7
In addition to the above:
- Conduct video monitoring 24/7
In addition to the above:
- Restrict access to critical areas
In addition to the above:
- Conduct video monitoring 24/7
Apply dual employee requirement for critical areas
3.2.2.1 Basic
Utilities may want to consider the following basic general operational practices to improve physical
security as they identify ways in which to make their unique facilities more secure.
• Application of Visitor Control Policy. Visitors to facilities can include a number of different
groups such as employee guests, the public (tour groups), vendors, and contractors. All visitors
should be accompanied by an employee when they are going to sensitive areas. Site tours should
be accompanied by an employee at all times, and should also be restricted to non-sensitive areas
of the facility. Some utilities have recently started requiring background checks on visiting
international groups.
Vendors and contractors who have been cleared through background checks and have been
assigned badges could sign a log when entering and exiting the utility. In all cases, prior to
granting entry to a visitor, a security staff member can collect the following information from the
visitor: the visitor's name, identification, company, the name of the employee being visited, and
the purpose of visit. Additional guidance is provided below under "Delivery Access Control."
• Alarm Response Protocols. Utilities can develop alarm response protocols for security-related
alarms. Utility staff can be trained in these protocols to understand their specific roles and
responsibilities. By following the alarm response protocol for each category, staff members with
proper training can then address the problem upon receipt of alarm notification.
Alarm response protocols should provide guidance to identify false alarms, unverified alarms,
panic and distress alarms, etc. Otherwise, false or non-urgent alarms will eventually render
responses to alarms ineffective as the staff will start to ignore them. The interrelationship
and interaction between security alarms and operational systems need to be recognized
and understood.
• Application of Key Control Policy. A strict key control policy can be implemented by water
utilities. Features of the policy should include: 1) a limit to the number of employees with keys,
2) a ban on providing keys to contractors, 3) a prohibition on the duplication of keys, 4) use of
patented keys that prevent the unauthorized duplication of keys (patented key blanks are
protected and proprietary), 5) periodic and random change of keys, and 6) return of all utility
keys from employees when terminating employment with the utility.
Use of coded or cipher-based alternative keyless locks could also be considered. These include
(Garcia 2001, U.S. Department of Commerce 2003) mechanical combination, electromechanical
combination, mechanical entry control, and electromagnetic keyless control locks. Their main
advantages are simple operation and ease of code change, thus they are especially suitable for
smaller utilities. However, they are used primarily for access control and do not provide a high
degree of security when used alone. Some models have time-penalty and error-alarm features
and can be tied to alarm systems.
• Alarms and Set-points. Doors and windows that provide access to critical areas can be alarmed
so that any unauthorized entry will alert security personnel. Responses to such alarms should be
addressed in the alarm response protocols discussed above.
• Lock Control. Utility facilities often have multiple locks hooked together in a daisy chain to allow
easy access for other groups, such as contractors. The removal of daisy chains
and the development of an operational procedure for utility personnel to coordinate facility
access with non-utility groups is recommended.
• Scheduling of Annual Maintenance Activities. The most critical times of operation occur
during peak demand periods. During these times, operations require as much system
redundancy as possible to allow for reacting to both simple and complex operational issues.
Large annual maintenance activities should be scheduled during periods when the demands of
the system are at their lowest. This schedule should also include major shutdowns related to
construction activities at the water treatment plant or other impacted critical facilities.
Coordinating major annual maintenance activities, such as water main flushing and valve exercising
in distribution systems, during low-demand periods reduces the system vulnerability because the
system has redundant capacity available.
• Application of Access Control Policy. Utility personnel, as part of their functional duties, have
different access requirements to the various facilities. Employee access to each facility should be
restricted based on job requirements. Limits to access can be accomplished through simple key
control or more sophisticated access control systems. Highly sensitive areas, such as those with
SCADA equipment and the operational control room, could have additional operational controls
requiring two-employee identification prior to allowing access.
• General Maintenance. Utilities need to keep the general facilities in repair, including lighting,
fencing and gates, doors, and windows. Similarly, distribution system air relief valves and air
vents in storage tanks need to be regularly maintained. Poorly maintained facilities can increase
the ease of unauthorized access.
• Clearzone Areas. An important concept in perimeter access control is a clearzone on both sides of
a fence. A clearzone is an area surrounding the perimeter of a facility that is free of shrubs and
trees and features well-maintained landscaping that does not provide hiding places for an
adversary. Similarly, no materials should be stored by the utility near the fence to obstruct view.
Clearzones enhance visual observation by security personnel and create a demarcation zone that
makes unauthorized persons more noticeable. Clearzone distances will vary based on siting
constraints; clearzone areas ranging from 50 to 100 feet from perimeter fence to building exterior
are common for new facilities and are typically smaller for existing facilities that are
space-limited. In either case, utilities are encouraged to maximize the space available.
Lighting is frequently enhanced within clearzone areas, making it easier for employees and
passersby to observe and identify intruders. Within the clearzone space surrounding the critical
buildings, motion detection is sometimes installed, with instant-on, high-visibility lighting (3 to 5
foot-candles of illumination) that activates when people approach the building.
Critical facilities located within neighborhoods may be affected by zoning rules or neighborhood
covenants that, for example, specify or prohibit certain landscaping and fencing features. Utilities
can work with their governing municipalities to have the perimeter of critical facilities zoned as
clearzone areas, as is the case with military installations and airport runways.
• Fences. Security fences, such as chain-link fences, typically do not prevent intrusion to a facility.
Even the use of barbed wire or barbed tape concertina may not provide significant delay for
intruders. However, by posting signs on the fence that trespassing is a criminal offense, fences
can provide some deterrence to vandals. Thus, fences need to be inspected, maintained, and
repaired as necessary to maintain their level of deterrence from vandals.
• Delivery Access Control. Deliveries present a difficult security challenge for facilities.
Particularly for water systems that have regular chemical and other material deliveries,
additional access control policies may be warranted:
- Physically inspect vehicles before allowing them to enter a facility perimeter.
  • Construct a pull out area to stage delivery vehicles outside of the fence line.
  • Require the supplier to provide the manifest and driver name, and coordinate delivery
  time in advance.
  • Adopt a procedure that requires faxed or electronically transmitted copies of delivery
  bills-of-lading information and driver identification sent to the security office prior to the
  truck arriving onsite.
  • Have a trained security staff member meet the vehicle; physically inspect the driver,
  vehicle, and cargo for contraband; and test the cargo for correctness, concentration, and
  purity (if applicable) before it is allowed onsite. Unverifiable, unscheduled, or late
  deliveries should be refused.
  • Train security personnel regarding the necessity of keeping detailed logs of deliveries
  and pick-ups, including driver information and destination.
- The same procedure can be accomplished prior to allowing a vehicle to depart the facility,
checking for short deliveries, theft, or contraband.
- Consider adding a CCTV video surveillance system. Deploy cameras to capture the vehicle
license plate and driver facial features.
- Implement a procedure for ensuring that a driver who regularly picks up or delivers
hazardous materials, such as hazardous chemicals, is previously identified, given proper
identification badges, and trained in the facility security requirements.
• Vehicle Checkpoints. A vehicle checkpoint area for detaining vehicles for identification is
recommended in a perimeter access control system. The purpose is to screen all vehicles or
pedestrians prior to accessing the property. The key to this practice is that the perimeter fencing
must be as strong as the gate facility, based on the old concept that a chain is only as strong as its
weakest link.
- In a simple system, a vehicle checkpoint can consist of a gate with an intercom and video
surveillance system. When a vehicle approaches, the driver requests permission to enter the
facility using the intercom. After security staff has visually identified the visitor, access may
be granted or denied from within the facility. Adding an exterior card reader on a pedestal
outside the gate can serve to grant access to employees.
- In more elaborate security installations, a guardhouse facility may be located at the entrance
to a facility. A security officer, who screens all vehicles entering the site, staffs the
guardhouse. Vehicles that are not permitted to enter the site are turned back.
- High-security applications use vehicle sally ports to detain and screen incoming vehicles. A
vehicle sally port consists of interlocking gates within a fenced area. Incoming drivers pass
through the first gate and stop at the second gate. Once both gates are closed and the vehicle
is captured within the sally port, a security guard may confirm the identity of the driver and,
if necessary, search the vehicle to confirm the contents. Once the vehicle and driver are
approved, the second gate opens and the vehicle may drive onto the facility.
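The sally port sequence described above can be written as a small state machine in which the two gates are never open together and the second gate opens only after the guard's approval. This is an added example, not part of the original guidance; the state names, request names, audit log, and the turn-back path for a rejected vehicle are assumptions made for illustration.

```python
from enum import Enum


class State(Enum):
    IDLE = "idle"                  # both gates closed, sally port empty
    ENTERING = "entering"          # first gate open, vehicle driving in
    CAPTURED = "captured"          # both gates closed, vehicle held for screening
    APPROVED = "approved"          # guard approved vehicle and driver, gates closed
    REJECTED = "rejected"          # guard refused entry, gates closed
    RELEASING = "releasing"        # second gate open, vehicle driving onto the facility
    TURNING_BACK = "turning_back"  # first gate open, vehicle leaving the way it came


# (current state, request) -> (next state, gates open afterwards)
TRANSITIONS = {
    (State.IDLE, "open_first_gate"): (State.ENTERING, frozenset({"first"})),
    (State.ENTERING, "close_first_gate"): (State.CAPTURED, frozenset()),
    (State.CAPTURED, "approve"): (State.APPROVED, frozenset()),
    (State.CAPTURED, "reject"): (State.REJECTED, frozenset()),
    (State.APPROVED, "open_second_gate"): (State.RELEASING, frozenset({"second"})),
    (State.RELEASING, "close_second_gate"): (State.IDLE, frozenset()),
    # Assumed turn-back path: a rejected vehicle leaves through the first gate.
    (State.REJECTED, "open_first_gate"): (State.TURNING_BACK, frozenset({"first"})),
    (State.TURNING_BACK, "close_first_gate"): (State.IDLE, frozenset()),
}


def interlock_table_is_safe(table=TRANSITIONS):
    """Static check of a transition table: never two gates open at once, and
    the second gate can only be opened from the APPROVED state."""
    for (state, _request), (_next_state, gates) in table.items():
        if len(gates) > 1:
            return False
        if "second" in gates and state is not State.APPROVED:
            return False
    return True


class SallyPort:
    def __init__(self):
        self.state = State.IDLE
        self.open_gates = frozenset()
        self.audit_log = []  # (request, state when requested, "OK" or "REFUSED")

    def request(self, action):
        """Apply a gate or guard request; refuse and log anything out of sequence."""
        step = TRANSITIONS.get((self.state, action))
        if step is None:
            self.audit_log.append((action, self.state.value, "REFUSED"))
            return False
        self.audit_log.append((action, self.state.value, "OK"))
        self.state, self.open_gates = step
        return True

    def screen(self, identity_confirmed, search_required=False, contents_confirmed=False):
        """Guard decision while the vehicle is captured: identity is always
        checked, contents only when a search is required."""
        passed = identity_confirmed and (not search_required or contents_confirmed)
        if passed:
            return self.request("approve")
        self.request("reject")
        return False

    def refused(self):
        """Out-of-sequence requests recorded in the log, for later review."""
        return [entry for entry in self.audit_log if entry[2] == "REFUSED"]


if __name__ == "__main__":
    port = SallyPort()
    # Constructed sequence: an attempt to open the second gate too early is refused.
    for action in ["open_first_gate", "open_second_gate", "close_first_gate"]:
        print(action, "->", port.request(action), port.state.value)
    print("screened ->", port.screen(identity_confirmed=True))
    for action in ["open_second_gate", "close_second_gate"]:
        print(action, "->", port.request(action), port.state.value)
    print("refused requests:", port.refused())
```

Refused requests are logged rather than silently dropped so that repeated out-of-sequence attempts at a gate can be reviewed under the alarm response protocol.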
3.2.2.2 Advanced
• Reevaluation of Minimal Accepted Personnel Staffing Levels. If the facility cannot be operated
in a manual mode with the existing staff, this is a significant operational vulnerability that must
be addressed. The utility ERP should have an emergency staffing plan that should include hiring
of temporary employees or contractors for the duration of an emergency. This plan should also
include staffing of facilities that are operated remotely. (For additional information about
protecting remote facilities, see Section 5, "Cyber Security Management, Operations, and Design
Considerations.")
3.3 Source Water
Source water marks the beginning of the utility water system and provides the first opportunity for
disruption of water service to customers. Loss of source water supplies through contamination or
disrupted delivery will have varying degrees of impact on a utility based on the utility's redundancy
of raw water supplies, delivery capabilities, and finished water storage in the distribution system.
Contamination of actual source water supplies is difficult to accomplish because of the large volumes
of water involved. The most vulnerable areas are typically associated with the transmission mains
that deliver water to the treatment facility or directly into the system (groundwater wells). The raw
water intake from lakes, reservoirs, dams, or wells can be monitored for entry control and access if
feasible and practical. Intake water characteristics can be monitored for changes, such as the presence
of petro-chemical contaminants. If a flammable or toxic substance is introduced into the intake
system, it is possible that this contamination may be discovered by plant operations personnel who
monitor water quality. Changes in the constituents of the water, such as color, pH, and odor, may
also be identified by operations, maintenance, or lab personnel. During periods of elevated security
risk, operators should make such inspections frequently and randomly throughout the day.
3.3.1 Groundwater
Groundwater supplies can be divided into two categories: 1) groundwater originating from a
protected aquifer and 2) groundwater under the influence of nearby surface water. These systems
have different vulnerabilities.
3.3.1.1 Protected Groundwater Supplies
Protected groundwater supplies are unlikely to be intentionally contaminated through the
environment (e.g., spills) because of the depth of the groundwater, protective clay lenses, and the
volume of water. On the other hand, a well head provides a more vulnerable target. The two
intrusion points of a well head are the site inspection tube and the wellhead sample port. Either
component can act as a potential conduit for the introduction of contaminants.
Wellheads equipped with intrusion alarms can trigger an automatic shutdown of the well. This
would allow operations staff to inspect the facility for potential contamination prior to introducing
the well water back into the system.
3.3.1.2 Unprotected Groundwater Supplies
Unprotected groundwater supplies can be potentially influenced by nearby surface water sources
and percolation of contaminants through the soil. These sources typically lack protective clay lenses
and are relatively shallow supplies, which make them more vulnerable to contamination events. The
vulnerable components of these unprotected groundwater supplies are the water source, the site
inspection tube, and the wellhead sample port. Each of these components can be a conduit for the
introduction of contaminants.
Unprotected groundwater supplies typically go through additional treatment similar to surface water
sources prior to distribution. Online monitoring could be used for unprotected groundwater supplies
to provide early detection for unusual water quality changes that could be associated with a
contamination event. In addition, the wellheads can also incorporate the same types of operational
approaches identified above for protected wellheads.
3.3.2 Surface Water
The two common types of surface water supplies are reservoirs/lakes and streams/rivers. Both of
these types of supplies require treatment at water treatment plants. Operational considerations to
enhance security in both types of supplies include:
• Continuous raw water monitoring for surrogate parameters (such as pH, conductivity, total
organic carbon [TOC], and toxicity). The implementation of this measure will greatly depend on
the financial resources of the utility, as some of these monitors currently have relatively high life-
cycle costs. Furthermore, the interpretation of the measurements depends on an intimate
familiarity with baseline water characteristics and behavior under different conditions.
Regardless, the development of a raw water baseline sampling program followed by the
installation of inexpensive monitors for surrogate parameters would be a good start for most
utilities. After establishing baseline water characteristics, utilities might enhance their monitoring
with more advanced monitors, resources permitting. Information on online monitoring systems
both for source water and the distribution system can be found in Grayman et al. (2001),
Hergesheimer et al. (2002), and Pikus (in press).
• Site inspections are conducted at random times of the day.
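The baseline-then-monitor approach in the first bullet can be illustrated with the following Python code, which is an added example and not part of the guidance. It derives a robust baseline (median and scaled median absolute deviation) for each surrogate, then screens a stream of readings; the parameter names, thresholds (`z_limit`, `persist`, `min_params`), and all sample values are constructed assumptions.

```python
from statistics import median

# Constructed baseline sampling results for three surrogate parameters.
BASELINE = {
    "pH": [7.6, 7.7, 7.5, 7.6, 7.8, 7.6, 7.7, 7.5, 7.6, 7.7],
    "conductivity_uS_cm": [310, 305, 298, 315, 320, 308, 302, 311, 307, 313],
    "TOC_mg_L": [2.1, 2.3, 2.0, 2.2, 2.4, 2.1, 2.2, 2.3, 2.0, 2.2],
}

# Constructed online-monitor readings; None marks a missing value.
READINGS = [
    ("06:00", {"pH": 7.6, "conductivity_uS_cm": 309, "TOC_mg_L": 2.2}),
    ("06:15", {"pH": 7.7, "conductivity_uS_cm": 340, "TOC_mg_L": 2.1}),  # lone spike
    ("06:30", {"pH": 7.6, "conductivity_uS_cm": 311, "TOC_mg_L": 2.2}),
    ("06:45", {"pH": 7.5, "conductivity_uS_cm": 312, "TOC_mg_L": 3.0}),
    ("07:00", {"pH": 6.9, "conductivity_uS_cm": 345, "TOC_mg_L": 3.1}),
    ("07:15", {"pH": 6.8, "conductivity_uS_cm": None, "TOC_mg_L": 3.2}),
    ("07:30", {"pH": 6.8, "conductivity_uS_cm": None, "TOC_mg_L": 3.3}),
    ("07:45", {"pH": 7.6, "conductivity_uS_cm": None, "TOC_mg_L": 2.2}),
]


def robust_baseline(samples, rel_floor=0.01):
    """Return (median, scale) for one parameter.

    Scale is the MAD scaled by 1.4826 (comparable to a standard deviation for
    normal data), floored at rel_floor * |median| so that a perfectly flat
    baseline does not produce a zero divisor.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, max(1.4826 * mad, rel_floor * abs(med), 1e-9)


def screen(readings, baseline, z_limit=4.0, persist=3, min_params=2):
    """Screen time-ordered readings and return (timestamp, kind, parameters).

    kind is one of:
      sustained  - one parameter beyond z_limit for `persist` readings in a row
      correlated - at least `min_params` parameters beyond z_limit at once
      sensor_gap - one parameter missing for `persist` readings in a row
    """
    stats = {p: robust_baseline(v) for p, v in baseline.items()}
    run = {p: 0 for p in stats}  # consecutive out-of-limit readings
    gap = {p: 0 for p in stats}  # consecutive missing readings
    events = []
    for ts, values in readings:
        deviating = []
        for p, (med, scale) in stats.items():
            x = values.get(p)
            if x is None:
                gap[p] += 1
                if gap[p] == persist:
                    events.append((ts, "sensor_gap", (p,)))
                continue  # a gap neither extends nor clears an excursion
            gap[p] = 0
            if abs(x - med) / scale > z_limit:
                run[p] += 1
                deviating.append(p)
                if run[p] == persist:
                    events.append((ts, "sustained", (p,)))
            else:
                run[p] = 0
        if len(deviating) >= min_params:
            events.append((ts, "correlated", tuple(deviating)))
    return events


if __name__ == "__main__":
    for event in screen(READINGS, BASELINE):
        print(event)
```

A single out-of-range value (the 06:15 conductivity spike) raises nothing, while simultaneous shifts in several surrogates are reported at once; a monitor that stops reporting is flagged too, since it leaves the intake unobserved.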
3.3.2.1 Reservoirs/Lakes
Reservoirs and lakes are typically large bodies of water, significantly reducing the potential for
introducing a contaminant at a dose high enough to be of concern. Additional operational
considerations to enhance security include those listed below.
Basic
• A neighborhood watch program with local park staff and other community users of the
reservoir/lake observing conditions at the site
• Inspection of dams under a dam safety program managed by FEMA or the appropriate state
agency to identify the vulnerabilities of the dam
Advanced
• Source water watershed protection agreements with other agencies (state or local watershed
districts) in which source water protection is a top priority for district managers
3.3.2.2 Streams/Rivers
Streams and rivers have a higher potential for short-term contamination events due to intentional
dumping or accidental releases of contaminants upstream of the raw water intake structures.
Additional operational considerations to enhance security include these:
Basic
• Coordination with local police departments, sheriff's departments, and other agencies, including
the Coast Guard and Harbor Patrols, where appropriate, to develop early warning systems
(EWSs) for reporting illegal and accidental discharges into the river or stream
Advanced
• Development of an integrated water quality monitoring response program that evaluates
surrogates that are indicative of an unusual and unanticipated change in water quality
3.3.3 Raw Water Intake
Raw water intake structures for both reservoirs/lakes and streams/river systems are among the
vulnerable facilities in the raw water system. The intake structures are typically located in remote
locations (resulting in a slow response time), are gravity fed (allowing easier introduction of
contaminants), and are often single points of failure for the raw water delivery system (easily
allowing disruption of raw water deliveries). Some operational considerations for ensuring the
security of raw water intake structures include those listed below.
3.3.3.1 Basic
• Site inspections of screens and bars conducted by operations staff at random times of the day
during elevated alert periods, and temporary use of guards during emergencies
• Coordination with other agencies and community groups to develop an "alert" program
3.3.3.2 Advanced
• Fencing installed on the land side of the intake structures with intrusion alarms and CCTV
cameras for utilities that have the resources
• Hatches and valves secured from tampering and entry attempts into the intake structure
• Daily, randomly timed site inspections of screens and bars by operations staff during elevated
alert periods, and temporary use of guards during emergencies
• Coordination with other agencies and community groups to develop an "alert" program
3.4 Raw Water Conveyance
Raw water conveyance facilities are sometimes located in remote locations, making supervision of the
facilities relatively difficult for operations staff. Some typical operational practices include improved
awareness, site visits by operations staff, and physical protection system monitoring. These practices
are described below.
3.4.1 General Considerations
General security considerations for raw water conveyance facilities are divided into Basic and
Advanced categories.
3.4.1.1 Basic
Increased Awareness. A heightened awareness of utility staff, other local government employees,
and the public observing trespass and physical disturbance is critical to keeping remote facilities
secure.
Operator Visits. Although the trend over the last one to two decades has been to reduce the
frequency of utility staff visiting remote facilities, for high-level threats reversing this trend may be
reasonable. Coordinating with local police on facilities critical to the water system can add to the
routine presence of authority and reduce the response time, if notified. This is especially true for
master pump stations, tanks, or reservoirs that serve significant portions of the service areas. Site
visits by operations staff should be scheduled at random times of day.
3.4.1.2 Advanced
Physical Protection and Monitoring. Remote pump stations, tanks, and reservoirs should be
monitored by intrusion alarms, SCADA systems, and CCTV if threat levels warrant. Utilities should
have procedures to ensure perimeter fences are maintained, gates are locked, and hatches are secure.
Security audits of remote facilities can be performed every 6 months, or more often for critical
facilities or if high threat levels exist.
3.4.2 Pump Stations
Raw water pump stations are typically located in remote areas and are unmanned, increasing the
vulnerability of these facilities to malevolent acts. Operational considerations specific to raw water
pump stations are provided below.
3.4.2.1 Basic
• Routine testing of stand-by pumps
• Maintenance of a spare part inventory for critical components in a secure location apart from the
pump station
3.4.2.2 Advanced
• Site inspections conducted by operations staff at random times of the day during elevated alert
periods
• Automatic shutoff for pump stations with open wet wells that are susceptible to introduction of a
contaminant
3.4.3 Pipelines and Appurtenances
Raw water pipelines create a unique problem in terms of protection from malevolent acts. The
pipeline typically extends for many miles, realistically cannot be fenced off and protected, and
provides a number of areas of exposure (e.g., exposed pipeline sections, airvacs, and vent pipes).
Operational considerations for raw water pipeline security can include daily pipeline inspections by
operations staff during elevated alert periods, including inspection and repair, as necessary, of air
vent screens.
3.4.4 Raw Water Storage Tanks
Raw water delivery systems often include storage tanks upstream of the pump stations to serve as
wet wells for the pumps. The major vulnerability for the tanks is intentional contamination through
hatches and vent structures. The general operational considerations for raw water conveyance listed
above can also be applied to raw water storage tanks. Additional operational considerations are
provided below.
3.4.4.1 Basic
• Daily site inspection by operations staff during periods of high alert
• Response protocol for bypassing the tank when unauthorized intrusions have been detected
3.4.4.2 Advanced
• Hatch and vent intrusion alarms that automatically activate the tank effluent valve to isolate the
tank
3.5 Treatment Facilities
Water treatment facilities are designed to include multiple barriers to malevolent acts by
incorporating redundancy in treatment processes. The advantage of the multiple barrier approach is
that if one barrier is breached, the plant will still have the capability of producing water that meets
regulatory requirements. Additional information on operational measures for treatment facilities can
be found in Water Treatment (AWWA 1995).
3.5.1 Treatment Processes
The typical treatment processes in a water treatment facility include:
• Pre-treatment, which includes screening to remove debris (in a surface water source),
presedimentation to remove sand, addition of chemicals such as chlorine for slime control and
oxidation of some metals and organics present in water, and potassium permanganate for taste
and odor control
• Coagulation, flocculation, and sedimentation, which involve the addition of chemical coagulants
(e.g., aluminum salts, ferric salts, and polymers), rapid mixing, and sedimentation to enhance
removal of solids from the raw water
• Filtration, which is accomplished using conventional media filters (e.g., sand, garnet, and
anthracite) or membrane filters (microfiltration or ultrafiltration) to provide final solids and
microorganism removal, and polishing of the water
• Disinfection, which is typically accomplished using gaseous or liquid chlorine to deactivate any
remaining microorganisms in the water prior to delivery to customers for consumption
• Treated water clearwell and pump stations, which deliver the treated water to the water
distribution system
Each of the unit processes typically has redundant trains that allow periodic maintenance to be
performed while the water treatment plant remains in operation. Operational security considerations
for water treatment facilities include:
• Routine maintenance performed during low-demand periods of the year to ensure continuous
operations during emergency events
• Construction-related shutdowns scheduled during low-demand periods of the year to ensure
continuous operations during emergency events
• Cross-training of operations staff for improved response capabilities
• Development and testing of response protocols for unit process failures and upsets to verify the
potability of water leaving the water treatment facility
• Restriction of access to critical facilities and utilization of the buddy system if insider threat is a
concern
• Ban on public tours in critical areas of the facility
• Staff escorts to accompany visitors (e.g., vendors, contractors, and tours) while inside the
boundaries of the facility
3.5.2 Chemical Delivery (Chemical Systems)
Water treatment facilities use a variety of chemicals as part of the treatment process. There are four
major areas of concern regarding chemical feed systems: 1) loss of chemical feed systems that can
result in the inability to properly treat the water, 2) introduction of contaminated chemicals into the
process, 3) release of chemicals into the environment endangering the safety of workers and the
public, and 4) mixing of certain chemicals, such as ammonia with liquid chlorine, on site where
hazardous conditions are created. These events have the potential to impact public health and the
environment. General operational security considerations for chemical storage and feed systems
include those listed below. Following the general considerations are more specific considerations for
gaseous and liquid chlorine (hypochlorites), the most common disinfectants used in water treatment,
and other water treatment chemicals.
3.5.2.1 Basic
While chemical shipments are outside of utilities' direct control, utilities can work with their
suppliers (especially chlorine suppliers) to identify ways to address potential hazards.
• Reject or batch test chemical deliveries that are suspect (e.g., those with a broken seal or late
delivery). When possible, screen deliveries before offloading into storage tanks.
• Contact the vendor if chemical delivery has not occurred at the specified time to verify the status
of the shipment, both for utility security as well as the safety of delivery personnel.
• Develop protocols with chemical suppliers to minimize the potential for tampering during transit
and to identify whether tampering has occurred upon arrival at the facility.
• Continuously monitor chemical feed systems and develop an operational response to
system failure.
3.5.2.2 Advanced
• Continuously monitor performance surrogates for processes using treatment chemicals to
identify trends in reduced performance.
• Develop procurement specifications that require use of anti-hijacking technology and proof of
compliance with the security guidance developed by the Chlorine Institute.
3.5.2.3 Gaseous Chlorine
Gaseous chlorine is stored in 150-pound cylinders, 1-ton cylinders, tanker trucks, or, at times, railcars.
The highest area of concern for gaseous chlorine is a sudden release into the atmosphere due to the
failure of a tank or valve, placing employees and nearby public at risk. The second area of concern is
the loss of chlorine disinfectant for use in finished water, which could potentially cause a public
health problem. Operational security considerations for water treatment disinfection include
the following.
Basic
• Continuous monitoring using a chlorine gas leak detector and trained operations staff available
for small leak response.
• Coordination with local hazardous materials (HazMat) teams for response to large chlorine gas
releases.
• Continuous monitoring of chlorine residual and testing of operational protocols to respond to
loss of residual.
• Minimal amounts of gaseous chlorine stored onsite.
Advanced
• Change of the type of disinfecting chemicals to a less volatile type.
• Safety devices, such as self-contained breathing equipment, emergency repair kits, and adequate
ventilation equipment, provided at every chlorination facility. Furthermore, these devices are to
be regularly checked for proper operation and repaired as necessary.
3.5.2.4 Hypochlorite
In the past, hypochlorination was typically used by smaller systems. However, due to security and
safety concerns, larger plants have shifted from gaseous chlorine to hypochlorite. The most common
forms are calcium hypochlorite (Ca(OCl)2 in dry granules, powder, or tablet form) and sodium
hypochlorite (NaOCl in liquid form). Operational security considerations for hypochlorite include the
following:
• For Ca(OCl)2, special storage must be provided to avoid contact with organic materials. Contact
with organic material can generate enough heat and oxygen to start a fire. Similarly, when
mixing with water, heat is generated; therefore, mixing with water to generate liquid chlorine
must be done by adding the calcium hypochlorite to water to minimize the generation of heat.
Thus, storage areas must be secure and must not contain any organic matter or water that
adversaries can use to start a fire.
• For sodium hypochlorite (which has a pH of between 9 and 11), attention must be given to its
corrosivity. Sodium hypochlorite must be stored away from equipment susceptible to corrosion
damage. Otherwise, adversaries can use it to damage plant equipment.
3.5.2.5 Ammonia
Ammonia is used in the chloramination of finished water to maintain a disinfectant residual.
Ammonia and chlorine added to water form chloramines, which remain in water for a longer
duration than free chlorine as disinfectant. Ammonia can be added to water as anhydrous or aqueous
ammonia (liquid form) or ammonium sulfate (powder form). The liquid form is volatile and
explosive, and is thus considered a safety hazard. Spills or leaks may require evacuation of the
treatment plant, warehouse, or surrounding areas. Thus, operators must inspect ammonia tanks at
every shift to ensure that there are no leaks.
3.5.2.6 Fluorides
Fluoride is added to water to reduce tooth decay in children. Fluoride compounds used in water
treatment include sodium fluoride (powder or crystal), sodium fluorosilicate (powder or crystal) and
fluorosilicic acid (liquid). As an acid, the liquid form is of special concern as it is very corrosive and
can cause skin irritation. It is clear, colorless to yellowish, and generates fumes with a pungent odor.
Fluoride is available in 13-gallon and 55-gallon drums for small users, and in tank cars or trucks for
large users. Operators must handle it with caution and must inspect containers for leaks at every
shift. For the powder forms, operators must ensure that any spillage is quickly cleaned up to avoid
the inhalation of the dust. In addition, because fluoride overdosing would not be detected by taste or
odor, its potential as a hazard is increased. Utilities may want to verify that their water treatment
facilities' feed systems have been designed to make accidental (or intentional) overdosing unlikely.
3.5.2.7 Lime Softening
Water softening is used to precipitate the naturally occurring minerals found in water. The chemicals
most commonly used for this purpose are lime (either as hydrated lime [i.e., calcium hydroxide,
Ca(OH)2] or as quicklime [i.e., calcium oxide, CaO]), soda ash (Na2CO3), and caustic soda (sodium
hydroxide, NaOH). Hydrated lime, quicklime, and soda ash come in powder or granular form.
When lime is slaked for addition to water, a great amount of heat is generated, creating potential
safety hazards. Corrosivity of softening chemicals is also of concern, requiring that they be
handled with care. Similarly, their dust can pose a health hazard. Dust control equipment must be
well maintained and used while handling these chemicals.
An additional chemical that is sometimes used to stabilize softened water is sulfuric acid. It has the
same safety issues as other corrosive chemicals used in water treatment plants.
3.5.3 Facility-wide Treatment
There are a number of operational considerations that can be applied to typical water treatment plant
processes. A brief description of key operational practices is provided below.
• Hatch/Vaults. Hatches and vaults can be locked when plant staff is not using them. These
appurtenances often provide direct access to critical processes or assets that, if attacked, could
provide significant damage to the facility operations. The integrated use of remote detection
devices, covered in Section 6, "Choosing the Optimal Physical Security Equipment," can help
utilities to monitor portions of the system that are not regularly checked by utility personnel.
• Valve/Sluice Gate Operators. Valve and intake gates can be locked out in the normal operating
configuration to avoid malicious tampering or an unintentional action by an employee. Utilities
have used chains and locks effectively for years for this use.
• Electrical Panels, Control Boxes, and Motor Control Centers. These devices can have locking
mechanisms that, when kept locked at all times, can help to prevent unauthorized access.
Unrestricted access to this equipment could allow an immediate shutdown of unit processes and
control systems, creating a high-level operational emergency. The integrated use of remote
detection devices for these items is covered in Section 6.
• Standby Equipment. Standby equipment (e.g., generators, tanks, and pumps) should be rotated
into operating mode routinely. The advantage of rotating equipment is to allow minor
maintenance activities to be conducted routinely so that standby capacity is readily available.
• Spare Equipment. Critical spare equipment, such as pumps, should be stored in a location away
from the operating equipment (e.g., in another building). This protects the equipment from a
malevolent act that is directed at damaging the operational systems and allows the utility to
quickly restore operations after an event occurs.
• Power Supplies. Loss of power can result in the failure of a water system to achieve its mission.
Operational approaches to rapidly respond to localized or large power failures include these:
  - Power Failure Emergency Plan. Response to a power failure is an essential component of the
    emergency operations plan. The plan needs to identify the strategy that the utility will take (a
    systematic shutdown or continuous operations). The strategy selected will help to determine
    the requirements of secondary power needs. This, in turn, will identify the best way to
    supply alternate power, either through a secondary power supply or backup generation.
  - Backup Generators. Utilities can either purchase backup generators or rent generators using
    standing, guaranteed contracts with local equipment providers. Advance preparation for the
    use of backup generators includes installing and testing switchgears and pre-wiring the
    system to accept the alternate source of power. Switchgears are generally critical assets with a
    high vulnerability to risk, requiring special protection to prevent the loss of facility power.
• Security Guards. Temporary use of security guards during emergencies should also be
considered during periods of high alert for those assets that do not have remote detection devices
attached.
3.6 Finished Water Storage and Conveyance
Finished water storage and conveyance is the backbone of supplying treated water to customers.
Failure of storage and conveyance facilities would have a major impact on customers. The finished
water storage and conveyance systems comprise water storage tanks, pump stations, transmission
mains, distribution system lines, service lines, and various appurtenances. Additional information on
operational measures for finished water storage and conveyance systems can be found in Water
Transmission and Distribution (AWWA 1996), Deb et al. (1999), and Von Huben (1999). Operational
security considerations for these areas are discussed below.
3.6.1 Storage Tanks/Reservoirs
Treated water is stored in water storage tanks at key locations in the water distribution system for a
multitude of reasons. These include (AWWA 1996):
• Equalizing supply and demand
• Increasing operating convenience
• Leveling pump requirements
• Decreasing power costs
• Providing water during power source or pump failure
• Providing large quantities of water to meet fire demands
• Providing surge relief
• Increasing detention times
• Blending water sources
Storage tanks typically supply water to the water system either by gravity or pump stations. Areas
that provide access to the water stored in the reservoirs include hatches and cleaning pipes. Cleaning
pipes are installed on the roofs of some tanks for vacuum cleaning by divers. These access points are
typically 1 1/2- to 2-inch pipes with simple galvanized, unsecured screw caps. Removal of the cap
provides direct access to treated water. Operators need to ensure that these caps are locked and
cannot be removed by unauthorized persons.
Another access point in storage tanks is air vents that provide free flow of air in the tanks during
filling and draining cycles. Their protection is limited to simple mesh screens. Depending on the
design of the tanks, these vents may be directly accessible or accessible only by climbing the
reservoir. Inspection of the screens needs to be included during the inspection of the tanks.
In general, operational security considerations for water storage facilities include:
• Development of a protocol for hydraulically isolating a storage reservoir when intrusion alarms
are activated and tampering at the tank is verified
• Integration of intrusion alarms with automatic isolation valves for discharge lines when activated
• Development of a protocol for identifying contaminants, cleaning the tank, and restoring service
• Establishment of a neighborhood watch program in the community surrounding a storage
facility
3.6.2 Pump Stations
Treated water pump stations are placed at key parts of the water distribution system to boost water
to higher elevations for direct delivery to customers or storage reservoirs. Pump stations that supply
water directly to customers without backup storage are often identified as critical facilities. The
criticality of other pump stations in the water distribution system is dependent on the water demand
on the system and the amount of storage available to meet short-term fire flow requirements. Because
an unmanned pump station can be an effective injection point for a large-scale intentional
contamination, utilities may want to closely evaluate the security at critical pump stations.
Operational security considerations for pump stations include the following.
3.6.2.1 Basic
• Maintenance of a spare pump and critical replacement part inventory in a location away from the
pump station
• Routine testing of standby pumps and rotation of the standby pumps into service
3.6.2.2 Advanced
• Development and testing of an operations protocol to run the distribution system in a pressure
mode in the event that a water storage tank is out of commission
• Development and testing of a protocol for turning off the pump when intrusion alarms are
activated and tampering at the pump station is verified
3.6.3 Transmission Mains
Transmission mains are generally large diameter pipelines with no service connections. They are
commonly greater than 24 inches in size and convey finished water from the water treatment plant to
the distribution system or wholesale customers. Transmission mains are primarily located outside the
service areas, placing them in more isolated areas. Depending on the topography and the distance
covered, stretches of the mains may be alternately buried, exposed, suspended, or elevated. These
exposed stretches pose a particular vulnerability to physical, vehicle, and outsider access. Access to
transmission mains can also occur through air- and pressure-relief valves when the valves are
exposed. Thus, routine, periodic inspection of exposed areas and air and pressure relief valve screens
is suggested.
3.6.4 Distribution System Mains and Appurtenances
Distribution mains convey water from the transmission main to service lines and typically are less
than 24 inches in size. These mains are located within the service area and are rarely exposed at
ground level. However, access to the distribution mains can occur at numerous locations such as fire
hydrants, air-relief valves, storage or surge tanks, pump stations, pressure-relief valves, and service
connections within buildings. Access through fire hydrants and other appurtenances described above
provides a potential means of contaminating particular service areas. Because of the lack of control
and the inability to secure the different components, the distribution system is considered to be the
most vulnerable part of a water system.
3.6.4.1 General Considerations
In general, the following operational considerations apply to distribution systems and their
appurtenances. Note that most of these items are often part of industry-standard practices for utility
O&M programs.
Basic
• Protective covers for all appurtenances, secured at all times
• Development of an emergency isolation and flushing protocol for the distribution system
• Development of a disinfection and testing protocol for distribution system pipelines
• Maintenance of a replacement part inventory for critical pipeline appurtenances and a
replacement pipe inventory or a standing, guaranteed contract for emergency delivery
Advanced
• Locking covers for fire hydrants installed in coordination with fire departments
• Backflow devices on appurtenances to reduce the potential for intentional or accidental back
siphoning into the distribution system
3.6.4.2 Construction Meters
Utilities often maintain little or no control over construction meters used by contractors throughout
the distribution system. Construction meters provide direct access to the water distribution system
and, in uncontrolled situations, can create confusion over authorized use areas. Some of the effective
operations approaches that have been used by utilities include the following:
Basic
• Installation of all construction meters by the utility and tracking of the locations of current meters
installed.
• Use of Reduced Pressure Principle Devices (attached to construction meters) to prevent
accidental contamination from backflow into the water system.
• Inspection of construction meter activities on a routine basis to promote compliance with utility
requirements.
• Establishment of standard points of use and possible establishment of water stations controlled
by the utility for contractor supply.
• Use of utility personnel, other local government employees, law enforcement, and
"Neighborhood Watch" groups to maintain vigilance with respect to permitted construction
meters. Section 3.6.5, "Increased Awareness," provides additional discussion on such approaches.
Advanced
• Implementation of "construction meter" program elements developed by utilities that have
implemented comprehensive security programs. These elements include 1) regulating the
issuance of such meters, 2) controlling access to hydrants for construction use through a permit
program, 3) inspecting and approving all permittee equipment to be used to connect to utility
infrastructure, and 4) establishing a labeling system for permittee's equipment that clearly
identifies the equipment that may be connected to utility infrastructure.
3.6.4.3 Meters
Most utilities in the United States meter the finished water delivered to residential and commercial
customers. In areas of the United States where freezing temperatures are common, water meters are
often located inside and openly accessible to the occupant. Locking lids on water meters can provide
greater security. Operational security considerations for water system meters are limited to adding
locking lids to meters. In addition, the implementation of industry-standard practices for utility O&M
programs, which include meter testing and replacement, is important in enhancing the security of a utility.
3.6.4.4 Backflow Prevention Devices
Utilities have routinely practiced backflow prevention on industrial and commercial facilities that
pose a risk to the domestic water system. Residential meters have not traditionally been
backflow-protected because they have been considered to be low risk to water systems and because of
the high cost of implementing an effective program.
Most state drinking water programs have regulations in place with regard to cross-connection
control. Utilities should be, and should continue to be, in compliance with state and local cross-
connection regulations. Those that are not in compliance need to enforce these regulations to protect
one of the most vulnerable areas of the water systems.
Another operational security consideration for backflow protection is the continued use of an
industrial/commercial backflow protection program. This program employs the appropriate types of
devices for the annual inspection of high-risk applications. Implementing industry-standard practices
for utility O&M programs that include cross-connection surveys and backflow prevention programs
is critical in enhancing the security of a utility.
3.6.4.5 Valves
Multiple types of valves for various purposes are found in a distribution system. These include:
• air/vacuum-relief valves
• butterfly valves
• check valves
• control valves
• diaphragm valves
• gate valves
• globe valves
• needle valves
• pinch valves
• plug valves
• pressure relief valves
The value of system valves is their function in operating the system, especially in the event of an
emergency. Valves serve many purposes, including regulating or shutting off flow, releasing pressure
or air, allowing air to enter the system, preventing flow reversals, separating zones of different
pressures, and regulating tank levels. Most valves do not present an avenue for introduction of
contaminant into the distribution system; however, due to their criticality in system operations, their
proper operation is of utmost importance, especially when trying to isolate sections of the system
during emergencies. Operational security considerations for valves include:
• Routine exercise and replacement programs for water distribution system line valves
• Maintenance of a replacement inventory for critical valves
3.6.4.6 Hydrants
Fire hydrants are typically located at street intersections or intermediate points. Hydrants provide
adversaries the opportunity to introduce large volumes of contaminant directly into the distribution
system. As mentioned above, the implementation of industry-standard practices for utility O&M
programs that include the inspection and testing of hydrants is important in enhancing the security of
a utility.
3.6.4.7 Blow-offs
Blow-offs are small diameter pipes (2 to 4 inches) extending from mains to above the ground surface.
Used to flush water mains where there is not a hydrant, they often are located at distribution system
dead ends and at low points for sediment removal. Blow-offs are direct points of access for injection
of contaminants into the distribution system; therefore, they are to be inspected periodically for
tampering and to examine the condition of their screens.
3.6.4.8 Access and Inspection Hatches
Access hatches and vaults are part of most assets of a distribution system such as large mains, storage
tanks, and pump stations. These vaults are secured either by padlocks or bolts. At a minimum,
utilities could harden these access points with better locks and inspect them on a regular basis.
3.6.4.9 Service Lines
Ranging in size, service lines convey water from distribution mains to the customers. Because they
are connected to the customers' piping, they provide a point of access into the distribution system.
This access can occur at the customer meters or taps, providing an intentional or unintentional source
of contamination of the water system. Unintentional contamination can occur through cross-
connections. Residential customers may have cross-connections from chemical dispensers on garden
hoses, water softeners (drain connected to sewer), sprinkler systems, submerged garden hoses (such
as filling a pool or hot tub) or taps (particularly those extended with hoses), etc. Commercial
customers may have cross-connections at chemical vats and laboratory washing equipment, for
example. Intentional contamination can occur using commonly available equipment to exceed service
pressures and pump contaminant into the distribution system.
3.6.4.10 Sample Taps
Sample taps for water quality monitoring are located at various locations within the distribution
system, sometimes next to fire hydrants and within pump stations, buildings, storage tanks, and
vaults. Operators can check the locks of the sampling station boxes or vaults to determine whether
there has been tampering.
3.6.5 Increased Awareness
Increased public awareness of water distribution system operations is an effective way to increase the
utility's knowledge of unauthorized activities and potential malevolent acts. The two primary groups
that can be effectively engaged in this process are utility employees and the public.
3.6.5.1 Employees
Given that distribution systems are underground and can cover wide areas, it is impossible to
constantly monitor a distribution system. Consequently, it is important to rely upon the utility staff to
be cognizant of anomalies that may indicate a breach of security in the distribution system or
pumping stations. While traveling along daily routes or from job to job, employees should take notice
of any security discrepancy. Any persons or equipment, other than those of the utility or utility
contractors, around water facilities should raise suspicion and be reported according to standard
operating procedures.
In addition to utility employees monitoring the security of the distribution system, management
should work with other local government departments and agencies to train their employees to be
aware of any unauthorized entry into water system vaults or pump stations, or tampering with fire
hydrants. In addition to the police, refuse haulers and road crews can also be made aware of water
system security because of their frequent travels across a municipality.
3.6.5.2 Public
Given the large number of points of entry to a water distribution system, heightened awareness by
the public is valuable for identifying unauthorized access to these systems. Water utility managers
should work with those involved in community policing programs, such as Neighborhood Watch, to
educate citizens on distribution system security. Identification of unauthorized tapping of fire
hydrants, vandalism, and open or damaged fences and hatches should be reported. Individuals who
note suspicious behavior and know how to contact the authorities can act as a deterrent and
significantly reduce the risk to the system. In areas of low visibility or in remote areas, however,
installation of fire hydrant locks and anti-theft devices, in coordination with the local fire
departments, is recommended.
3.7 Support Services Facilities
Support service facilities include maintenance shops, warehouses, and storage facilities;
administrative offices; fleet; and laboratories.
3.7.1 Maintenance Shops, Warehouses, and Storage Facilities
Utility maintenance facilities provide a central location for the utility to conduct routine repair and
maintenance of equipment. Especially critical maintenance facilities include ones that store the
various chemicals discussed above and large amounts of fuels such as gasoline, diesel, natural gas, or
propane. For large facilities, temporary use of security guards during emergencies should be an
option.
Similarly, warehouse facilities are used to store supplies for utility operations. These facilities serve
an important function for providing key supplies during emergency events. Loss of the utility
warehouse will impair the ability of staff to rapidly respond and correct system problems. Table 3-2
describes the potential threat and operational considerations for maintenance shops and warehouses.
TABLE 3-2
Maintenance Building and Warehouse Threat and Operational Considerations
Threat Type | Threat | Operational Considerations
Vandal | Malicious damage | Keep facility locked during non-working hours; employ intrusion alarm response protocol
Criminal | Equipment theft; injury to employees | Provide employee and visitor identification badges; lock tools in protected cages
Saboteur/Terrorist | Use of equipment or fuels to destroy or damage property | Establish emergency contracts with local businesses and suppliers; establish operational procedures to isolate and shut off fuel valves in maintenance buildings; post guards
Insider | Revenge, personal gain | Restrict access to maintenance buildings and warehouses
3.7.2 Administrative Offices
Utility administrative offices provide the business functions (e.g., human resources, billing, and
purchasing) that are required to keep the utility operating. The administrative offices contain
sensitive information about employees, customers, and utility operations. Many of the utility
administrative functions are not easily contracted out and need to be functional quickly after an
incident occurs. Table 3-3 describes the potential threat and operational considerations based on the
adversary type.
TABLE 3-3
Administrative Offices Threat and Operational Considerations
Threat Type | Threat | Operational Considerations
Vandal | Malicious damage | Keep facility locked during non-working hours; employ intrusion alarm response protocol
Criminal | Property theft; injury to employees | Provide employee and visitor identification badges; store sensitive documents in secure location
Saboteur/Terrorist | Destruction or disabling of utility operations; damage to revenue stream; injury to employees | Establish back-up locations to quickly restore business functions; isolate the management system and use third-party billing and collections; post guards
Insider | Revenge, personal gain | Restrict access to sensitive documents and areas
3.7.3 Fleet
The utility fleet typically includes personal vehicles (e.g., trucks and cars) and large construction
machinery (e.g., backhoes and tractors) that are critical for routine operations and emergency
response. Although the utility fleet is an essential component for operations, in most cases, local
businesses can supply short-term rentals in the case of emergencies. Table 3-4 describes the potential
threat and operational considerations for the four types of outsider threat.
TABLE 3-4
Fleet Vehicle Threat and Operational Considerations
Threat Type | Threat | Operational Considerations
Vandal | Malicious damage | Keep facility locked during non-working hours; employ intrusion alarm response protocol
Criminal | Property theft; injury to employees | Provide employee and visitor identification badges; lock vehicles in protected compound; install geographic positioning system (GPS) tracking in vehicles
Saboteur/Terrorist | Disruption of ability to operate and respond; injury to employees | Establish emergency contracts with leasing companies; post guards
Insider | Revenge, personal gain | Restrict access to vehicle keys; install GPS tracking in vehicles
3.7.4 Laboratories
Water quality and process laboratory facilities provide operational and regulatory testing for the
utility. These facilities are considered to be less critical because the work can sometimes be
outsourced to contract laboratories on a short-term basis, if needed. Security considerations for
laboratories include those listed below.
3.7.4.1 Basic
• Use a chemical receipt log that indicates the name of chemicals received and the name of the
person to whom the chemical is released.
• Create and maintain an inventory of chemicals kept at the laboratory.
• Remove chemicals that are consumed in process, disposed of, or shipped from laboratory inventory
logs.
• Secure laboratory reagents and limit access only to authorized personnel.
• Store highly toxic materials and hazardous materials in locked cabinets, freezers, or refrigerators.
This applies to sodium cyanide, potassium cyanide, arsenic compounds, select agents, and other
materials that may be readily recognizable as poisons.
• Limit the number of staff that are authorized to purchase chemicals and supplies.
• Establish arrangements with other laboratories to be used in situations where the utility's lab
does not have a certain analytical capability, is overloaded with work, or is unable to provide
service. Maintain an up-to-date list of other laboratories and the types of analyses performed.
3.7.4.2 Advanced
• Limit the amount of chemicals that are stored at the facility.
• Protect laboratory gas cylinders, service and spare, in a secure wire mesh cage.
• Limit the amount of chemicals that suppliers can provide at one time.
• Establish a secondary location at the treatment facility for conducting process control-related
analysis.
• Consider the use of RFID tags for valuable instrumentation such as the gas chromatograph/mass
spectrometer.
SECTION 4
Design Considerations for Developing Physical Security at New Facilities and Retrofits
[Section roadmap graphic: Management: Optimizing Physical Security; Operations: Enhancing Physical Security; Design: Developing Physical Security; Cyber Security; Physical Security Equipment]
• Understand water system security design
• Apply Crime Prevention Through Environmental Design strategies
• Consider appropriate measures based on Design Basis Threat
• Monitor water quality
• Evaluate specific measures based on facility type
4.1 Overview
The objective of this section is to provide guidance that enables water utility decision-makers and
designers to develop secure sites and facilities. Because water systems cannot be made immune to all
possible attacks, system design needs to address issues of critical asset redundancy, monitoring,
response, and recovery to minimize risk to the utility. All public water supplies can identify and
address security needs in the design and construction of new projects and retrofits of existing
systems.
The considerations presented in this section are for the purpose of increasing security and reducing
risk, and are applicable to designs of new facilities, water infrastructure upgrades, expansions of
existing infrastructure, and retrofitting of existing infrastructure. This section addresses the delay and
denial protective measures that should be coupled with detection and assessment technology.
Attacks targeting command, communications, and control systems, referred to as cyber attacks, are
addressed in Section 5, "Cyber Security Management, Operations, and Design Considerations,"
although physical attacks by those adversaries to gain access to the facilities housing cyber systems
can be protected against using measures described in this section.
The significant capabilities of an adversary pose challenges to any security system. Though complete
protection against an attack may not be achievable, actions taken to lessen the effects of an attack can
significantly reduce the damage caused by less capable adversaries.
4.2 Security System Design
Criteria for the design of security systems are based on identification of critical assets that may
become potential targets and the threats related to those assets. The vulnerability assessment
characterizes and prioritizes those assets that may be targeted, evaluates where they are vulnerable
to attack and how they are currently protected, and considers the consequences of a successful attack.
The threat assessment determines which threats are credible and likely against a particular asset.
Identification and characterization of assets is based on consideration of the mission and the
resources required for performance. For example, an administration building may house a number of
different types of assets: people, records, money, tools, keys, computers, controls, and security or
process monitoring systems. Once the assets have been identified, they can be characterized (i.e., their
characteristics described with respect to their attractiveness to various types of adversaries) and
prioritized based on their criticality. For example, records, money, tools, and computers may be most
attractive to criminals interested in theft; security and utility monitoring systems may be more
attractive to saboteurs and terrorists interested in compromising the system to accomplish their
objectives.
This section provides a number of key design considerations and criteria to be used when designing a
security system for large, medium, and small water utilities. Design considerations are divided into
Basic and Advanced categories, with future considerations included where applicable. It includes
information about the criteria used to evaluate designs as well as recommendations for the design
team based on threat level and adversary.
4.2.1 Design Team Requirements
The utility should consider including design team members with demonstrated knowledge of, at a
minimum, the following methods of protecting a facility:
• Securing the site perimeter.
• Regulating the avenues of approach to the building through the use of architectural design
elements such as barriers and obstacles.
• Creating sufficient setback.
• Building hardening to mitigate potential blast damage.
• Using progressive collapse mitigation measures.
• Addressing envelope security: appropriate openings, hardware, and site flow.
• Applying HVAC mitigation measures versus the risk associated with chemical, biological, and
radiological threats.
• Protecting utility systems (indoor and outdoor) from intentional or unintentional damage,
tampering, and accidents. This also includes safeguarding communications systems so they can
be used in an emergency.
• Controlling building access by using barriers, keys, keypad systems, access cards, smart cards, or
biometrics, as appropriate.
• Protecting high-risk spaces within the building, such as hazardous material storage rooms,
loading docks, and laboratories.
4.2.2 Basic Design Considerations - "10 States Standards"
Utilities may want to consider applying the following water system security design guidance taken
from the "Recommended Standards for Water Works" developed by the Great Lakes - Upper
Mississippi River Board of State and Provincial Public Health and Environmental Managers. This
document, which is also known as the "10 States Standards," may be considered an industry
standard that utilities can implement to potentially limit liability.
• Security should be an integral part of drinking water system design. Facility layout should
consider critical system assets and the physical security needs for these assets. Requirements for
submitting, identifying, and disclosing security features of the design, and the confidentiality of
the submission and regulatory review should be discussed with the reviewing authority.
• The design should identify and evaluate single points of failure that could render a system
unable to meet its design basis. Redundancy (geographically separated) and enhanced security
features should be incorporated into the design to eliminate single points of failure when
possible, or to protect them when they cannot reasonably be eliminated.
• Critical components that comprise single points of failure (e.g., high volume pumps) that cannot
be eliminated should be identified during design and given special consideration. Consideration
should be made to ensure effective response and timely replacement of critical components that
are damaged or destroyed. Design considerations should include component standardization,
availability of replacements and key parts, re-procurement lead times, identification of suppliers,
and secure retention of component specifications and fabrication drawings. Readily replaceable
components should be used whenever possible and provisions should be made for maintaining
an inventory of critical parts.
• Human access should be through controlled locations only. Per the 10 States Standards, intrusion
deterrence measures (e.g., physical barriers such as fences, window grates, and security doors;
traffic flow and check-in points; effective lighting; and lines of sight) should be incorporated into
the facility design to protect critical assets and security sensitive areas. Effective intrusion
detection should be included in the system design and operation to protect critical assets and
security sensitive areas. All cameras and alarms installed for security purposes should include
monitors at manned locations.
• Vehicle access should be through controlled locations only. Physical barriers such as moveable
barriers or ramps should be included in designs to keep vehicles away from critical assets and
sensitive areas. It should be very difficult for a vehicle to be driven either intentionally or
accidentally into or adjacent to finished water storage or critical components without facility
involvement. Designated vehicle areas such as parking lots and drives should be separated from
critical assets with adequate standoff distances to eliminate or minimize impacts to these assets
from possible explosions of material carried in vehicles.
• Sturdy, weatherproof, locking hardware should be included in the design of access for all tanks,
vaults, wells, well houses, pump houses, buildings, power stations, transformers, chemical
storage, delivery areas, chemical fill pipes, and similar facilities. Vents and overflows should be
hardened through use of baffles or other means to prevent their use for the introduction of
contaminants.
• Computer-based control technologies such as SCADA should be secured from unauthorized
physical access and potential cyber attacks. Wireless and network-based communications should
be encrypted as deterrence to hijacking by unauthorized personnel. Vigorous computer access
and virus protection protocols should be built into computer control systems. Effective data
recovery hardware and operating protocols should be employed and exercised on a regular basis.
All automated control systems should be equipped with manual overrides to provide the option
to operate manually. The procedures for manual operation, including a regular schedule for
exercising and ensuring an operator's competence with the manual override systems, should be
included in facility operation plans.
• Per the 10 States Standards, real-time water quality monitoring with continuous recording and
alarms should be considered at key locations to provide early warning of possible intentional
contamination events.
• Facilities and procedures for delivery, handling, and storage of chemicals should be designed to
minimize the chance that chemicals delivered to and used at the facility can be intentionally
released, introduced, or otherwise used to debilitate a water system, its personnel, or the public.
Particular attention should be given to potentially harmful chemicals used in treatment processes
(e.g., strong acids and bases, toxic gases, and incompatible chemicals) and on maintenance
chemicals that may be stored onsite (e.g., fuels, herbicides, paints, and solvents).
In designing physical protection systems, it is important NOT to interfere with life safety,
occupational safety, and fire protection provisions. Security systems can be balanced with and
complementary to other design criteria and requirements as well as the overall operability and
maintainability of the water system.
4.2.3 Balanced Approach to Security System Design
When developing a security design, it is important that a balance between hardware and procedural
elements be adopted. A balanced approach would consider the following:
• To be effective, physical protection (doors, alarms, cameras, etc.) should also include policies and
procedures designed to keep the physical protection systems functioning as intended. For
example, an alarm system on doors does little good if the doors are routinely propped open.
• As discussed in Section 2, "Management Considerations for Enhancing Physical Security," and
Section 3, "Operational Considerations for Enhancing Physical Security," security policies and
procedures can be cost-effective in reducing risk.
• Without staff commitment to the security program, the program will not be effective.
4.2.4 Layers of Protection
Layered security systems are essential. They are built on the "protection in depth" principle, which
requires that an adversary defeat several protective barriers or security layers to accomplish its goal.
In addition, balanced protection implies that no matter how an adversary attempts to accomplish his
goal, he will encounter effective elements of the physical protection system.
For example, as depicted in Figure 4-1, an effective security layering approach requires that an
adversary penetrate multiple, separate barriers to gain entry to a critical asset at a water facility.
Protection in depth helps to ensure that the security system remains effective in the event of a failure
or an adversary bypassing a single layer of security. If funding is a limitation, utilities can add
multiple layers as funds are available to increase security at each critical asset.
For each facility, multiple layers of security protection should be considered. To provide multiple
layers, perimeter intrusion detection methods should be placed at the outer edges of the asset
boundary, and delays should be located as close to the edge as possible. In this way, the security
system can generate an early alarm in the event of intrusion of a facility, while delaying an adversary
as it attempts to reach the intended target.
The layered approach starts with the outer perimeter of the facility and goes inward to the facility
site, the buildings, structures, other individual assets, and finally to the contents of those buildings,
structures, and assets. Approaching security in this manner allows utilities to incorporate additional
layers of physical security to match the threat that may be associated with specific assets at the
facility. For example, the perimeter of the facility typically includes the fence and access gates that
surround the site. The perimeter is considered the first line of the physical security system that,
through operational practices, can be sufficient for basic, low-level threats such as vandals.
The site is the area between the perimeter and the buildings, structures, and other individual assets.
This open space provides a unique opportunity for early identification of an unauthorized intruder
and initiation of early response. This space is used to calculate the standoff distance, that is, the
distance from the outside perimeter (the public areas) to critical facilities or buildings inside the
perimeter (the restricted access area).
[Figure 4-1: Security Layers. Legend: Site Perimeter (Perimeter Fence, Landscaping, Vehicle Barriers, Secured Gate, Signage); Inner Perimeter]
TABLE 4-1
General Considerations for Physical Security at a Water Facility
Threat Type | Perimeter | Site | Building Envelope | Building Systems
Vandal | Fencing with barbed wire; locked gates; No Trespassing signage | Clear zone; standoff distance; illuminated site areas with 6:1 light-to-dark ratio | Key-locked buildings 24/7; illuminated building exterior; door ajar status alarm monitoring | Vandal-resistant materials, such as composite plastics, lights with low-profile lenses, locks, cages
Criminal | In addition to the above: well-lit parking areas | In addition to the above: emergency telephones | In addition to the above: signage that does not describe assets; visitor waiting area; facility access control; CCTV at vehicle gate; CCTV at building entrances | In addition to the above: bars on windows; security deadbolts on door locks; shatter-resistant glazing on glass
Saboteur/Terrorist | In addition to the above: increased fence height; perimeter vehicle barriers; increased CCTV at site perimeter | In addition to the above: increased standoff distance; secondary fencing around assets/facility; vehicle inspection entry with guard house and sally port; CCTV at vehicle inspection entry; secured utility connections | In addition to the above: turnstile personnel entry; motion-activated lighting; area presence sensors; increased CCTV at building perimeter; CCTV at building interior | In addition to the above: forced-entry resistant materials; bomb-resistant glazing and door materials; blast walls at large windows and entrances; protected HVAC intakes
4.2.5 Cost Implications
Utilities, like most organizations, are required to use their financial resources wisely. This section
focuses on the considerations for effectively applying a utility's resources on security.
4.2.5.1 Threat Levels versus Cost
Threats are described based on type of adversary and severity of attack; anticipated tactics (such as a
theft or moving vehicle bomb); weapons, tools, explosives, and/or contaminant agents; and
likelihood of attack. Protective measures against high-level threats may (or may not) provide
sufficient protection against low-level threats, but utilities may want to consider all types of threats
during a threat assessment because the protective measures may differ for each type of threat
regardless of severity level. The summation of this information is referred to as the Design Basis
Threat (DBT). The DBT provides the information needed to design a physical protective system to
detect and delay an attack for the most probable adversary.
The vulnerability assessment considers the routes and means used to attack and to protect the asset
from attack. A vulnerability assessment may consider features and effectiveness of existing facilities
or, as a design tool for new facilities, may consider how access can be gained to an asset, how the
asset may be compromised or destroyed, and similar considerations. The consequences of a
successful attack can also be considered when weighing the cost and impact of implementing
appropriate physical protective measures. For example, if vandals using spray paint is the DBT, it
may be costly to replace existing building finishes with materials that resist paint adhesion. If the
likelihood of the attack is low and consequences minimal (i.e., no loss of life, no mission disruption,
nor depletion of functionality anticipated after spray painting the building walls), the utility may
determine that the consequences do not justify the investment to address that DBT. In another
example, a successful theft may be disrupted after removal of the asset but before the thief
successfully escapes the site. This allows the delay factor to include "getaway" time as long as the
asset is still intact when the adversary is apprehended.
Identification of the DBT for a facility/asset/organization is an important management decision that
requires the input of various operational and management level personnel. The DBT has a potentially
significant impact on the cost and complexity of a security program that supports the utility's
mission.
4.2.5.2 Ensuring Security Investments are Effective
Typically, developing a vulnerability assessment involves defining a list of vulnerabilities and
potential improvements, ranked according to the potential risk. When presented with this list,
utilities contemplate what level of protection is acceptable and how many of the recommendations to
implement. In prioritizing security investments, utilities typically attempt to balance the external
demand for security with the limited internal resources available to implement security measures. In
addition to the legal considerations described in Section 1, "Introduction," there are other
considerations that may be addressed in answering this question.
A cost-benefit analysis can be performed for security improvements, as is commonly done for other
engineering alternative evaluations. A cost-benefit evaluation is most robust if benefits can be readily
quantified, and it is less effective when benefits are not easily converted to monetary terms. For
example, the cost of improvements in physical security (such as improved locks, alarms, and fencing)
can be compared to the value of avoided vandalism damages, yet it is difficult to quantify the value
of lives saved.
Security improvements can also be prioritized by comparing the cost to implement a security
measure against the degree of risk reduction that the measure would provide. For risk assessment
methodologies such as RAM-W™, the amount of risk reduction can be expressed numerically by
determining the risk score for an asset before and after the proposed security improvement. A cost-
to-risk-reduction curve can be generated (as shown in Figure 1-5), and a determination can be made
as to the measures that should be implemented by identifying the "knee of the curve," or the point at
which the risk reduction associated with implementing additional costly security measures becomes
marginal.
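The cost-to-risk-reduction ranking and knee-of-the-curve selection described above, worked through as an added example (not part of the original guidance). The measure names echo this section, but the costs and before/after risk scores are constructed values, not RAM-W outputs; treating risk reductions as additive and taking the knee as the point farthest above the straight line joining the curve's endpoints are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    cost: int          # implementation cost in dollars (constructed)
    risk_before: int   # asset risk score before the measure, 0-100 (constructed)
    risk_after: int    # asset risk score after the measure, 0-100 (constructed)

    @property
    def reduction(self) -> int:
        return self.risk_before - self.risk_after


# Constructed sample data; not taken from the guidance or from any assessment.
MEASURES = [
    Measure("Crash-resistant vehicle barriers", 400_000, 40, 35),
    Measure("Perimeter fence and signage", 40_000, 70, 45),
    Measure("Key control and alarm response procedures", 5_000, 60, 50),
    Measure("Blast-resistant glazing", 600_000, 35, 32),
    Measure("Door status switches", 15_000, 55, 43),
    Measure("CCTV at vehicle gate and entrances", 80_000, 45, 37),
    Measure("Site lighting", 30_000, 50, 40),
]


def rank(measures):
    """Order by risk reduction per dollar, best first; drop measures that reduce nothing."""
    useful = [m for m in measures if m.reduction > 0]
    return sorted(
        useful,
        key=lambda m: m.reduction / m.cost if m.cost > 0 else float("inf"),
        reverse=True,
    )


def curve(ranked):
    """Cumulative (cost, risk reduction) points, starting at the origin."""
    points = [(0, 0)]
    for m in ranked:
        cost, reduction = points[-1]
        points.append((cost + m.cost, reduction + m.reduction))
    return points


def knee_index(points):
    """Index of the point farthest above the chord from the first to the last point.

    Both axes are normalised to 0..1 so dollars and risk points are comparable.
    A straight-line curve has no knee, so every measure is kept in that case.
    """
    (x0, y0), (x1, y1) = points[0], points[-1]
    if x1 == x0 or y1 == y0:
        return len(points) - 1
    best_i, best_gap = 0, 0.0
    for i, (x, y) in enumerate(points):
        gap = (y - y0) / (y1 - y0) - (x - x0) / (x1 - x0)
        if gap > best_gap:
            best_i, best_gap = i, gap
    return best_i if best_gap > 1e-9 else len(points) - 1


def select(measures):
    """Return (measures up to the knee, measures past it, knee point)."""
    ranked = rank(measures)
    points = curve(ranked)
    k = knee_index(points)
    return ranked[:k], ranked[k:], points[k]


if __name__ == "__main__":
    funded, deferred, knee = select(MEASURES)
    print(f"Knee of the curve: ${knee[0]:,} buys {knee[1]} points of risk reduction")
    for m in funded:
        print(f"  implement  {m.name:45s} ${m.cost:>9,}  -{m.reduction}")
    for m in deferred:
        print(f"  marginal   {m.name:45s} ${m.cost:>9,}  -{m.reduction}")
```

With these constructed figures the knee falls after the first five measures ($170,000 for 65 of the 73 available points of risk reduction); the vehicle barriers and blast-resistant glazing sit on the flat part of the curve.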
Reducing all components of a water system's risk in the case of a terrorist attack to low is, therefore,
not practical. Rather than attempt to reduce all risks to low, the utility would be better served by
implementing improvements that reduce risk to all critical facilities to medium. The resources saved
could be used to improve response in the case of an event. Thus, protection of the water system
mission could be strengthened by a combination of physical protection improvements to prevent an
attack and improved response, helping to ensure continued delivery of quality water in the event of
an attack.
A utility may choose to implement a security plan over multiple years, depending on funding
demands and current revenues. Utility management teams need to develop an implementation plan
that fits the projected financial conditions relative to the timeframe chosen for implementation.
Implementing security policies and procedures such as background checks, key control, and alarm
response procedures is usually relatively low in cost and is often done first as part of a holistic
approach. When designing physical security for a new facility or a facility retrofit, improvements can
be prioritized in the following order, working from the outside perimeter to critical assets: perimeter
(e.g., fence, signs), site (e.g., additional lighting, video surveillance for alarm assessment), facility
(e.g., buildings and valve vaults with locks, alarms, and motion sensors), video surveillance for alarm
assessment, and building systems (e.g., to fix glass doors and windows, install tamper-resistant door
hardware).
4.3 Crime Prevention Through Environmental Design
Crime Prevention Through Environmental Design (CPTED) strategies deter crime by reducing the
opportunity to commit crimes, the likelihood that a crime will occur, and fear of crime generated by
experience related to certain environmental conditions. Deterrence is typically not considered in
vulnerability assessment methodologies such as RAM-W™, but deterrence can be a method to reduce
risk. The concepts embodied in CPTED strategies may be applied to all facilities, regardless of specific
threats, resulting in enhanced security as an integral part of design. Because CPTED strategies may be
widely and cost-effectively implemented as prudent measures regardless of specific threats, they
should be considered among the basic design considerations for new, upgraded, and expanded water
facilities of any size. CPTED strategies can be considered within the following four categories:
• Access control. Physical guidance of vehicles and people going to and coming from a space
through judicious placement of entrances, exits, landscaping, lighting, and control devices (e.g.,
guard stations and turnstiles).
• Territorial reinforcement. Physical attributes that express ownership, reinforce territoriality,
and designate a gradient from public to restricted spaces. Examples include natural markers
(landscaping, choke points), symbolic markers (signage, stickers), physical barriers (fences), and
procedural barriers (receptionist, guard).
• Surveillance. The placement of physical features, activities, vehicles, and people to maximize
visibility by others during their normal activities. Surveillance may be natural or electronic,
informal (office windows placed to facilitate surveillance of entry roads) or formal (continuous
monitoring).
• Image and maintenance. Vigilant site and facility maintenance indicates that the space is being
used and regularly attended to, and possibly occupied. Proper ground maintenance also sustains
surveillance. Image and maintenance activities are most often related to management and
operations rather than design.
The following CPTED strategies should be considered for the design of water system facilities. As
with the other strategies in this document, each should be evaluated for its specific applicability to a
utility's needs before implementation.
4.3.1 Perimeter CPTED Strategies
• Provide outside access via no more than two designated and monitored entrances.
• Position all pedestrian entrances next to vehicle entrances.
• Control access with fences, gates, and/or attendants (guards).
• Provide sufficient lighting at all entrances.
• Create gateways or formal entrances delineated by plantings, different paving materials, fencing,
and gates to separate public areas from controlled areas.
• Define vehicle entrances by different paving materials and signage.
• Avoid opaque fencing, landscaping, and walls that might provide hiding places along the
perimeter.
4.3.2 Site CPTED Strategies
• Avoid dead-end driveways and pathways.
• Provide outside access to both the front and back of buildings to facilitate patrols.
• Provide close-in parking spaces for third-shift workers.
• Restrict access to roofs from adjacent buildings, dumpsters, loading docks, poles, and ladders.
• Place approach and parking so as to be visible by building occupants, especially from a reception
area (if one is planned), operations center, and/or guard shacks.
• Use walls only where necessary; consider stretched aircraft cable as an alternative for maximum
visibility.
• Prevent creation of hiding places (e.g., blind pathways or storage yards).
• Plan storage yards for visual and/or vehicular access by patrol cars and/or facilities staff, but
limit access to personal vehicles.
• Use landscape plants that mature within the available space and do not obstruct light fixtures.
• Use plant materials that prevent easy passage as boundary delineators (e.g., crown of thorns and
other thorned shrubs, hollies, and Spanish bayonet).
• Include highly visible, appropriate signage, but do not describe the asset or facility function on
the signs. Use building numbers rather than names that could identify potential asset locations.
4.3.3 CPTED Strategies for Building Envelope and Other Structures
• Design entrances to be well-lit, well-defined, and visible to public areas, facilities staff, and/or
patrol vehicles.
• Place elevators close to main entrances. The entire interior of the elevator should be in view from
the entrance when the doors are open; in addition, the entire entrance should be visible from the
interior of the elevator.
• Design stairways to be visible without solid walls.
• Position all employee entrances next to employee parking.
• Position restrooms to be observable from nearby offices or work areas.
• Design interior windows and doors to provide visibility into hallways.
4.4 Recommendations by Threat Level
The measures discussed in this section can provide specific and measurable results if implemented as
part of a comprehensive physical protection system. As noted, detection, delay, and response are the
basic elements of a physical protection system. This section addresses those physical security
elements that support detection (such as fencing that delineates a boundary at which detection is
provided) and delay or prevent the attack through application of target-hardening enhancements.
This section recommends protective measures that may be most appropriate for the specific threats
identified in Section 1: vandal, criminal, saboteur, and terrorist.
The measures indicated within this section were selected based on minimum measures being
implemented for many federal facilities, including Department of Defense (DoD), Department of
State (DoS), and General Services Administration (GSA) facilities. They relate to assumed threats
such as stationary vehicle bombs carried in trucks parked near targeted facilities, various levels of
forced entry, and ballistics threats. In addition, some recommended measures were developed from
the following: The Design and Evaluation of Physical Protection Systems by Mary Lynn Garcia and
course materials presented in the "Physical Protections Systems Training Course," offered by
CH2M HILL.
These measures are listed as general guidelines. The specific DBT for a facility affects the
implementation or selection of these measures, which in turn impacts implementation cost. For
example, a minimum 25- or 50-foot standoff distance from an asset is included as a default distance
where space allows. For high threat levels (very large quantities of explosives), this distance may be
insufficient; for extremely low quantities of explosives, such as what can be carried by a pedestrian or
bicyclist, a lesser standoff distance is possible. Explosive threats require specific design to balance
standoff distances (the least costly means of increasing survivability of structures against blast
threats) with hardening of construction assemblies.
The following considerations are in addition to those listed in the section above on CPTED strategies.
These protective measures are considered design and construction enhancements that "harden"
facilities to resist various types of attacks. Because the threats are in order of severity, protective
measures listed for each lower-level threat are not repeated for the higher-level threats but assumed
to be considerations for the higher levels as well. Figure 4-2 depicts the recommendation that the
design of all water facilities include CPTED strategies, and that for increasing threats additional
considerations are recommended to be added to the design.
[Figure 4-2 diagram. Labels: All designs; Designs for vandal threats; Designs for criminal threats; Designs for saboteur threats. Countermeasures against vandal threats (Section 4.4.1); Countermeasures against criminal threats (Section 4.4.2); Countermeasures against saboteur threats (Section 4.4.3); Countermeasures against terrorist threats (Section 4.4.4).]
FIGURE 4-2
Recommendations for Progressive Design Consideration
4.4.1 Countermeasures Against Vandal Threats
Vandals typically use basic hand tools, such as pliers, wire cutters, hammers, crowbars, and baseball
bats, to gain access to assets. They may also damage facilities using fire crackers, fuel to start fires,
improvised incendiary devices (IIDs), and spray paint. To prevent vandals from accomplishing their
objectives, numerous materials, assemblies, and components have been developed for areas that
attract significant vandalism and graffiti. These vandal-resistant items include:
• Composite plastics that resist graffiti, shattering, and scratches
• Lights with low-profile lenses or recessed lenses
• Security cameras and equipment
• Switches and controls
• Locks
• Valves
• Cages or other protective fittings
In addition to implementing vandal-resistant materials and components, the following physical
protection measures can be considered.
4.4.1.1 Perimeter Zone
• Provide 6-foot perimeter fencing with three-strand
barbed wire and break-away stanchions. Consider
high-quality fencing, but it does not have to be
specifically rated for vehicle crash-resistance.
• Establish a 25-foot minimum (preferably 50-foot or
greater) standoff distance from perimeter fencing
to the facility structure.
• Establish an 8-foot clearzone region on either side
of fence. This should be an important consideration
of the landscaping design.
• Within the clearzone region adjacent to the fence,
there should be no planted material or landscape
feature that is taller than 24 inches or wider than 15 inches at full maturity.
• If visual screening of the facility is desired outside the fenced perimeter, provide appropriate
landscaping no closer than 10 feet from fence. Verify that vegetation at full maturity will not
provide climbing advantage to an adversary attempting to enter site property.
• Provide 12-foot double swing gates for vehicle access, manually opened (non-electric).
• Close entrance gates and lock with a shackle-protected padlock (as shown in Figure 4-3).
• Provide exterior shackle-protected padlocks that are weather resistant, with 4,500 lbs. of
resistance against pulling shackle attacks and resistant to 10,000 lbs. minimum pressure from bolt
cutter attacks.
• Post "No Trespassing" signage at appropriate intervals (a minimum of every 50 feet) on perimeter
fencing. Install signs that read "Trespassers Will Be Prosecuted" and "Video Surveillance." Follow local
municipal ordinances, and state and federal regulations in installing signs. Depending on the
diversity of the population, multi-lingual signs may be required. (Signs mainly serve as
deterrence to low-level threats such as vandalism.)
Tips for Small Utilities
If a particular facility experiences frequent acts of vandalism, consider renting and temporarily
mounting a small CCTV system. The camera images may then be shown to police and parents in the
area. In many cases, the troublemakers live nearby and will stop if the police confront them with
camera evidence. When the vandalism stops, the system may be removed and returned or used at
another site.
FIGURE 4-3
Example of a Tamper-proof, Shackle-protected Lock
[Figure 4-3 callouts, where legible: solid metal shroud (armored protection against bolt cutters); stainless steel bearing locking (protection against prying and hammering); triple-plated solid steel (three layers of plating for high resistance to rust and corrosion); high-security cylinder; reinforced interlocking construction for high impact resistance; fast and easy cylinder replacement to restore security.]
4.4.1.2 Site Zone
• For the standoff region between facility exterior and perimeter fence, use appropriate
landscaping vegetation, i.e., no taller than 24 inches or wider than 15 inches, with a density of less
than 15 percent of landscaped region at full maturity.
• No specific vehicle control measures are recommended because a locked main gate prevents
public vehicles from accessing site.
• Provide lighting in the site yard area between the facility and the fenced perimeter that is 1 foot-
candle, minimum.
• Provide lighting at entrance gates, roadway, and perimeter door entrances that is 2 foot-candles,
minimum.
• Provide a minimum light-to-dark illumination ratio of no greater than 6:1, and preferably 4:1, for
all lighting.
4.4.1.3 Building Envelope and Other Structures
• Lock exterior doors with a deadbolt cylinder keylock during business and after hours.
• Use hardened steel inserts on keylocks to protect plug face, shell, and sidebar, and for drilling
attack resistance.
• Provide facility exterior lighting that is 1 foot-candle, minimum.
• Locate door status switches at perimeter doors to monitor for door ajar and door forced-open
conditions. Use a high-security, balanced magnetic switch.
4.4.1.4 Building Systems
• Use non-removable bolts, hinges, screws, and other attachments to prevent removal of locks,
fittings, and other items that are attached to surfaces.
• For surfaces that may be subject to vandalism, use glazed concrete masonry units or glazed
ceramic tiles. Special vandal-proof tiles that look attractive but will not readily mark or scratch
are also available.
• Apply non-stick, non-mark polyurethane-based paints and coatings for internal or external
surfaces that are subject to graffiti.
• Use solvents specially designed to remove graffiti made using paint, lipstick, felt-tip pens, and
oil; solvents are available for easy-to-clean or untreated surfaces.
• Use rough-textured bricks, blocks, or rough concrete surfaces to resist damage. These could
present a challenge to vandals, although they are difficult to clean.
• Use climb-resistant cages around exterior ladders.
• Locate luminaires beyond reach, placing them on high posts or high on building walls.
• Locate lighting equipment away from hidden corners or behind buildings to discourage
tampering.
• Select lighting and other exposed equipment with scratch and vandal-resistant finishes that
prevent corrosion, bending and deforming, and with locked and/or concealed fittings and
controls.
• Consider shatter-resistant plastic materials such as polycarbonate instead of glass.
• Select exterior furnishings of strong, vandal-resistant construction that are free of easily removed
or projecting parts and are easily repaired. Anchor items to concrete if possible.
• Locate signs beyond reach, where possible and feasible.
• Use vandal-resistant plastics in illuminated bollards, light fixtures, and traffic lights.
• Locate pipes, valves, and other appurtenances that may be damaged behind sturdy fencing or
panels with tamper-proof fastenings.
• Use materials that are nonflammable.
4.4.1.5 Critical Assets
• Provide locked security cages around meters and exposed valves or fittings. Use vandal-resistant
locks.
• Fence the top of smaller site elements to completely enclose critical areas within the site.
• Provide status switch alarms on all hatches or vault covers to monitor for forced-open conditions.
4.4.2 Countermeasures Against Criminal Threats
The criminal threat includes weapons such as knives and handguns, as well as hand and power tools.
Because criminals' objective is stealth, power tools are unlikely to be employed except
by criminal threats that fall into the saboteur category. Criminals are generally assumed to be less
interested in creating damage than they are in obtaining an asset and leaving the crime scene
undetected. In addition to security systems considered to deter vandalism, consider the following.
4.4.2.1 Perimeter Zone
The measures that can be applied to the perimeter zone for a criminal threat are the same as those
that can be applied for a vandal threat (see Section 4.4.1.1, "Perimeter Zone").
4.4.2.1 Site Zone
• Provide emergency telephones throughout site, enabling staff to summon emergency help.
Another option would be to provide operations staff with panic buttons that immediately
summon emergency help when activated.
• Bury or otherwise protect conduits and wires carrying electric supply, telecommunications, and
alarm signals.
4.4.2.2 Building Envelope and Other Structures
• Minimize signage that may guide adversaries to specific asset locations. Refer to room numbers
rather than asset locations.
• Provide warning signs to restrict access, but avoid describing the asset or reason for the
restriction.
• Provide a waiting area for visitors.
• Provide a facility access control system that:
- Monitors perimeter openings (personnel doors, rollup doors, and roof hatches) and locked
interior doors for door ajar status.
- Establishes a primary entrance door and adds access control, a visitor intercom, and video
surveillance equipment.
- Identifies critical exterior circulation doors. These doors should be designated as access-
controlled doors and should be accessible only by employees. Access-control methods could
consist of adding key locks, keypads, or card readers with or without entering a personal
identification number (PIN) for entry.
- Designates remaining doors without exterior access control as exit-only. Exterior door
hardware from exit-only doors is removed. Appropriate exit hardware remains on the
interior side of the doors, allowing free egress under emergency conditions.
- Establishes a secure lobby area, with hardened doors capable of being activated by security to
go to "lock-down" mode.
• Consider adding layered access control to high-value areas within the facility (such as SCADA
rooms).
• Segment access control such that only employees requiring access to high-value areas are
permitted access, rather than all employees having access to all areas.
4.4.2.3 Building Systems
• Locate door locks a minimum of 40 inches from adjacent windows.
• Use single-cylinder dead bolt locks with minimum 1-inch throw on primary ground floor exits.
• Equip solid exterior doors with 180-degree door viewers.
• Minimize windows, including those in glazed entrance doors.
• Use shatter-resistant glazing materials.
• Use two locking devices on all windows.
• Consider installing bars or grilles inside windows.
• If the DBT includes the potential to threaten people with handguns, provide bullet-resistant
construction assemblies (e.g., walls, windows, and doors) in those areas. For example, provide
bullet-resistant prefabricated guard shelters, control rooms, or bill-paying booths for accounts
receivables areas.
4.4.2.4 CCTV Surveillance
• Provide CCTV camera system, with integration to security access control system. In an ideal
setup, CCTV video images would be viewed directly on the access control computer workstation
monitors, with alarm images called up and displayed automatically during security events using
a single program.
• Suggested Camera Locations:
Vehicle Gate: Provide a minimum of one color, fixed-position camera viewing each vehicle entrance
gate. Position camera to view car, driver, and vehicle license plate. Image target (incoming
vehicle) typically occupies a minimum of 25 percent of image scene.
Building Entrances: Provide a minimum of one color, fixed-position camera at each exterior door
viewing incoming personnel entering facility. Image target (entering personnel) to occupy minimum of
25 percent of image scene.
Tips for Small Utilities
When contemplating a small CCTV camera system at a remote site, consider cameras having [illegible]
hard disks which can store images locally at the site, reducing the need for costly cabling and
communications back to the security headquarters. During an alarm condition, these cameras can signal
the security or SCADA system that a security alarm event is occurring, and responders can view
and retrieve video onsite.
4.4.2.5 Critical Assets
• Locate critical assets and functions to the interior of facilities to maximize layers of delay between
access points and assets. The assets should be in view of areas occupied 24 hours per day
if possible.
• Locate critical assets and functions in areas of buildings where they may be difficult to find. For
example, locate control rooms or accounting areas away from lobby areas.
4.4.3 Countermeasures Against Saboteur Threats
Saboteurs intent on destruction, disruption, or contamination will avail themselves of an almost
unlimited variety of hand, power, and thermal tools (including construction tools such as cutting
torches), contaminant agents, IEDs, and IIDs, as well as higher-level ballistic weapons. This
represents a significant threat level and effective protection measures can be very costly. Consider the
following security systems in addition to those for the vandal and criminal threats.
4.4.3.1 Perimeter Zone
• Increase fencing height to 8 feet, with 3-strand barbed wire and helical razor wire as top dressing
with break-away stanchions.
• Provide secondary secure fencing (anti-climb) around critical assets or primary facilities.
• Increase standoff distance. If conventional building construction is used, the standoff zone is
generally a minimum of 45 meters (148 feet) [5] from asset location to provide survivability against
vehicle bombs. However, depending upon the DBT, the standoff distance necessary may be
substantially greater. Refer to DoD's Unified Facilities Criteria [6] and the Army's IED Safe Standoff
Distance Cheat Sheet [7] for further guidance.
• Control access to sites by unauthorized vehicles through use of an entry control point for
vehicular and pedestrian traffic (Figure 4-4). An effective entry control point provides these
features:
- Means to associate vehicle with driver, such as validation of the drivers' identification prior
to authorizing access
- Mechanism to turn away unauthorized vehicles or pedestrians
- Location, including bomb detection equipment, for inspection of vehicles and their contents
- Location to detain unauthorized persons and their vehicles
- Bullet-resistant guardhouse with toilet facilities and weather protection
- Turnstile for pedestrians that can entrap potential adversaries failing validation of
identification
- Barrier to prevent a vehicle from penetrating the gate or crashing into the guardhouse
- Crash-resistant gate
- A telephone or intercom
- Dual-vehicle entrance gate to eliminate tailgating (where a second vehicle, bicycle, or person
on foot enters after the first vehicle)
• Design entry control points to provide
unimpeded access by emergency vehicles
(e.g., fire-rescue, police, ambulance).
FIGURE 4-4
Entry Control Point with Protected Guardhouse
• Provide vehicle barriers surrounding perimeter of site, capable of stopping a 4,000-pound vehicle
traveling at 30 miles per hour within 5 feet or less.
- Vehicle barriers to resist moving vehicles can be designed for the vehicle weight, including
explosives carried, and the speed at which the vehicle may be traveling. The location of
the barrier can consider the time to activate and fully deploy the barrier before the vehicle
reaches the barrier, as well as the acceleration opportunity that distance allows for
the vehicle.
[5] DoD Minimum Antiterrorism Standards for Buildings, UFC 4-010-01, October 8, 2003
[6] Ibid.
[7] Improvised Explosive Device (IED) Safe Standoff Distance Cheat Sheet, U.S. Army
- Vehicle barriers to resist moving vehicles may be active or passive depending on the
application requirements. If unrestricted access is generally required with deployable barriers
available to stop unauthorized vehicles, active barriers can be used.
Active barriers that resist ramming include:
• "Pop-up" bollards
• Hydraulic ramp, wedge, and plate barriers
• Manual plate barriers
• Portable crash barriers
Passive barriers that resist ramming include:
• Aircraft cable barriers that may be integrated into the perimeter fence. Aircraft cable should have
anchorage and foundation systems designed to resist the forces of moving vehicles loaded with
explosives (Figure 4-5).
• Landforms and landscaping elements such as ditches, berms, heavy vegetation, boulders,
bollards (designed to resist vehicle ramming), and concrete.
FIGURE 4-5
Perimeter Fence with Aircraft Cable Anchored to Concrete
• Provide remote meter reading devices or locate meters outside of the perimeter barrier to
eliminate the need for electric, gas, and water meter readers to come onto the facility site.
Tips for Small Utilities
Installing landscaping boulders around perimeter areas can serve as a cost-effective and
attractive yet practical vehicle barrier.
4.4.3.2 Site Zone
• Control the potential for vehicles to gain speed between the entry control point and assets by
chicanes, speed bumps, or other traffic-calming devices.
• Select sites for critical assets that allow a minimum 100-foot standoff distance around occupied
facilities and the critical assets that may be subjected to attack.
• Consider placing critical assets below grade or using earth-sheltered buildings to protect assets.
• Provide redundant critical utility connections, such as power service, communications, water,
and wastewater, for high-security assets.
• Secure exposed exterior valves, hydrants, manholes, pipes, or other appurtenances.
• Enclose exterior areas housing critical assets with expanded metal mesh enclosures, reinforced
grouted concrete block, or reinforced concrete walls with roof grilles to prevent access to assets.
• Locate fuel tanks, natural gas lines, or fueling stations as far from critical assets as possible.
4.4.3.3 Building Envelope and Other Structures
• Use forced entry-resistant window and door assemblies. Assemblies can be rated for forced-entry
resistance commensurate to the DBT level anticipated (rated assemblies are tested for minutes of
resistance to attack using various combinations of hand, power, and thermal tools) and should
include the entire assembly: window/door, frame, anchorage to wall, and lock and hinge
hardware.
• Provide high security, forced entry-resistant hardware, including locks, lock bolts, and hinges.
• If a magnetic lock is installed at a facility door, the 2000 edition of National Fire Protection
Association (NFPA) 101, Life Safety Code, Section 7.2.1.8.2 requires a request-to-exit motion
sensor and a push-to-exit button at the door. The security panel should have a connection to the
facility's fire alarm panel (if there is one onsite).
4.4.3.4 CCTV Surveillance
No cameras are provided for general site surveillance. However, if general surveillance capabilities
are desired, provide one pan/tilt/zoom color camera with a minimum of three presets for viewing
site conditions from a remote location.
Suggested camera locations for vehicle gates and building entrances are the same as those that can be
applied for a criminal threat (see Section 4.4.2.4, "CCTV Surveillance").
4.4.4 Countermeasures Against Terrorist Threats
Unless a terrorist is intent on stealth, detection is relatively easy and of little importance to the
terrorist. Depending on the specific DBT, the following tactics may be employed by terrorists:
stationary vehicle bombs parked near targeted facilities; moving vehicle bombs; carried explosives
and IEDs; rocket propelled grenades (RPGs) and mortars; IIDs; any type of hand, power, or thermal
tools; automatic assault-type weapons; and contaminant agents.
Protective measures to resist blast threats are intended to prevent or minimize casualties; more costly
systems may result in greater survivability and reusability of structures. Blast threats require specific
blast engineering to develop appropriate resistance levels to various explosives threats. The greater
the distance a blast can be kept from assets, the less likely the asset will be injured or damaged, so
standoff distance is paramount where space allows. In addition to appropriate protective measures
listed for the vandal, criminal, and saboteur threats, consider the following improvements relative to
the utility's DBT.
4.4.4.1 Perimeter Zone
• Establish a "no stopping" zone along the roadway serving the facility, with appropriate signage.
Security personnel or local law enforcement can monitor and patrol the roadway and have
stopped or parked vehicles towed.
• Provide a security checkpoint with guards and electronic access control equipment to search
vehicles travelling within the standoff zone.
• The security checkpoint can consist of a guardhouse adjacent to a vehicle sally port where
vehicles can be detained until the driver identity can be confirmed and the vehicle contents
and undercarriage can be examined.
• Provide bullet-resistant guardhouses with toilet facilities and weather protection. Barriers can
prevent a vehicle from penetrating the gate or crashing into the guardhouse.
• Install a video surveillance system at the sally port.
• To reduce search requirements, exempt authorized personnel with appropriate credentials
(personal and vehicle IDs that are linked in databases for validation) and who have had
background checks.
• Require pedestrians to pass through a high-security turnstile (which may be used to entrap
potential adversaries failing validation of identification). Other options include providing a
location to detain unauthorized persons and their vehicles.
• During unmanned periods, crash-resistant gates can be used. A telephone can be provided for
use by on-call personnel for entry, if required.
4.4.4.2 Site Zone
• Locate assets away from vantage points from where weapons such as RPGs may be fired.
• Provide pre-detonation screens at site perimeter between assets and vantage points. If provided,
pre-detonation points should be as far as possible from assets, including parking areas and
occupied buildings.
• Consider circulation and access to site facilities, including service and mail deliveries. Provide
sufficient area to allow location of receiving areas to be a minimum of 100 feet away from
occupied facilities or assets in the event bombs are delivered in service or delivery vehicles.
• Prevent parking adjacent to and under/over facilities (such as rooftop parking or parking under
occupied sections of buildings). Keep unrestricted parking areas as far from buildings as possible.
• Park vehicles in publicly accessible spaces at least 100 feet from the structure.
• Locate areas for dumpsters and trash barrels as far away from asset locations as practical.
• Provide motion-activated lighting at the building perimeter and site yard for "instant-on" from
nominal 1.0 foot-candle illumination to 5 foot-candle illumination under motion activity.
• For alarm assessment, provide a minimum of one color, fixed-position camera viewing each
alarmed site element (hatch, substation, etc.). Position camera to view protected asset and
attacker. Image target (attacker) to occupy 30 percent of image scene.
• For parking lot surveillance, provide a minimum of two color, low-light capable, fixed-position
cameras for viewing parking areas. Position camera to serve an approximately 200-foot by
100-foot field of view. Provide sufficient cameras to monitor entire parking lot areas.
• For site surveillance, provide a minimum of one color, low-light capable, pan/tilt/zoom camera
with a minimum of three presets for viewing site conditions from a remote location. Camera to
serve approximately 200-foot by 200-foot region. Add cameras as necessary to serve entire site.
• Provide site intrusion detection system, using one of three sensor technologies as applicable to
site conditions: microwave, buried cable, or fence-mounted.
4.4.4.3 Building Envelope and Other Structures
• Provide area presence sensors within the interior spaces to monitor for unauthorized presence of
personnel within the building. Presence sensors to be dual technology (passive infrared and
microwave) high-security sensors.
• Install area presence sensors approximately every 75 feet within the building interior and at
critical corridor intersections.
• Install interior detector sensors that meet Underwriters Laboratories (UL) Standard UL639,
Intrusion Detection Units (http://ulstandardsinfonet.ul.com/scopes/0639.html).
• Provide push-button duress system for signaling operator assistance. When an operator who is
threatened or under attack presses the duress button, the security system is notified that there is a
security condition alert, and response personnel are dispatched to the scene to investigate.
4.4.4.4 Building Systems
• Locate blast walls behind entrances and large windows to prevent glass shards from penetrating
building interiors.
• Design building systems to resist blast and aerosol contamination attacks that may be included in
the DBT.
• Isolate areas where bombs could be received, including loading docks, mail rooms, storage areas,
and lobbies. If provided, isolation should be accommodated in both structural and mechanical
systems. Provide vestibules at entries.
• Locate air intakes high (a minimum of 10 feet above grade) in building walls to prevent
contaminants from being introduced. Verify that equipment, loading docks, trash receptacles,
ladders, and other building or site appurtenances do not allow access to air intakes. Where
locating air intakes away from these items is not feasible, move air intakes to higher elevations.
• Provide breathing mask dispensers in convenient locations.
• Protect openings to air intakes with sloped mesh screens to prevent objects from being tossed
into intake openings.
• Install low-leakage dampers to minimize penetration of introduced contaminants after HVAC
system is shut down.
• Where a chemical, biological, or radiological (CBR) release at some distance from a facility is part
of the DBT, design facility for air tightness or pressurize facility to limit infiltration.
• Establish a protected clearzone around ground-level or low air intake openings with entry
restricted to authorized personnel only. Clearzone may be fenced or walled (provisions for air
circulation required by air intake and HVAC equipment should be considered). Illuminate and
monitor the clearzone (guard patrols or CCTV).
• Provide grilles with openings no larger than 6 inches in diameter (both intake and return air).
Grilles should be forced-entry resistant and anchored firmly into the building structure to
prevent penetration through ductwork or openings.
• Prevent unrestricted or public access to rooftop areas where mechanical equipment is located.
Other roof openings, including skylights and roof scuttles, should be locked and replaced with
forced entry-resistant assemblies.
• Restrict access to mechanical equipment yards and rooms to authorized personnel only.
Illuminate and monitor entrances to these areas.
• Evaluate building control programs to consider isolation and zoning of various areas of facilities
that house critical assets, especially with respect to egress areas, and that may be targeted by
contamination tactics, automatic shut-off switches to zones or facilities, and pressurization and
airflow control. "Shelter in Place" concepts require a single point of control to immediately shut
down all HVAC systems when a contamination event has been detected or is anticipated (i.e., if a
cloud is moving toward a facility). This switch should also be readily accessible to building
personnel or facility manager.
• Install back-draft dampers on exhaust fans.
• Provide safe rooms with separate, dedicated HVAC systems to provide secure areas for
personnel to move to when the facility may be exposed to contaminants. Safe rooms should
include indoor air purifiers.
• Use ducted returns to limit access points from which CBR contaminant agents may be
introduced.
• Minimize mixing between HVAC zones.
• Evaluate adsorbent filtration options with respect to specific DBT contaminants. Higher efficiency
filtration may be beneficial for certain exposures, but not effective against chemical vapors or
gases used in chemical attacks, and will likely be extremely costly, require extensive area to
accommodate filters, and reduce airflow. Refer to National Institute for Occupational Safety and
Health (NIOSH) guidelines for more considerations and information.
4.5 Water Quality Monitoring
The use of water quality monitoring systems for security purposes is a relatively new and, currently,
relatively rare application among water utilities. Thus, guidance for the design of water quality
monitoring systems, that is, early warning systems (EWSs), is rather limited. Despite the extent of
information gaps in the design of EWSs, some utilities are proceeding in installing EWSs in their
utilities. These can be considered best-in-class utilities and their experiences are helping the
development of industry-standard practices and guidance for other utilities.
As mentioned in Section 3, "Operational Considerations for Enhancing Physical Security," there are
three key documents that provide information on the subject. They are Grayman, et al. (2001) for
source water, Pikus (in press) for distribution systems, and Hergesheimer, et al. (2002) for both. These
documents provided information for the guidance provided here.
The reasons for installing EWSs can be summarized as follows:
• They should detect accidental or intentional contamination of the water supply by chemical
(including biotoxins), biological, and radiological contaminants early enough to take
countermeasures, if possible.
• The consequences of contamination would put public and employee health, public confidence,
and regulatory compliance at risk.
• There should be as few false positives and false negatives as possible.
• They should be affordable and cover as many customers as possible.
To meet these objectives, the factors discussed below need to be considered in the design of EWSs.
4.5.1 Contaminants of Concern and Their Concentrations
A comprehensive list of potential contaminants that include chemical (including biotoxins),
biological, and radiological contaminants would be large and unrealistic to tackle. Lists of potential
contaminants have been developed (Pikus 2004). Utilities should not take any general list as
definitive for their own purposes. Contaminants that are more readily available in a
specific region, or that for any other reason seem more appropriate for the utility in question to
consider, should be added. Utilities, using their DBTs, are responsible for identifying the
contaminants for which they should design their EWSs.
Although there is no consensus on the concentrations that need to be detected, it appears that
concentrations above NOAEL should be considered. NOAEL is defined as "the greatest concentration
or amount of a substance, found by experiment or observation, which causes no detectable adverse
alteration of morphology, functional capacity, growth, development, or life span of the target
organism under defined conditions of exposure." (Pikus 2004).
4.5.2 Fate and Transport Models for Contaminants
In the selection of the instruments and their locations, utilities need to understand where the
contaminants travel and what kinds of changes occur during their transport. For surface waters, spill
models are typically used to estimate the fate and transport of contaminants, while distribution
system network models are used for distribution systems. Water utilities need to have access to
appropriate models to apply to their water supply systems.
4.5.3 Sampling Frequency and Integration with Existing Water Quality Monitoring Programs
Water systems monitor water quality for both regulatory and operational performance purposes.
Water samples are collected at specific locations and, depending on the parameters, are tested either
in the field or in the laboratory. These grab samples are collected periodically from a relatively small
number of locations. Because a contamination event may last a relatively short period of time, grab
sampling may miss contamination events of concern. Furthermore, regulatory samples are typically
sent to laboratories, adding more lag time to the detection of a contaminant.
As such, continuous or near continuous monitoring (in-line or on-line) is recommended for EWSs.
Most utilities already collect continuous samples at their plants, monitoring parameters such as flow,
pH, turbidity, and chlorine residual, so there is already a foundation for continuous monitoring in
water systems. The challenge is selecting meaningful parameters, instruments, and locations for
sampling. At this time, due to technological limitations, the presence and properties of contamination
are inferred from changes in surrogate parameters. Unfortunately, the sensitivity and accuracy with
which these parameters can detect a contamination event are still questionable.
In designing an EWS, a utility should integrate it with its existing monitoring program by using staff
already knowledgeable in sample collection, analysis, and instrumentation.
4.5.4 Selection of Instruments
Until further advances occur in instrumentation, the emerging practice is the use of Tier 1
instruments for detecting contamination and its location. Tier 1 instruments typically measure
changes in some of the basic properties of water, such as pH, oxidation reduction potential, chlorine
residual, TOC, and absorption of light. These measurements should be followed by Tier 2
instruments for identifying the contaminant and its concentration (including the use of laboratory
analysis).
In the selection of instruments, consider the following:
• parameters measured, sensitivity, accuracy, reliability, ruggedness, cost
• characteristics of the instrument location (see Section 4.5.3, "Sampling Frequency and Integration
with Existing Water Quality Monitoring Programs")
• O&M characteristics such as maintenance requirements, down time, calibration and testing
requirements, housekeeping, and data reporting capabilities
4.5.5 Siting of Instruments
Identifying where to place an instrument is relatively easy for source water, but very complex in
distribution systems. In source waters the pathway of water is known, so the instruments are
typically placed upstream of the intakes with the distance and location somewhat determined by the
use of surface water spill models. In the case of distribution systems, as the intrusion point and time
of the contaminant are not known, there is an infinite number of potential locations that the
instrument could be placed. A utility needs to identify the best locations and number of instruments
that will cover the largest number of consumers within its budget. Depending on the technical and
financial resources of a utility, these locations could be identified by using staff intuition,
distribution system network simulation models, or distribution system network optimization models.
Because optimization models are too complex for routine utility use, the other options should be
considered. While simulation methods are better than intuitive methods (because they incorporate
some of the intuitive factors), this does not imply that sensors located at the resulting sites will
1) detect the contaminants 2) in a timely fashion. EPA's PipelineNet model can be used for this purpose.
Regardless of the method used, both local and system-wide factors need to be considered in the
selection of candidate sites (Pikus 2004).
4.5.5.1 Local Factors
• Easy access to the instrument site by authorized personnel
• Available space for the instruments and auxiliary equipment
• Suitability of candidate instruments or sample collection method for the sampling site
• Physical security of the instrument site
• Hydraulic conditions at sampling sites
• Existing water quality sampling sites
4.5.5.2 System-wide Factors
• Potential areas or entry points of contamination
• Likely contaminants
• Contaminant transport time and concentration
• Vulnerable populations (such as children, elderly, sick) at different parts of the network
• Relative water demand and associated flow characteristics
• Frequency of sampling, i.e., periodic vs. continuous sampling
4.5.6 Data Analysis and Interpretation
Pikus lists the following objectives for analyzing the data from EWS instruments:
• To identify the presence and location of significant contamination in the system (essential)
• To identify the contaminant or its class with sufficient specificity to allow appropriate responses
(desirable)
• To characterize the contaminant concentration profile (pulse morphology) (desirable)
• To determine time to consumer (essential)
• To eliminate false negatives and minimize false positives (essential)
• To assess public health risk (highly desirable)
• To provide timely information to decision maker (essential)
To properly interpret the data from instruments, reasons for water quality parameter variations need
to be well understood. The sources of variation include:
• noise in the instrument
• variations in the actual properties of the water
• variations in the measured parameters from changes in operating conditions
To determine whether a set of readings is an indication of contamination, a utility needs to
distinguish between a contamination event and the other possible causes of the measured changes.
For this reason, the utility needs to identify the baseline water quality characteristics of its source
water and its potable water in the distribution system. This baseline will require at least one year of
water quality sampling and analysis of parameters monitored via an EWS, enabling the utility to
better interpret whether the variations in water quality are due to contamination or other reasons.
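The baseline comparison described above can be sketched as follows. This is an added example, not code from this guidance or from Pikus: it screens Tier 1 readings against a baseline and only alerts when several surrogate parameters stay outside the baseline band for consecutive samples, so a single noisy reading is not treated as an event. The parameter names, thresholds, the median/MAD statistic, the `ops_event` flag, and all data are constructed assumptions.

```python
"""Baseline screening for EWS surrogate parameters (added example, constructed data)."""
from statistics import median

# Hypothetical Tier 1 parameter names; a real EWS would use its own tag names.
PARAMS = ("ph", "orp_mv", "cl2_mgl", "toc_mgl")


def build_baseline(history):
    """Return {param: (median, scale)} from baseline readings.

    Median and scaled MAD are used instead of mean/stddev so that a few bad
    readings in the baseline period do not widen the normal band.
    """
    baseline = {}
    for p in PARAMS:
        values = [row[p] for row in history]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[p] = (med, max(1.4826 * mad, 1e-6))  # floor avoids divide-by-zero
    return baseline


def deviating(reading, baseline, z_limit):
    """Parameters whose robust z-score against the baseline exceeds z_limit."""
    return sorted(p for p, (med, scale) in baseline.items()
                  if abs(reading[p] - med) / scale > z_limit)


def screen(stream, baseline, z_limit=4.0, min_params=2, persist=3):
    """Label each reading as NORMAL, WATCH, ALERT or ALERT_OPS_CHANGE.

    WATCH: something deviates, but not enough parameters for long enough.
    ALERT: at least min_params deviate for persist consecutive readings.
    ALERT_OPS_CHANGE: same, but an operating change was logged during the run;
    the alert is still raised so that nothing is silently suppressed.
    """
    results, run, ops_in_run = [], 0, False
    for r in stream:
        dev = deviating(r, baseline, z_limit)
        if len(dev) >= min_params:
            run += 1
            ops_in_run = ops_in_run or bool(r.get("ops_event"))
        else:
            run, ops_in_run = 0, False
        if run >= persist:
            label = "ALERT_OPS_CHANGE" if ops_in_run else "ALERT"
        elif dev:
            label = "WATCH"
        else:
            label = "NORMAL"
        results.append((r["t"], label, dev))
    return results


def constructed_history(n=360):
    """Constructed stand-in for a year of daily baseline readings."""
    rows = []
    for i in range(n):
        wobble = ((i * 7) % 11 - 5) / 5.0  # deterministic value in [-1, 1]
        rows.append({"ph": 7.6 + 0.05 * wobble, "orp_mv": 650 + 10 * wobble,
                     "cl2_mgl": 1.2 + 0.04 * wobble, "toc_mgl": 1.5 + 0.05 * wobble})
    return rows


def constructed_stream():
    """Constructed 5-minute readings: one noise spike, then a sustained shift."""
    rows = [
        ("00:00", 7.61, 655, 1.21, 1.52),
        ("00:05", 7.60, 720, 1.20, 1.50),  # single ORP spike: instrument noise
        ("00:10", 7.59, 648, 1.19, 1.49),
        ("00:15", 7.60, 640, 0.90, 2.10),  # chlorine falls while TOC rises
        ("00:20", 7.58, 590, 0.60, 2.60),
        ("00:25", 7.57, 560, 0.40, 3.00),
        ("00:30", 7.57, 555, 0.40, 3.00),
    ]
    return [dict(zip(("t",) + PARAMS, row)) for row in rows]


if __name__ == "__main__":
    base = build_baseline(constructed_history())
    for t, label, dev in screen(constructed_stream(), base):
        print(t, label, ",".join(dev))
```

A production baseline would be kept per site and per season, since source and distribution water differ and operating conditions change over the year.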
4.5.7 Communication System Requirements
An EWS typically consists of a number of instrument platforms located throughout the water system
that are operating continuously and producing large quantities of data. The data would be sent to a
central data analysis facility at which they would be processed and interpreted.
The data can be transmitted to the data analysis center over existing SCADA linkages or over
separately configured and managed linkages. Most utilities would probably prefer to use an existing
SCADA system for these communications. For security reasons, it is better to encrypt the data,
although this might create compatibility problems with an existing SCADA system.
Proper guidance for such communications is provided in Section 5, "Cyber Security Management,
Operations, and Design Considerations."
4.5.8 Responses to Contamination Events
This factor is covered in Section 7, "Emergency Response Planning."
4.5.9 Operations, Maintenance, Upgrades, and Exercising the System
Pikus (2004) provides extensive recommendations regarding these factors. They cover topics such as
unscheduled and scheduled downtime, preventive maintenance, built-in testing and diagnostics,
integration with SCADA, supplies, spare parts, and training for staffing.
4.6 Recommendations for Source and Ground Water Facilities
In the security evaluation of water facilities, the raw water system, composed of the raw water
supply, intake, pumping, and transmission to the main plant, is typically considered to be a critical
component of the water supply system.
Table 4-2 provides general security design considerations for surface and groundwater facilities. The
following subsections provide more specific measures by facility.
TABLE 4-2
Source (Ground and Surface) Water Supply Threat and Security Design Considerations
Threat Type | Threat | Security Design Considerations
Vandal | Malicious damage | Harden facility using cage, fencing, locks; Use appropriate signage and lighting; Provide intrusion alarm
Criminal | Equipment theft | Chain and lock portable equipment; Install card access system
Saboteur/Terrorist | Destroy or disable facility systems; Contaminate water; Injure employees | Install CCTV at facility perimeter; Install alarmed entry; Install alarmed interior presence sensors; Use multi-parameter water quality probe; Restrict boat access to intake
Insider/Additional Considerations | Revenge, personal gain | Restrict access by job function
4.6.1 Wells
Consider the following security design measures for wells:
• Enclose the wellhead with cages or buildings that restrict access to avoid physical destruction or
intentional contamination of well water supply. Cages can be of simple construction, such as a
reinforcing bar.
• Protect gravel chutes and chemical application points with a cage to avoid intentional
contamination of the water supply.
• Use shackle-protected locks to prevent the lock from being cut by a bolt cutter.
• Post warning signs on the perimeter fence for deterrence and to protect the utility from liability.
Follow local ordinances when signs are installed. Depending on the diversity of the population,
multi-lingual signs may be required.
• Increase site lighting to allow suspicious activity to be easily noticed by citizens or passing law
enforcement. Motion-detecting lighting can be used in areas where local residents are sensitive to
external lighting in facilities.
• Dual utility power supplies from different substations or a backup power generator will provide
a continuous supply of water even when the primary utility power supply fails.
• Provide redundancy for treatment, disinfection, and water quality monitoring structures, which
typically consist of aeration, pH adjustment, and disinfection.
• Use a multi-parameter probe to measure parameters such as pH, oxidation-reduction potential,
conductivity, turbidity, chlorine residual, and dissolved oxygen in the aquifer or well discharge
for early detection of chemical/biological contamination. Major deviations from the baseline of
these parameters would indicate potential biological or chemical contamination of the water.
4.6.2 Rivers, Lakes, and Reservoirs
Design considerations to protect water supply from rivers, lakes, and reservoirs include:
• Source water watershed protection.
• A multi-parameter probe to measure parameters such as pH, oxidation-reduction potential,
conductivity, turbidity, chlorine residual, and dissolved oxygen in the river for early detection of
chemical/biological contamination. Major deviations from the baseline of these parameters
would indicate potential biological or chemical contamination of the water.
• A fence around the facility or site. However, this may not be feasible depending on the size of the
facility/site and may also be opposed by the public because it will not be aesthetically pleasing.
• Consider an aquarium-type fish tank to which a small portion of raw water is directed.
Effects on the fish will indicate water contamination. This is a basic system that requires
operator attention, although there are more sophisticated units available to alert the operator.
4.6.3 Dams
A dam breach can have significant impacts downstream: flooding, loss of life and property, and loss of
water supply source. Vulnerability assessments for dams can be conducted using the RAM-D tool
developed by Sandia National Laboratories. Based on the results from the assessment, some of the
following security improvements can be applied. Design considerations to improve security at dams
include these:
4.6.3.1 Basic
• Restrict access to the spill way, overflow, and intake to avoid placement of explosives at these
structures.
• Restrict vehicle access on the dam using locked gates or bollards.
• Post warning signs on the perimeter fence for deterrence and to protect the utility from liability.
4.6.3.2 Advanced
• Use boom systems or turbidity curtains, as shown in Figures 4-6 and 4-7, to restrict boat access to
the intake to avoid contamination of water.
• Use video cameras for alarm assessment to verify whether the alarm is real or a nuisance alarm
so that the utility can take appropriate action.
• Use limit switches on gate operators to alert the operator when someone is closing or opening
the gates on dams.
• Increase lighting so that suspicious activity can be easily noticed by citizens or passing law
enforcement.
FIGURE 4-6
Boom System
FIGURE 4-7
Turbidity Curtain (labeled parts: web strips, white or yellow float collar, brass grommets, optional 5/16" chain curtain ballast)
Design considerations to improve security at intake, pretreatment, and water quality monitoring
structures include:
• If the utility is considering a second intake, it is recommended to spatially separate the two
intakes so that an impact on one intake does not affect the other.
• An intruder alarm can alert an operator when an unauthorized person gains access to the facility.
• Video camera for alarm assessment can verify whether the alarm is real or a nuisance alarm so
that the utility can take appropriate action.
4.7 Recommendations for Raw Water Conveyance Facilities
Table 4-3 provides general security design considerations for raw water conveyance facilities. The
following subsections provide more specific measures by facility type for utilities to consider.
TABLE 4-3
Raw Water Conveyance Threat and Security Design Considerations
Threat Type | Threat | Security Design Considerations
Vandal; Criminal | Cause malicious damage; Steal equipment | Harden facility using cage, fencing, bolting; Use appropriate signage; Provide intrusion alarm; Lock access
Saboteur/Terrorist | Destroy or disable facility systems; Contaminate water; Injure employees | Implement alarmed entry; Implement CCTV at pump station; Install pipelines below ground
Insider/Additional Considerations | Seek revenge, personal gain | Restrict access to facility by job function
4.7.1 Pump Stations
Redundant units and adequate capacities under peak flow conditions with at least one unit out of
service are generally considered standard for the design of pump facilities. Pump stations can be
designed to enable removal of pumps and motors for repair while maintaining the operability of the
facility at full capacity. If possible, at least two discharge pipes and two discharge locations should be
considered in the design to provide additional redundancy. Consider restricting access to the pump
station using access control systems.
4.7.1.1 Perimeter/General Site Security
• Install chain-link fence with three strands of barbed wire, break-away stanchions, and signs
50 feet apart.
• Use shackle-protected locks to prevent the lock from being cut using a bolt cutter.
• Use video cameras for alarm assessment to verify whether the alarm is real or a nuisance alarm
so that the utility can take appropriate action.
• Increase lighting so that suspicious activity can be easily noticed by citizens or passing law
enforcement.
4.7.1.2 Electrical Supply and Equipment
• Provide a redundant utility power supply from a different substation, pre-wired connection for a
backup generator, or a portable backup generator.
• Match the plug on the portable generator to the emergency power receptacle at the pump station.
Tips For Small Utilities
Smaller utilities can coordinate with local utilities or rental companies for generators and pre-wire
the facility to accept the generator.
4.7.1.3 Control Room
• Use card access to restrict access to the control room to authorized personnel.
• Install a door status switch and motion sensor to alert operator when an unauthorized person
gains access.
4.7.1.4 Pumps and Appurtenances
Consider redundancy of critical components.
4.7.2 Pipelines and Appurtenances
When adding a second pipeline to meet additional demands, bury the second pipeline in a trench
that is physically separated from the first pipeline.
4.7.2.1 Underground and Aboveground Pipelines
• Reduce the area of aboveground exposure for the pipeline.
• Use high-pressure pipeline material (such as ductile iron) in exposed areas if the DBT includes
small explosive capabilities. If a significant threat exists, consider using Schedule 80 piping.
4.7.2.2 Pipelines on Bridge Crossings
• Use high-pressure pipeline material (such as ductile iron) in exposed areas if the DBT includes
small tools or small explosive capabilities. Consider using Schedule 80 pipe if a significant threat
exists.
• Protect the pipeline with fan structures or concrete encasement to restrict access.
• Replace overhead pipelines with pipelines in tunnels under the river or creek if the DBT includes
significant explosive capabilities.
4.7.2.3 Distribution System Appurtenances
• Add bolts that require a special wrench to unlock (where generally available screwdrivers and
wrenches would not work) for access hatches and valve vaults.
• Add protective cages over aboveground appurtenances to restrict access.
4.8 Recommendations for Water Treatment Facilities
Two key design approaches for limiting negative impacts to treatment plants are redundancy and
adequate capacity. Redundancy in design that is geographically distant provides multiple tanks,
basins, treatment units, pumps, and conveyance piping and channels to minimize the potential for
single points of failure, which are likely to be key targets for knowledgeable adversaries. Whenever
feasible, consider providing multiple trains for each process unit with bypass systems to enable an
individual process train to be removed from service. Similar redundancy for auxiliary and support
processes and equipment such as chemical feed pumps should be evaluated. Redundancy can be
extended to entire treatment trains of multiple process units that are, if possible, separated by a
physical distance but connected for maximum operational flexibility.
Flexibility to respond rapidly to unplanned shutdowns of process units should be considered during
design by allowing channels, gates, pumps, valves, and piping to enable tanks and pumps to be used
for different processes. Critical valves, gates, and transfer pumps can be automated to allow for quick
shutdown or diversion of flows. However, in the event that automated controls or SCADA systems
are compromised or inoperable, a means to operate the processes manually is recommended.
On-the-shelf spares, such as process pumps, motors, valves, meters, and controllers, provide
redundant critical components. Redundant utilities, particularly electrical power, are vital to a secure
operation. In addition to the need for at least two independent main power supplies to the treatment
facility, looped power distribution networks within the treatment plant should be considered to
enable rapid isolation and removal of a damaged power feed or inoperable electrical equipment from
the power net.
The approach for adequate design capacity works in tandem with redundant unit processes. At a
minimum, the design for individual processes should be conservative and meet peak demands with
one unit out of service. For treatment plants with multiple trains, consider peak demands with one
train out of service. Higher redundancies should be considered for critical processes, such as
disinfection systems, where redundancies are often 100 percent of design capacity.
Where practical and feasible, tanks and open channels should be covered, and the access doors and
hatches should be secured. Critical components such as pumps, motors, motor control centers, and
SCADA components can be secured within enclosures and hidden from view. Where feasible, piping
and appurtenances can be installed below ground or within secured structures. Locking mechanisms
can be considered for critical valves and gate operators.
However, designers should consider the impacts of limiting access to normal O&M activities.
Adequate access and room for routine maintenance and repair can be considered in the layout of
individual unit processes. The ability to remove enclosures may be necessary to replace or repair
equipment.
Table 4-4 provides general security design considerations for water treatment plants. The following
subsections provide more specific measures by facility type.
TABLE 4-4
Water Treatment Facility Threat and Security Design Considerations
Threat Type          Threat                        Security Design Considerations
Vandal               Cause malicious damage        Harden facility using fencing, locks, and bollards
                                                   Install appropriate signage and lighting
                                                   Provide intrusion alarms
Criminal             Steal equipment               Lock access ladders, hatches, buildings, and gates
                                                   Install a card access system for building entry
                                                   Harden windows, doors, and other entry points
                                                   Provide signage with no asset information
Saboteur/Terrorist   Destroy or disable facility   Install CCTV at facility perimeter
                     systems                       Install alarmed entry
                     Contaminate water             Install alarmed interior presence sensors
                     Injure employees              Use multi-parameter water quality probe
                                                   Provide vehicle inspection area
                                                   Install vehicle barriers
                                                   Install redundant power connections
                                                   Install tamper-switches on SCADA panels
                                                   Install duress switches for operators
                                                   Install bolting for critical valve vaults
Insider/Additional   Seek revenge, personal gain   Restrict access to areas by job function
Considerations                                     Provide secure fence to isolate critical assets within facility
4.8.1 Conventional Treatment Processes
The WTP unit processes for conventional treatment usually consist of pretreatment; flocculation and
sedimentation and filtration (supplemented by the backwash of the filters using a backwash supply
tank); and disinfection (including the use of a clearwell for storage and contact time).
4.8.1.1 Pretreatment System
Special considerations are required where the DBT includes adversaries with explosives. Individual
concrete structures, such as splitter boxes and pump stations, may serve as single points of failure
that can be hardened against the threat, or duplicated and separated to preserve functionality if one
unit is damaged.
4.8.1.2 Flocculation/Sedimentation and Filtration
• The redundancy of the flocculation/sedimentation trains reduces the criticality of each individual
train; however, loss of flocculation system could adversely impact water quality. The flocculation
basins are potential points of contamination. Limiting access, intrusion detection
• Maintain the effectiveness of filtration through an effective backwash or cleaning system.
Interconnected, dual backwash systems, each with a capacity for 50 percent of the peak flow, can
provide the redundancy desired. Chemical systems used to enhance filtration can also include a
measure of redundancy. Consider storing replacement media in a secured storage building away
from the filters.
• If pneumatic valves are used for the filter inlet/outlet control valves, consider a backup air
compressor for the pneumatic valves. Also, a pressure transmitter on the air supply to detect loss
of air supply to the valves can be added.
• Consider a backup power supply for key electrical valves.
4.8.1.3 Backwash Supply Tank
For plants with one backwash tank, obtain redundant backwash supply from tapping the finished
water discharge with appropriate pressure-reducing valves (PRVs).
4.8.1.4 Disinfection - Chlorination, Ozonation, Ultraviolet
Typically, the final step of water treatment is the disinfection process, a key process in the treatment
train. Adversaries may target this process in an effort to discredit the utility and promote concerns
and fear within the general public about the quality of the finished water. Increased security
approaches, such as more restrictive access control and hardened physical protective systems, are
warranted for this process. Regardless of the type of disinfection system used (i.e., chemical or
ultraviolet light), provisions or plans can be considered for a backup disinfection system using a
liquid disinfectant such as sodium hypochlorite. This backup system could consist of temporary
pumps, tanks, and piping.
For treatment plants using gaseous chlorine and/or gaseous ammonia, special design considerations
are required if the DBT includes saboteurs and terrorists, as these chemicals are highly toxic and have
the potential for significant and dramatic impacts on employees and area residents if released into the
atmosphere. Standard design considerations for handling and use of these chemicals include, but are
not limited to, separate rooms and ventilation systems or independent buildings for storage and feed
equipment, leak detection and alarm systems, automatic shut-off valves if leaks are detected, and air
scrubbers for containment and neutralization of a release of the entire contents of the largest cylinder
or tank in the storage room. For threats including saboteurs and terrorists, countermeasures can
include an additional layer of security that includes secure fencing, detection devices, and monitoring
as described below.
In addition to very restrictive control of individuals authorized to enter these facilities (if deemed
appropriate to the threat), the design can include sufficient stand-off distances (parking lots are away
from these areas) and structural hardening to prevent damage and rupture to the gas cylinders or
tanks. Delivery areas and loading areas can also be tightly controlled and monitored. The following
security features can also be considered.
• Install a security fence to isolate toxic chemicals to prevent unauthorized access to these sensitive
areas. Figures 4-8 through 4-10 show desirable secure fencing characteristics.
• Use shackle-protected locks to prevent the lock from being cut using a bolt cutter.
• Install motion-sensors to alert the operator when there is an unauthorized person onsite.
• Use a video camera for alarm assessment to verify whether the alarm is real or a nuisance alarm so
that the utility can take appropriate action.
• Increase site lighting so that suspicious activity can be easily noticed by utility employees.
• Use a card reader or key pad to limit access to only authorized utility employees.
The best defense may be to avoid the use of extremely hazardous chemicals (chlorine and ammonia),
replacing them with less dangerous chemicals (sodium hypochlorite and liquid ammonium sulfate), and
installing physical treatment processes where possible.
FIGURE 4-8
Secure Fencing with Aircraft Cabling
FIGURE 4-9
Fencing with Openings Too Narrow for Adversary to Get a Handhold or Toehold
FIGURE 4-10
Fencing with Openings Too Narrow for Cutters to Grip
4.8.1.5 Clearwell
• If there are two or more clearwells, ensure that one can be isolated if it is contaminated so that
finished water can be provided from the other clearwells. The utility should consider installing a
multi-parameter probe to measure parameters such as pH, oxidation-reduction potential,
conductivity, chlorine residual, and dissolved oxygen in the clearwells for early detection of
chemical/biological contamination. Major deviations from the baseline for these parameters may
indicate potential biological/chemical contamination of water.
• For clearwell hatches, use unique shackle-protected locks rather than locks that open with a master
key, so that only authorized utility staff have access; this minimizes the insider threat.
• For clearwell vents, consider installing goosenecks with thick, double-meshed, offset screens that
cannot be easily cut to prevent chemicals from being introduced through the vents. For greater
protection, add internal baffles and a structure around the vent that would make chemical
addition more difficult while still providing an opening for ventilation.
• Use tide valves on clearwell overflow pipes in lieu of flapper valves to minimize the ability to
introduce chemicals into the pipe.
• Add intrusion alarms on clearwells that are coupled with automatic effluent shut-off valves for
immediate isolation.
4.8.2 Auxiliary Systems/Components
Utilities have numerous opportunities to increase security throughout a facility as shown below.
4.8.2.1 Perimeter/General Site Security
• Install chain-link fence with three strands of barbed wire. Consider a fence detection system such
as fiber optic or taut wire.
• Post warning signs on the perimeter fence
for deterrence and for liability to protect the
utility. Follow local ordinances when signs
are installed. Depending on the diversity of
the population, bilingual signs may be
required.
• Install aircraft cable for perimeter fence
where the fence is potentially exposed to
adversaries in high-speed vehicles to
prevent forceful entry onto plant site.
• Add concrete vehicle barriers at the entry
gate to slow traffic to prevent vehicles
crashing into the property, as shown in
Figure 4-11.
• Lock entry gate operator enclosures with a shackle-protected padlock.
• Provide a system, such as a Knox box, to allow emergency response personnel to gain access to
the facility during an emergency when utility employees are not at the site or are unable to open
the entry gate. Consider a small side-entry man gate.
• Install drop-arm crash beam type vehicle barriers
at the vehicle entry gates to restrict forceful entry
of unauthorized vehicles, as shown in Figure 4-12.
• Add fixed security cameras at the main gate to
record entry/exit events (e.g., date and time) and
to provide a means for the receptionist to verify
(e.g., call to find out if there is supposed to be a
delivery) or record (e.g., in case there is a question
about a delivery later) who is at the gate before
opening the gate.
• Increase site lighting so that suspicious activity
can be easily noticed by citizens, law enforcement,
or utility employees. This is discussed in detail in
Section 3.
FIGURE 4-11
Example of Vehicle Access Approach to Reduce Speed
FIGURE 4-12
Example of Drop-Arm Crash Beam Vehicle Barrier
4.8.2.2 Finished Water Pump Station
• Consider redundant (stand-by) pumps and other critical components.
• Provide intrusion detection on doors to alert operator when there is an intruder.
• Provide access control on doors to restrict access to authorized personnel only.
• Design backup or redundant power supply.
4.8.2.3 Chemical Storage and Feed Systems
Utilities typically use numerous chemicals at a WTP; these include liquid ferric sulfate or alum, liquid
oxygen, aqueous or anhydrous ammonia, chlorine gas or sodium hypochlorite, sodium hydroxide,
hydrofluorosilicic acid, and polymer. Depending on the specific chemical in use, the chemical and its
feed equipment can be targets of saboteurs and terrorists. Based on the DBT, chemical buildings or
chemical rooms within buildings can be provided with a higher security, as can outside chemical
storage areas, using methods such as these:
• Consider visual access so that chemicals can be observed from outside without going into the
building.
• To provide adequate redundancy, keep at least two storage tanks per liquid chemical on hand.
• Provide adequate spill containment and control for all storage tanks, and separate containment
structures for each chemical. It is standard practice to design the containment to hold the volume
of the largest tank within the containment.
• Include spill detection systems in the design of storage and feed areas to assist in detecting theft
or release of the chemical. Typical systems include liquid levels in containment sumps.
• Include instrumentation to alert the operator when there is an overdosage of chemicals.
4.8.2.4 Electrical Supply and Equipment
The following considerations can be taken into account to improve security for electrical supply,
which is one of the most critical assets at a treatment plant:
• Provide redundant utility power supplies from different substations or a backup generator.
• Provide bollards to protect against intentional or accidental damage of power transformers, as
shown in Figure 4-13.
• Isolate critical electrical components such as switchgear from the rest of the plant using secure
grills, as shown in Figure 4-14. Tampering with switchgear can result in a loss of power for an
entire facility.
FIGURE 4-13
Bollards Protecting a Fence from Vehicle Entry
FIGURE 4-14
Example of Sensitive Equipment Isolated by Secure Grills
4.8.2.5 SCADA/Control System Equipment
• Provide lock and intruder switch on control panel.
• Provide signal supervision and tamper alarms to detect loss of signal and tamper attempts.
4.8.2.6 Control Room
• Limit access to the control room with a card reader or key pad.
• Provide employee-activated as well as "deadman" duress switches to alarm station operator,
control room operator, personnel working alone in remote facilities, and other key personnel.
4.8.2.7 Administrative Area
• Limit access to the administrative areas with a card reader or key pad.
• Upgrade door hardware on mission-critical facilities as follows:
- Install tamper-resistant hinges (tack-weld hinge pins at minimum) and security pins into
doorjamb or use Z-strip (a protective shroud that safeguards hinges and doors from
tampering).
- Use shackle-protected locks that are hardened to provide delay values consistent with other
door delay values.
- Install balanced magnetic switches tied into central alarm system to alert the operator.
- Install expanded metal grating on interior of door louvers and 3/8-inch (or thicker) Lexan®
on interior of door windows to prevent forceful entry into a room through these openings.
- Install tamper-resistant panic door hardware on all exterior doors to provide additional delay
in forceful entry.
- Replace doors that have glass windows with solid metal doors to provide additional delay.
• Upgrade windows:
- If windows must be capable of opening for ventilation, install a securely-attached expanded
metal grating on interior. One-quarter inch anchor bolts inserted a minimum of 1 inch into
the window frame are recommended. The anchor bolt head should incorporate a tamper-resistant
fitting so that a specialized socket is required for removal.
- If windows are not required to open, install an expanded metal grating or 3/8-inch Lexan®
on interior of windows.
- If a room is alarmed, install glass-break sensors to provide earlier detection of penetration
attempts at highly critical facilities such as chlorine storage.
4.8.2.8 Laboratory
A water utility's laboratory typically contains sophisticated and valuable analytical equipment, as
well as computer hardware and software that may be a target of vandalism and theft. In addition,
laboratories have various hazardous reagents and, consequently, may be targets of saboteurs or
terrorists. As with the other security measures described in this document, the design considerations
discussed in this section should be employed based upon the identified DBT. If the laboratory is
located within the perimeter of a treatment facility, consideration should be given to enclosing the
laboratory within a higher security layer. Chemicals or gases (in cylinders) that are stored outside of
the laboratory can be secured with lock and chain and enclosed in a cage in accordance with the
determined DBT.
4.9 Recommendations for Finished Water Storage and Distribution System
Table 4-5 provides general security design considerations for the finished water storage and
distribution system. The following subsections provide more specific measures by facility type.
TABLE 4-5
Finished Water Storage and Distribution Facility Threat and Security Design Considerations
Threat Type          Threat                        Security Design Considerations
Vandal               Cause malicious damage        Harden facility using cage, fencing, locks, and bolting
                                                   Install appropriate signage and lighting
                                                   Provide intrusion alarms
Criminal             Steal equipment               Lock access ladders, hatches, and hardened entry points
Saboteur/Terrorist   Destroy or disable facility   Install CCTV at facility perimeter
                     systems                       Install alarmed entry
                     Contaminate water             Install alarmed interior presence sensors
                     Injure employees              Use multi-parameter water quality probe
                                                   Install tamper-switches on SCADA panels
                                                   Install motion-sensor (dual technology) for storage tank ladders
Insider/Additional   Seek revenge, personal gain   Restrict access to areas by job function
Considerations                                     Provide electronic key that provides access to only authorized personnel
4.9.1 Storage Tanks/Reservoirs
• Use locks or hatches on storage tanks/reservoirs.
• Consider security cameras only at mission-critical sites for alarm assessment.
• Consider intrusion alarms on control panels that are mounted outdoors to alert operator.
• Consider intrusion alarms on hatch covers that are interconnected with automatic shut-off valves
on tank discharge line.
• Increase site lighting so that suspicious activity can be easily noticed by citizens or passing law
enforcement.
• Replace existing non-bolted covers on valve vaults with bolted covers or add bolts that require a
special wrench to secure the existing covers.
• Consider an anti-climb shield, such as the one shown in Figure 4-15, with lock-on storage tank
ladders. Add a bulkhead (e.g., a reinforced door) to stairs to restrict access to top of the storage
tank. Alternatively, ladders can be removed so that a portable man lift or ladder is required for
utility staff to access the top of the storage tank for maintenance.
• Consider a dual technology motion sensor (both microwave and passive infrared) on storage tank
ladders. This sensor is designed to pick up any intruder approaching the top of the tank, and would
not generate nuisance alarms from birds or other objects.
Tips for Small Utilities
Small utilities can consider welding a bar over hatches to restrict access into tanks.
FIGURE 4-15
Example of a Protected Access Ladder to a Storage Tank
4.9.1.1 Perimeter/General Campus Security
• Provide shackle-protected locks or an electronic lock that can be programmed to open only for
authorized utility staff for the entry gate. Use locks or hatches on storage tanks/reservoirs.
• Consider non-duplicate keys that are specifically made for the utility.
• Post warning signs on the perimeter fence for deterrence and for liability to protect the utility.
Follow local ordinances when signs are installed. Depending on the diversity of the population,
multi-lingual signs may be required.
4.9.1.2 Hatches
• Provide shackle-protected locks.
• Weld bar on top of hatch to restrict access (for tanks that require infrequent access).
• Interconnect intrusion alarms to automatic tank discharge shut-off valves to isolate the tank if
there is an indication of a potential threat to water supply.
• Consider dual hatches for additional delay on critical valve vaults for higher level DBTs.
4.9.1.3 Air Vents
• Consider installing thick, double-meshed, offset screens on vents.
• Install baffles to prevent insertion of contaminants into tank.
4.9.2 Pipelines and Appurtenances
Underground and aboveground pipelines are discussed in this section, as well as pipelines on bridge
crossings, appurtenances, fire hydrants, and monitoring equipment.
4.9.2.1 Underground and Aboveground Pipelines
• Reduce area of aboveground exposure for pipelines.
• Use high-pressure pipeline material (such as ductile iron) in exposed areas if DBT includes light
explosive capabilities. Consider using Schedule 80 pipe if the threat level warrants.
4.9.2.2 Pipelines on Bridge Crossings
• Use high-pressure pipeline material (such as ductile iron) in exposed areas if DBT includes light
explosive capabilities.
• Protect pipeline with fan structures or concrete encasement to restrict access.
• Replace overhead pipeline with a tunnel under the river or creek if the DBT includes substantial
explosive capabilities.
4.9.2.3 Appurtenances
• Add bolts that require a special wrench to unlock (where generally available screwdrivers and
wrenches would not work) for access hatches and valve vaults.
• Secure transfer valve vaults with bolting between pressure zones.
• Add protective cages over aboveground appurtenances.
4.9.2.4 Fire Hydrants
To minimize tampering with fire hydrants, install special nuts or caps, such as the ones shown in
Figures 4-16 through 4-19. These devices require wrenches that are only sold to fire departments and
water utilities.
To minimize the risk that firefighters would be unable to use the hydrant during a fire, consider these
actions:
• Training on the use of specialized equipment should be provided to 100 percent of the personnel
in local fire departments and all other fire departments with which there are mutual aid
agreements or that would respond to an emergency.
• Provide the appropriate wrenches to all fire departments that may use the hydrant when
responding to an emergency.
FIGURE 4-16
Example of a Special Fire Hydrant Locking Wrench
FIGURE 4-17
Example of Hydrant Locking Caps
FIGURE 4-18
Example of Hydrant Locking Caps and Wrenches
FIGURE 4-19
Example of Special Fire Hydrant Locking Wrench in Use
4.9.2.5 Monitoring Equipment
The technologies for distribution system monitoring are rapidly advancing. Simple techniques such
as measuring chlorine residual and pressure loss can sometimes be effective in determining if a
chemical contaminant has potentially affected the system or if the system has been physically
compromised. With new technologies being developed, utilities can determine if it is necessary to
upgrade their existing monitoring systems after evaluating new technologies and case studies.
• Install a multi-parameter probe to measure pH, oxidation-reduction potential, conductivity,
temperature, chlorine residual, and dissolved oxygen in the distribution system for early
detection of contamination in storage tanks.
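The baseline-deviation check that Sections 4.8.1.5 and 4.9.2.5 describe for multi-parameter probes can be sketched as follows. This is an added example, not part of the original guidance: the field names, the median/MAD robust z-score method, the thresholds, and every reading are assumptions or constructed values.

```python
"""Baseline-deviation check for a multi-parameter water quality probe.

Added illustration: parameter names, thresholds and all readings are
assumptions or constructed sample values, not taken from the guidance.
"""
from statistics import median

PARAMS = ("ph", "orp_mv", "conductivity_us_cm", "chlorine_mg_l", "do_mg_l")

Z_LIMIT = 4.0     # assumed: robust z-score counted as a "major deviation"
MIN_PARAMS = 2    # assumed: parameters that must deviate in the same sample
PERSIST = 2       # assumed: consecutive such samples before raising an alarm
REL_FLOOR = 0.01  # assumed: scale never drops below 1% of the baseline median


def rows_to_readings(rows):
    """Turn tuples ordered like PARAMS into reading dictionaries."""
    return [dict(zip(PARAMS, row)) for row in rows]


def build_baseline(history):
    """Return {param: (median, scale)} from known-good readings.

    Median and MAD are used instead of mean and standard deviation so
    that a few odd samples in the history do not widen the baseline.
    """
    baseline = {}
    for p in PARAMS:
        values = [r[p] for r in history]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # 1.4826 * MAD estimates the standard deviation of normal data; the
        # floor stops a very flat history from flagging ordinary noise.
        scale = max(1.4826 * mad, REL_FLOOR * abs(med), 1e-9)
        baseline[p] = (med, scale)
    return baseline


def deviating_params(reading, baseline):
    """List the parameters whose robust z-score exceeds Z_LIMIT."""
    flagged = []
    for p in PARAMS:
        value = reading.get(p)
        if value is None:  # missing signal is reported separately
            continue
        med, scale = baseline[p]
        if abs(value - med) / scale > Z_LIMIT:
            flagged.append(p)
    return flagged


def evaluate(stream, baseline):
    """Return (index, status, params) events for a sequence of readings.

    SENSOR_FAULT: a parameter is missing (loss of signal).
    WATCH: something deviates, but not enough parameters or not for long.
    ALARM: MIN_PARAMS or more deviate for PERSIST consecutive samples.
    """
    events, streak = [], 0
    for i, reading in enumerate(stream):
        missing = [p for p in PARAMS if reading.get(p) is None]
        if missing:
            events.append((i, "SENSOR_FAULT", missing))
        flagged = deviating_params(reading, baseline)
        streak = streak + 1 if len(flagged) >= MIN_PARAMS else 0
        if streak >= PERSIST:
            events.append((i, "ALARM", flagged))
        elif flagged:
            events.append((i, "WATCH", flagged))
    return events


# Constructed known-good history: pH, ORP (mV), conductivity (uS/cm),
# chlorine residual (mg/L), dissolved oxygen (mg/L).
HISTORY = rows_to_readings([
    (7.50, 650, 400, 1.20, 8.0), (7.52, 655, 403, 1.22, 8.1),
    (7.48, 645, 397, 1.18, 7.9), (7.51, 652, 401, 1.21, 8.0),
    (7.49, 648, 399, 1.19, 8.1), (7.50, 651, 402, 1.20, 7.9),
    (7.53, 647, 398, 1.23, 8.0), (7.47, 653, 400, 1.17, 8.2),
])

# Constructed live samples: normal, a single-parameter dip, an ORP signal
# dropout, then two samples where several parameters shift together.
STREAM = rows_to_readings([
    (7.51, 649, 401, 1.19, 8.0),
    (7.50, 651, 399, 1.05, 8.1),
    (7.49, None, 400, 1.20, 8.0),
    (7.10, 560, 450, 0.40, 7.9),
    (7.05, 540, 465, 0.30, 7.8),
])

if __name__ == "__main__":
    for index, status, params in evaluate(STREAM, build_baseline(HISTORY)):
        print(index, status, ", ".join(params))
```

Requiring several parameters to move together for consecutive samples is one way to limit nuisance alarms from a single drifting sensor; the right values depend on the utility's own baseline data.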
4.9.3 Pump Stations
Security information regarding pump stations includes site security, electrical supply and equipment,
SCADA/control system equipment, the control room, pumps, and appurtenances.
4.9.3.1 Perimeter/General Site Security
Post warning signs on the perimeter fence for deterrence and for liability to protect the utility. Follow
local ordinances when signs are installed. Depending on the diversity of the population, multi-
lingual signs may be required.
4.9.3.2 Electrical Supply and Equipment
• Provide an emergency receptacle for the backup power supply that matches the plug on a
portable generator.
• Provide a redundant utility power supply from a different substation, a pre-wired connection for
rental generators, or a backup portable generator.
4.9.3.3 SCADA/Control System Equipment
Provide signal supervision and tamper alarms to detect loss of signal and tamper attempts.
4.9.3.4 Control Room
Provide employee-activated as well as "deadman" duress switches to alarm station operator, central
control room operator, personnel working alone in remote facilities, and other key personnel.
4.9.3.5 Pumps and Appurtenances
Secure sampling point stations with an enclosure and a shackle-protected lock.
4.10 Recommendations for Customer Connections
Table 4-6 provides general security design considerations for customer connections. The following
subsections provide more specific measures by facility type.
TABLE 4-6
Customer Connection Threat and Security Design Considerations
Threat Type          Threat                        Security Design Considerations
Vandal               Cause malicious damage        Install locks
Criminal             Steal equipment               Install special bolting
Saboteur/Terrorist   Destroy or disable systems    Install backflow protection
                     Contaminate water             Install dual check valves with residential meters
                                                   (advanced practice)
Insider/Additional   Seek revenge, personal gain   Restrict access to areas by job function
Considerations                                     Provide electronic key that provides access to only
                                                   authorized personnel
4.10.1 Construction Meters
Install integrated reduced-pressure backflow devices to prevent intentional or accidental
contamination of water through this temporary meter connection.
4.10.2 Meters
• In high-risk areas for commercial properties such as hotels and motels, consider meters that have an
appropriate level of backflow protection and anti-tamper devices to prevent the introduction of
chemicals through a sink.
• Secure the water meter with a special bolt or use a locking meter, as shown in Figure 4-20, to
protect from tampering.
• Consider automatic meter reading to continuously monitor flow for detection of unusual flow patterns.
FIGURE 4-20
Example of Locking Water Meter
4.10.3 Backflow Prevention Devices
Backflow prevention devices for the following areas can be considered to prevent intentional or
accidental contamination of water.
• Evaluate appropriate backflow protection for all high-risk industrial and commercial facilities.
• Consider installing backflow protection on residential properties in conformance with the
Universal Plumbing Code for high-risk applications (e.g., pools, irrigation systems).
• Consider installing dual check valves with residential meters for additional backflow protection
in high-risk areas. Meter installations will require the use of an expansion chamber downstream
of the backflow device for protection of the residential water system.
4.11 Recommendations for Support Services/Facilities
Protecting utilities' support services and facilities can be as important as protecting the more
high-profile water system components.
4.11.1 Maintenance/Equipment Storage/Warehouse Facilities
Criminal theft of equipment, chemicals, and tools should be the minimum DBT for maintenance
shops, warehouses, and storage facilities. At the threat levels of saboteur and terrorists, consideration
should be given to providing a higher layer of security for these facilities and locating them a
substantial distance from the treatment processes that they serve. Thus, should damage occur to the
treatment process units, repairs can still be made — spare parts, replacement equipment, and
materials such as filter media will still be available for use.
• For saboteur and terrorist threat levels, design delivery areas for equipment and supplies, as well
as for chemicals and fuel, to consist of an inspection area that is separated from the eventual
destination to allow for inspection of the delivery vehicles and contents of the delivery. The
inspection area can be designed to allow multiple inspections should more than one delivery
vehicle be detained for inspection. The inspection areas can also include appropriate equipment
to allow for the sampling of chemical and fuel deliveries so that a chemical assay can be done
prior to accepting the delivery.
• Utilities with vehicle fueling stations should locate them at a sufficient standoff distance of 200 to
300 feet from treatment process units and inhabited buildings, based upon the DBT.
Table 4-7 provides general security design considerations for support facilities. The following
subsections provide more specific measures by facility type.
TABLE 4-7
Support Facility Threat and Security Design Considerations
Threat Type          Threat                                Security Design Considerations
Vandal               Cause malicious damage                Keep doors locked
                                                           Install appropriate signage and lighting
                                                           Provide intrusion alarms
Criminal             Steal equipment                       Install card access system for building entry
                                                           Harden windows and entry points
                                                           Use signage that provides no asset information
Saboteur/Terrorist   Destroy or disable facility systems   Install CCTV at facility perimeter
                     Contaminate water                     Install alarmed entry
                     Injure employees                      Install alarmed interior presence sensors
                                                           Install duress switches for operators
Insider/Additional   Seek revenge, personal gain           Restrict access to areas by job function
Considerations
4.11.2 Remote Control Facilities
• Provide employee-activated as well as "deadman" duress switches to alarm station operator,
control room operator, personnel working alone in remote facilities, and other key personnel.
• Upgrade door hardware on mission-critical facilities:
- Install tamper-resistant hinges (tack-weld hinge pins at minimum) and security pins into
doorjamb or use Z-strip (a protective shroud that safeguards hinges and doors from
tampering).
- Harden locks to provide delay values consistent with other door delay values.
- Install balanced magnetic switches tied into the central alarm system.
- Install expanded metal grating on interior of door louvers and 3/8-inch (or thicker) Lexan®
on interior of door windows. One-quarter inch anchor bolts inserted a minimum of 1 inch
into the window frame are recommended. Anchor bolt head should incorporate a
tamper-resistant fitting so that a specialized socket is required for removal.
- Install tamper-resistant panic door hardware on all exterior doors.
- Replace doors that have glass windows with solid metal doors.
• Upgrade windows:
- If windows must be capable of opening for ventilation, install a securely-attached expanded
metal grating on interior.
- Install glass-break sensors to provide earlier detection of penetration attempts through
windows.
4.12 Recommendations for Administrative Facility Security
Loss of the business functions provided in administrative facilities may not necessarily disrupt the
water supply, but may instead disrupt the ability to handle the financial and management duties that
keep the utility running smoothly. Table 4-8 provides general security design considerations for
administrative facilities. The following subsections provide more specific measures by facility.
TABLE 4-8
Administrative Facility Threat and Security Design Considerations

| Threat Type | Threat | Security Design Considerations |
|---|---|---|
| Vandal | Cause malicious damage | Keep doors locked; Provide intrusion alarms |
| Criminal | Steal equipment | Install card access system for building entry; Install hardened windows and entry points; Install CCTV at parking areas |
| Saboteur/Terrorist | Destroy or disable facility systems; Contaminate water; Injure employees | Install CCTV at facility perimeter; Install CCTV at building interior/public areas; Install lock-down means at building lobby; Install alarmed entry; Install alarmed interior presence sensors; Install duress switches for operators |
| Insider/Additional Considerations | Seek revenge, personal gain | Restrict access to areas by job function; Install card access |

4.12.1 Control Access to Buildings
The minimum DBT for administrative offices will most likely be theft, although a saboteur or terrorist
may target the utility's management and administrative staff as well as the treatment plant
infrastructure. Administrative offices of any organization are typically the target for an insider threat
on management. Thus, consideration should be given to an increased threat level for administrative
offices, even if the DBT of the surrounding facility is at a vandal or criminal threat level.
If applicable, designs for administrative offices should include space for gatekeepers such as
receptionists or guards at the entrance to the buildings and possibly at key locations on other floors.
Silent panic alarm buttons can alert local law enforcement of malevolent acts.
4.12.2 Safeguard Employees
• Provide employee-activated as well as "deadman" duress switches to alarm station operator,
control room operator, personnel working alone in remote facilities, and other key personnel.
• Provide a public address system to contact employees in a timely manner when there is
imminent threat.
SECTION 5
Cyber Security Management,
Operations, and Design Considerations
[Figure: roadmap of this guidance, with panels for Introduction; Management: Optimizing Physical Security; Operations: Enhancing Physical Security; Design: Developing Physical Security; Physical Security Equipment; and Cyber Security]
Cyber Security
• Understand cyber security system components
• Identify threats against the system
• Implement appropriate policies, procedures, and training
• Institute preventive operational controls
• Design with cyber security in mind
5.1 Overview
Cyber security is the protection of enterprise information systems from outside or inside attack. The
reliance of a water utility on its automated systems can be substantial: the SCADA system runs the
plant, the financial system maintains fiscal equilibrium, and several systems facilitate most business
processes. Competitive financial pressures have decreased the staff at most facilities to the point
where few, if any, utilities can run in "manual mode" for long. In short, if the information systems do
not work, the enterprise will not operate.
Unfortunately, security was largely an afterthought in the developing computer industry. The
Internet has gone from a trusting network of academic colleagues to daily world-wide alerts for
destructive viruses. By virtue of their isolation, SCADA systems have typically been the least
defended systems of all. Proactive prevention and response plans can provide utilities with
substantial levels of protection from both external and internal adversaries.
This section first describes the components of a cyber system and then identifies existing threats
against the system. Management, operations and maintenance, and design guidance that applies
specifically to cyber security is then included. Keep in mind that, as in the rest of this document, the
intent of the guidance is to provide suggestions and ideas for consideration by utilities as they each
create their own customized security plan.
5.2 Utility Cyber Networks
A water utility often deploys an array of specialized information systems. This document will
distinguish between those systems residing on the business network versus those on the control
network.
A valuable tool for management to understand those portions of the enterprise system that are at
greatest risk is the cyber security vulnerability assessment. This type of vulnerability assessment is a
focused examination of the entire business and control network from a security perspective. Each
component is evaluated for its degree of susceptibility to outside or inside attack. Based on analysis
of the utility's DBT, specific recommendations are developed aimed at preventing the most likely
types of attacks. (This information can be found in Section 5.6.1, "General Design Best Practices.")
5.2.1 Business Network
The business network hosts software applications and databases that facilitate enterprise business,
scientific, and engineering processes. These include:
• Enterprise Resource Program. A comprehensive financial program that includes modules for
General Ledger, Accounts Payable, Accounts Receivable, Payroll and possibly Human Resources.
• LIMS. A repository of laboratory result information and process data to support regulatory
compliance and treatment plant operations.
• CMMS. A work order system to provide preventative maintenance on assets, such as pumps,
pipes, hydrants, and valves.
• Customer Information System. A system that facilitates customer invoicing and resolving
customer complaints.
• Internet/Intranet. A tool that provides customers and employees with the ability to interact
around-the-clock with the utility from any computer.
• Other Systems. E-mail, permitting, geographic information system, and fuel usage.
5.2.2 Control Network
The SCADA system consists of numerous electronic components distributed in the plant and over a
large, sometimes very large, geographic area. The system's main function is to oversee and operate
the pumps, valves, and instruments that control the intake, treatment, and distribution of finished
water to customers. Operable elements of the SCADA system are located in a wide range of facilities,
including the intake facilities, the treatment plant, pump or booster stations, tanks, reservoirs, wells,
and other remote facilities. Though SCADA systems vary widely in their composition, the following
represents a typical list of components, grouped by function:
• Computers
- SCADA servers
- SCADA Human Machine Interface (HMI) programming workstations
- SCADA HMI workstations and view nodes
• Networking
- Switches (optical and Ethernet)
- Routers
- Hubs
- Firewalls
- Modems
- Serial interfaces (connecting telephone lines to SCADA devices)
• Data Conveyance
- Ethernet cabling
- Optical cabling (e.g., plant loop)
- Telephone lines (leased or owned)
- Radio transmitters and antennas
- Wireless transmitters and antennas
• Distributed Control Components
- Programmable Logic Controllers (PLCs)
- Remote Terminal Units (RTUs)
5.3 Cyber Security Threats
There is no shortage of potential intruders to the enterprise from the Internet. For the purposes of the
following cyber security discussions, intruders are defined as:
• Outsider Hackers. The primary goal of hackers is unauthorized entry; their motivation is thrill-
seeking or criminal opportunity.
• Outsider Attackers. The primary goal of attackers is to destroy enterprise operations; their
motivation is often political.
• Insider Attackers. The primary goal of an inside attacker is to disrupt enterprise operations; their
motivation is personal gain or vengeance.
To maintain consistency with discussions of physical security in other sections of this document,
Table 5-1 correlates physical intruders and cyber intruders.
TABLE 5-1
Correlation Between Physical and Cyber Intruders

| Physical Intruder | Equivalent Cyber Intruder |
|---|---|
| Vandal | Outside Hacker |
| Criminal | Outside Hacker |
| Saboteur | Outside Attacker |
| Terrorist | Outside Attacker |
| Insider | Insider Attacker |

Information systems are more vulnerable than ever before. Today's information management trends
point to a technology convergence resulting in a standardized system architecture. A demanding
regulatory environment and the need for defensible decision-making push today's utilities to
integrate previously isolated information systems onto standardized platforms. In addition,
employees increasingly request 24 hour-per-day access to internal information systems. Taken
together, these trends create more, not fewer, opportunities for intruders to access and affect the
entire enterprise information structure.
Gaining unauthorized entrance to an organization's information infrastructure is no longer the
province of a small cadre of skilled intruders. The specific vulnerabilities of widely used platforms,
like Microsoft Windows™, are detailed on numerous web sites. An arsenal of hacking tools is readily
available on the Internet at no cost. These "freeware" programs are easy to operate and effective at
gaining entrance to organizations via the Internet, radio, telephone, or wireless devices. Novice
hackers can generate destructive virus code from special applications with no knowledge of
programming. This shorter learning curve benefits attackers intent on intrusion and destruction.
Cheap laptops, anonymous Internet accessibility, and readily available hacking tools offer political
organizations a potent tactical weapon.
As the result of the existence of these adversaries, utilities have realized the need to become more
vigilant to protect their valuable infrastructure. Information system failure can have catastrophic
repercussions to a utility. Compromise of the financial system can result in millions of dollars of lost
revenue. Corruption or destruction of operational data can lead to fines due to late or inaccurate
regulatory reporting. A sabotaged web site has the potential to shake public trust during a time of
crisis. Interruption of the plant process because of SCADA malfunction can lead to a wide range of
health implications for the community.
5.4 Management
Management considerations for cyber security provide the policies and procedures that tie
operational practices and system designs into an integrated approach for utilities. Key areas of
concern focus on SCADA system access, passwords and other IT interface points within the utility.
5.4.1 Cyber Security Policies and Procedures
The most effective course of action available to utility management is the creation of a cyber security
plan (often within the context of a physical security plan). A cyber security plan provides the policies,
procedures, and direction for system enhancements that minimize intrusion risk as well as insider
malfeasance. It is, however, an unfortunate reality that even the most vigorous anti-intruder security
may not thwart a determined attacker.
For water utility operators, the SCADA system is of particular concern. Any disruption to the
accurate operation of the SCADA system could have adverse health repercussions to the community.
As such, specialized assessment of the SCADA system is indicated due to its marked difference from
a more traditional information technology (IT) system. It is worth noting that the trend in automation
systems is to use a more "open architecture" that does not rely on proprietary vendor protocols. The
result is a more publicly available standardized operating platform, which increases the odds that its
vulnerabilities are more widely known.
The centerpiece of a cyber security plan is its policies. Publicized and enforced policies can reduce the
opportunity for an insider to anonymously sabotage any portion of the information system. Elements
of this plan should include:
• a process for granting/revoking access to information systems
• password policies
• restricted information flow between the business and control networks
• comprehensive system documentation
• outlawing of unauthorized wireless or modem connections
• a Disaster Recovery Plan
• incident response goals
A forward-looking plan also provides a method for continuous security improvements. In this
rapidly evolving field, it is essential to stay current. Several organizations are in the process of
formulating cyber security standards. At the time of this writing, for example, the National Institute
of Standards and Technology, a federal standards agency, maintains a highly informative web site
that publicizes best practice security guidelines (csrc.nist.gov).
5.4.2 Cyber Security Training
Training activities can result in a higher level of cyber security in the workplace. User acceptance is
an important part of adherence to security policies. Training sessions help to review security
procedures and impart to all employees the importance of individual responsibility. Basic examples
of the types of training to perform include these:
• Training for the general user population so that they understand all security policies and
procedures. Specific items to be discussed should include:
- Not to share passwords with others.
- Not to write passwords down.
- Not to set up wireless networks or wired connections between networks without
authorization.
- To password-protect home personal computers (PCs) used to connect to the enterprise.
• Training network administrators to analyze server and network log files to pinpoint
unauthorized activity.
• Training operators to log out of the HMI whenever leaving the control room to
prevent unsupervised access to the SCADA system.
5.5 Operations
Cyber security addresses the need for the continuous functioning of the information systems
serving the utility. Of special concern to water utilities is the SCADA system, whose distributed
components maintain the process. Given the complex and interrelated nature of the SCADA system,
a detailed approach is recommended to safeguard its reliability.
5.5.1 Intrusion Defense
Cyber intruders can gain access to an enterprise network via one of four broad avenues:
1. Internet
2. Telephone system
3. Wireless (including radio)
4. Inside attacks
The following subsections outline methods of preventing unauthorized entry from each avenue.
5.5.2 Internet Intrusion
Internet access to the enterprise is not always under the control of utility IT staff. It is common for the
umbrella municipality to administer all security aspects of the Internet gateway, including firewall
configuration and Intrusion Detection System (IDS) oversight. In that case, it is important that the
utility IT staff participate in municipal IT matters via technical committees or similar intra-
organization forums.
5.5.2.1 Outside Hacker
The outside hacker is most easily deterred at the firewall. If no entry point is penetrable, the hacker
will likely move on and choose an easier target. Thus, utilities may want to:
• Coordinate with the enterprise or utility IT department to conduct penetration tests on the
Internet firewall. These tests are designed to uncover "open ports" commonly used by hackers to
gain entrance to the enterprise network. Once inside, a hacker is free to access any computer on
the business network, including SCADA computers if the business and control networks are
connected.
• Restrict general user access to critical applications. For example, segregate financial servers by
locating them on a separate network segment with tightly restricted access.
5.5.2.2 Outside Attacker
Even the most daunting security at the Internet gateway may succumb to the efforts of a determined
attacker. Additional steps are necessary to further secure the SCADA system if connections exist
between the business and control networks. Thus, basic steps that utilities may want to consider
include these:
• Identify and disconnect all connections between the business and control networks that have no
security controls, such as a router or firewall. Network traffic between the two networks should
be strictly controlled to allow only legitimate connections.
• Conduct server and workstation software audits to verify that the operating systems have been
"hardened" with the most current upgrades and security-related patches. The Microsoft
Windows™ operating system, for example, is a favorite target of hackers because of its
widespread use and well-documented security flaws. Some basic activities associated with this
audit might include the following:
- Verifying that anti-virus software is updated with the latest virus patterns.
- Verifying that all servers have the latest security patches applied for applications (e.g., database
programs, email, etc.) as well as the operating system.
- Reviewing system logs for inappropriate activity.
- Confirming that all administrator passwords for the operating system and HMI have been
changed from the default passwords.
5.5.3 Telephone System Intrusion
The most common method of telephone system intrusion is via dial-up modem. Most SCADA
systems employ a modem to facilitate operations and maintenance of the HMI by vendor or in-house
SCADA technicians. Traditionally, these modem connections have little or no security; they are an
attractive target for "war-dialing," a common technique used by telephone hackers that uses a
software program to automatically call thousands of telephone numbers to look for any that have a
modem attached.
5.5.3.1 Outside Hacker
These basic suggestions can provide increased cyber security at little or no cost to the utility.
• Configure modems to allow dial-up access from a restricted set of telephone numbers.
• Leave modems connected to the SCADA system turned off. Turn on only for use by verified
personnel (vendor or SCADA technician).
• Use a timer to turn off modems after a preset period of time (e.g., one hour) if not in use.
• Coordinate with the enterprise IT department to verify security on non-SCADA modems
connected to the business network.
5.5.3.2 Outside Attacker
Utilities should instruct employees not to divulge user information—especially passwords — over the
telephone. Hackers have a high success rate of obtaining passwords from unwary employees by
posing as an IT technician needing user account information. This technique is known as "social
engineering." Employees can be made aware of any authorized need for this information and asked
to report any attempt to elicit password information without the proper authorization.
5.5.4 Wireless Intrusion
The explosion of wireless networking at home and in the workplace has created an enormous
security risk for network administrators. Many wireless installations in the workplace can exist
without the knowledge of the IT group. These installations generally have little or no security and
can be accessed by anyone within signal range.
5.5.4.1 Outside Hacker
Utilities should eliminate unauthorized wireless networking (use wireless detection software and
appropriate antenna/laptop software to identify unauthorized installations). A wireless access point
using the default settings is open to network attack. Many wireless products are capable of
configuration to acceptable levels of transmission security.
5.5.4.2 Outside Attacker
Modify and configure authorized wireless networking to the highest encryption levels. Minimize
broadcast range and consider turning off "beaconing" features.
5.5.5 Insider Intrusion
Although an inside attacker has a decided advantage by possessing access privileges to the enterprise
system, a stringent security environment renders operational staff activities less anonymous. A well-
designed cyber security plan seeks to minimize inadvertent or intentional damage to the SCADA
system by former or current employees and contractors. At the core of any security plan is an
enforceable security policy and accompanying procedures that promote operational accountability
and auditability.
The water utility industry is often staffed by long-term employees. The introduction of more
stringent security procedures can rankle as untrusting. The current security-minded national
environment, however, supports the perception that procedural changes to protect the enterprise are
inevitable.
5.5.5.1 Management and Operational Security of the SCADA System
Several security practices that promote accountability and auditability are part of this mainstream
movement, including these basic operational security considerations:
• Development of security policies that are posted in all control rooms
• Requirement for individual logon credentials to access the SCADA system
• Configuration of HMI logon privileges to match responsibility level
• HMI log files that associate user logon credentials with actions and changes made to the
HMI (creating a non-refutable audit trail of operator actions)
• Requirements for appropriate password strength rules for user access (i.e., more "complex"
passwords for those with higher access privileges, such as an administrator)
• Immediate removal of a user account from the HMI if the account becomes inactive due to
voluntary, and especially involuntary, termination
• Configuration of an inactivity timeout logout (or proximity sensor logout) to protect the control
system if no one is present in the control room or the operator has stepped away from a remote
workstation
• Requirement for a password to make software programming changes to RTUs/PLCs
• Programming of set point ranges to reject potentially harmful out-of-range adjustments
Advanced operational security considerations include these:
• Install third-party software—or upgrade current HMI version—to enable change propagation
capability that monitors revisions to programming by date/time and login credentials. This
software can also "undeploy" programming changes and revert to a previous version.
• Install safeguards for laptops used for onsite programming of remote PLCs or RTUs against theft
or unauthorized use.
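Several of the basic considerations above (individual logons, privileges matched to responsibility, set point range rejection, inactivity logout, account removal, and an audit trail tied to each user) are sketched below as an added Python example; it is not part of the original guidance or of any vendor's HMI. The set point tags, limits, roles, accounts and timeout are constructed, password checking is left out, and the hash chaining of log entries is an addition of this example that makes later edits to the log detectable.

```python
import hashlib
import json

# Constructed limits, roles and timeout for illustration; real values come
# from the utility's own process engineering and security policy.
SETPOINT_LIMITS = {"chlorine_dose_mg_per_l": (0.2, 4.0),
                   "clearwell_level_ft": (6.0, 18.0)}
ROLE_CAN_WRITE = {"viewer": set(),
                  "operator": {"clearwell_level_ft"},
                  "supervisor": {"clearwell_level_ft", "chlorine_dose_mg_per_l"}}
INACTIVITY_TIMEOUT_S = 600


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Hmi:
    """Toy HMI front end: individual accounts, role privileges, range checks."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)  # user -> role
        self.sessions = {}              # user -> time of last activity
        self.setpoints = {}
        self.audit = []                 # hash-chained log entries

    def _log(self, now, user, action, detail, outcome):
        # Every entry names the individual user and links to the previous one.
        body = {"time": now, "user": user, "action": action, "detail": detail,
                "outcome": outcome,
                "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        self.audit.append({**body, "hash": _digest(body)})
        return outcome

    def logon(self, user, now):
        if user not in self.accounts:
            return self._log(now, user, "logon", {}, "rejected: unknown account")
        self.sessions[user] = now
        return self._log(now, user, "logon", {}, "accepted")

    def remove_account(self, user, now):
        # Termination: drop the account and any live session immediately.
        self.accounts.pop(user, None)
        self.sessions.pop(user, None)
        return self._log(now, user, "remove_account", {}, "accepted")

    def change_setpoint(self, user, tag, value, now):
        detail = {"tag": tag, "value": value}
        if user not in self.sessions:
            return self._log(now, user, "setpoint", detail, "rejected: not logged on")
        if now - self.sessions[user] > INACTIVITY_TIMEOUT_S:
            del self.sessions[user]
            return self._log(now, user, "setpoint", detail, "rejected: inactivity timeout")
        self.sessions[user] = now
        if tag not in ROLE_CAN_WRITE[self.accounts[user]]:
            return self._log(now, user, "setpoint", detail, "rejected: privilege")
        low, high = SETPOINT_LIMITS[tag]
        if not low <= value <= high:
            return self._log(now, user, "setpoint", detail, "rejected: out of range")
        self.setpoints[tag] = value
        return self._log(now, user, "setpoint", detail, "accepted")

    def verify_audit(self):
        """Recompute the chain; editing an entry or removing one from the middle breaks it."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Constructed operator session; returns the HMI and each request's outcome."""
    hmi = Hmi({"alee": "operator", "bcruz": "supervisor"})
    hmi.logon("alee", now=0)
    hmi.logon("bcruz", now=0)
    outcomes = [
        hmi.change_setpoint("alee", "clearwell_level_ft", 12.0, now=60),
        hmi.change_setpoint("alee", "chlorine_dose_mg_per_l", 2.0, now=90),
        hmi.change_setpoint("bcruz", "chlorine_dose_mg_per_l", 40.0, now=120),
        hmi.change_setpoint("bcruz", "chlorine_dose_mg_per_l", 1.5, now=150),
        hmi.change_setpoint("alee", "clearwell_level_ft", 10.0, now=700),
    ]
    hmi.remove_account("bcruz", now=800)
    outcomes.append(hmi.change_setpoint("bcruz", "chlorine_dose_mg_per_l", 1.0, now=810))
    outcomes.append(hmi.logon("bcruz", now=820))
    return hmi, outcomes


if __name__ == "__main__":
    hmi, outcomes = demo()
    for line in outcomes:
        print(line)
    print("audit chain intact:", hmi.verify_audit())
```

Rejected requests are logged as well as accepted ones, so the trail shows who attempted an out-of-range or unprivileged change, not only who succeeded.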
5.5.5.2 Physical Security of SCADA Components
Sensitive electronic SCADA components are often completely accessible to anyone in the plant.
Utilities can reduce crimes of opportunity through these basic operational security considerations:
• Backup of SCADA servers and programming workstations to tape every night. Appropriate
tapes should be stored offsite to ensure disaster recovery.
• Lockable PLC cabinets.
• Protective, lockable casing for exposed outdoor RTUs.
• SCADA servers secured in locked, climate-controlled areas.
• Restriction of access to the control room (and network/server room) with an entry system that
stores information about who has entered and departed.
5.6 Design
Design considerations for cyber security should be coordinated with planning for the physical
security of the organization. For example, card-reader access systems can be specified in the physical
security plan to regulate access to restricted areas. Card readers can also benefit cyber security by
doubling as a logon device that can record who has logged in and out of a computer.
Consistent with the previous intrusion defense discussion, design considerations will fall under the
main areas of unauthorized entry: Internet, telephone system, wireless, and insider.
5.6.1 General Design Best Practices
Several design elements are recommended to bolster both insider and outsider defense, as well as to
minimize less malicious levels of unauthorized entry. Utilities should evaluate implementation of the
following basic activities:
• Identify and characterize all connections between the business and control networks. Though
business and control networks have traditionally been separate, current demands for
enterprise-wide data access dictate intra-network communication. By designing a secure connection
between the networks, the enterprise can reap the benefits of data extraction from the control
network and transport to the business network without compromising the mission-critical
SCADA system. All network traffic between the two networks should be strictly controlled.
Methods of securely segmenting the business and control networks include these:
- Virtual Air Gap. Allows one-way data traffic from a control network server to a business
network server by means of an optical isolator.
- Dual-homed Server. Directs SCADA process data into a database server via one network
card on the control side; allows access to the database only from the other network card on
the business network.
- Router. Restricts traffic to a small number of destinations as regulated by an Access Control
List (ACL). A firewall is appropriate here as well, especially if control of the Internet gateway
is not under the utility IT purview.
- Firewall. Of particular value in the case where utility IT has no control over the enterprise
Internet gateway.
• Review the policy governing entries on the router ACL so that only appropriate Internet Protocol
(IP) addresses (such as a designated printer or the email server) can be accessed across the
business and control system networks.
• Implement restricted access (and policies) to the SCADA control room. Consider biometric
devices for areas requiring the highest levels of security.
• Provide a climate-controlled, locked enclosure for SCADA servers and networking components.
• Install and use a lock and intruder switch on control panels.
• Configure identical SCADA servers for "fail-over" redundancy.
• Install anti-virus software and configure for daily virus pattern updates on all servers and
workstations.
• Reset all operating system and HMI passwords away from default settings.
• Verify that the backup system consistently captures a "snapshot" of designated servers and
workstations. Provide offsite storage of selected tape backups necessary for disaster recovery
purposes.
• Routinely back up all SCADA programs for PLCs, distributed control units, RTUs, SCADA
servers, and similar programmable devices to provide for rapid recovery in the event of loss of
program or need to install new devices. Store programs offsite.
• Provide individual UPSs for critical SCADA devices not protected by the main UPS system.
The following advanced activities can also be considered:
• Provide a UPS for all servers, networking components, and vital workstations. Consider addition
of diesel-powered generator if warranted by system criticality.
• Provide a backup method to collect the data from the remote systems in case of communications
failure. If, for example, a spread-spectrum radio network is the main method of remote SCADA
communication, then telephone lines could be used for dial-up access in case of radio failure.
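The router ACL guidance in this section, and the instruction in Section 5.5.2.2 to allow only legitimate connections between the two networks, is illustrated by the following added Python example, which is not part of the original guidance. It evaluates flows crossing the business/control boundary against a default-deny ACL and reviews the ACL for entries broader than a designated host; the addressing plan, ports and ACL entries are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (an assumption of this example).
BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")
CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class AclEntry:
    src: str      # permitted source network, CIDR notation
    dst: str      # permitted destination network, CIDR notation
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    purpose: str  # documented reason the entry exists

    def matches(self, src_ip, dst_ip, proto, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and proto == self.proto
                and port == self.port)


# Constructed ACL: two narrow entries of the kind the guidance names
# (a designated printer, the email server) and one overly broad entry.
SAMPLE_ACL = [
    AclEntry("10.20.0.0/24", "10.10.5.20/32", "tcp", 9100, "designated printer"),
    AclEntry("10.20.0.0/24", "10.10.1.25/32", "tcp", 25, "email server"),
    AclEntry("10.10.0.0/16", "10.20.0.0/24", "tcp", 3389, ""),
]


def side(ip):
    """Name the network an address sits on."""
    addr = ipaddress.ip_address(ip)
    if addr in CONTROL_NET:
        return "control"
    if addr in BUSINESS_NET:
        return "business"
    return "other"


def evaluate(acl, src_ip, dst_ip, proto, port):
    """First-match evaluation with an implicit deny at the end of the list."""
    if side(src_ip) == side(dst_ip):
        return ("not-applicable", "flow stays on one network")
    for entry in acl:
        if entry.matches(src_ip, dst_ip, proto, port):
            return ("permit", entry.purpose or "undocumented entry")
    return ("deny", "no matching entry")


def review_acl(acl):
    """Return (entry number, finding) for entries that are too permissive."""
    findings = []
    for number, entry in enumerate(acl, start=1):
        if ipaddress.ip_network(entry.dst).num_addresses != 1:
            findings.append((number, "destination is a network, not a designated host"))
        if not entry.purpose.strip():
            findings.append((number, "no documented purpose"))
    return findings


if __name__ == "__main__":
    flows = [
        ("10.20.0.15", "10.10.5.20", "tcp", 9100),  # HMI workstation to printer
        ("10.10.44.7", "10.20.0.10", "tcp", 502),   # office PC to a PLC
        ("10.10.44.7", "10.20.0.10", "tcp", 3389),  # allowed only by entry 3
    ]
    for flow in flows:
        print(flow, "->", evaluate(SAMPLE_ACL, *flow))
    for number, finding in review_acl(SAMPLE_ACL):
        print(f"entry {number}: {finding}")
```

The third entry shows why the review matters: it permits any business host to reach every control-network address, which is the kind of connection the guidance asks utilities to identify and restrict.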
5.6.2 Internet Intrusion Design
Enterprise Internet security for municipal utilities is often under the stewardship of a municipal IT
department. Given its level of specialization, training may be required for the IT staff who maintain
security at the Internet gateway. Regardless, the principles are the same whether applied at the
Internet gateway or between the utility and municipal networks.
Devices such as firewalls and routers, if properly configured, can effectively insulate a utility's
network from outside attack. It is recommended that the utility appoint an appropriately skilled staff
member or hire a consultant to determine the current best practices in Internet intrusion design
because these technologies are evolving rapidly. Important basic design elements at the time of this
writing are listed below:
• Contract for periodic evaluation of firewall and IDS effectiveness by a third-party security
specialist to continuously maintain and improve operational performance.
• Consider using a Virtual Private Network solution to prevent unauthorized access into the
enterprise from the Internet.
• Ensure that the firewall is either "stateful packet inspection" or "proxy" served.
Advanced design elements include these:
• Implement both types of firewalls in a "layered" approach.
• Install an IDS at the Internet gateway and regularly audit IDS logs for evidence of unauthorized
entry. An IDS, properly monitored, can identify when a firewall is under attack and provide
valuable information about intrusion attempts. Other IDS tools can detect system configuration
changes and log file anomalies.
5.6.3 Telephone Intrusion Design
The telephone system is vulnerable to unauthorized access through modems. Typically, modems are
found in three areas: attached to the SCADA server for maintenance purposes, attached to
remote access servers on the business network to facilitate employee dial-in, and "informal" modems
attached to workstations so that the individual employee can work from home. This last type of
modem is difficult to track down and usually has no security configured. A basic design element to
reduce risk from modems is to:
• Create policies designed to prevent the installation of unauthorized modems on enterprise
equipment. Those modems are often used in conjunction with remote control software to
facilitate working from home. The security risks to the business usually outweigh the
convenience for the individual.
Advanced design elements to reduce risk from modems include:
• Use commercial telephone-scanning software that can usually identify modem connections not
sanctioned by the utility.
• Equip all SCADA modems with "lock and key" hardware devices. Distribute the "keys" to
SCADA technicians and trusted vendors only. This solution provides flexibility as well as a
higher degree of security. Technicians needing access can call at any time and from any telephone
(e.g., a SCADA technician on travel).
• When telephone lines are used to connect to RTUs from the field, consider encrypting commands
to prevent interference from attackers "tapping" into leased or owned lines.
5.6.4 Wireless Intrusion Design
Many utilities rely on radio transmission to interact with remote SCADA components in the field.
RTUs in the field exchange, monitor, and control information in "plain text." These unencrypted
broadcasts can be intercepted and retransmitted with different—potentially harmful—information.
As a basic method of risk mitigation, utilities may want to:
• Provide "hardened," lockable enclosures for all remote control system units. Many of these units
are in isolated areas with few protective measures to deter vandalism.
• Provide signal supervision and tamper alarms to detect loss of signal and tamper attempts.
More advanced methods of risk mitigation for wireless components include:
• Encrypting radio traffic between RTUs (or PLCs with radio units) and the master unit with
scrambler/descrambler devices. As an alternative, modify radios with appropriate capabilities to
use spread-spectrum frequency hopping.
• Specifying wireless networking configurable to an appropriate security level.
• Turning off "beaconing" and minimizing reception area through a combination of antenna type
and wireless access point configuration.
5.6.5 Insider Intrusion Design
The difficulty in designing a secure enterprise against an insider attack is evident—the insider
already has direct access to information systems. The key to deterrence is a strong and enforced
security plan that:
• Reduces the chances of acting anonymously.
• Restricts potential damage through limited access privileges, both physical and electronic.
SECTION 6
Choosing the Optimal
Physical Security Equipment
• Determine the type of equipment needed
• Identify the required equipment features
• Match needs with available security equipment
6.1 Overview
The previous sections of this document identified applications for which utilities may want to
purchase and install electric and electronic security devices. Utilities should base their decisions on
their DBTs, as well as other operational and design considerations.
A variety of security systems and components are commercially available. Before implementing a
security system, it is important to understand the characteristics and requirements of the area and
facility to be protected. With this understanding in hand, detailed criteria can be developed to specify
exactly how the security system should be implemented.
This section provides an overview of issues and situations that should be considered, as well as basic
information, when determining the type of electric or electronic security system to install once the
decision has been made that such a system will be employed. Included are descriptions of three major
categories of security equipment: intrusion detection systems (both interior and exterior), access
control (card reader) systems, and closed-circuit surveillance camera systems. Each of these sections
provides information on recommended security devices, including interior and exterior intrusion
detection systems, card readers, biometric readers, camera lens and equipment requirements, digital
video recording and CCTV compression. Lighting, power, and security wiring standards are also
discussed.
6.2 Questions to Ask
To determine the type of security system to install, it is important to understand the characteristics of
the area to be protected, as well as the security expectations and requirements. This section describes
the information that should be obtained and questions that should be asked to help utilities plan and
implement a security system.
6.2.1 Threat
The types of security equipment employed will be dependent on the utility's DBT. Questions to
consider include:
• Is the anticipated adversary an outsider, an insider, or an outsider collaborating with an insider?
• What tactics, motivation, skills, knowledge, tools, or weapons might the adversary use?
Protecting a facility from a skilled, trained adversary with knowledge of the facility requires a
different tactic than protecting against a teen-aged vandal.
6.2.2 Known Vulnerabilities and Key Assets
A utility's vulnerability assessment identifies the assets that are most critical to meeting its mission.
The types of assets to be protected influence the types of equipment recommended to protect them.
6.2.3 Areas of Coverage
The characteristics of the area that the equipment will be expected to cover are critical factors that
need to be taken into account. Questions to consider include:
• What is the area or region to be protected?
• Does the area occupy a level surface?
• Is the area enclosed? Is the area indoors or outdoors? Indoor areas typically have lower nuisance
alarm rates and are easier to protect.
• If indoors, what ambient noise levels, thermal conditions, or vibrations may exist?
• If outdoors, what humidity, temperature conditions, and wind conditions exist?
• Are small animals or children living near the protected space?
• How large is the area?
• What is the configuration and physical layout of the area to be protected?
• What are the existing lighting conditions within the area?
• Are there any restrictions that limit placement or levels of site lighting, such as neighborhood
zoning requirements?
• Are the assets visible from the perimeter fence or property line?
6.2.4 Levels of Resolution
To accurately specify the required security hardware, it is important to define the required level of
resolution that the security system must achieve: detection, classification, or identification.
• Detection. The capability to determine the presence of an intruder (but not necessarily classify as
a human, animal, or object).
• Classification. The capability to determine the classification of an intruder as human.
• Identification. The capability to determine the identity of a human intruder.
6.2.5 System Size and Device Quantity
Before selecting equipment, it is also important for a utility to think about the size of the area that it
wants to cover and the number of devices it will need. Understanding the potential growth of the
water system also allows the designer to provide a security system that scales with a minimum of
cost and effort as the system size and requirements expand.
6.2.6 Electrical Power, Wiring, and Transmission Methods
Availability of electrical power will also influence selection of security devices. Questions to consider
include:
• What electrical power is available for the security hardware, if any?
• What backup power is provided for security?
• Are lightning strikes a consideration? Is a lightning protection system advisable for new
electronic equipment?
• Will all wiring be protected within conduit?
• How are alarm signals transmitted back to a monitoring system?
• Will hardwired systems be used or are wireless communication methods being considered?
• What bandwidth is available for transmitting security alarms and video images? For example,
dial-up telephone modems or radio telemetry systems provide limited bandwidth for
transmitting video images, whereas high bandwidth broadband connections allow higher rates of
transmission and smoother video image playback.
6.2.7 Viewing and Assessment
Utilities also need to consider how information transmitted by security devices will be used.
Approaches to viewing and assessing camera images and responding to alarms should be part of the
criteria when making decisions on equipment selection. Questions for consideration include:
• What areas need surveillance? What camera surveillance systems may be required? Is there a
need to have CCTV camera coverage at the entire site perimeter?
• What monitoring system is in place to receive the alarms: a SCADA system or a separate
intrusion detection system? For example, it is advisable to separate SCADA from security alarms
whenever possible so that an adversary cannot disable both simultaneously.
• Who will monitor the alarms? Will the system be monitored on a continuous basis, or as alarms
come in?
• Who will view the security alarms and assess them?
• Where is the monitoring system located?
• What is the security response once an alarm occurs?
• Is the response onsite or offsite?
• What is the response time?
6.3 Basic Information About Physical Security Equipment
Before determining the type of physical security system that would be the best for a utility, it is
important to understand the basic components, features, and requirements on which a utility will
have to decide.
6.3.1 Power and Wiring
Without a reliable power source and intact wiring, a security system cannot function. Indeed, cutting
the power to a security device may be an adversary's first course of action. Recommendations for
reliable power and security wiring are presented here.
6.3.1.1 Power Supplies
Typically a security system includes items that require 120 Vac (volts alternating current) power and
low-voltage (12 Vac, 24 Vdc [volts direct current]) power. If an auxiliary power supply is included for
supplying low-voltage power, be sure that calculations are performed on the load and voltage drop
of the system. Load and voltage drop should meet the following criteria:
• The power supply should be loaded to no greater than 75 percent of capacity to allow for future
expansion.
• Worst-case voltage drop should be no greater than 10 percent for the longest length low-voltage
circuit from power supply to device.
6.3.1.2 Lightning Protection
In many parts of the country, a lightning protection system is essential for the protection of electronic
devices. The goal of a lightning protection system is to:
• Limit step or contact voltage and induced voltage.
• Limit fire propagation.
• Reduce the effect of surges on sensitive equipment.
Typically, a lightning protection system utilizes a separate grounding system that is tied to the facility
ground system. Consider the following when planning for a lightning protection system:
• Coordination is required with roofing, parapet, and interior building design to allow for
installation of air terminal or riser cables.
• Criteria for lightning protection may involve the utility's insurance company.
For more specific information, refer to NFPA 780, Standard for the Installation of Lightning
Protection Systems.
6.3.1.3 Power Backup
For all electronic components of the security system, some method of power backup is recommended.
With automatic generator-backed systems, if normal alternating current (AC) power fails, there is a 5-
to 10-second lag before the generator backup engages. With manual systems this time period can be
much longer.
Some basic backup power considerations are as follows:
• UPS systems are recommended for security devices requiring 120 Vac power, such as computers
and video monitors.
• Batteries are cost-effective and reliable for low-voltage devices, such as cameras and card reader
systems. Provide automatic charging means to automatically maintain battery charge under normal
power conditions.
(Consider using battery backup and a small self-charging UPS for backup power to smaller
security installations.)
• Battery recharge circuits should automatically recharge batteries within 24 hours after the
batteries have been discharged.
• Modular battery backup systems provide an advantage because they may be expanded by simply
adding more components and batteries. As backup power requirements increase, the battery
system capacity can be adjusted to meet current needs.
• When considering UPS systems, compare the cost and flexibility of using smaller point-of-use
UPS units against a large system-wide UPS. In some cases, greater flexibility and cost-
effectiveness may be achieved using point-of-use UPS units. Additionally, the cost of maintaining
a spare point-of-use UPS unit is much lower than providing a redundant system-wide standby
UPS unit.
6.3.1.4 Security Wiring
Basic
• All interconnecting wiring between security system components should be monitored for
integrity so that an abnormal condition (e.g., wire-to-wire short, wire break, or wire ground-fault
condition) is automatically indicated when arming the system.
• Coaxial cable RG-59U, the most common coaxial cable style, is rated for up to 750 feet. Use
fiber-optic cable for CCTV runs farther than 750 feet.
Advanced
• Fiber optic cable offers several advantages over coaxial cable: it is impervious to electromagnetic
interference and radio frequency interference, and it offers good security against eavesdropping. For
new CCTV installations, fiber is recommended over coaxial cable, except for very short runs
(under 50 feet).
6.3.1.5 Sample System Performance Criteria
Utilities may want to consider including performance standards such as these when determining the
type of basic physical security system to purchase and install:
• Four-hour battery backup, at a minimum, should be provided for security equipment.
• All exposed security wiring should be installed in conduit.
• No splices or wire nuts should be used within wiring circuits. All wiring terminations should be
made via mechanical termination blocks.
• All wiring shall comply with the NFPA 70, National Electrical Code, specifically Articles 725 and
800, as appropriate.
• Security panels shall be UL listed as meeting standard UL804.
6.3.2 Visibility and Lighting Recommendations
Visibility and lighting are critical elements of a successful security system.
6.3.2.1 Visibility
Within a parking lot, trees and shrubs should not obstruct viewing. Tree branches and leaves should
not be lower than 10 feet above the lot surface. Interior shrubs and bushes should not be higher than
18 inches so as not to obstruct vision or conceal an adversary.
6.3.2.2 Lighting
A significant part of visibility is lighting. Lighting should enable people parking to note individuals
at night at a distance of 75 feet or more and to identify a human face at about 33 feet. These are
distances that will allow them, if necessary, to avoid the individuals or take defensive action while
still at a safe distance.
Security lighting increases the effectiveness of guard forces and closed circuit television by increasing
the visual range of the guards or CCTV during periods of darkness. It also provides increased
illumination of an area where natural light does not reach or is insufficient. Lighting also has value as
a deterrent to individuals looking for an opportunity to commit crime. Normally, security lighting
requires less intensity than lighting in working areas. An exception is at normal doorways.
Exterior lighting for areas such as parking lots should provide a minimum level of visibility when
guards perform inspection of the protected area. Guards and CCTV surveillance systems must be
able to:
• see badges, people, and other guards at gates
• observe activity
• inspect vehicles
• observe illegal entry attempts
• detect intruders in the protected area
• observe unusual or suspicious circumstances
Each parking lot presents its own particular security challenges based on physical layout, terrain,
atmospheric conditions, and security requirements. The goals of direct illumination are to provide a
specified intensity throughout the area for support of guard forces or CCTV, provide good visibility
for customers or employees, and have a minimum of glare.
The most severe problem is illuminating the small narrow "corridors" formed by adjacent parked
cars. To get light into these areas, it is recommended that any point in the entire parking lot be
provided with illumination from at least two and preferably four lighting (pole) locations. The lights
should be mounted at a minimum height of 20 feet.
6.3.2.3 Example System Performance Criteria
• Provide lighting that is a minimum of 0.2 foot-candles around key assets for observation by
unaided eye.
• Provide minimum of 1 foot-candle (the average maintained horizontal to the surface) for self-
parking areas.
Tips for Small Utilities
Low-pressure sodium lights are reasonably efficient and provide a uniform lighting ratio.
Lighting at entry and exit points should be at least 1.5 to 2.0 foot-candles for safety and for
adequate observation by employees or CCTV.
Two foot-candles of lighting should be provided for attendant parking areas because of liability and
potential damage to automobiles.
Where additional lighting for business attractions or customer convenience is a consideration,
lighting of 5.0 foot-candles and higher is often used.
The light-to-dark ratio should be designed such that the lowest value of illumination on the
pavement is not less than one-fourth of the recommended average (a 4:1 light-to-dark ratio). The
lighting should be maintained at no worse than 6:1.
RP-20-98, Lighting for Parking Facilities, published by the Illuminating Engineering Society of
North America (IESNA), provides recommended illumination levels for parking facilities.
6.4 Types of Physical Security Equipment
Once the utility understands the characteristics of the area to be protected and the security
expectations and requirements (as described in the previous section), the utility can determine the
type of security equipment to use. There are many different types of security equipment. These types
include:
• Access control systems (card readers, PIN access, and biometrics)
• Intrusion detection (interior and exterior)
• CCTV surveillance
Each of these types of security equipment is described in this section.
6.4.1 Access Control
An access control system allows the movement of authorized personnel and material into and out of
facilities while detecting and possibly delaying movement of unauthorized personnel or contraband.
Entry control elements may be found at a facility boundary or perimeter, such as at vehicle gates,
building entry points, or doors into rooms or other special areas within a building.
Access control systems make a verification decision and then determine whether to grant or deny
access to a person. This verification decision is usually based on determining whether the person:
• carries a valid credential, such as an access card.
• knows a valid PIN.
• possesses the proper unique physical characteristic that matches the person's characteristic
recorded at enrollment. This is called biometrics and includes characteristics such as a fingerprint
or hand geometry.
These three concepts, from basic to advanced, can be thought of as "what you have," "what you
know," and "what you are."
6.4.1.1 Credentials (Access Card Types)—What You Have
There are a number of different types of credentials (or access cards) used in personnel access
control, including photo identification, exchange, stored-image badges, and coded credentials. There
are many techniques available for coding a badge or card. The most common techniques include
magnetic stripe, bar codes, proximity, and smart cards. The most commonly used card readers are
magnetic stripe or proximity technology.
Tips for Small Utilities
Single door card reader systems are available that include everything necessary to control a single
door. These may be cost-effective for a small utility having few doors or staff. Also available are
single-door access control systems that use a PIN for door entry but can be integrated into a
networked card reader system in the future.
Card reader access control systems provide the most reliable, flexible method of controlling access to a
facility. Card reader systems come in many configurations, from stand-alone systems that control
only one door to scaleable systems that can provide enterprise-wide control for an entire corporation
spanning multiple continents. Newer card reader systems offer sophisticated database intelligence
that allows integration with payroll, information technology, and human resources databases. If an
employee is terminated, his or her access privileges can be revoked within the access control system
instantaneously. Some access control systems offer seamless integration with video surveillance
systems, where access control alarms and video surveillance images are displayed on common
PC workstations.
As shown in Figure 6-1, the card reader system typically consists of:
• a computer server or workstation that displays alarm conditions and allows programming of
the system
• a badge station, allowing creation and programming of badges
• local control panels that control the doors, card reader units, and access cards
• a printer unit that prints each event and alarm condition
Under normal operation, the system grants access at doors with card readers by comparing the time
and location of any attempted entry with information stored in memory. Access is granted only
when the security card used has a valid entry code at the card reader for a designated time frame.
FIGURE 6-1
Typical Card Reader System
Significant advantages of the card reader system include the capability for event tracking and
programmable software functions, such as these:
• Event tracking/event logs are lists of security events recorded by the access control system that
indicate the actions performed. Each event log entry contains the time, date, and other
information specific to the event.
• Two-man rule software is software programming that is optional on many card reader systems. It
prevents an individual cardholder from entering a selected empty security area unless
accompanied by at least one other person or exiting if only one person will remain in the area.
Once two cardholders are logged into the area, other cardholders can come and go individually
as long as at least two people are in the area. Conversely, when exiting, the last two occupants of
the security area must exit together.
• Anti-passback software prevents users from giving their cards to someone else to use. This
feature is sometimes available with keypads. To prevent the same PIN from being used by many
people, a time element can be programmed in—the PIN will not work again until that time
expires. Some anti-passback systems require that if a card is used to enter an area that card must
be used to exit that area before it can be used to gain access to a different or unrelated area. This
feature also helps eliminate "piggy-backing" or tailgating by unauthorized persons.
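The two-man rule, anti-passback, time-frame check, and event log described above can be traced in a short Python model. This is an added example, not code from this guidance or from any access control product. The area names, card numbers, and schedules are constructed, and presenting two cards in one request is an assumption standing in for two people badging in together.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Area:
    name: str
    two_man: bool = False                      # two-man rule enabled here
    occupants: set = field(default_factory=set)


class AccessController:
    """Grants or denies door requests and keeps an event log of every decision."""

    def __init__(self, areas, schedules):
        self.areas = {a.name: a for a in areas}
        self.schedules = schedules             # card -> {area: (start, end)}
        self.location = {}                     # card -> area it is logged into
        self.event_log = []

    def _record(self, when, cards, area, action, granted, reason):
        # One log entry per card, carrying the date, time and event details.
        for card in cards:
            self.event_log.append({
                "date": when.date().isoformat(),
                "time": when.time().isoformat(timespec="seconds"),
                "card": card, "area": area, "action": action,
                "granted": granted, "reason": reason,
            })
        return granted

    def _in_schedule(self, card, area, when):
        window = self.schedules.get(card, {}).get(area)
        return window is not None and window[0] <= when.time() <= window[1]

    def request_entry(self, when, cards, area_name):
        area = self.areas[area_name]
        cards = list(dict.fromkeys(cards))     # the same card never counts twice
        for card in cards:
            if not self._in_schedule(card, area_name, when):
                return self._record(when, cards, area_name, "entry", False,
                                    f"{card}: no valid entry code for this reader and time")
            if card in self.location:          # anti-passback: must exit first
                return self._record(when, cards, area_name, "entry", False,
                                    f"{card}: anti-passback, still logged into {self.location[card]}")
        if area.two_man and len(area.occupants) + len(cards) < 2:
            return self._record(when, cards, area_name, "entry", False,
                                "two-man rule: area is empty")
        for card in cards:
            area.occupants.add(card)
            self.location[card] = area_name
        return self._record(when, cards, area_name, "entry", True, "ok")

    def request_exit(self, when, cards, area_name):
        area = self.areas[area_name]
        cards = list(dict.fromkeys(cards))
        for card in cards:
            if self.location.get(card) != area_name:
                return self._record(when, cards, area_name, "exit", False,
                                    f"{card}: anti-passback, no entry recorded here")
        if area.two_man and len(area.occupants) - len(cards) == 1:
            return self._record(when, cards, area_name, "exit", False,
                                "two-man rule: one person would remain")
        for card in cards:
            area.occupants.discard(card)
            del self.location[card]
        return self._record(when, cards, area_name, "exit", True, "ok")


def run_demo():
    """Constructed scenario: three cards, one two-man area, one ordinary area."""
    day = (time(6, 0), time(18, 0))
    ctl = AccessController(
        [Area("chlorine_room", two_man=True), Area("pump_station")],
        {"A100": {"chlorine_room": day, "pump_station": day},
         "B200": {"chlorine_room": day},
         "C300": {"chlorine_room": day}},
    )
    at = lambda h, m: datetime(2004, 12, 9, h, m)
    results = [
        ctl.request_entry(at(9, 0), ["A100"], "chlorine_room"),           # alone, empty area
        ctl.request_entry(at(9, 1), ["A100", "B200"], "chlorine_room"),   # pair enters
        ctl.request_entry(at(9, 5), ["C300"], "chlorine_room"),           # two already inside
        ctl.request_entry(at(9, 6), ["A100"], "pump_station"),            # never badged out
        ctl.request_exit(at(9, 10), ["C300"], "chlorine_room"),           # two remain
        ctl.request_exit(at(9, 15), ["B200"], "chlorine_room"),           # would leave one
        ctl.request_exit(at(9, 16), ["A100", "B200"], "chlorine_room"),   # last two together
        ctl.request_entry(at(9, 20), ["A100"], "pump_station"),           # now allowed
        ctl.request_entry(at(19, 0), ["B200", "C300"], "chlorine_room"),  # outside time frame
    ]
    return results, ctl


if __name__ == "__main__":
    results, ctl = run_demo()
    for event in ctl.event_log:
        print(event)
```

Denied requests are logged alongside granted ones, so the event log shows attempted rule violations as well as normal movement.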
6.4.1.2 PIN—What You Know
There are two primary considerations for selecting a secure PIN. First, the PIN should be long enough
and have enough digits to prevent easy guessing. Second, the PIN should not be a number that is too
meaningful to the individual to whom it is assigned (e.g., birthday or nickname). If a person is
allowed to choose his or her own PIN, he or she should be discouraged from choosing a PIN that is
too meaningful and could be easily guessed.
Some systems provide a maximum number of PIN entry attempts before disallowing the credential
or generating an alarm to the central control system.
6.4.1.3 Biometrics—Who You Are
Commercial equipment is available that uses hand or finger geometry, handwriting, eye pattern,
fingerprints, speech, face, and various other physical characteristics to identify an individual. When
selecting or deploying biometric devices, consideration of the security objectives is required so that
the optimal device is selected and that it will operate as desired.
Hand readers and fingerprint readers are the most common biometric access control applications.
Fingerprint reader stations are physically smaller in size and have a lower cost than hand geometry
readers. Fingerprint readers are best suited for installations with smaller user populations (such as a
lab area accessed by approximately 20 people), whereas larger user populations are better served by
hand geometry readers.
Not everyone can use biometric devices. Fingerprint readers have a higher false-rejection rate than do
hand geometry readers. For example, a portion of the population cannot use fingerprint readers
because of dry skin. Manual labor staff who routinely use their hands may have worn fingerprints or
scars on their fingertips, making it difficult for effective fingerprint reading. In addition, physical
changes occur with age or injury that can impact biometric reader effectiveness. In these cases, a hand
geometry reader might be a more effective technology.
Training on the capabilities and limitations of the selected biometric device is essential. The
procedures need to provide for the periodic update of biometric data for each person tracked by the
device; enrollment of staff into a biometric reader is not a one-time action.
6.4.2 Interior Intrusion Detection
Many types of interior intrusion detection systems are in use today, including volumetric sensors and
boundary penetration sensors.
6.4.2.1 Interior Volumetric Sensors
Volumetric sensors monitor an internal area to detect the presence of an intruder. There are several
types of volumetric sensors, including microwave, ultrasonic, passive infrared (PIR), and dual-
technology (microwave and PIR). The most commonly used are dual-technology sensors.
Dual-technology sensors use both microwave and PIR sensor circuitry within one housing. An alarm
condition is generated if either the microwave or PIR sensor generates an alarm condition. In some
dual-technology sensors, alarm settings may be adjusted to require that both the microwave and the
PIR unit detect an intruder presence before an alarm condition is generated.
Tip for Small Utilities
Designs for smaller utilities might consider an exterior door contact(s) and interior dual-technology
sensor connected to a SCADA alarm point.
Dual-technology sensors have some drawbacks; for example, the
PIR channel is relatively vulnerable. An elusive burglar may use an
infrared emission-blocking cloak or screen to camouflage his infrared radiation. In addition, in hot
climates when air-conditioning is off, there is a serious problem of misdetection with high ambient
temperatures. Some dual-technology sensors attempt to overcome this limitation by having installer-
selectable logic, where detectors from either channel are enough to trigger an event. However, this
mode is not very popular because it suffers from the false alarm weaknesses of both technologies.
6.4.2.2 Interior Boundary Penetration Sensors
Boundary penetration sensors detect the presence of an intruder across an interior boundary, such as
a door, window, or hatch. The most typical boundary penetration sensors are door switches, glass-
break sensors, and linear-beam sensors.
• Door switches. The workhorse of the security intrusion detection field, door switches include
contact switches, magnetic switches, and balanced magnetic switches. These switches may be
used in a variety of applications, from monitoring doors to monitoring hatches, vaults, and panel
enclosures. By far, the most effective is the balanced magnetic switch. This switch has internal
circuitry that resists tampering or defeat from strong magnetic fields. By comparison, standard
magnetic switches have been defeated by applying a strong magnet to the exterior of the door to
bypass an alarm and force the door open.
• Glass-break sensors. There are three basic types of glass-break sensors: acoustic sensors (which
listen for an acoustic sound wave that matches the frequency of broken glass), shock sensors (which
feel the shock wave when glass is broken), and dual-technology sensors (which sense acoustic and
shock vibrations). Because glass-break sensors do not sense motion or intrusion from entering a door or
hatch, the sensors should be used in conjunction with other methods (such as volumetric
sensors). It is recommended that glass-break sensors not be placed directly on a glass surface.
• Linear-beam sensors. Also referred to as a photoelectric beam or photoelectric eye, linear-beam
sensors consist of a transmitter that emits a beam of light that is invisible to the human eye and a
receiver that receives the beam of light. If the beam of light is interrupted or broken by motion
from an intruder, an alarm is triggered. Linear beam detectors can be surface mounted or
recessed. These sensors require a straight line of sight between the transmitter and the receiver.
6.4.3 Exterior Intrusion Detection
Several types of exterior intrusion detection sensors exist and may be classified according to type,
method of use, style, and mode of application. The following exterior systems are most applicable to
water system applications and are listed in order from basic to advanced in the following paragraphs:
freestanding sensors, buried-line sensors, and fence-mounted sensors.
6.4.3.1 Freestanding Sensors
Freestanding sensors are the most common style of exterior sensor available. Types include active
infrared, PIR, microwave, and dual-technology sensors. Microwave and dual-technology detectors are
frequently used as freestanding sensors.
Tips for Small Utilities
Monostatic microwave sensors work well for monitoring reservoir ladders or other small areas. The
device can be aimed down a ladder toward the ground, for example. Make sure the device is rated
for outdoor use before installing.
• Microwave sensors come in two styles: bistatic and monostatic. Bistatic microwave sensors use a
transmitter and receiver pair. Monostatic microwave sensors use a single sensing unit that
incorporates both transmitting and receiving functions. With both bistatic and monostatic sensors,
the sensors operate by radiating a controlled pattern of microwave energy into the
protected area. The transmitted microwave signal is received,
and a base level "no intrusion" signal level is established. Motion by an intruder causes the
received signal to be altered, setting off an alarm. Microwave signals pass through concrete and
steel and need to be applied with care if roadways or adjacent buildings are near the area of
coverage, otherwise nuisance alarms may occur. Many monostatic microwave sensors feature a
cut-off circuit, which allows the sensor to be tuned to cover only a selected region to reduce
nuisance alarms.
• Dual-technology sensors use a combination of PIR and microwave technology, as discussed
previously.
6.4.3.2 Buried-line Sensors
Buried-line sensors include pressure/seismic sensors, magnetic field sensors, buried-ported coaxial
cable, and buried fiber-optic cable sensor systems. Each of these systems relies on sensing the
presence of an intruder by means of a buried cable system within the ground.
A factor that must be considered when using buried-line sensors is the presence of underground
utilities. Underground utilities, such as gas, water, and sewer lines, must be sufficiently below the
detection zone, or false alarms may result. Typically, 3 feet is sufficient to prevent false and nuisance
alarms. Underground electrical wires must also be considered.
Other factors also need to be considered when using a buried-line sensor. Rodents have been known
to cause maintenance problems by gnawing on the sensor cables. Installations also should not be in
areas where running water will either wash away the soil that buries the sensor, cause nuisance
alarms during a heavy rain, or result in standing water or pooling issues.
A drawback to the buried-line sensor system is that it may have different sensitivities when buried
below different surfaces. For example, if a continuous system is buried below a concrete surface as
well as under a lawn, the sensitivities required for each surface may be different. A good sensitivity
adjustment for concrete may be too sensitive for grass. In this case, it may be best to individually zone
those areas so that the sensitivities may be adjusted for each.
6.4.3.3 Fence-mounted Cabling Sensors
With fence-mounted systems, it is critical that the fence construction be of high quality, with no
loose fabric, flexing, or sagging material. The fence should also have solid foundations for posts and
gates. Otherwise, nuisance alarms may occur.
Tips for Small Utilities
Fence-mounted sensor systems work well in areas animals or passersby; otherwise nuisance alarms
Several types of fence-mounted perimeter intrusion detection systems exist. These include
electro-mechanical vibration sensing, coaxial rp
Possible defeat measures include tunneling, jumping, or bridging across the fence system. Careful
climbing at corner posts also may not generate sufficient vibration to generate an alarm condition.
6.4.4 CCTV Camera Systems
CCTV camera surveillance systems are integral to effective assessment of alarms. This section
describes some of the requirements and components comprising a CCTV system.
As shown in Figure 6-2, a CCTV system typically consists of:
• one or more cameras
• transmission media (fiber cable, coaxial, or twisted-pair cabling)
• a monitor for viewing incoming camera images
• a matrix switcher or multiplexer that receives incoming video streams and directs them to
monitors and recording equipment
• a means to record each event and alarm condition
FIGURE 6-2
Typical CCTV System
6.4.4.1 Camera Characteristics
There are several key performance characteristics of a video surveillance camera. Among these are:
• Camera resolution. The amount of detail that the camera can distinguish and produce. Higher
numbers indicate better resolution.
• Minimum illumination. The minimum amount of light needed for the camera to display images.
For illumination, the lower the number, the better.
• Lenses. The lens size and type required for the camera.
Other important considerations of CCTV camera systems are whether the cameras are fixed-position or
pan, tilt, and zoom (PTZ) cameras:
• Fixed-position camera mounts. The camera is mounted in a fixed position and cannot rotate or pan.
A good application for fixed cameras is detection surveillance, because video motion detection can
be more readily applied to the static field of view.
• PTZ camera mounts. These camera mounts allow the camera to rotate, pan, tilt, and zoom.
Because of the drive motor and housing, PTZ cameras are often four times more expensive than
fixed cameras. PTZ cameras are often used for surveillance applications to view and assess alarm
conditions.
Tips For Small Utilities
Because pan/tilt cameras are three to four times the cost of comparable fixed cameras, consider
using multiple fixed cameras in place of one pan/tilt camera.
6.4.4.2 Other Camera System Elements
Matrix switchers are components that provide switching capability between cameras and viewing
monitors. They typically offer functionality that allows programmable settings such as camera
naming, guard-tour camera sequences, and salvo switching.
Digital video recording provides a great improvement in camera image storage. Benefits include
eliminating consumable media (tapes), reducing physical storage space, ease of search-and-playback
functions, and the capability to add watermarks for documenting evidentiary recordings.
Video motion detection systems permit detection of entry or intrusion using video images. This new
technology is based on computer algorithms that analyze the received video image and compare it to
stored images in the system memory. The incoming video is analyzed for the direction of the object's
movement and changes in images and background "texture."
6.4.4.3 Low-light Cameras
Several technology solutions are available to permit viewing under low light conditions, including
black/white switching cameras, infrared illuminators, or thermal imaging cameras. It is important to
design illumination specifically for the CCTV camera being used. The range that the camera will see
in the dark depends on the sensitivity and spectral response of the camera and lens combination.
Color - black/white switching cameras. Some cameras will automatically switch from color during
daytime to black/white at night, which permits viewing under low light conditions. This can be an
effective solution in situations where the existing illumination levels are too low during night
conditions to permit color camera use, but color camera use is desired during daytime conditions.
Numerous CCTV camera manufacturers offer auto-switching black/white cameras.
Infrared Illuminators. The human eye cannot see infrared light. Most mono-CCTV cameras,
however, can. Thus, invisible infrared light can be used to illuminate a scene, which allows night
surveillance without the need for additional artificial lighting. Infrared also provides many other
benefits over conventional lighting, including:
• IR beam-shapes that can be designed to optimize CCTV camera performance
• Extended bulb-life
• Covert surveillance, with no visible lighting to alert or annoy neighbors
• Lower running costs
A number of camera manufacturers produce a variety of beam patterns, such as 10° and 30° spot
(precise) illuminators and 60° flood illuminators.
Thermal imaging cameras. Thermal imaging cameras use special technology that senses heat
signatures rather than visual information. These cameras operate under complete darkness. Thermal
imaging cameras are best used in long-range detection and surveillance applications. Because they
register a heat signature, it is not possible to identify the adversary; instead, these
cameras are best used to indicate the presence of an adversary.
6.4.4.4 CCTV Assessment
Utilities need to consider how they will assess incoming security alarms. It is particularly important
to assess alarms quickly, accurately, and without compromising the entire process. Visual
observation or CCTV camera surveillance is imperative for assessment. If frame-grabber technology
is used (recording pre- and post-alarm video images upon alarm conditions), then CCTV assessment
is simplified and can be nearly automatic.
6.4.4.5 CCTV Compression Standards
Digital images and digital video are always compressed to save space on hard disks and make
transmission faster. Typically, the compression ratio is 10 to 100. An uncompressed image with a
resolution of 640 x 480 pixels is approximately 600K (kilobytes) (2 bytes per pixel). Compressed 25
times, the image is approximately 25K. There are a number of common compression standards:
• Joint Photographic Experts Group, more commonly known as JPEG, is a good and very popular
standard for still images that modern programs support. This is the preferred standard for many
network cameras. The JPEG compression ratio is approximately 10:1.
• Motion-JPEG is a variation of JPEG where still images are shown at a high frame rate. It results in
very high-quality video, but unfortunately, consists of a lot of data, with a compression ratio of
approximately 20:1.
• Moving Picture Experts Group (MPEG) 2 is a standard for video. Many variations are possible,
but normally MPEG 2 performs at 720 x 480 pixels, 30 frames-per-second. Only modern
computers (such as Pentium III with adequate random access memory [RAM]) can decode
MPEG 2, as it requires larger computing capacity. The compression ratio is approximately 20:1
or better.
• MPEG 4 is a new standard for video. It provides better performance than MPEG 2, but it is not
commonly used. Compression ratios for MPEG 4 can be 200:1 or better.
6.4.4.6 CCTV System Recommendations
Consider these recommendations when purchasing a CCTV system:
• Look for ease of use.
• Investigate the scalability of the system. If more cameras are needed locally or remotely, what is
the effort required to add new cameras?
• Ask the dealer if the new system or device is compatible with existing devices such as cameras,
matrix switches, and multiplexers. Rewiring for new cameras and devices is labor-intensive and
can be expensive.
• Understand the service plan. Manufacturers provide service and maintenance programs, and
some have premier service plans that provide feature upgrades and enhancements on computer-
based video recorders.
• Consider how the images will be viewed, the number of monitors needed to support the system,
and how multiple camera scenes will be multiplexed onto a common monitor (not every camera
requires an individual monitor).
Considerations when implementing a CCTV system include these:
• Use ample light. The most common reason for poor quality images is that the light level is too
low. Generally, the more light, the better the images. With lighting levels too low, images become
noisy and blurry with dull colors.
• Avoid backlight. Try to avoid bright areas in the images. Bright images might become over-
exposed (bright white) and objects might appear too dark. This problem typically occurs when
trying to capture an object in front of a window.
• Reduce the contrast. A camera adjusts the exposure to obtain a good average light level in the
image. A person in front of a white wall tends to appear too dark. If a gray wall is used instead,
this problem does not exist.
• Sensor size. The lens must make an image large enough for the sensor. The larger the sensor, the
more expensive the lens. A lens made for a 1/2-inch sensor will work for 1/2-inch, 1/3-inch, and
1/4-inch sensors, but not for a 2/3-inch sensor. If a lens made for a smaller sensor is used on a
bigger sensor, the image will have black corners.
• Lens and field of view. The lens selection and alignment should be established so that a
reasonable width of the alarm sector (8 to 10 yards minimum) can be seen at the near field of
view. The far field of view should be no more than 45 yards wide at the far end of the alarm
sector to allow at least 4.5 pixels to cover a 1-foot square target. This minimum resolution is
needed to classify the intrusion source as being a person versus an animal or debris, and requires
that the camera be mounted several yards outside the zone being assessed.
• Focal length. Wide-angle lenses have a better depth of field than telephoto lenses. This means
that you can focus both close to the camera as well as at a distance. Telephoto lenses require a
more precise focus adjustment.
• Iris. Always use auto-iris lenses for outdoor applications. The iris automatically adjusts the
amount of light reaching the camera and thereby optimizes its performance. The iris also protects
the image sensor from being damaged by strong sunlight. With an auto-iris lens, always set the
focus in low light. If the adjustment is made in sunlight, it is very easy to focus, but then at night
the iris diameter increases and the image is no longer in focus. Special dark focus filters are
available that reduce the light up to ten times.
6.4.4.7 Mounting a Camera Outdoors
When mounting a camera outdoors, remember that lighting changes depending on the time of day
and the weather. Because of this, consider the following for outdoor cameras:
• As discussed previously, always use auto-iris lenses with outdoor cameras.
• Use caution when mounting a camera behind glass. If you mount a camera behind glass, such as
in a housing, make sure that the lens is close to the glass. If the lens is too far away from the glass,
reflections from the camera and the background will appear in the image.
• The mounting height for the camera should be high enough to angle the camera down to avoid
sunglare, yet low enough so that no lamps are visible in the camera field-of-view.
• Avoid direct sunlight. Direct sunlight blinds the camera and may permanently bleach the small
color filters on the sensor chip, causing stripes in the image. If possible, position the camera so
that it is looking in the same direction as the sun.
• When using a camera outdoors, avoid viewing too much sky. Due to the large contrast, the
camera will adjust to achieve a good light level for the sky, and the interesting landscape and
objects might appear too dark. One way to avoid these problems is to mount the camera high
aboveground. Use a pole if needed.
• Always use sturdy mounting equipment to avoid vibrations caused by strong wind. Wood poles
should NOT be used for cameras, and the use of cantilevered-arm mounts or poles is discouraged
because of stability concerns in wind. Metal triangular antenna tower sections are ideal for
stability.
6.4.4.8 Sample System Performance Criteria
• For cameras used to detect an intruder (that is, the capability to determine the presence of an
intruder but not necessarily classify as a human, animal, or object), the area of interest should
occupy a minimum of 10 percent of the field of view, with a maximum field of view of 300 feet in
length or less.
• For cameras used for classification of an intruder (that is, the capability to determine the
classification of an intruder as human), the area of interest should occupy a minimum of 15 to 20
percent of the field of view, with a maximum field of view of 200 feet in length or less.
• For cameras used for identification of an intruder (that is, the capability to determine the identity
of a human intruder), the area of interest should occupy a minimum of 25 percent of the field of
view, with a maximum field of view of 75 feet in length or less.
• Exterior cameras should have minimum resolution of 470 horizontal lines.
• Exterior cameras should be rated for use at 0.05 foot-candles.
• CCTV cameras should be listed in accordance with UL 3044, Surveillance Closed Circuit
Television Equipment.
• The camera should provide adequate onsite digital recording capacity for all cameras at 30 days
of continuous storage at 1 frame per second.
• CCTV equipment should have integral digital video motion detection capabilities. The system
should be programmable to degree of motion, range of motion, speed, number of pixels to cause
motion, and area of motion detected.
• To conserve bandwidth and storage requirements, the CCTV equipment should be capable of
providing a video compression ratio of 20:1 (or better).
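The lens and field-of-view guidance in Section 6.4.4.6 and the recording and compression criteria above can be checked numerically for a candidate camera. The following Python sketch is an added example, not part of the original guidance; it assumes a simple pinhole-lens model and nominal sensor widths, and all function names are hypothetical.

```python
# Added example. The pinhole-lens model and the nominal sensor widths are
# assumptions; the thresholds are the figures quoted in this section.

SENSOR_WIDTH_MM = {"1/3": 4.8, "1/2": 6.4, "2/3": 8.8}  # assumed nominal widths

MIN_NEAR_WIDTH_FT = 8 * 3    # near field of view: 8 to 10 yards minimum
MAX_FAR_WIDTH_FT = 45 * 3    # far field of view: no more than 45 yards wide
MIN_PIXELS_PER_FT = 4.5      # 4.5 pixels across a 1-foot square target
SECONDS_PER_DAY = 86_400


def lens_covers_sensor(lens_format, sensor_format):
    """A lens made for a larger format also covers smaller sensors; the
    reverse leaves black corners in the image."""
    return SENSOR_WIDTH_MM[lens_format] >= SENSOR_WIDTH_MM[sensor_format]


def view_width_ft(sensor_format, focal_length_mm, distance_ft):
    """Scene width at a given distance, by similar triangles."""
    if focal_length_mm <= 0 or distance_ft <= 0:
        raise ValueError("focal length and distance must be positive")
    return distance_ft * SENSOR_WIDTH_MM[sensor_format] / focal_length_mm


def check_alarm_sector(sensor_format, focal_length_mm, h_pixels, near_ft, far_ft):
    """Evaluate one camera against the lens and field-of-view guidance.

    near_ft and far_ft are the distances from the camera to the near and far
    ends of the alarm sector.
    """
    if not 0 < near_ft < far_ft:
        raise ValueError("expected 0 < near_ft < far_ft")
    near_w = view_width_ft(sensor_format, focal_length_mm, near_ft)
    far_w = view_width_ft(sensor_format, focal_length_mm, far_ft)
    px_per_ft = h_pixels / far_w
    findings = []
    if near_w < MIN_NEAR_WIDTH_FT:
        findings.append("near field narrower than 8 yards")
    if far_w > MAX_FAR_WIDTH_FT:
        findings.append("far field wider than 45 yards")
    if px_per_ft < MIN_PIXELS_PER_FT:
        findings.append("fewer than 4.5 pixels per foot at far end")
    return {"near_width_ft": near_w, "far_width_ft": far_w,
            "pixels_per_ft": px_per_ft, "findings": findings}


def recording_bytes(cameras, width=640, height=480, bytes_per_pixel=2,
                    compression_ratio=20, fps=1, days=30):
    """Disk space for continuous recording; defaults are the section's figures
    (640 x 480 at 2 bytes per pixel, 20:1, 1 frame per second, 30 days)."""
    frame = width * height * bytes_per_pixel / compression_ratio
    return cameras * frame * fps * SECONDS_PER_DAY * days


if __name__ == "__main__":
    # Constructed candidates: 1/3-inch, 640-pixel camera, sector from 45 ft to 200 ft.
    for focal in (8.0, 4.0):
        r = check_alarm_sector("1/3", focal, 640, near_ft=45, far_ft=200)
        print(f"{focal} mm lens: far width {r['far_width_ft']:.0f} ft, "
              f"{r['pixels_per_ft']:.2f} px/ft, findings: {r['findings'] or 'none'}")
    print(f"8 cameras, 30 days: {recording_bytes(8) / 1e9:.0f} GB")
```

In the constructed case, the 8 mm lens meets all three field-of-view figures, while the 4 mm lens spreads the same 640 pixels over a far field too wide to classify a person.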
6.5 Summary
A variety of different security systems and components are commercially available. Before
implementing a security system, it is important to understand the characteristics and requirements of
the area and facility to be protected. With this understanding, detailed and specific criteria can be
developed to specify exactly how the security system should be implemented.
Technology and manufacturers of security devices are rapidly changing. Therefore, web resources are
useful for getting the latest information on security products. EPA has published guidance for water
and wastewater utilities on security devices and equipment in the form of its Security Product
Guides. These guides are kept up-to-date on EPA's web site at
http://www.epa.gov/safewater/security under the Primary Topic of "Security Enhancements,
Research, and Technology." At the time of writing, guides are available for security products, cyber
protection products, physical asset monitoring products, and water monitoring products.
SECTION 7
Emergency Response Planning
• Understand the context of the plan
• Specify an incident command system
• Develop the components needed to support the system
• Update the system components on a regular basis
7.1 Overview
A security system can never prevent all events; thus, a utility needs to be prepared to respond to and
recover from malevolent acts and unintentional events (such as natural disasters and accidents).
Emergency response is divided into four types of actions: planning, response, recovery, and
termination.
This section presents information for water utilities to consider when planning for and responding to
incidents in order to minimize disruption of service and to protect employees and the public. The
issues discussed provide the basis for development of an Emergency Response Plan (ERP). General
information and resources on emergency response are provided in this section; references listed in
Section 7.2.4, "Additional Information for Developing ERPs," and the bibliography should be
consulted for emergency response plan specifics.
7.2 Emergency Response Background
To prepare an effective ERP, it is important to understand its background and purpose.
7.2.1 Regulations
As discussed in Section 1.2.2.1, "Regulatory Drivers," the Public Health Security and Bioterrorism
Preparedness and Response Act requires the creation of or an update to an ERP for all community
drinking water systems serving populations greater than 3,300. The focus of this guidance is to help
utilities to incorporate the responses needed in the face of man-made threats as well as those
responses already included for natural disasters and accidents.
Many states have created regulations in parallel with or in response to the Act. Utilities are
encouraged to ask their state regulatory agencies and local public health districts to provide those
prescribed requirements for water emergency plans.
Emergency plans are an important tool in planning and recovery for all utilities. Joint utilities (water
and wastewater) should consider combining the ERP efforts for the required water system emergency
plan with a wastewater and stormwater plan to gain additional value for the time and money
invested on the water plan.
7.2.2 Purpose
The purpose of an ERP is to provide a utility with a standardized response and recovery protocol to
prevent, minimize, and mitigate injury and damage resulting from emergencies or disasters of
human-caused or natural origin. There are two types of data needed to develop an ERP: detailed
information about the risks to critical water system facilities and knowledge of emergency response
protocols, personnel, and resources.
Water utilities performed vulnerability assessments (VAs) before ERPs were developed or revised as
part of complying with the Act. The VA identified and prioritized the types of risks to the utility's
critical assets, as well as listing ways to reduce risk to these assets. This information is used to
develop an ERP that focuses on response to and recovery from these risks.
The ERP is also developed using knowledge obtained through workshops and consultations with
local emergency management personnel and first responders; this communication provides the utility
with specifics about local resources and begins the agency coordination necessary to successfully
respond to an emergency. With this information, the ERP can clearly outline the communication and
coordination that will occur between the utility and local emergency response personnel, including
police, fire, and public health officials. The ERP will also define procedures and identify available
equipment and personnel resources that can assist the utility in response and recovery.
7.2.3 Governmental Support for Emergency Response: NIMS and ICS
On March 1, 2004, the DHS established the National Incident Management System (NIMS) pursuant
to Homeland Security Presidential Directive-5. NIMS consists of five major subsystems that
collectively provide a total systems approach to risk incident management. These five elements are
the Incident Command System (ICS), Training, Qualifications and Certification, Publication
Management, and Supporting Technology.
On September 8, 2004, the DHS sent a letter to state governors that outlines the requirements of NIMS
as our nation's first standardized approach to incident management and emergency response. The
minimum FY 2005 requirements for local jurisdiction support of NIMS are:
1. Completing the Introductory NIMS Awareness Course, available online at
http://training.fema.gov/EMIWeb/IS/is700.asp.
2. Formally recognizing the NIMS and adopting NIMS principles and policies. The NIMS
integration center (NIC) has tools to help with NIMS (www.fema.gov/nims).
3. Establishing a NIMS baseline by determining which NIMS requirements the jurisdiction already
meets. There is a NIMS Capability Assessment Support Tool (NIMCAST) under development
from NIC.
4. Establishing a timeframe and developing a strategy for full NIMS implementation.
5. Institutionalizing the use of the ICS.
ICS is a standardized response management system that is a key component of NIMS. It is an "all
hazard/all risk" approach to managing crisis response operations as well as non-crisis events by
enhancing command, control, and communication capabilities. In the early 1970s, ICS was developed
to manage rapidly moving wildfires and to address the following problems:
• Different emergency response organizational structures
• Unclear or unspecified incident objectives
• Too many people reporting to one supervisor
• Lack of reliable incident information
• Inadequate and incompatible communications
• Lack of structure for coordinated planning among agencies
• Unclear lines of authority
• Terminology differences among agencies
Information and training on ICS can be obtained online at
http://training.fema.gov/emiweb/is/crslist.asp.
7.2.3.1 Benefits of ICS
The adoption of ICS offers these benefits:
• A flexible, but formal, response management system that allows for the cultivation of response
management expertise at all levels of applicable response organizations.
• Increased coordination between utilities, their personnel, and other first responders such as
police, fire, public health, and public works departments
• Application to any response situation ("all hazard/all risk")
• Logical and smooth organizational expansion and contraction
• Autonomy for each agency participating in the response
• Increased support of trained personnel during major incidents
• A "public domain" system that allows unrestricted distribution by commanding officers to
improve capabilities and unify the local response community into a more effective organization
7.2.3.2 ICS Command Structure
The Incident Management Team, as shown in Figure 7-1, consists of the Command Staff (incident
commander, public information officer, liaison officer, and safety officer) as well as the operations,
planning, logistics, and financial sections of the utility. Not all positions may be activated during an
emergency. Based on this structure, the ERP describes the utility personnel who will fill each role (at
least two people for each position on the team) and their roles and responsibilities.
FIGURE 7-1
Incident Management Team Organizational Structure
During an emergency situation, the Incident Management Team members will, at a minimum:
• Identify an Incident Commander to manage the Operations, Planning/Intelligence, Logistics,
Finance/Administration Sections, and related sub-functions of the ICS.
• Set priorities and implement previously developed Incident Action Plans (IAPs).
• Control and mitigate emergency situations.
• Coordinate and support all field-level incident activities within the utility service area.
• Gather, process, and report information to stakeholders within the utility service area and to
other levels of the ICS.
• Coordinate with local governments, organizations with which the utility has mutual aid
agreements, or regional Emergency Operations Centers (EOCs) as appropriate.
• Coordinate the transition of expanded ICS responsibilities to outside agencies when the scope
and parameter of emergency response exceeds jurisdictional capability.
• Request resources from appropriate agencies.
• Organize recovery and cleanup of emergency response activities.
7.2.4 Additional Information for Developing ERPs
It is not the intent of the ERP section of this document to supplement the exhaustive research already
conducted by AWWA and the EPA on emergency planning, but only to emphasize a few areas for
further consideration. Additional information can be found at the following web sites:
http://www.awwa.org/advocacy/learn/security/ and http://www.epa.gov/ebtpages/emergencies.html.
• EPA has developed "Emergency Response Plan Guidance for Small and Medium Systems," and
"Large Water System Emergency Response Plan Outline: Guidance to Assist Community Water
Systems in Complying with the Bioterrorism Act." These documents can be downloaded from
the Water Security Page on the EPA's web site (http://cfpub.epa.gov/safewater/watersecurity).
Select "Emergency/Incident Planning" under Primary Topics.
• VSAT™, described in Section 1.4.4.2, has an ERP module that can be used to guide a water utility
through ERP development.
7.3 Key Components of an ERP
The basic components of an ERP address the four types of actions involved in emergency response:
planning, response, recovery, and termination. The sections below describe the ways in which each
action can be included in an ERP.
7.3.1 Introduction
To familiarize the reader of the ERP with ideas relevant to the development and use of the plan, it is
helpful to include an introduction to the document. The introduction describes how the four actions
are integrated into the ERP, as well as its purpose, goals, underlying regulatory requirements, and
overall document organization.
7.3.2 Planning
Planning is integrated into the ERP in a number of areas, including in the overview of utility facilities,
concept of emergency operations, emergency facilities and equipment, the crisis communications
plan, incident management, document management, training, water contamination and
decontamination.
Planning is also part of the utility's emergency response partnerships, mutual aid agreements, and
emergency response policies, procedures, and documents that summarize the scenarios from the
vulnerability assessment that are addressed in the ERP.
7.3.2.1 Overview of Utility Facilities
An overview of a utility's facilities is needed to confirm that the essential information on which to
base decisions is ready in the event of an emergency. The overview can include a description of the
raw water supplies, treatment and distribution systems, storage capability, and design standards.
Tables can be useful in displaying the volume of information concerning critical facilities, such as
pump station locations. System maps, site plans, flow diagrams, hydraulic profile schematics, and
data tables can either be part of the overview or readily available to aid in the understanding of
system capacities and the interrelationships between system components.
7.3.2.2 Concept of Emergency Operations
The concept of operations lays out the plan for emergency response. This section can include
descriptions of emergency direction and control, the incident management team, and mutual aid
agreements. The emergency direction and control portion discusses the ICS, unified command, and
initial and sustained operations.
The incident management team portion describes the roles for utility personnel (at least two people
should be prepared to assume each position on the team) and their associated responsibilities. The
team normally consists of an incident commander, public information officer, liaison officer, and
safety officer, as well as the operations, planning, logistics, and financial representatives (see
Figure 7-1). Not all positions may be activated during an emergency. In some cases, depending on the
size of the utility or the severity of the event, one individual may fill multiple roles.
Mutual aid agreements describe the additional resources that the utility can expect to receive from or
provide to other organizations in the event of an emergency.
This section also includes other relevant planning materials, such as the utility's policies and
procedures, and plans to mitigate emergency incidents, such as how the utility will respond to
threats. It describes activation of the Emergency Operations Center (described in the following
section), response capabilities, personnel safety provisions, and protective action protocols.
A relevant source of information for utilities as they plan to assess and respond to threats is the EPA's
Emergency Response Protocol Toolbox (http://www.epa.gov/safewater/security). Utilities can refer
to the Toolbox for guidance on handling the various stages of threat assessment, including the
possible stage, credible stage, and confirmed stage, as well as site characterization and use of
laboratories that are capable of detecting a broad range of contaminants.
7.3.2.3 Emergency Facilities and Equipment
The emergency facilities and equipment section discusses the EOC, emergency equipment, and
communication resources. An EOC is a pre-designated facility where the overall response and
support for an emergency will be coordinated. The EOC can be a portable or fixed separate room
equipped and designated for emergencies only or one that can easily be equipped for use during
emergency events. Primary and secondary EOC locations for the utility are designated, as well as city
or county EOC locations. A map showing the relationship between these EOCs, as well as their
addresses and telephone numbers, is a helpful tool during an emergency.
The EOC should have sufficient administrative and office supplies, including the items listed below:
• Communication equipment (telephones, computers, fax, two-way radios, etc.)
• Copies of the ERP, system-related maps and drawings, and operational procedures
• Chalk or white boards, paper, pens, calendars, logbooks, printers, etc.
• Tables and chairs
Consideration should also be given to providing overnight accommodations at or near the EOC
including cots and bedding, a supply of food and water, and bathrooms with showers.
Emergency equipment addresses the recommended equipment, from safety gear to office supplies, to
be stored in the EOC, along with references to available field equipment such as vehicles and portable
generators. The communication resources related to facilities and equipment consist of available
intra-agency and inter-agency communication methods available during an emergency, such as cell
phones, two-way radios, and the GETS service (previously described in Section 2.9.1,
"Communications Equipment").
7.3.2.4 Crisis Communications Plan
During a crisis, clear and timely communication can save lives, property, and credibility. The crisis
communications plan details communication procedures and capabilities within the incident
management team and with stakeholders, crisis communications tools, and key messages for the
public. If there is a need to communicate to the public directly or through the media, this role should
be performed by a person designated by the Incident Commander.
Planning communications with stakeholders, both internal and external to the utility, includes
identifying who should be notified during crisis situations and the procedures for such notifications.
This section often includes primary and alternate emergency contact information (such as current
telephone numbers and the order in which contacts are made) for, at a minimum, the following
groups:
• Utility's Incident Management Team
• Crisis communications team
• Utility personnel and next-of-kin
• Local, state, and federal organizations, including emergency response and regulatory agencies
• Chemical and equipment suppliers or other vendors
• Contractors and consultants
• Mutual-aid partners
• Media
• Sensitive customers
The crisis communications plan discusses the various tools for disseminating information to internal
and external audiences. The key messages section emphasizes the importance of facilitating rapid
communication during an emergency event, providing press release templates and guidance on
interaction with the media and the public. Communication resources (such as those included as part
of "Facilities and Equipment") can also be included in this plan.
Section 2.10, "Interagency Coordination," of this document discusses the importance of coordination
and communication with emergency responders and local emergency management agencies, health
departments, and neighboring utilities, and provides tips on improving coordination. The better
established the coordination and communications protocols are before an emergency, the more
efficient and successful the response will be in a crisis.
7.3.2.5 Incident Management
Incident management planning specifies how utilities will respond to, recover from, and terminate an
emergency, including the way in which operations will proceed and how damage will be assessed
and repaired.
Emergency response checklists can be used to guide the operation of affected facilities during and
after the emergency. The types and content of the checklists can vary depending on location and
nearby agencies. For example, utilities may want to develop response checklists for:
• activation and deactivation of the utility's EOC
• evacuation
• sheltering-in-place
• power failure
• severe weather
• earthquakes
• medical emergencies
• fire/explosion
• chemical release
• destruction/failure of any part of the system
• dam failure
• bomb threat
• unauthorized entry
• workplace violence
• civil disorder/terrorism
• contamination threat to the system
• SCADA attack (both electronic and physical)
Many of the events may occur in conjunction, requiring the use of more than one checklist. For
example, a fire or explosion may also result in a medical emergency and chemical release.
7.3.2.6 Document Management
Document management plans consider records preservation and storage, and the documentation
required for insurance coverage. Records preservation stresses the importance of the incident
commander's responsibility to compile all records associated with an emergency event and to
arrange for record storage in accordance with standard utility procedures. Records storage identifies
the security requirements for the documents, including how the records are handled and by whom,
and the physical security of the storage location.
Among the essential records to be collected and preserved are the handwritten or electronic logs
generated during the emergency. Developed and controlled by the Incident Management Team,
these logs become official documentation of the emergency and can serve as the basis for the post-
incident review.
The insurance coverage section describes how additional funding for emergency response and
recovery from major disasters may be obtained. To file claims with FEMA, other governmental
agencies, the utility's insurance carrier, or private organizations, specific supporting documents must
be created and provided. A description of the documents needed and how they should be processed
can be included here.
Because it is important to track the location of copies of the ERP so that all are updated when changes
to the plan are made, utilities may want to consider developing a tracking log. This log can identify
the copy by number, the individual who has been assigned that copy, as well as that individual's
address and telephone number.
7.3.2.7 Training
The ERP also contains a section that discusses the utility's emergency response training program.
Training and drilling are critical to successful emergency response. The quality of the ERP will not
matter if utility personnel are not trained to use it, or if utility personnel and emergency responders
are not used to working together.
The training section covers both internal and external training methods. Internal training methods
may include employee awareness training, classroom training, tabletop exercises, drills, full-scale
exercises, electronic mail response training, and emergency response coordination with federal and
state emergency response organizations. External support training can include such subjects as
hazardous waste training by HAZWOPER, use of a fire extinguisher, and CPR/first aid. (These
methods are addressed in more detail in Section 2.5.6, "Training.")
Training programs, such as those that follow, can be specifically related to emergency response:
• Orientation sessions. Orientation sessions include basic instruction and explanation of the ERP
and IAP procedures. Written tests may be used to verify a specified level of comprehension by
the attendees.
• Table-top exercises. Table-top exercises are extremely helpful in testing emergency procedures
and enabling communication between personnel who would respond to an emergency.
Participants are presented with a fabricated major event and are asked to discuss their potential
responses. Table-tops involve many players acting out an emergency situation in an indoor
setting within one or more rooms. An exercise director facilitates the exercise and develops a
plausible scenario with a "trusted agent" from the utility. After the exercise is complete, the
exercise director conducts a review of the exercise and lessons learned with the participants.
Information on FEMA's training program is located at
http://www.fema.gov/fima/education.shtm.
• Exercise drills. Larger-scale field drills that involve the utility and other agencies are an
eye-opening exercise for participants. These dress rehearsals for emergencies are an excellent way to
find flaws in communication, equipment, response times, and many other areas that are critical to
recovery during a real emergency. These exercises are the most expensive of the possible training
methods, but are very worthwhile if a community can afford to coordinate them.
7.3.2.8 Water Contamination and Decontamination
Utilities can develop response plans for water contamination and decontamination with information
provided in the EPA Emergency Response Protocol Toolbox modules. Plans can discuss incidents
that include threat warnings, the threat evaluation process, site characterization, and laboratories.
The threat warning section can describe the various types of threat warnings and reference threat
documentation forms that may be included in an ERP appendix.
As discussed in Module 2 of the Emergency Response Protocol Toolbox, the threat evaluation
process includes three stages: possible, credible, and confirmed. The possible stage section defines
how to determine whether the threat should be investigated or dismissed as impossible. The credible
stage section defines whether there is enough information and evidence to indicate a contamination
event may have occurred and the actions that should be taken. The confirmed stage is based on
definitive information demonstrating that the water has been contaminated, preferably obtained
through a laboratory analysis that proves the presence of contaminants.
The laboratories section discusses the contact and protocols that utilities should have when working
with laboratories that are capable of detecting a broad range of contaminants. It also discusses the
various guidelines that the laboratories should follow.
Knowledge of decontamination is evolving quickly, as are other topics in the security arena. The EPA
Water Security web site (http://cfpub.epa.gov/safewater/watersecurity/) has documents to assist
utilities in understanding contamination and decontamination, and how to plan for these types
of actions.
7.3.2.9 Appendices of Related Information
The appendices to the ERP can include various documents relevant to emergency response of the
utility, such as those listed below:
• EPA-suggested measures for responding to emergencies at water utilities (e.g., Table 1-4,
"Summary of EPA Water Utility Response, Recovery and Remediation Guidance for Man-made
and/or Technological Emergencies")
• Maps and other relevant system information
• Copies of mutual aid agreements
• Contamination and/or bomb threat documentation forms
• Contamination threat evaluation worksheets
• Generic site characterization plans
• Site characterization report forms
• Equipment lists
• Example public notices and press releases
• Damage assessment reporting forms
7.3.3 Response
Response to an emergency event includes containment and control of a situation; mitigation of the
emergency situation; damage assessment, in which the utility determines the extent of damage, and
estimates repair or replacement costs; prioritizing actions, in which the utility identifies the resources
necessary to return the damaged system to full operation; and implementing actions, in which the
utility works to stabilize the system and return to normal. The response actions are based on the
information provided in the ERP.
Numerous agencies have published information providing assistance for utilities in formulating
ERPs. Some of the more widely known are included here.
• FEMA has developed extensive information relating to emergency prevention and response. A
number of these documents are listed in the references section of this document. Additional
information and documents can be found on the FEMA web site at http://www.fema.gov.
Locate the FEMA Library for information on "Preparation & Prevention," "Disaster and
Emergencies," and "Response and Recovery."
• The EPA's Response Protocol Toolbox: Planning for and Responding to Contamination Threats to
Drinking Water Systems contains six modules designed to help the water sector effectively and
appropriately respond to intentional contamination threats and incidents. The Toolbox files can
be downloaded in PDF or Microsoft® Word format at http://www.epa.gov/safewater/watersecurity.
Locate the information by selecting the primary topic of "Emergency/Incident
Planning," then selecting the toolbox from the list of "Emergency Response Tools and Guidance
Documents."
• Also available from the EPA is a "Laboratory Compendium" database of laboratories with water
testing capabilities. This database was populated through voluntary information from
laboratories nationwide. It can be used to determine where to send contaminated water samples
for testing. With permission from EPA, a utility can access the compendium at
http://www.epa.gov/safewater/watersecurity. Locate the information by selecting the primary
topic of "Emergency/Incident Planning," then selecting the compendium from the list of
"Emergency Response Tools and Guidance Documents."
• The American Society of Industrial Security (ASIS) published an "International Disaster
Preparation Guide" in 2003. This easy-to-read overview of emergency response that is useful for
utility employees is available on-line at http://www.asisonline.org. Select the guide title from
the Crisis Response list.
7.3.3 Recovery
Planning helps a utility to continue to meet its mission during and following an emergency. The
recovery plan emphasizes the importance of appointing a recovery manager who then selects a
recovery team to develop a strategy prior to emergency termination. The types of activities that could
be conducted during recovery include determining repair costs and contracts, conducting an
environmental consequence assessment, considering long-term operational changes, undertaking
facility and/or environmental restoration, and disseminating information. This section identifies
plans that can help to ensure continuity during recovery from an emergency event.
7.3.3.1 Water System Operations Centers
It is recommended that the essential operations centers establish alternate location(s) for the
continuation or resumption of normal business operations. This includes establishing alternate
locations for computer, communications, and SCADA systems, as well as equipment storage and
supplies. Alternate work locations should include the necessary telephones, computers, and other
office-related machines and supplies.
Alternate business operations should be tested and exercised as part of the training program.
7.3.3.2 Electronic Records
The storage and retrieval of records is an integral part of a good recovery plan. Relying on onsite
backup storage of computer files is problematic, and the loss of those files can be devastating.
Options include the establishment of real-time backup and offsite storage of computer information.
In the absence of real-time backup, daily
backup and offsite storage of records can be considered a basic recommendation. Backup operating
systems and software are recommended if needed for the alternate operations locations to be used
properly.
7.3.3.3 Communications, Control, and Coordination
Managers and supervisors require continuous information to react as best suits the emergency
situation, especially in the case of the relocation of the operations centers. Communication with other
water operations staff may be necessary through the use of alternate radios and cell-phones.
Support from outside agencies can be planned and anticipated during alternate and recovery
operations. Sharing of communications and control equipment and services can be arranged ahead of
time, and such activity tested during exercises.
7.3.3.4 Lessons Learned
Immediately following a table-top exercise, field exercise, or actual emergency response, the ICS
leaders should convene a Lessons Learned review. The lead representatives in the ICS organization
can review the response actions with their personnel immediately following the exercise or event.
These key staff members can then meet to discuss updates and upgrades to the ERP and follow-on
actions. From this review, changes to procedures, actions, and supporting information can be
streamlined. Changes to existing ERP documents should be coordinated, then tested at the next
scheduled exercise.
7.3.4 Termination
There are impacts and costs incurred during emergency operations. Consequently, steps can be
planned and established that will facilitate a resumption of normal operations and the formal
cessation of emergency operations.
• Make a determination as to the time, materials, and equipment necessary to return original
structures to operating condition.
• Complete the documentation of internal and external labor costs, supply costs, equipment costs,
infrastructure costs from power and telephone, and the opportunity costs resulting from the loss
of routine activities during the emergency.
• Maintain and safeguard such summary records to support subsequent reimbursement claims, to
critique the emergency response, and to make them available for future study to determine
whether response modifications should be made.
• Identify the equipment needed or to be replaced due to loss or improvements learned as a result
of the emergency.
7.4 Revisions to ERPs
An ERP is never a final document. ERPs should be revisited and revised often. A utility staff member
can be assigned responsibility and given utility-wide authority for keeping the ERP up-to-date,
including maintaining contact lists and equipment information. A review of the ERP should take
place annually at a minimum, and should be based on the operational and procedural
recommendations of the most recent vulnerability assessment, results of training exercises, and
lessons learned from actual emergency responses. The vulnerability assessment identifies and
prioritizes risks to the utility, and the ERP should contain procedures for responding to and
recovering from these risks. The ERP should also be updated to include procedures involving new
security equipment and technology used at the utility.
7.5 Sample ERP Outline
The following outline is an example of an ERP for a medium-sized utility. The contents of the outline
have been based on EPA guidance documents. Many types of response plan formats are available, as
discussed in Section 7.2.4, "Additional Information for Developing ERPs."
I. Plan Development Introduction
II. Overview of Facilities
III. Concept of Operations
    Emergency Direction and Control
    Incident Management Team
    Mutual Aid Agreements
IV. Emergency Facilities and Equipment
    EOC Location (Primary and Alternate)
    Emergency Equipment and Supplies
    Physical Communication Resources
V. Crisis Communications Plan
    Communicating within Your Team
    Communications with Stakeholders
    Crisis Communications Tools
    Key Messages
VI. Incident Management
    Emergency Response
    Damage Assessment
    Recovery Organization
    Recovery Plan
    Termination and Review
VII. Document Management
    Records Preservation
    Insurance Coverage
VIII. Training
    Internal
    External
IX. Water Contamination and Decontamination
    Threat Warnings
    Threat Evaluation
    Site Characterization
    Laboratories
Appendices
    Summary of Mutual Aid Agreements
    Emergency Contact Lists
    Emergency Response Checklists
SECTION 8
Pulling It All Together Through
Fully Integrated Security Planning and Design
[Figure: panels labeled Introduction; Management: Optimizing Physical Security; Operations: Enhancing Physical Security; Emergency Response; Integrated Security Planning and Design]
• Develop a balanced approach tailored to the utility
• Identify benefits in addition to increased security
8.1 Overview
Water utilities throughout the United States have enough differences that the idea of developing a
single physical security solution for protecting their systems is neither realistic nor practical. The
purpose of this AWWA Security Guidance is to provide utilities with a toolkit full of ideas ranging
from design approaches and operational strategies to management practices. The best approaches
that utilities have developed for their water systems have been those that combine best practices
from each of the three areas into an integrated approach.
8.2 Utility Case Studies
Table 8-1 and Table 8-2 provide examples of how utilities have applied this balanced approach to
protecting different facilities in their water systems. The names of the utilities and water systems
have not been identified to protect their confidentiality.
TABLE 8-1
Example 1 - Treated Water Storage Tank

Utility A
Design Basis Threat: Vandals
Design Approach:
• Boundary - Chain-link fence and hardened locks on gate
• Hatches - Welded steel bar
• Vents - Double-screened vents
Operational Approach:
• Daily site visits
Management Approach:
• Key control policy

Utility B
Design Basis Threat: Saboteur/Terrorist
Design Approach:
• Boundary - Chain-link fence and hardened locks on gate
• Hatches - Hardened steel lock and intrusion alarm
• Vents - Double-screened vents
• Outlet pipeline - Automatic shutoff valve
Operational Approach:
• Daily site visits
• Standard operating procedure (SOP) - Automatic isolation of reservoir with hatch intrusion alarms
• SOP - Reverse pressure zone pumps to hydraulically isolate storage tank with hatch intrusion alarm
• ERP - Response protocol to place system on pressure operation when storage tank isolated
Management Approach:
• Key control policy
• Local neighborhood watch program

TABLE 8-2
Example 2 - Raw Water Storage Reservoir

Utility A (1)
Design Basis Threat: Vandals; Accidental/Intentional Dumping
Design Approach:
• Containment structure around intake structure
• Vehicle containment fence around reservoir
• Monitoring system at stream inflow point
Operational Approach:
• Response protocol to respond to spills in reservoir
• Daily site inspections
Management Approach:
• Community watch program with Park Ranger
• Work with upstream gas wells to add containment onsite

Utility B (2)
Design Basis Threat: Vandals; Accidental/Intentional Dumping
Design Approach:
• Monitoring system at the Water Treatment Plant influent line
Operational Approach:
• SOP to switch raw water sources during water quality events
• Daily site inspections
Management Approach:
• Community watch program with Lake Ranger

(1) Utility A owned and operated the reservoir.
(2) Utility B did not control operations of reservoir and leased storage capacity.

8.3 What is the Optimal Solution?
There is no right or wrong approach for water utilities to implement physical security for their water
systems. The solution needs to be consistent with a number of factors, such as those identified below,
and is often independent of the size of the utility:
• Financial ability to pay for security improvements
• Design basis threat
• Community restrictions
• Political pressures
• Water system redundancy
• Sophistication of utility staff
Utility managers need to understand the internal and external factors prior to developing a plan for
their water systems. Often, a utility manager will be asked to compare his utility's approach with the
approaches of other utilities, or will be directed by the utility's governing body to protect his system
from an attack by international terrorists. This is when the utility manager needs to work with the
utility's legal counsel to identify the most appropriate method to communicate to the governing body
in a manner that does not jeopardize the overall water system approach to security.
8.4 Multiple Benefits in Security Enhancements
Utilities are faced with numerous funding requirements ranging from compliance with regulations to
annual maintenance of their system. Competition for funding can be difficult when the requirement,
such as security system compliance, may be perceived as just another unnecessary and poorly
thought out federal requirement. An effective approach that utilities have used to tackle this dilemma
has been to identify multiple benefits associated with the planned security improvements. Table 8-3
below provides some examples of security improvements that utilities have incorporated that have
also improved other parts of their business.
TABLE 8-3
Multiple Benefits from Security Improvements

Security Improvement: Two operators per shift at WTP
Security Benefit: Improved monitoring capabilities of security equipment
Operational/Management Benefit: Improved safety of operators for off-hour operations

Security Improvement: New treated water storage reservoir
Security Benefit: Added ability to bypass reservoir during breach of tank
Operational/Management Benefit: Improved delivery service for service area with additional storage capacity

Security Improvement: New parallel pipeline
Security Benefit: Added ability to maintain service if pipeline is disrupted
Operational/Management Benefit: Added operational flexibility to deliver water into system

Security Improvement: Integrated water quality monitoring system
Security Benefit: Added ability to detect, respond, and mitigate water quality contamination events
Operational/Management Benefit: Improved operational knowledge of water quality in system, and improved ability to identify and correct an operational problem before system is in violation

Security Improvement: Expanded backflow protection program
Security Benefit: Protected against intentional contamination acts against water system
Operational/Management Benefit: Protected water system during operational problems associated with sudden pressure loss in the water system

Security Improvement: Security awareness training
Security Benefit: Promoted cultural acceptance of security into utility
Operational/Management Benefit: Improved employee awareness of water system operation and safety

Security Improvement: Purchase spare parts for critical components
Security Benefit: Improved response to restoring service during malevolent event
Operational/Management Benefit: Improved operational ability to restore service associated with a maintenance failure

Security Improvement: Back-up power
Security Benefit: Protected critical facilities from intentional acts against power feed
Operational/Management Benefit: Provided operational flexibility during power outages associated with natural events

Security Improvement: Employee background checks
Security Benefit: Protected against malevolent acts against system by insider
Operational/Management Benefit: Reduced financial losses from insider theft
8.5 Doing What is Best for Your Utility
Utility managers have many tools available to put together the best solution for their water systems
to enhance overall physical security. Utilities do not need to buy "luxury" when "economy" will
accomplish the same task.
Example One. Utility A had a number of high-quality steel doors with glass windows in its water
treatment facility. The initial thought was to replace them with steel doors with safety glass at a cost
of $1,000 to $1,500 each. The utility also had a simpler solution: install a Lexan® PC resin plate on
the inside of the window to provide the security required and still maintain the visual capabilities.
The cost of the solution was less than $50 per door. The utility asked the question: does practical have
to be pretty? In the end, the utility went with the practical solution, saving thousands of dollars.
Example Two. Utility B had a number of wellheads in a local golf course that had open, unhindered
access. The community would only allow decorative special fencing to be used around the golf
course. The cost of the fencing was significant, so the utility came up with a more cost-effective
solution. A small concrete pad was constructed around the wellhead and a heavy metal grating
slipped over the wellhead to prevent tampering. The metal grates were constructed in the utility
maintenance shop and installed for less than $100 per wellhead.
Example Three. Utility C was concerned about undetected hatch entry into its distribution system
storage tanks, but it did not have the funds to add detection devices or automatic shut-off devices to
each tank. The utility identified the tanks that had no history of water quality problems and only
required cleaning every 3 to 5 years. The utility welded shut the hatches to these tanks, which was
sufficient for the DBT of kids and vandals. The cost of this solution was less than $100 per tank.
Example Four. Utility D was concerned with its inability to track meters that were provided to
contractors for construction water. The solution was to have utility staff install, mark, and
lock in place backflow-protected construction meters. Contractors were charged a fee to
cover these costs. Construction meters found in use that did not have proper utility markings and
locks were confiscated.
Example Five. Utility E had many doors on each of its buildings that required detection and entry
devices that would have been a very significant cost to the utility. The solution was to provide one
access entry point into each of the buildings. The other doors were made egress-only by removing
exterior hardware and, when necessary, installing concealed door hinges. Operations and
maintenance staff had to adjust to not having numerous entry points into each of the buildings, but
the capital and annual operating cost savings were significant.
When developing your approach to security, think simple and practical. Before inviting a security
equipment vendor to discuss equipment, first identify what you really need to protect your system.
Providing the appropriate level of physical security for your water system does not need to break
the bank.
8.6 Pulling It All Together
Sections 1 through 7 have identified a number of areas for utilities to consider regarding developing
and implementing the optimal security solution for their systems. Every utility has its own unique
qualities that require a customized solution that fits its level of threat, organizational culture, and
financial situation. Key considerations that utilities should include in security planning are:
• Integration of management, operations, and design strategies into the security approach
• Simple solutions
• Solutions that provide multiple benefits
• A cross-functional utility team to develop the solutions
Developing a security solution for a utility does not need to create a significant financial burden,
impede existing operations, or require a complete redesign of the system in most cases. Utility staff
members understand their system better than consultants, regulatory agencies, and equipment
vendors. Using internal resources to develop the initial security master plan, which can be
supplemented by external resources, will be by far the most cost-effective approach.
Glossary
Americans with Disabilities Act: Signed into law in 1990, U.S. Public Law 101-226 prohibits
discrimination based on disability, that is, the inability to perform daily tasks using traditional
methods.
Chicane: A sequence of tight curves on a roadway used to slow cars.
Clearzone: An area surrounding the perimeter of a facility that is free of shrubs and trees, and
features well-maintained landscaping that does not provide hiding places for an adversary.
Conduit: A channel carrying something to or from a place.
Countermeasures: A reaction to or as defense against a hostile action to deal with a threatening
situation.
Criminal: An individual acting alone or in a group, using personal resources and some knowledge
of utility assets, intent on economic gain. The possibility exists that a criminal may possess
weapons and may inflict harm.
Daisy chain: Groups of padlocks connected together and hooked to a common chain locking an
entrance way.
Debt service funds: A fund into which the issuer makes periodic deposits to ensure that a
sufficient sum of money is available for payment of the debt. Typically, the amount deposited and
the schedule of deposits ensure a match between the deposits and the due date of the payments.
Debt service reserve funds: A fund in which money is placed in reserve to be used to pay debt
service if there is not enough revenue to pay the debt. If the reserve fund is used in whole or part
to pay debt service, the issuer usually is required to replenish the fund from the first available
revenues.
Design basis threat (DBT): The adversary against which the utility must be protected. Determining
the DBT requires consideration of the threat type, tactics, mode of operations, capabilities, threat
level, and likelihood of occurrence.
EPA Response Protocol Toolbox: Tools designed to help the water sector to effectively and
appropriately respond to intentional contamination threats and incidents.
Foot-candle: A unit of light intensity defined as the amount of light measured on a surface one
foot from a uniform point source of light equal to the light of one candle. A foot-candle is equal
to one lumen per square foot.
Harden: To improve the physical strength of.
Incident Command System (ICS): A standardized response management system that is a key
component of NIMS. It is an "all hazard/all risk" approach to managing crisis and non-crisis
response operations by enhancing command, control, and communication capabilities.
National Incident Management System (NIMS): A system comprising five major subsystems that
collectively provide a total systems approach to risk incident management. These subsystems are
the Incident Command System (ICS), Training, Qualifications and Certification, Publication
Management, and Supporting Technology.
NOAEL: The greatest concentration or amount of a substance, found by experiment or observation,
which causes no detectable adverse alteration of morphology, functional capacity, growth,
development, or life span of the target organism under defined conditions of exposure (Pikus 2004).
Public Health Security and Bioterrorism Preparedness and Response Act: Signed into law in 2002,
U.S. Public Law 107-188 requires vulnerability assessments be performed and Emergency Response
Plans be created or updated for community drinking water systems that serve more than 3,300
people.
Revolving Fund Loans: The federal Safe Drinking Water Act (SDWA) of 1996 allowed states to
establish a Drinking Water State Revolving Fund (DWSRF) program to assist public water systems
with financing infrastructure upgrades needed to achieve and maintain compliance with the SDWA
requirements and to protect public health. Funded by Congress, the DWSRF provides low interest
loans to public water systems.
uvi
-------
Saboteur: An individual acting alone or in a group, with the intent of disrupting the utility's ability to operate and respond, and, possibly, injuring employees.

Set-points: Pre-determined high and low response levels for a sensor that trigger an alarm signal.

Sunshine laws: Laws that make government procedures available for inspection by the public.

Terrorist: An individual acting alone or in a group, with the intent of undermining stability and instilling terror through destruction of economically important or symbolic assets and, potentially, by killing. Terrorists spend considerable time and resources to select and learn about their targets, and plan their attacks.

Triggers: Pre-determined action levels that initiate a response.

Vandal: An individual acting alone or in a group, using spray paint to write graffiti or hand tools to inflict minor damage to utility assets.

Vehicle sally port: Interlocking gates within a fenced area where incoming drivers pass through the first gate and stop at the second gate. Once both gates are closed and the vehicle is captured within the sally port, a security guard may confirm the identity of the driver and, if necessary, search the vehicle to confirm the contents. Once the vehicle and driver are approved, the second gate opens and the vehicle may drive onto the facility.

Zone of influence: Area of a distribution system that is impacted by a chemical contamination event.
-------
Reference
Abraham, Dulcy. 2003. "Sewer Asset Management Decisions, Rehabilitatil
and Security." Proceedings of the American Society of Civil Engineers (AS
International Conference on Pipeline Engineering and Construction "New
Pipeline Technologies, Security, and Safety," Najafi, Mohammad (ed.), Jul
13-16, Baltimore, Maryland. Reston, VA/ASCE, 0-7844-0690-1, 1817 pp.,
2 vol.
Allgeier, Steve. 2004. "Responding to Contamination Threats." Water
Resources Update, Universities Council on Water Research, in publication
American College of Preventative Medicine. 2004. "Recognizing Waterbon
Disease and the Health Effects of Water Contamination" (web site).
American Institute of Architects (AIA). 2001. Building Security Through
Design. Washington, DC.
American Society of Civil Engineers (ASCE). 1999. Structural Design for
Physical Security. Prepared by Task Committee, Structural Engineering
Institute, ASCE, Paul F. Mlakar (chmn). ASCE, 0-7844-0457-7.
American Water Works Association (AWWA). 1980. Water Utility
Management. Manual of Water Supply Practices— M5, Denver, CO.
American Water Works Association (AWWA). 1989. Distribution Network
Analysis for Water Utilities. Manual of Water Supply Practices— M32, First
Edition. Denver, CO.
American Water Works Association (AWWA). 1998. Steel Water-Storage
Tanks. Manual of Water Supply Practices— M42, First Edition. Denver, CO.
American Water Works Association (AWWA). 2001. Emergency Planning f
Water Utilities. Manual of Water Supply Practices— M19, Fourth Edition.
Denver, CO.
American Water Works Association (AWWA). 2001. Instrumentation and
Control— M2, Third Edition, Denver, CO.
-------
Annotation
about water main
II minimize disrupt
it informatior
ptions that wi
merican Water Wor
lains— M28, Secom
lanning for Water I
IB assessment of h
Emergency P
uidance on th
plementto
lent provid
merican Water Wor
esponse for Water 1
merican Water Wor
lanning— M50, Firs
agers, supervisors
•egulations, as well
was desigr
practices a
merican Water Wor
tilities— M3, Sixth 1
idices for a cross-
duresand pn
merican Water Wor
ir Backflow Prevent
enver, CO.
utilities in the deve
ost cost effective ir
assist water
ioritize the m
merican Water Wor
merican Water Wor
trategy Manual. Pre
merican Water Wor
esign of Early Warn
repared by Walter l\
jrrences and types
ilities.
merican Water Wor
ctual and Threatens
Gere Engineers, In
merican Water Wor
ecurity Practices Pr
orporation.
ter and wastewatei
] improve service t
ed to help wa
duce cost am
-------
entification of legal issues that r
revention, and response to crisis
This document assists wastewater agenc
after a crisis. It is intended to help in the
n Sewerage Age
Washington, DC
n of Metrop
Crisis Check
ed by the National Conference o
of state FOIA statutes and infori
nber of states where the statute
ystem security information prot
This article contains the results of the sti
Legislatures. The study included an exter
from state drinking water agency staff in
unclear to obtain clarification of the statu
iria for site security using enviro
duce crime risk.
This article contains the assessment and
design, which utilizes the building enviro
This article provides recommendations ir
that allows for natural surveillance and u
who belong on the property, preventing i
and integrating the security technology ii
gning Against T
com/cpted17.ht
i Through Environmental design
lat, through proper design and u
ities for and fear of predatory cr
This article presents the concept of Crimi
(CPTED). This is a design methodology p
built environment, the architect can redui
improve the quality of life.
ronmental Desic
11. http://www.ci
omic Analysis of Terrorism Ever
d the first homeland security cer
1 university experts in relation to
The Homeland Security Center for the Rii
University of Southern California has bee
excellence. The center will partner with s
infrastructure and "cybersecurity."
urity: Governme
Civil Engineerin
mination of Drir
:er Resources U|
iproach can help identify and rec
te inventory and using a decisior
lated risks are identified and add
This article addresses how the asset mar
to public utilities. Through development i
process developed for the United States ,
agner. 2002. "R
ehensive Asset 1
ngs, September
-------
This article addresses the post September 11, 2001 security changes that have been made
protect the water and wastewater infrastructure system for the residents and visitors of
Southern Nevada. There is particular concern over protecting Lake Mead, which is formed
the Hoover Dam, which is the Las Vegas area's largest drinking water source.
3hillip, Eric Leveque, ar
in the Las Vegas Area \
ence Proceedings, Sep
This guide provides information on types of weapons of mass destruction that terrorists
might use including health information, treatment options, and ways to minimize exposure.
This guide is intended to assist California public water systems in creating or updating an
emergency response plan designed to address both man-made and natural threats that wil
meet state and federal guidelines.
nia Department of Heal
nse Plan Guidance. Ver
Not Reviewed
This paper examines the problems with automation and information systems before
September 11, 2001 and the when, where, and how to apply evolving cyber security best
practices to water automation. The paper also addresses the advantages, disadvantages, a
cost impact of applying best management practices to existing systems and designing secure
features for new systems.
HILL. 2002. "Solving t
Providing Operations E
HILL Communications
This article addresses some of the issues and constraints that must be considered when
upgrading a facility and its assets to reduce the risk of malevolent attacks.
This web site page lists the proposed ordinance (HB175) relating to the exemption of secu
related procurements from some portions of the Code of Alabama.
VaterAtlanta. 2004. "03
y 5. www.cleanwateral
sed October 26, 2004)
This article provides an approach to evaluating a utility system to reduce threats. The artici
includes recommended approaches to security assessment, evaluation of current security,
threat assessment, definition of assets, vulnerability assessment, risk assessment,
countermeasures, emergency response planning, and financing.
-------
Reference
Not Reviewed
ter Security
/astes 2003
Crum, Ron. 2003. "Prioritizing Water/Waste
Light of 9-11 Using a Case Study." Industria
Proceedings, April.
Not Reviewed
gtheVulner
ter Resource
ilication.
Danneels, Jeff and Ray Finley. 2004. "Asses:
Drinking Water and Wastewater Systems." \
Universities Council on Water Research, in f
This document is
94. Security
irce AFMAN
Departments of the Army and the Air Force.
Project Development. Army TM 5-853-1 , Air
May.
Department of Homeland Security. 2002. "H
System - Guidance for Federal Departments
www.dhs.gov/dhspublic/interapp/press_rele
March 12 (accessed October 26, 2004).
This article states
attacks. The amoi
however there is
interdependency
Dessoff, Alan. 2001. "Water-related Bioterro
Environment Technology, December.
This article discui
the renovated Pei
blast- resistant te
Government
This document is
response plans. 1
response plan an
c Drinking V\
Environmer
blication #3!
Emergency Response Planning Guide for Pu
2003. Washington State Department of Heal
Programs, Division of Drinking Water. DOH
Not Reviewed
Emergency Management Institute. "Indepen
http://training.fema.gov/EMIweb/IS/crslist.ai
This article addre
some informatior
developed to prol
Emigh, Jacqueline. 2004. "NewTechnologie
wireless systems, email, instant messaging
in the security department." Government Se
ses the crit
frastructur
•ks, and po
This article addre
cyberspace. The i
distribution netwi
Eng, Paul. 2002. "The Clouds of Digital War:
Delivered Via Cyberspace?" ABCNews.com.
http://abcnews.go.com/sections/scitech/Dail
-------
Annotation
A guide designed to provide citizens with information they need to be pre
correctly in the event of a natural disaster, or technological or man-made
information regarding planning for an event, evacuation and shelter durin
recovery from an event.
A step-by-step approach to emergency planning, response, and recovery
sizes. Including a planning process, emergency management consideratil
sources, and other information sources.
This guide is designed to aid state and local emergency planners in devel
maintaining a Terrorist Incident Appendix to an Emergency Operations PI
consequences of terrorist incidents that involve weapons of mass destrui
terrorism hazards
This checklist contains questions that can help to determine the type of e
occur in the area, how to prepare for an emergency, and what supplies w
The purpose of Attachment G is to aid state and local emergency planner:
maintaining a Terrorist Incident Appendix to an Emergency Operations PI
involving terrorist-initiated weapons of mass destruction.
The objective of this document is to provide the insurance, finance, and t
community with information regarding terrorism risk and the tools availa
risk.
This guide was written for the building sciences community of architects
objective of the manual is to reduce structural damage of buildings and t<
of casualties during a conventional bomb attacks or other terrorist attack
This guide provides the tools needed for wastewater utilities to assess thi
systems from a variety of causes. It provides the tools to make sound ris
discussions to ensure the reliability of their system during an emergency
This guidance is intended to help state and local governments refine and
emergency operations plans. It also recommends that states encourage r
among local jurisdictions.
This article covers perimeter security. It describes the use of fiber optic t<
perimeter control, including the different levels of technology available.
-------
Reference
Fox, Jack. 2003. "Pipeline Infrastructure Security." Proceedings of th
American Society of Civil Engineers (ASCE) International Conference
Pipeline Engineering and Construction "New Pipeline Technologies, S
and Safety," Najafi, Mohammad (ed.), July 13-16, Baltimore, Marylan
Reston, VA/ASCE, 0-7844-0690-1, 1817 pp., 2 vol.
Fox, Kim. 2004. "Water Treatment and Equipment Decontamination
Techniques." Water Resources Update, Universities Council on Water
Research, in publication.
Gelting, Rick. 2004. "Public Health Surveillance Systems for Drinking
Water Resources Update, Universities Council on Water Research, in
publication.
General Services Administration. 2001. "Furniture: Technical Descripl
Test Standards." June 1.
http://www.gsa.gov/Portal/gsa/ep/channelView.do?pageTypeld=8207
Page=%2Fep%2Fchannel%2FgsaOverview.jsp&channelld=-14005(a(
December 9, 2004).
General Services Administration. 2003. Facilities Standards for the PL
Buildings Service (P-100). Chapters, "Security Design," March.
Gompers, James. 2004. "Security Improvement Starts With a Plan."
Government Security, April.
Government Emergency Telecommunications Service. 2004.
http://gets.ncs.gov/ (accessed October 26, 2004).
Governmental Accounting Standards Board. "Statement 34 Resource
www.gasb.org (accessed October 26, 2004).
Great Lakes - Upper Mississippi River Board of State and Provincial P
Health and Environmental Managers. 1997. "Recommended Standard
Wastewater Facilities." Health Research Inc., Albany, NY.
-------
Reference
policy statement!
rim standards foi
reparation of plar
Great Lakes - Upper Mississippi River Board of State and Provincial Public
Health and Environmental Managers. 2003. "Recommended Standards for
Waterworks." Health Research Inc., Albany, NY.
Grigg, Neil S. 2003. "Water Infrastructure Security: Performance Metrics."
Proceedings of the American Society of Civil Engineers (ASCE) Internation
Conference on Pipeline Engineering and Construction "New Pipeline
Technologies, Security, and Safety," Najafi, Mohammad (ed.), July 13-16,
Baltimore, Maryland. Reston, VA/ASCE, 0-7844-0690-1, 1817 pp., 2 vol.
guidance to wate
Grigg, Neil S. 2003. "Water Utility Security: Multiple Hazards and Multiple
Barriers," Journal of Infrastructure Systems, Vol. 9, No. 2, June.
e misconception
cost-effectively i
de consultant am
istment.
Hall, Terry. 2004. "Outsourcing Vulnerability Assessments— Tips for the
Smaller Utility District." WaterWorld, April.
w to get the maxi
mmendations rec
Hasan, Jafrul. 2004. "The Promise of Early Warning Systems." Water
Resources Update, Universities Council on Water Research, in publication.
Hellar, Miriam. 2003. "Infrastructure Security, Dependencies, and Asset
Management." Proceedings of the American Society of Civil Engineers (AS
International Conference on Pipeline Engineering and Construction "New
Pipeline Technologies, Security, and Safety," Najafi, Mohammad (ed.), Julj
13-16, Baltimore, Maryland. Reston, VA/ASCE, 0-7844-0690-1, 1817 pp.,
2 vol.
Herrmann, Jon and Janet Pawlukiewicz. 2004. "Water Security Policy and
Research." Water Resources Update, Universities Council on Water Reseai
in publication.
sxampleof thety
an emergency.
Hildebrand, John. 2003. "Preparing For An Environmental Emergency." Se;
Daily Journal of Commerce Online Edition, Environmental Outlook 2003
special section. July 17. http://www.djc.com/news/en/11146998.html
-------
Annotation
ind manage the risks
lis article discusses strategies a utility can use to overcome
sociated with present and future security needs.
ackand Alan Manning. 2004.
id not doing) to prepare for a 1
gy, Vol. 16/No.2, February.
erability assessment
es that being responi
iis document outlines what utilities have gained through vul
periences and the weaknesses that still exist. This article sti
epares utilities for terrorists and even more.
is paper discusses the cyanide poisonings using Tylenol ca
mmarizing the event and the company's response.
amara. "The Tylenol Crisis: He
& Johnson." Pennsylvania Sta
w.personal.psu.edu/users/w/x
19, 2004).
d towards drinking w
a secure web tool th
j cyber threats.
is article is a description of WaterlSAC, which is a tool gear
istewater executives, managers, and security officers. This i
avides early warning of potential physical, contamination, ai
ames R. (ed). 2003. "WaterlS
' Public Works Journal, Janua
s and other compute
om hackers, but also
is article addresses security myths regarding SCADA syster
mponents of a utility. The article focuses mainly on threats
ormation about other security problems.
ism and terrorist atta
a system.
is gives general guidelines for protecting against both vand,
;o includes information on how to assess the vulnerability o
-Brooks, Richard. 2002. "Wat
ewater Security Problems and
online), February.
w.homelandsecurity.org/journ
3 and test a real-time
about a secure Web-
tion, or cyber threats
is article outlines a pilot program funded by the EPA to crea
.ter monitoring system. The article also contains informatioi
rial that offers early warning of potential physical, contamin
is article outlines the tool HAZUS that is used to model haze
Ips agencies evaluate the cost-effectiveness of various plani
tigation projects.
\. Scott, Bouabid Jawhar, and
mces," Water Environment & "
ie State of Alabama, i
lode of Alabama, and
is site provides an online legislative information system for
:ludes information about the current legislative session, the
nstitution.
3 Reference Service of the Sta
Jb.legislature.state.al.us/acas/
llnerability assessmei
opie agencies are rec
is article addresses the regulations from the EPA requiring \
icie addresses what the smaller serving less than 100,000 p
and some general guidelines on how to proceed.
Reference
j, Eric and William Sieglend. 2002. Security Pla
ry. American Public Works Association (APWA]
jonal Publishing.
g, Alan. 2002. "Terrorism: How To Use Technoi
;0&D)." AWWA Joint Management Conference
Jings, March.
.arry W. 2004. Water Supply Systems Security.
Engineering Security Manual, TM 5-853-1/AF3
/ Engineering -- Project Development
Engineering Security Manual, TM 5-853-2/AF3
/ Engineering -- Concept Design
Engineering Security Manual, TM 5-853-3/AF3
/ Engineering -- Final Design
Engineering Security Manual, TM 5-853-4/AF3
/ Engineering -- Electronic Security Systems (rn
1 Small Flows Clearinghouse. 2003. "Preparing
nent Process for Small Wastewater Systems."
, Winter.
Eileen and Alan Hais. 2004. "Wastewater Secur
Universities Council on Water Research, in pul
Ostfeld, Avi and Elad Salomons. 2003. "An Early Warning Detf
(EWDS) for Drinking Water Distribution Systems Security," Pr
World Water and Environmental Resources Congress, June 2i
Philadelphia, Pennsylvania; Sponsored by Environmental and '
Resources Institute (EWRI) of the American Society of Civil Er
ASCE/EWRI, 0-7844-0685-5.
eb site contains
sm incident. It ir
a response to a
Pennsylvania Emergency Management Agency. 2002. First Re
to Terrorism Incidents, http://www.pema.state.pa.us/
Pennsylvania Emergency Management Agency. 2003. Disastei
Planning Guide for Facilities, http://www.pema.state.pa.us/per
view.asp?A=566&Q=254838. September.
a guide to insta
Phillips, Bill. 2002. The Complete Book of Electronic Security.
McGraw-Hill.
;t addresses the
nd local governi
encies resulting
Public Law 107-188, Public Health Security and Bioterrorism I
and Response Act of 2002.
an contains pro
ovides guideline
Ringert, Kathy J. 2002. "An Approach to Terrorism Preparedm
Health and Hospital System." Journal of Homeland Security (c
Reprinted with permission from Baylor University Medical Cer
2001;14:231-235.
http://www.homelandsecurity.org/iournal/articles/rinnerthealtt
Rostami, Jamal and H. Besharatian. 2003. "Application of Inte
Systems for Improved Protection, Security and Reduced Main
Pipelines," Proceedings of the American Society of Civil Engin
International Conference on Pipeline Engineering and Construi
Pipeline Technologies, Security, and Safety," Najafi, Mohamm
13-16, Baltimore, Maryland. Reston, VA/ASCE, 0-7844-0690-'
2vol.
ocument is a "Ti
Sandia Corporation. 2002. Risk Assessment Methodology for
May.
id model that includes
jactive capability of an
This paper presents a dynamic risk fi
model. The model focuses on a deve
i H. 2003. "A Dynam
ritical Infrastructure f
Risk-Based Decision
ra, California. ASCE/E
information secure. It f
d hardware and softwa
jblic works
ormation an
This article addresses how to keep p
recommendations about web site inf
/astewater facilities are
esame risks as water 1
from water agencies w
This article discusses the security pr
reports that wastewater facilities fac<
are many lessons wastewater agenci
the process.
ion D. and Wendelyn
r Environment & Tec
as the Vulnerability Se
ks and the advantages
This article describes a software pac
(VSAT™). This article describes how
Eyes: In assessil
ater Environmen'
s K. 2004. "Watchful
their assets first," W
lary.
and on effective policie
nology that can restrict
Information on various access contr
employee access. Including informal
only areas the employee works in.
:ess Control."
business-crime/a
Police. No date. "Ao
imesvalley.police.uk/
e including informatior
bout chlorin
This web site contains information a
of chlorine.
www.cl2.c
mportant Inform
intrusion-detection uni
rements for
.aboratories Inc. 200
. http://ulstandardsin
)04).
This document presents measures t
from airborne hazards. The docume
security planners.
1. Protecting Bui
Washington, DC
•ps of Engineers. 200
m Airborne Hazards.
ronmental and occupat
n an ISCORS survey an
This document provides recommeni
precautions. The recommendations
nteragency Steer
ssment of Radio.
t of Radioactive I
jnt Works.
;nt of Energy (DOE) I
idards. ISCORS Asse
tions on Managemen
blicly Owned Treatmi
guide is intended 1
te, and governmer
ols, transportation
nmendations with
naintenance, admi
U.S. Department of Health and Human Services, Centers for Disease Coi
and Prevention (CDC), and National Institute of Occupational Safety and
(NIOSH). 2002. Guidance for Protecting Building Environments from Aii
Chemical, Biological, or Radiological Attacks, May.
U.S. Department of State (DoS) Office of Foreign Buildings Operations.
A & E Design Guidelines for U.S. Diplomatic Mission Buildings. Chapter
"Security and Risk Management Design." June.
U.S. Environmental Protection Agency (EPA). Integrated Contingency PI
Guidance.
document explain;
U.S. Environmental Protection Agency. "RCRA, Superfund, and EPCRA 1
Training Module: Introduction to Emergency Planning Requirements."
document is a guii
nmends including
U.S. Environmental Protection Agency (EPA). 2001. "LEPCs and Deliber
Releases: Addressing Terrorist Activities in the Local Emergency Plan."
550-F-01-005. August.
U.S. Environmental Protection Agency (EPA). 2002. "Guidance for Wate
Utility Response, Recovery, & Remediation Actions for Man-Made and/c
Technological Emergencies." Prepared by Michael Baker Jr., Inc. for the
USEPA's Water Protection Task Force. April 15.
http://www.epa.gov/Arkansas/6wq/swp/security/EPAEmergencyResponi
anc.4-15-02.pdf
iPA's Clean Water
ng to assist public
ict public heath am
U.S. Environmental Protection Agency (EPA), Office of Wastewater
Management. 2003. "Use of the Clean Water State Revolving Fund to
Implement Security Measures at Publicly-owned Wastewater Treatment
Works", January. http://www.epa.gov/OW-M.html/cwfinance/cwsrf/
security.pdf
esponse protocol
ling a response to
r modeling.
U.S. Environmental Protection Agency (EPA). 2003. "Response Protoco
Toolbox: Planning for and Responding to Drinking Water Contamination
Threats and Incidents." Interim Final, December.
http://cfpub.epa.gov/safewater/watersecurity/index.cfm
document provides guidance
ired under the Public Heath S
munity drinking water system
:ed in a terrorist attack.
tection Agency. 2003. Large Wate
Guidance to Assist Community V
ilic Health Security and Bioterrori!
July.
document provides guidance
are an Emergency Response 1
jrrorism Response Act. This a
s, procedures, and equipmeni
tection Agency (EPA). 2004a. "En
1 and Medium Community Water
:ewater/watersecurity/index.cfm (
EPA developed the Security P
agers in reducing risks from,
intentional terrorist attacks. T
lable to enhance physical sect
tection Agency (EPA). 2004b. "W
3water/security/guide/index.html.
Reviewed
leed for Improved Distribution Sy
ncil on Water Research, in public
antiterroris
f a terrorist
document outlines the DODs
mize casualties in the event o
. 2003. "DoD Minimum Antiterroi
. October 8.
r public wol
cy managei
overy from
article addresses the need fo
icies in all phases of emergen
ning for, response to, and rec
rst Responders' Need to Speak U|
Reviewed
ssment Tool™ for Water & Waste\
;essed October 22, 2004).
Reviewed
Risk Manager's First Impression
ifornia-Nevada Section, AWWA.
manual presents current desi
ons. The manual is intended t
'mation.
eration (WEF). 1993. Design of V\
tations. WEF Manual of Practice F
f Wastewater and Stormwater Pu
eration. Alexandria, VA.
managemei
written for
y case stud
manual focuses on recovery
t to plan for. This manual was
ral disaster and includes man
ronment
ations foi
cipal Wastewater
Water Environment Federation (WEF). Design of Muni
Treatment Plants, Manual of Practice 8, 4th Edition.
This article
production
wastewater
9. Protecting Worl
'astewater Treatm
igton University.
Water Environment Research Federation (WERF). 199
from Exposure to Physical and Chemical Hazards at V\
Plants. Project 97-HHE-3. Prepared by George Washir
This manua
examines tt
alternatives
Water Environment Research Federation (WERF). 200
Design Practices. WERF Project No. OO-CTS-5.
Water Environment Research Federation (WERF). 200
the Wastewater Sector: A Prioritized Research Agendc
Proceedings, January.
Planning for Muni
Water Pollution Control Federation. 1989. Emergency
Wastewater Facilities. Manual of Practice SM-8.
s; and Richard M.
November 2003.
Whelton, Andrew J.; Janet L. Jensen; Todd E. Richard
Valdivia. 2003. "The Cyanic Threat." Civil Engineering,
id Water for Reus
White, G. Clifford. 1978. Disinfection of Wastewater ai
Nostrand Reinhold Company, New York, NY.
A Sense of Securi
." Water Environs
Whiting, Nancy E. and Russell Rocha. "Safety Corner:
Part 2 Enhance your facility's onsite chemical security
Technology, February 2002.
orner: A Sense of
Resource —
y 2002.
Whiting, Nancy E. and Russell Rocha. 2002. "Safety C
Security, Part 1: Protect Your Facility's Most Precious
Personnel." Water Environment & Technology, Januai
Institute of Architf
This guide i
component
system and
ulnerability Self
jary 4, 2004.
Wisconsin Rural Water Association. 2004. "Security V
Assessment Guide for Drinking Water Systems." Febri
http://www.wrwa.org/System_Security.html
Not Review
vironment Resean
Zieburtz, William B., Jr. 2003. "Economics." Water En
Literature Review, September/October 2003.
Photo/Illustration Credits
Figure 4-3, page 4-13. Illustration courtesy of Master Lock Company, www.masterlock.com
Figures 4-6 and 4-7, page 4-30. Photo and illustration courtesy of Watermark Navigation Systems,
LLC. www.navbuoy.com
Figures 4-9 and 4-10, page 4-36. Photos courtesy of Riverdale Mills Corporation, www.wirewall.com
Figure 4-12, page 4-37. Photo courtesy of SecureUSA, Inc. www.secureusa.net
Figure 4-14, page 4-39. Photo courtesy of All Storage Systems, www.securitycages.com
Figure 4-15, page 4-41. Photo courtesy of Ladder Gate - R B Industries. P.O. Box 4734, Greensboro,
NC 27404
Figures 4-16, 4-17, and 4-20, pages 4-43 and 4-45. Photos courtesy of McGard, Inc. www.mcgard.com
Figures 4-18 and 4-19, page 4-43. Photos courtesy of Hydra-Shield Manufacturing, Inc.
www.hydra-shield.com