Interim Voluntary
Security Guidance for
Wastewater/Stormwater
December 9, 2004
American Society of Civil Engineers
Water Environment Federation


Preface
Acknowledgements
Executive Summary
Water Environment Federation
Important Notice
Acronyms and Abbreviations
Section 1 Introduction
       1.1 Purpose of this Document
       1.2 Overview of Wastewater Security
       1.3 Threats to Wastewater Systems
               1.3.1 Malevolent Threats
               1.3.2 Natural Threats
               1.3.3 Unintentional Threats
       1.4 Vulnerability and Risk
               1.4.1 Definitions
               1.4.2 Vulnerability Assessments
               1.4.3 Vulnerability Assessment Methodologies
               1.4.4 Evaluating and Reducing Risk
       1.5 Drivers for Security Improvements
               1.5.1 Regulatory Drivers
               1.5.2 Legal and Liability Issues
               1.5.3 Organizational Mission
               1.5.4 Multiple Benefits
       1.6 Implementing a Balanced Approach to Security
Section 2 Managing for Reducing Risks
       2.1 Introduction
       2.2 Governing Body
       2.3 Customers and Other External Stakeholders
       2.4 Human Resources
               2.4.1 Organizational Culture
               2.4.2 Background Checks
               2.4.3 Identification Badges
               2.4.4 Employee Surveillance
               2.4.5 Employee Response
               2.4.6 Contractors
       2.5 Training
               2.5.1 Types of Training Sessions
               2.5.2 Location of Training Exercises
               2.5.3 Cross-training
               2.5.4 Staff Motivation
       2.6 Financial Considerations
               2.6.1 Developing CIP Programs that Adequately Support Security Needs
               2.6.2 Developing Funding Programs to Support Operating Fund Needs
               2.6.3 Developing a Funding Program that Governing Bodies and Customers Can Support
               2.6.4 Funding Sources
       2.7 Records Management
       2.8 Policies and Procedures
       2.9 Procurement
               2.9.1 Emergency Procurement
               2.9.2 Procurement of Security-related Equipment and Services
       2.10 Communications
               2.10.1 Internal Communication Practices
               2.10.2 External Communication Practices
               2.10.3 Public Outreach
               2.10.3 Communications Equipment
       2.11 Interagency Coordination
               2.11.1 Coordination with Other Wastewater Utilities
               2.11.2 Coordination with Other Agencies
               2.11.3 Mutual Aid Agreements
Section 3 Operational Considerations for Reducing Risks
       3.1 Heightened Awareness
               3.1.1 Employees
               3.1.2 Public
       3.2 Operational Practices
               3.2.1 General Operational Practices
               3.2.2 Operational Practices to Address the Design Basis Threat or Threat Condition
       3.3 Specific Operational Protocols
               3.3.1 Key and Lock Control Protocol
               3.3.2 Alarm Response Protocol
               3.3.3 Delivery Protocol
       3.4 Specific Operational Considerations for Wastewater Treatment Facilities
               3.4.1 Treatment Facility-wide
               3.4.2 Influent Pump Station, Preliminary and Primary Treatment
               3.4.3 Secondary Treatment
               3.4.4 Effluent Filtration
               3.4.5 Disinfection
               3.4.6 Effluent Disposal and Reclaimed Water Production
               3.4.7 Solids Handling
               3.4.8 Process Chemicals and Systems
               3.4.9 Laboratories
       3.5 Maintenance Shops, Warehouses, and Storage Areas
       3.6 Administrative Offices
       3.7 Vehicles, Heavy Equipment, and Fuel
       3.8 Additional Operational Considerations for Remote Facilities
       3.9 Special Operational Considerations for Collection Systems
               3.9.1 Preventing Access to the Collection System
               3.9.2 Monitoring Wastewater
               3.9.3 Satellite Collection Systems
               3.9.4 Overflow Outfalls
               3.9.5 Culverts
               3.9.6 Deep Tunnels
Section 4 Design Considerations for Reducing Risk
       4.1 General
               4.1.1 Design Basis
               4.1.2 Utility Size and Resources
       4.2 Physical Protection System Concepts
               4.2.1 Required Elements of a Physical Protection System
               4.2.2 Protection in Depth
       4.3 Physical Protection Systems Design
               4.3.1 CPTED Strategies
               4.3.2 Target Hardening to Address the Design Basis Threat
               4.3.3 Additional Design Considerations for Wastewater Treatment Facilities
               4.3.4 Laboratories
               4.3.5 Maintenance Shops, Warehouses, and Storage Areas
               4.3.6 Administrative Offices
       4.4 Additional Design Considerations for Remote Facilities
               4.4.1 Pump Stations
               4.4.2 CSO Facilities
               4.4.4 Stormwater Retention Ponds
       4.5 Special Design Considerations for Collection Systems
               4.5.1 Alternative Approaches for Designing Collection Systems
               4.5.2 Preventing Access into Collection Systems
               4.5.3 Force Mains
               4.5.4 Culverts
               4.5.5 Deep Tunnels
Section 5 Cyber Security
       5.1 Problem Description: Cyber Intruder Attack Methods and Consequences
       5.2 Cyber Security Policies and Procedures
       5.3 Cyber Security Vulnerability Assessment
               5.3.1 Business Network
               5.3.2 Control Network
       5.4 Operational Solution: Intrusion Defense
               5.4.1 Internet Intrusion
               5.4.2 Telephone System Intrusion
               5.4.3 Wireless Intrusion
               5.4.4 Insider Intrusion
               5.4.5 Physical Security of SCADA Components
       5.5 Operational Best Practices
       5.6 Cyber Security Training
Section 6 Electric and Electronic Security Devices
       6.1 Introduction
       6.2 System Considerations
               6.2.1 Threat
               6.2.2 Known Vulnerabilities and Key Assets
               6.2.3 Areas of Coverage
               6.2.4 Levels of Resolution
               6.2.5 System Size and Device Quantity
               6.2.6 Electrical Power, Wiring, and Transmission Methods
               6.2.7 Viewing, Assessment, and Alarm Response
       6.3 Security Equipment
               6.3.1 Interior Intrusion Detection
               6.3.2 Exterior Intrusion Detection
               6.3.3 Access Control
               6.3.4 CCTV Camera Systems
               6.3.5 Visibility and Lighting Recommendations
               6.3.6 Power and Wiring
       6.4 Summary
Section 7 Emergency Response
       7.1 Emergency Response Plans (ERPs)
               7.1.1 Requirements for an ERP
               7.1.2 Key Components of an ERP
       7.2 Incident Command System
       7.3 Emergency Operations Center
       7.4 Crisis Communications
       7.5 Revisions to ERPs
       7.6 Emergency Response Plan Training and Exercises
       7.7 Emergency Response Resources
Section 8 Other Information Sources
       8.1 Corresponding Reports
       8.2 Federal Agencies
               8.2.1 Centers for Disease Control and Prevention
               8.2.2 Critical Infrastructure Assurance Office
               8.2.3 Department of Homeland Security
               8.2.4 U.S. Environmental Protection Agency
               8.2.5 Federal Bureau of Investigation
               8.2.6 Sandia National Laboratories
               8.2.7 United States Army Soldier and Biological Chemical Command
       8.3 State and Local Agencies
       8.4 Information Centers
               8.4.1 WaterISAC
               8.4.2 Water Security Channel
       8.5 Industry Associations
               8.5.1 American Chemistry Council
               8.5.2 Association of Metropolitan Sewerage Agencies
               8.5.3 Association of Metropolitan Water Agencies
               8.5.4 American Society of Civil Engineers
               8.5.5 American Water Resources Association
               8.5.6 American Water Works Association
               8.5.7 American Water Works Association Research Foundation
               8.5.8 National Rural Water Association
               8.5.9 National Small Flows Clearinghouse
               8.5.10 Water Environment Federation
               8.5.11 Water Environment Research Foundation
Glossary
Bibliography

1-1    Results of a Sewer Line Explosion in Louisville, Kentucky
1-2    Examples of Wastewater Security Issues
1-3    Examples of Malevolent Threats
1-4    Examples of Perpetrators
1-5    Homeland Security Advisory System for Businesses
1-6    Examples of Actions to be Taken Under Threat Conditions
1-7    Threat Categories by Characteristic
1-8    Examples of Natural Threats
1-9    Seismic Hazards in the Conterminous U.S.
1-10   Number of Wildfires in the U.S. by Year and Total Number of Acres Consumed by the Fires
1-11   Screenshot of VSAT™
1-12   RAM- WS™ Process
1-13   Typical Cost-to-Risk-Reduction Curve
2-1    Types of Security and Emergency Response Training Relevant for Utility Personnel
3-1    Homeland Security Advisory System
3-2    Recommendations for Progressive Operational Considerations
3-3    Example of Barriers Placed to Force a Serpentine Pattern
3-4    Example of a Collection System Monitoring Device
4-1    Concept of Delay Calculation
4-2    Example Layered Security Recommendations for a Facility
4-3    Recommendations for Design Progression
4-4    Example Standoff Distance and Clear Zone
4-5    Entry Control Point with Protected Guardhouse
4-6    Examples of Active Barriers
4-7    Perimeter Fence with Aircraft Cable Anchored to Concrete
5-1    Correlation between Physical and Cyber Intruders
6-1    Typical Card Reader System
6-2    Typical CCTV System
7-1    Incident Management Team Organizational Structure
7-2    Table-top Exercise Participants and Setup

Homeland security can no longer be taken for granted. Vulnerabilities that previously were not even
considered must now be identified and addressed. Therefore, design and operational practices and
procedures for wastewater facilities must be updated. Traditionally, wastewater systems were
designed to meet the requirements of emergency events such as floods, tornadoes, and fires. With the
new millennium, it has become apparent that malevolent acts are unpredictable and can affect any
type of facility with possibly greater impacts than would be expected for most natural events.
Updates to wastewater system practices over the past several decades have not incorporated the
significant security measures that must now be considered. As such, the American Society of Civil
Engineers (ASCE), the American Water Works Association (AWWA), and the Water Environment
Federation (WEF) agreed to work together to develop materials to assist in the improvement of water
infrastructure security. The project was funded by the U.S. Environmental Protection Agency (EPA)
under cooperative agreement X-83128301-0. Although the information in this document has been
funded wholly or in part by the USEPA, it may not necessarily reflect the views of the Agency and no
official endorsement should be inferred.
The three organizations (ASCE, AWWA, and WEF) divided the project into the areas of water supply,
treatment, and distribution systems (led by AWWA); wastewater and stormwater collection,
treatment, and disposal systems (WEF), and methodology and characteristics pertinent to designing
contaminant detection and monitoring systems (ASCE).
This document was prepared by CH2M HILL Inc. under the guidance of a Project Steering
Committee of WEF members with varied perspectives and experience with wastewater/stormwater
facility security issues. Drafts of the document underwent thorough technical review by the Project
Steering Committee, and members of the Water Infrastructure Security Enhancements (WISE)
Standards Committee, members of various related WEF technical committees as well as other
stakeholders who volunteered to provide input. The comments offered by the reviewers served as a
"real-world" check to ensure that the ideas and suggestions presented would likely be applicable for
various sizes and configurations of utilities.
The purpose of this document is to provide a centralized starting point for utilities as they integrate
modern security practices into the operation, construction, or retrofit of their wastewater systems.
The guidance focuses on these four common principles:
•   Maintaining decision-making about security at the local utility level
•   Developing a balanced approach to security by applying design, management, and
    operations strategies
•   Developing cost-effective solutions
•   Successfully introducing security into the culture of wastewater utilities

To enhance the value of this document, an annotated bibliography has been included in lieu of a
"References Cited" section. The bibliography contains not only a list of the materials and web sites
used in the preparation of this document, but also numerous other resources that may assist
wastewater utility managers as they design, operate, and manage their facilities.
With the same concept in mind, information has been included in this guidance that may seem to be
very basic or redundant. The purpose of this format is to ensure that all users of this guidance have
the same level of understanding on which the more advanced and complex concepts are built.
Where appropriate, a range of implementation options, from basic to advanced, are presented. Each
utility should apply its own decision-making process as it determines which of the options most
closely meets its unique needs and situations.

Completion of a document such as this requires significant effort and expertise, not only from those
who construct the text, but also those who, often at their own expense, review the document and
provide invaluable guidance. It is with appreciation that the following individuals are acknowledged
for their key contributions to this document.

Project Steering Committee Members
Jeanette Brown, Stamford WPCA
William Boyle, UW-Madison
Findlay Edwards, University of Arkansas
Homer C. Emery, San Antonio Water System
Madeline F. Goddard, City of Phoenix, AZ
Robert L. Griffin, Shield Engineering, Inc.
Bart G. Jones, Strand Associates, Inc.
Carl M. Koch, Greeley & Hansen
CH2M HILL Primary Authors
William E. Desing
Forrest M. Gist
Kristine K. Hargreaves
Rex T. Hesner
Alan B. Ispass
Jacqueline T. Kepke
Michael J. Matichich
Kenneth A. Thompson
Laurens van der Tak
Linda P. Warren
Technical Reviewers
Zafar Bhatti, Ontario Ministry of the Environment,
Toronto, Canada
Haydn Blaize, Fulton County Public Works, GA
Terry Bradham, Earth Tech, Inc.
Derek J. Burton, Woodard & Curran
Leonard Carson, Metropolitan Water Reclamation District
Paul H. Causey, Marin County, CA

Chein-Chi Chang, District of Columbia Water & Sewer
James J. Courchaine, Brown and Caldwell
Bob Decker, Pima Co. Wastewater Management Dept.
Wes Frye, Metro Water Services Nashville, TN
Daniel Graber, HDR, Inc.
Carl R. Hendrickson, Veolia Water North America
Srinivas Jalla, Parsons
Bart G. Jones, Strand Associates, Inc.
Conrad G. Keyes, Jr., American Society of Civil Engineers
Paul A. Bizier, Chastain-Skillman, Inc.

Charles B. Bott, Virginia Military Institute
Chris Browning, Fulton County Public Works, GA
William L. Cairns, Trojan Technologies, Inc.
Leonard W. Casson, University of Pittsburgh
Jerry Cevetello, Manasquan River Regional Sewerage
Authority, NJ
James H. Clifton, Simsbury, CT WPC

Stephen J. Craig, City of Redding, CA
David A. Flowers, Natural Water Solutions, LLC
Fred R. Gaines, Applied Water Management Division
Alan Hais, U.S. Environmental Protection Agency
Douglas G. Honegger, D.G. Honegger Consulting
Elizabeth James, Georgia Department of Natural Resources
Patrick T. Karney, CH2M Hill
Joseph S. Kowalczyk, COM

Stephen R. Krai, LA County Sanitation District
Karl E. Landis, Buchart-Horn, Inc.
Debbie Magin, Guadalupe Blanco River Authority
Bill Maxwell, City of Fort Wayne City Utilities

William McKeon, Philadelphia Water Department
Roger Myers, City of San Diego MWWD
Daniel D. O'Brien, DHPW U&FD United States
Military Academy - West Point
John P. O'Neil, Unified Wastewater District
Luke Richmond, Beckley Sanitary Board
Cordell Samuels, Region of Durham
Robert J. Scott, Westin Engineering, Inc.

Michael Shatynski, LA County Sanitation District
Stephen L. Simpson, Black & Veatch Corporation
Chris M. Sorensen, City of Great Falls
Peter L. Stump, Jordan, Jones & Goulding, Inc. -
Norcross office, GA
Thor A. Young, Stearns & Wheler
Thomas P. Krueger, City of Tulsa WPC
Glinda Loving, Milwaukee Metropolitan Sewerage District
George Martin, Greenwood Metro District, SC
Shellie Chard McClary, Oklahoma Department of
Environmental Quality
John L. Murphy, City of Bangor, ME
Vincent L. Nazareth, R.V. Anderson Associates Limited
Rudolf Ohlemutz, Vallejo Sanitation and Flood Control District

Jim Peters, Brown and Caldwell
Dan Ryan, Veolia Water North America
Harold E. Schmidt Jr., Hartman & Associates, Inc.
Marie Shadden, Department of Watershed Management, City
of Atlanta, GA
Irwin Silverstein, NHSRC
Marsha Slaughter, City of Oklahoma City
Monica Sowders, Knoxville Utilities Board
Robert A. Villee, Plainfield Area Regional Sewerage
Authority, NJ
Jody Zabolio, City of Fort Worth, TX

Executive Summary
Preparing for extreme events has been a standard practice of wastewater and stormwater designers,
managers, and operators for many decades. Major rain events, blizzards, and earthquakes have been
considerations in the design of infrastructure and in the planning for emergency preparedness and
disaster response. The focus had always been on natural events, some of which could be predicted
hours, if not days, before they occurred. The events of September 11, 2001 changed this focus. Now,
wastewater and stormwater facilities, along with other public infrastructure and essential service
providers, are clearly potential targets for malevolent acts of destruction and disruption from
domestic and international terrorists. This new focus of concern has also led wastewater and
stormwater industry leaders to recognize and address the potential consequences of other
vulnerabilities such as sabotage, vandalism, and theft.
Wastewater and stormwater infrastructure, while a possible target of purposeful attack, also serves as
a conduit for access to other targets. Large-diameter gravity sanitary, storm, or combined sewers are
often easily accessible via manholes, inlets, and overflow structures, and they can provide a means of
undetected passage under the streets of a municipality to attack both "soft" and "hardened" targets.
Large and small pipelines can also be made into weapons via the introduction of a highly flammable
substance such as gasoline through a manhole or inlet, or even through a building drain or cleanout.
Purposeful contamination of wastewater or stormwater, as well as damage to or destruction of
treatment or conveyance systems, can lead to widespread and long-term environmental damage, and
severe public health impacts. The remote location and frequently unattended operation of many
wastewater pump stations and stormwater facilities increase their vulnerability. Additionally, a cyber
attack on Supervisory Control and Data Acquisition (SCADA) system communications can cause
sewer overflows and flooding, possibly damaging property and environmentally sensitive lands,
contaminating ground and surface waters, and threatening public health.
Overall, the protection of wastewater and stormwater systems, and their staffs, poses many unique
issues and thought-provoking challenges. Industry leaders are meeting these challenges directly
through the Water Environment Federation, the American Society of Civil Engineers, the American
Water Works Association, and others, assisted and funded by the U.S. Environmental Protection
Agency. This Security Guidance is intended to serve as the "go-to" reference for designers, operators,
and managers of wastewater and stormwater infrastructure intent on meeting these challenges.
The primary purpose of this document is to provide considerations for the design of wastewater and
stormwater systems that can help to reduce the risks posed by malevolent threats. However, along
with design considerations, there are many management and operational practices that can reduce
the risks from malevolent threats as well. Because many of these management and operational
practices can provide a considerable reduction in risk and can be implemented without major capital
investment, they are presented first, prior to the section on design.

It is important to understand that this document is intended to be used by wastewater and
stormwater professionals who have completed a vulnerability assessment and are looking for ways
to improve the security of their system through utility management, facility operations, and
infrastructure design.
This guidance is organized into the following sections:
Introduction. This section presents an overview of wastewater security, including a description of the
potential natural and man-made threats to wastewater systems. It describes methodologies for
conducting a vulnerability assessment—a step that should be undertaken before using this
document—and discusses drivers for security improvements and strategies for balancing security
risks with costs and other utility priorities.
Managing for Reduced Risk. Many simple shifts in utility management and culture can result in
great improvements to wastewater security. This section outlines management techniques related to
working with the utility's governing body; human resources strategies including considerations
related to the organizational culture; elements of an effective training program; financial
considerations for funding security improvements; tips on records management; policies and
procedures; procurement; and communication practices and interagency communication—before,
during, and after an event.
Operational Considerations for Reducing Risk. Along with changes in the way the utility is
managed, operational changes often provide some of the more cost-effective ways for utilities to
enhance the physical security of their systems. This section provides suggestions for operational
strategies that wastewater utilities may adopt to cost-effectively improve the security of their
infrastructure support facilities. It evaluates the applicability of different operational approaches to
security for a variety of threats and provides suggestions for operating treatment facilities,
laboratories, support facilities, remote pumping facilities, and collection system infrastructure.
Design Considerations for Reducing Risk. The objective of this section is to provide guidance that
enables wastewater utility decision-makers and designers to develop secure sites and facilities that
protect people, information, property, and assets. This section provides general design
recommendations and physical protection system design concepts, as well as specific design
considerations for different types of wastewater treatment and collection facilities.
Cyber Security. As more wastewater utilities automate their processes and rely on the digital transfer
of information, the utilities are increasingly vulnerable to a cyber attack that could compromise not
only data, but infrastructure as well. This section describes potential cyber attacks and presents
management, operational, and design solutions to improve cyber security.
Electric and Electronic Security Devices. The operational and design sections of this document
identify applications for which utilities may want to install electric and electronic security devices.
This section provides an overview of issues and situations that should be considered when
determining the type of electric/electronic security system to install. Included are descriptions of
security devices, including intrusion detection systems, access control and card readers, biometric
readers, and closed-circuit surveillance camera systems. Lighting and wiring are also discussed.

Emergency Response. No utility can protect against all threats, thus a utility must be prepared to
respond and recover in the event that existing security systems do not prevent a harmful occurrence.
This section presents information for wastewater utilities to consider when planning for and
responding to incidents in order to minimize disruption of service, protect employees and the public,
and mitigate adverse environmental impact. The issues discussed provide the basis for development
of a wastewater Emergency Response Plan for both human-caused and natural hazard emergencies.
Other Information Sources. Many additional resources are available to assist wastewater utilities
looking to delve further into improving security at their facilities. This section presents information
on agencies and associations that have an interest in utility security, as well as their related
documents and web sites.

Water Environment Federation

Founded in 1928, the Water Environment Federation (WEF) is a not-for-profit technical and
educational organization with members from varied disciplines who work toward the WEF vision of
preservation and enhancement of the global water environment. The WEF network includes water
quality professionals from 76 Member Associations in 30 countries.
For information on membership, publications, and conferences, contact:
       Water Environment Federation
       601 Wythe Street
       Alexandria, VA 22314-1994 USA
       (703) 684-2400
The material presented in this publication has been prepared in accordance with generally
recognized engineering principles and practices and is for general information only. However, the
material only should be used based on site-specific evaluation and vulnerability assessments and
after securing competent advice with respect to its suitability for your application. It is your
responsibility to ensure that the information you use is accurate and appropriate to your use. WEF
makes no representation of warranty of any kind, whether expressed or implied, concerning the
accuracy, product, or process discussed in this publication and assumes no liability for consequences
resulting from the use of the information included here. Anyone using this information assumes all
liability arising from such use.
The contents of this publication are not intended to be a standard of WEF and are not intended for
use as a reference in purchase specifications, contracts, regulations, statutes, or any other legal
No reference made in this publication to any specific method, product, process or service constitutes
or implies an endorsement, recommendation, or warranty thereof by WEF.

Acronyms and Abbreviations

ACC          American Chemistry Council
ACL          access control list
AMSA        Association of Metropolitan Sewerage Agencies
AMWA       Association of Metropolitan Water Agencies
ASCE         American Society of Civil Engineers
ASIWPCA     Association of State and Interstate Water Pollution Control Administrators
AWRA        American Water Resources Association
AWWA       American Water Works Association
AwwaRF      American Water Works Association Research Foundation
CBR          chemical, biological, or radiological
CCTV         closed-circuit television
CDC          Centers for Disease Control and Prevention
CHIPS        Citizens Helping in Police Service
CIAO         Critical Infrastructure Assurance Office
CIP           capital improvement plan, critical infrastructure protection
CPR          cardio-pulmonary resuscitation
CPTED        Crime Prevention Through Environmental Design
CSO          combined sewer overflow
CWSRF       Clean Water State Revolving Fund
DBT          design basis threat
DHS          Department of Homeland Security
DoD          Department of Defense
DoS          Department of State
EOC          emergency operations center
EPA          U.S. Environmental Protection Agency
ERP          emergency response plan
EWRI         Environmental and Water Resources Institute
FBI           Federal Bureau of Investigation
FEMA         Federal Emergency Management Agency
FOIA          Freedom of Information Act

GC/MS        gas chromatograph/mass spectrometer

GETS          General Emergency Telecommunications Service

GPS           global positioning system

GSA           General Services Administration

HAZWOPER   Hazardous Waste Operations and Emergency Response

HMI           human-machine interface

HSPD          Homeland Security Presidential Directive

HVAC         heating, ventilation, and air conditioning

ICS            Incident Command System

IDS            intrusion detection system

IED            improvised explosive device

IID            improvised incendiary device

IP             Internet protocol

ISAC          Information Sharing and Analysis Center

IT             Information Technology

IWA           International Water Association

LEPC          Local Emergency Planning Committee

MHz           Megahertz

NELAP        National Environmental Laboratory Accreditation Program

NETCSC       National Environmental Training Center for Small Communities

NIMS          National Incident Management System

NIOSH        National Institute of Occupational Safety and Health

NPDES        National Pollutant Discharge Elimination System

NRWA        National Rural Water Association

NSFC          National Small Flows Clearinghouse

O&M          operation and maintenance

ODP           Office of Domestic Preparedness

ORP           oxidation-reduction potential

OSHA         Occupational Health and Safety Administration

PCII           Protection of Critical Infrastructure Information

PCIS           Partnership for Critical Infrastructure Security

PDD           Presidential Decision Directive

PIN           personal identification number

PIO           Public Information Officer

PIR           passive infrared

PLC           programmable logic controller

POTW         publicly owned treatment works

PSM           process safety management plan

PTZ           pan, tilt, and zoom

RAM-W™     Risk Assessment Methodology for Water

RFID          radio frequency identification

RMP          risk management plan

RPG           rocket-propelled grenade

RTU           remote terminal unit

SARA         Superfund Amendments and Reauthorization Act

SBCCOM      United States Army Soldier and Biological Chemical Command

SCADA        Supervisory Control and Data Acquisition

SEMS         Security Emergency Management System

TISP           The Infrastructure Security Partnership

UPS           uninterruptible power supply

USFA         U.S. Fire Administration

UV           ultraviolet

VA           vulnerability assessment

VPN          virtual private network

VSAT™        Vulnerability Self-assessment Tool

WEF          Water Environment Federation

WERF         Water Environment Research Foundation

WISE SC       Water Infrastructure Security Enhancements Standards Committee

WVU          West Virginia University




1.1 Purpose of this Document
This document has been developed to provide managers of wastewater utilities, designers of
wastewater systems, and instructors in wastewater operations with information about improving the
security of wastewater infrastructure and reducing risks associated with malevolent acts. The
guidelines that are presented herein cover the broad spectrum of wastewater systems — from small to
large, those with separate sanitary sewers and those with combined sewer systems, and utilities that
provide service to rural towns and utilities that serve major metropolitan areas. Consequently, not all
recommendations will be applicable to all wastewater systems.
Security issues related to stormwater conveyance systems are included in this document to the extent
that the issues parallel those for sanitary sewage collection systems and combined sewer systems,
which may be integral parts of a wastewater utility. Major stormwater facilities such as flood control
canals and dams are not included. As a starting point, and as a prerequisite to implementing security
measures contained in this document, wastewater utilities should complete a vulnerability
assessment (VA) using the available industry tools (see Section 1.4.3) to determine the threats
against which the utility decides to protect (known as the design basis threat). Additionally, the VA
should include a cost-risk reduction analysis to ensure that the most cost-effective security measures
are put in place. This is especially critical for small utilities and those with stressed resources.
Natural disasters and unintentional incidents (those resulting from human activity, but that are not
malevolent) are recognized as additional threats to wastewater systems, and are discussed later in
this section. Many of the recommendations included in this document that reduce the risk of
malevolent incidents will also reduce the risk associated with some natural and unintentional
disasters. For example, structural hardening (i.e., improving the physical strength) can improve a
building's ability to withstand high winds and earth movement, and redundant unit processes can
improve operational flexibility. However, measures to specifically address natural disasters and
unintentional incidents are not included in this document because extensive information is already
available in publications from the Federal Emergency Management Agency (FEMA); textbooks,
guidance, and standards from industry associations; as well as a wide spectrum of codes.
By no means should this document be considered the sole source of information regarding
wastewater system security. There are several other references already published and several projects
underway that also address wastewater  system vulnerabilities. There are additional references that
address risk mitigation and countermeasures for other infrastructure, as well as general information
on Homeland Security, that may be useful to wastewater professionals. In the preparation of this
document, the attempt was made to reference this published and unpublished material as
appropriate. Discussion of additional sources of information is provided in Section 8 of
this document.

1.2 Overview of Wastewater Security
An interruption in service of wastewater systems, whether from natural disasters or malevolent
actions, can result in widespread public health impacts and significant environmental damage.
Moreover, major damage to wastewater infrastructure would cause disruption of everyday life and
result in catastrophic economic impacts.
Because wastewater systems are typically owned by the government and because they are critical
infrastructure, these systems may be a target for terrorists. Sanitary, stormwater, and combined
sewers can be used as conduits for access to restricted areas and for carrying flammable liquids and
explosive devices. Explosions in sewers can cause the collapse of roads, sidewalks, and adjacent
structures, and can injure or kill people in the vicinity and in the structures. A sewer line
explosion in Louisville, Kentucky in 1981 occurred after flammable material was dumped into the
sewer by a local industry (see Exhibit 1-1). Additional examples of impacts to wastewater systems are
shown in Exhibit 1-2 and include:
•  Physical destruction
•  Illegal dumping of toxic chemicals that can enter the sewer collection system and disrupt or
   debilitate the biological system at the treatment plant
•  Release of chlorine gas or other toxic
•  Dumping of gasoline or other flammable substances in the collection system
•  Malicious manipulation of the Supervisory Control and Data Acquisition (SCADA) system

EXHIBIT 1-1
Results of a Sewer Line Explosion in Louisville, Kentucky
Source: (C)The Courier-Journal

1.3 Threats to Wastewater Systems
For wastewater utilities, a threat may be defined as a potential event that may result in (1) damage or
harm to a utility's physical, cyber, or human assets, or (2) an upset or disruption to service or
operations. There is a wide range of threats that may affect wastewater systems. These threats can be
divided into three categories:
•  Malevolent threats, those caused by human activities for the express purpose of damaging or
   destroying assets and terrorizing people.
•  Natural threats, those caused by natural phenomena such as extreme weather, wildfires, and
•  Unintentional threats, those caused by human activities, but whose consequences are accidental
   or inadvertent.







Motivation
The motivation of perpetrators ranges from the mischief of minors to the desire of terrorists to
undermine the well-being of society. Between those two extremes is a variety of motivating factors
that include persons angry at the utility organization or particular members of the agency (see
Exhibit 1-4). Disgruntled employees who feel abused, belittled, unappreciated, or unrewarded may
attack coworkers or supervisors, damage infrastructure, destroy or change data, or steal equipment.
Former employees who believe they were wrongly terminated or desire to avenge a previous
incident may return to the workplace and commit an assault or murder, property damage, theft, or
sabotage. Spouses and partners of disgruntled employees and former employees may commit the
same acts as revenge on the utility or its management. Similarly, customers who believe they were
wrongly treated, overcharged, or who experienced property damage may vent their anger in similar
ways. Additionally, motivation may be more personal, involving blackmail, debts, or domestic
violence. It is important to realize that any of the actions taken by these angry persons may be
planned or may be impulsive.
EXHIBIT 1-4
Examples of Perpetrators
•  Current employee (insider)
•  Former employee
•  Spouse/partner of employee
•  Vendor or contractor
•  Customer
•  Vandal
•  Criminal
•  Terrorist (domestic and foreign)

Financial gain may motivate persons, including employees, to steal equipment, supplies, vehicles, or
money. Such thefts may be a single breaking and entering, making the crime obvious. On the other
hand, thefts may be insidious if committed by persons such as employees, vendors, or contractors
who have access to the organization's facilities. Thefts may also be committed through an ongoing
scheme that involves stealing rarely used items or embezzling small amounts of money. These thefts
could be covered up through unauthorized adjustments to inventory or financial records. Such crimes
may remain unnoticed for long periods of time. Thefts by employees are, unfortunately, common. It is
estimated that more than $400 billion is lost in the United States due to employee theft and fraud
and that 68.6 percent of employees who commit these crimes have no previous criminal record.2
At the extreme end of the motivation scale are the driving forces of the terrorist. While remaining a
topic of debate, motivating factors may be political, religious, social, or symbolic; revenge, change, or
the desire to gain attention may instigate a terrorist act.  Terrorists act with the intent of undermining
stability and instilling terror through destruction of economically important and symbolic assets and,
potentially, by killing large numbers of people. Terrorists almost always work in groups and spend
considerable time and resources to decide upon and learn about their targets and plan their attacks.
The motivation of terrorists is so strong, they will adopt different lifestyles, deceive and betray
friends and family, and sacrifice themselves for their cause.
2 Detecting Employees Who Steal, Workforce Management, November 2002, page 31.

The threat of a major terrorist attack on a wastewater system may not appear likely at first; however,
several characteristics may make it a possible target. Foremost, wastewater systems are typically
government-owned and, therefore, may serve as a symbolic and political target. Damage to the
wastewater infrastructure or treatment processes can cause overflows of raw sewage, discharge of
contaminants to receiving waters and reclaimed water systems, and chemical releases (e.g., chlorine
gas) to the atmosphere, resulting in widespread public health concerns and long-term environmental
impacts. Release of flammable or explosive materials into a collection system can destroy not only the
pipeline, but also surface infrastructure such as roads, bridges, and adjacent structures, as  well as
injure or kill people. Additionally, interceptors, tunnels, and collection systems can be used as
conduits to access other targets, and appurtenances such as manholes and stormwater inlets could be
used to hide explosive devices for other primary targets.

Tactics and Methods
Tactics of carrying out malevolent threats include overt actions and surreptitious actions. Overt
actions include direct attack on infrastructure, assault, and hostage taking. Surreptitious actions
include vandalism, theft, contamination, placing explosives, and cyber attacks.
Methods include unarmed individuals attacking utility staff, damaging equipment, shutting valves,
and using sewers as accessways to otherwise secure sites unrelated to the utility. Malevolent threats
also involve weapons such as knives, pistols, rifles, automatic weapons, and standoff weapons such
as rocket-propelled grenades (RPGs) and mortars. Explosives may either be manufactured devices,
such as hand grenades, or improvised devices, such as pipe bombs that use TNT, C4, or another
commercially available compound. Improvised explosive devices (IEDs) can be easily hidden in trash
cans or in vehicles that may be parked or driven on site, and then either manually or remotely
detonated. Perpetrators may also use mail bombs, or bombs that are placed in packages or containers
that are delivered to the utility.
Contamination with chemical, biological or radiological agents is a threat from two perspectives.
First, these agents may be used against personnel through dispersal in the air, through heating,
ventilation, and air conditioning (HVAC) systems, through food, and through the potable water
supply. Second, these agents can be introduced into the collection system or directly into the
treatment system, causing system upsets, disruption of biological treatment processes, and the
pass-through of these contaminants into the environment via outfalls or in reclaimed water systems.
Contamination of the sewer system can also occur from decontamination activities after terrorist
attacks in the service area, satellite systems, or from wastewater generated by persons affected by
these agents. Depending upon the specific substances used, damage may be acute and/or chronic.
This subject is addressed in more detail through a project being managed by the Association of
Metropolitan Sewerage Agencies  (AMSA), titled  Decontamination Wastewater Acceptance & Treatment -
A Wastewater Utility Planning Tool.
Wastewater systems also face malevolent threats to their information systems through cyber attacks.
Such attacks may originate internally or externally. Attacks directly on the utility may disable a
Supervisory Control and Data Acquisition (SCADA) system and alarms, override process controls, or
take control of key points in the system, resulting in the overflow of sewage or insufficiently treated
effluent. Cyber attacks may also interrupt communications, and intranet or Internet services.
Attacks on other organizations, such as power generators or power grid operators, can also
significantly affect the ability of wastewater utilities to provide continuous and effective service.

Additional Benefits of Addressing Malevolent Threats
This document focuses on improving security to address malevolent threats — those threats that are
caused by planned or unplanned actions of an individual or group(s) of individuals with the intent to
damage or harm the utility's physical, cyber, or human assets; disrupt service; cause environmental
damage; or adversely affect the public health. Natural threats and unintentional threats (those caused
by human actions, but that are not deliberate) are not specifically addressed by the design,
operational, or management considerations contained in this document. Wastewater utilities have
always faced natural threats, and designers, operators, and managers have considerable resources
available as they prepare for, react to, and recover from weather and seismic disasters. In addition,
most jurisdictions require compliance with specific code provisions and regulations in the design of
structures and other infrastructure that are located in geographic regions subject to specific natural
threats. Nevertheless, many of the countermeasures put into place to reduce the risk of malevolent
threats will also reduce a utility's risk from natural and unintentional threats.

Homeland Threat Advisory System
The U.S. Department of Homeland Security (DHS) has developed an advisory system that identifies
the present threat to the entire nation or a portion of the nation. The system uses five colors to express
the "Threat Condition" as follows:
•   Severe - Red
•   High - Orange
•   Elevated - Yellow
•   Guarded - Blue
•   Low - Green
The DHS and the American Red Cross provide lists of recommended actions for citizens, businesses,
schools, and neighborhoods to take under each of the five threat conditions (as shown in Exhibit 1-5).
The EPA has also published a list of recommended actions specifically for wastewater utilities to
implement under the different threat conditions; however, this list is available only through secured
means such as the Water Information Sharing and Analysis Center (WaterISAC).
Wastewater utilities should consider using the designated Threat Condition to trigger adjustments to
their operations and operational procedures, similar to that presented in the exhibit above and in the
restricted wastewater document published by DHS. For example,  the New Jersey Domestic Security
Preparedness Task Force developed Best Practices for the Wastewater Industry, an excerpt from
which is shown in Exhibit 1-6.

Homeland Security Advisory System for Businesses
Source: American Red Cross

Risk of Attack
Recommended Actions

•  Complete recommended actions at lower levels
•  Listen to radio/TV for current information/instructions
•  Be alert to suspicious activity and report it to proper authorities immediately
•  Work with local community leaders, emergency management, government agencies, community
   organizations, and utilities to meet immediate needs of the
•  Determine need to close business based on circumstances and in accordance with written
   emergency plan
•  Be prepared to work with a dispersed or smaller work force
•  Ensure mental health counselors available for employees

•  Complete recommended actions at lower levels
•  Be alert to suspicious activity and report it to proper authorities
•  Review emergency plans to include continuity of operations and media materials on hand
•  Determine need to restrict access to business or provide private security firm
•  Contact vendors/suppliers to confirm their emergency response plan procedures
•  If a need is announced, contact nearest blood collection agency and offer to organize a
   blood drive

•  Complete recommended actions at lower levels
•  Be alert to suspicious activity and report it to proper authorities
•  Contact private security firm for security risk assessment and to determine availability of
   support/reinforcement
•  Contact voluntary organizations you support to determine how you can provide assistance in
   case of emergency

•  Complete recommended actions at lower level
•  Be alert to suspicious activity and report it to proper authorities
•  Dialogue with community leaders, emergency management, government agencies, community
   organizations and utilities about disaster preparedness
•  Ensure emergency communication plan updated to include purchase of needed
•  Ask the local Red Cross chapter to provide a "Terrorism: Preparing for the Unexpected"
   presentation at your workplace for employees

•  Use Red Cross Emergency Management Guide for Business and Industry to develop written
   emergency plans to address all hazards. Include an emergency communication plan to notify
   employees of activities; designate an off-site 'report to' location in case of evacuation.
•  Develop continuity of operations plan to include designating alternate work facility/location
   for business
•  Arrange for staff to take a Red Cross CPR/AED and first aid course
•  Obtain copies of Terrorism: Preparing for the Unexpected and Preparing Your Business for the
   Unthinkable brochures from your local Red Cross chapter for distribution to all
   employees/management as appropriate.

Example of Actions to be Taken Under Threat Conditions (excerpt from Best Practices for the Wastewater Industry)
Source: New Jersey Domestic Security Preparedness Task Force

Coordinate necessary security efforts with local and county emergency management.
Take normal precautions at public events.
Take additional precautions at public events.
Eliminate all public admission to facilities.
Review contingency plans to work at an alternate site or with a dispersed work force.
Review plans to restrict access to facilities.
Announce threat condition to all employees by use of a flag or placard system at the entrance gate.
Hold briefing sessions with employees as shifts come on duty.
Review with employees who and how contacts should be made in case of emergency.
Stockpile food and water for all employees at the facility.
Insist that employees bring necessary medications to work each day as well as a change of
Minimize staffing to essential personnel only.
Avoid all contracted repair work in and around facilities unless critical.
Eliminate all scheduled preventative maintenance activity.
Consider partial activation of Emergency Operations Center.
Consider full activation of Emergency Operations Center.

Threat Categories
The spectrum of malevolent threats is broad, and the countermeasures that must be put into place to
mitigate the risks associated with these threats are more of a continuum than a discrete list. However,
to effectively  plan for and design the physical improvements to reduce the risks from malevolent
threats, the threats are presented in the context of defined threat categories as shown in Exhibit 1-7.
•  The vandal category is focused on individuals who are intent on defacing, damaging, or
   destroying property.  No weapons are involved, there are no injuries to persons, and the cost to
   restore the asset is relatively minimal.
•  The criminal category refers to individuals whose intent is to gain financially through violation of
   law or to  seek revenge by attacking a person.

  Threat Categories by Characteristic
                                             Threat Categories
       Asset damage
Thrill, dare
Property damage
Little or none
Financial gain
Knife, pistol, rifle
Political cause
Political cause
Destruction and
human casualties
Stealth or overt
Assault weapons,
explosives, RPGs
•   The saboteur and terrorist categories are similar in that perpetrators are typically motivated by
    political, idealistic, or religious causes. Both categories include individuals bent on physical
    damage or destruction. The terrorist, however, is bent on causing human casualties, typically in
    large numbers and sometimes without regard for his or her survival. The saboteur's objective is
    to cause physical damage or destruction without the intent of human injury, although injury
    might result from such actions.

Insider Threat vs. Outsider Threat
The source of the threat in any of these four threat categories may be either an insider or an outsider.
An insider is a person with knowledge of the wastewater  utility who has access to the facilities or
portions of the system as part of his or her daily work activities. Typically, insiders have access to
information systems as well. Although some organizations may consider insiders to be limited to
employees, this document defines insiders as any person who would not cause suspicion by his or
her presence at a utility facility. Thus, examples of insiders can include employees, vendor
representatives,  delivery persons, consultants, and onsite  contractors.
An outsider is a  person not normally allowed access to any of the wastewater utility's facilities.
Suspicions might be raised if such a person or persons were seen on utility property. Outsiders do
not have access rights to utility property, buildings, or information systems.

It is critical to understand that most physical security measures will not greatly reduce the risks
associated with insider threats. Because insiders will have access to utility facilities and information,
the most effective countermeasures to reduce risks associated with insiders are managerial and
operational. Thus, it is important to develop and enforce effective organizational policies and
operational procedures as discussed in Sections 2 and 3 of this document.
On the other hand, risks associated with outsider threats can be reduced through the design of
physical security improvements as presented in Section 4 of this document, as well as through the
implementation of effective policies and procedures.

1.3.2 Natural Threats
Weather events such as hurricanes, tornadoes, flash floods, lightning, and severe storms produce
conditions that can cause structural damage to facilities and interruption to processes that may result
in environmental damage and public health concerns. Such natural disasters may also impact
communications and cyber infrastructure and cause injuries or fatalities to utility employees. Because
natural threats (see Exhibit 1-8) tend to be geographically specific, not all wastewater systems face
the same threats.

Examples of Natural Threats
Panel labels: Ice storm; Expansive soils

Flooding from heavy rains, hurricanes, melting snow, or ice
jams can float tanks, damage electrical and mechanical
equipment, surcharge sewers, and overload pump stations
causing sewage overflows and backups. Overflows and
backups can result in treatment plant short-circuiting and
damage to roads that would restrict and delay access to
facilities, as well as present a risk of drowning for employees.
Winds produced by hurricanes, tornadoes, and strong
thunderstorms can damage structures directly or through windblown debris, overturned vehicles,
equipment, and light-weight tanks. High winds can also collapse power transmission towers and
power poles, disrupting power and telecommunications. Fallen trees and windblown debris can
delay or prevent access to facilities.
Lightning associated with thunderstorms is notorious for damaging electrical equipment either
through direct hits or by surges in electrical systems. Lightning also puts employees at risk, should
they be in open areas on a plant site or otherwise out in the service area. The more frequent practice
of using utility properties to locate cell phone towers may require additional considerations.
Consequences of blizzards and ice storms include delays in responding to facilities and risk to
employees from drifting snow, ice-covered roads and access ways, and exposure to extreme cold.
Power distribution lines may fail due to the weight of the ice or snow, leaving facilities without
power. Snow and ice make access to manholes difficult, and frozen soil makes sewer repairs more
difficult. Additionally, heavy snowfalls can overload building roofs and tank covers, resulting
in collapse.


While earthquake threats are considered by many to be restricted to the West Coast, Alaska and
Hawaii, much of the United States may be subject to a seismic event of varying intensities (see
Exhibit 1-9). In fact, in the more than 400 years between 1568 and 1989, 47 of the 50 states had
earthquakes with a Richter magnitude of 6 or greater.3 Direct impacts to wastewater infrastructure
include the damage or complete collapse of both structures and pipelines (e.g., sewers, process
piping, fuel lines, air piping, and methane piping), with resulting sewage overflows, service
interruptions, possible cessation of treatment capability, and risk of fire. Indirect damage includes
loss of potable water supply (including fire suppression), gas supply, power, telecommunication, and
cyber communications.

EXHIBIT 1-9
Seismic Hazards in the Conterminous U.S.

Tsunamis are a series of waves generated by an impulsive disturbance, typically an earthquake or
landslide, in the ocean or in a smaller body of water that is connected to the ocean. In the United
States, tsunami-prone areas are coastal locations along the Pacific Ocean, including the states of
California, Oregon, Washington, Alaska, and Hawaii. Tsunamis can be devastating to both life and
property, reaching heights of 90 meters (295 feet) and traveling upwards of 1,000 kilometers per hour
(621 miles per hour), with run-ups inland of several hundred meters. However, of the 32 tsunamis
that reached the United States in the past 33 years, only two traveled inland more than 100 meters
(328 feet), and all but eight were along the Alaskan coast.4
Landslides are usually caused by heavy rain or snow, erosion by waves or wildfires, and
earthquakes. They can quickly destroy structures and bury infrastructure under tons of earth, rock,
and snow. Landslides are known to occur in every state in the U.S., and may be a threat to
wastewater utilities if the facilities are located on or at the base of a slope or on the site of an old
Other land movement may also threaten wastewater facilities. Areas with expansive soils may cause
structures to move unevenly and to crack. Damage is in most cases superficial, disfiguring walls and
ceilings and causing doors and windows to function erratically. However, sewers may crack or settle,
resulting in leaks or poor flow characteristics. Areas with Karst formations (terrain formed by rock
with higher solubility, such as limestone, dolomite or gypsum) may be subject to
sinkholes that may undermine structures and pipelines.
3 FEMA 424 Design Guide, 2004
4 West Coast/Alaska Tsunami Warning Center, NOAA/NWS, http://wcatwc.arh.noaa.gov.

EXHIBIT 1-10
Number of Wildfires in the U.S. by Year and the Total Number of Acres
Consumed by the Fires. Source: National Interagency Fire Center, Boise, ID
(Chart note: through 6/9/04)

Each year, wildfires consume hundreds of thousands of acres, destroy thousands of structures, and
cause billions of dollars in property loss (see Exhibit 1-10). In addition, over $1 billion per year is
spent on suppressing wildfires.5 Although large wildfires are more frequent in the arid southwest,
wildfires can occur anywhere there are dry conditions. While underground pipelines are typically
unaffected by wildfires, aboveground structures and equipment at a treatment plant or
pump station could be damaged or destroyed if flammable materials were ignited by sparks from a
fire or a wildfire engulfed a facility. Such an incident would most likely result in sewage overflows
and disruptions in service and treatment capabilities.

1.3.3 Unintentional Threats
In addition to malevolent threats and natural threats, there are inadvertent human-caused events that
may threaten wastewater utilities. Accidental releases of hazardous substances may enter the sewer
system as the result of vehicular collisions, train derailments, or industrial accidents, causing damage
to sewers and pump stations or upsets of the biological treatment process. Contractors working on
adjacent utility lines or structures may damage wastewater system infrastructure. Damage to
collection systems by contractors installing other subsurface infrastructure appears to be one of the
most common causes  of collection system damage. This type of damage may not be realized
immediately. For example, a contractor's work at a treatment plant was found by the National
Transportation Safety Board to be the root cause of a gasoline pipeline explosion in Bellingham,
Washington in 1999. The explosion occurred 5 years after the contractor had apparently damaged the
pipeline, which went unnoticed prior to backfilling.6 Publicly owned treatment works (POTWs) may
also suffer from the secondary effects of other utility interruptions, such as power blackouts and
telecommunication outages.
1.4 Vulnerability and Risk
Prior to identifying a design basis threat (DBT) on which to base a design, make operational changes,
or revise management policies, it is imperative to perform a vulnerability assessment and risk
analysis on the existing or planned wastewater system. A thorough vulnerability assessment
performed using either Risk Assessment Methodology for Water (RAM-W™), Vulnerability
Self-assessment Tool (VSAT™), or one of the tools developed for small systems (see Section 1.4.3) will
identify the threats that should be addressed. A subsequent risk analysis will provide
decision-makers with the data required to choose a strategy for reducing risks in the design,
operations, and management of the wastewater system.
5 Containing Wildland Fire Costs: Utilizing Local Firefighting Forces, National Academy of Public Administration, December 2003.
6 Pipeline Accident Report, NTSB/PAR-02/02, National Transportation Safety Board, October 2002.

1.4.1 Definitions
It is important when undertaking a vulnerability assessment or considering security improvements,
to understand the meanings of vulnerability and risk.

Vulnerability is a characteristic of a critical infrastructure's design, implementation, or operation that
renders the infrastructure susceptible to destruction or incapacitation by a threat. Vulnerabilities may
consist of flaws in security procedures, software, internal system controls, or installation of
infrastructure that may affect the integrity, confidentiality, accountability, or availability of data or
services. Vulnerabilities also include flaws that may be deliberately exploited and those that may
cause failure due to inadvertent human actions or natural disasters. Any weakness that can be
exploited by an adversary or, in a non-terrorist threat environment, make an asset susceptible to
hazard damage may be considered a vulnerability.

Risk is the potential for realization of unwanted, adverse consequences to human life, health,
property, or the environment. It is the quantitative or qualitative expression of possible loss that
considers both the probability that a hazard will cause harm and the consequences of that event. Risk
is usually expressed as a function of the probability that an adverse effect will occur, and the
criticality of the effect on the ability to fulfill a mission or function.
1.4.2 Vulnerability Assessments
Vulnerability assessments provide a systematic analysis of the utility's susceptibility to a malevolent
attack and the means by which the utility can reduce its risk.
The objectives of vulnerability assessments are to:
•   Identify actions (i.e., threats) that an adversary could take to keep a wastewater utility from
    accomplishing its mission of protecting public health and the environment, specifically threats to
    the wastewater system assets including infrastructure, employees, information, and finances.
•   Identify the specific assets (i.e., infrastructure, employees, information, or finances) that may be
    impacted by the identified threats.
•   Determine the relative criticality of the utility's assets.
•   Determine the likelihood that a threat may materialize.
•   Evaluate existing countermeasures.
•   Analyze current risks associated with threats and assets.
•   Identify additional countermeasures and prioritize based on a risk-reduction analysis.

The vulnerability assessment considers the routes and means used to attack and to protect the asset
from attack. A vulnerability assessment may consider features and effectiveness of existing facilities
or, if used as a design tool for new facilities, considers how access may be gained to an asset, how the
asset may be compromised or destroyed, and similar considerations.
One of the first steps of a vulnerability assessment identifies a probable threat against which a utility
should aim to protect its infrastructure. That threat is carried forward as the DBT. Any
countermeasures that are proposed should be designed to defend against that DBT. As was
mentioned in the previous section, there are various threat levels that a wastewater utility may
encounter. Therefore, it is imperative that, before any security upgrades are considered, a DBT be
identified. As recommendations for security improvements are discussed in the following sections
of this document, utilities should focus on the appropriate improvements for  the threat level they
have identified.
The consequences of a successful crime or attack must also be considered to provide an opportunity
to weigh the cost and impact of implementing appropriate physical protective measures against the
potential consequences of an attack. For example, if the likelihood of the attack is low and
consequences minimal for a specific DBT (i.e., no loss of life, mission disruption, or depletion of
functionality is anticipated), the owner may determine that the consequences do not justify the
investment to address that DBT.
A vulnerability assessment also helps a wastewater utility identify its most critical assets and
prioritize its security efforts so that the most crucial infrastructure is best protected. Wastewater
utilities can be most prudent in their decisions on which security improvements to implement only
after they have conducted vulnerability assessments. For these reasons, this document is intended for
use in implementing security improvements after a vulnerability assessment has been conducted.

1.4.3 Vulnerability Assessment Methodologies
Several tools have been developed to assist wastewater utilities in completing vulnerability
assessments. These include VSAT™, RAM-W™, and checklist-based tools.

VSAT™
VSAT™ is a database-driven computer software tool that guides users through a vulnerability
assessment and risk reduction process from either an asset hierarchy or a library of threats, both of
which can be customized (see Exhibit 1-11). Assets and threats are linked and security risks are
calculated from a determination of asset criticality and  the probability of incident occurrence using
pop-up decision  trees. Countermeasures can be drawn from a database library or developed as
needed. The impact of the countermeasures on criticality and probability are determined, and the
revised risk level is calculated by the software. VSAT™ then provides for a cost-risk reduction
analysis for prioritizing security improvements.

VSAT™ is designed for a rigorous and logical vulnerability and risk assessment and covers five
utility asset categories: (1) physical, (2) information technology, (3) knowledge-based, (4)
people/employees, and (5) finances. This tool was developed by the AMSA under a grant from the
EPA and is available free of charge to wastewater utilities. A stand-alone emergency response plan
module that is compatible with VSAT™ will soon be available for wastewater systems.

[Exhibit 1-11: screen image of an asset hierarchy. Legible entries, in order: Raw Sewage Pumping;
Preliminary Treatment; Primary Treatment (Clarifiers); Biological Treatment; Structures; Mechanical;
Instrumentation; Secondary Clarification; Equipment Management; Administrative Office; Control Room;
Laboratory; Disinfection (Chlorination, UV); Advanced Treatment (Reactors, Filters); Reclaimed Water
System (Storage tanks, pumps); Biosolids Management System; Wastewater Collection System; Gravity
Sewers; Pipes; Pumping Stations; Stormwater Sewers; Support; Maintenance Facilities; Rolling Stock;
Recovery]

RAM-W™
The RAM-W™, developed by Sandia National Laboratories with input from the American Water
Works Association (AWWA), has also been applied to wastewater systems as a means for assessing
vulnerability. RAM-W™ uses a consequence-driven approach that focuses on evaluating the
effectiveness of the security protection system. The process (as shown in Exhibit 1-12) helps utilities to
identify those system components that are critical for the system to continue functioning and helps the
utility to prioritize security upgrades and/or modify policies and operational procedures to mitigate
identified risks. In turn, it offers utilities a way to develop a balanced security protection system so
that they can allocate the appropriate resources where they are most needed to reduce risk.

The RAM-W™ Small and Medium Water Utility Case Study was developed in 2003 as a simplified
way for small and medium utilities to undertake a VA. The methodology presented follows the same
process as the full RAM-W™, but pares it down based on lessons learned conducting large utility
VAs. The RAM-W™ Small and Medium Water Utility Case Study presents the concepts using the
fictional SmallCity Water District and provides worksheets for use in developing a utility's own VA.
Many small and medium wastewater utilities have found this case study approach to be a very
simple, efficient, and systematic method for conducting a VA.

EXHIBIT 1-12
RAM-W™ Process

Checklists
Several checklist-based approaches have been developed to assist utilities in assessing vulnerability.
The Asset Based Vulnerability Checklist for Wastewater Utilities, produced by the AMSA, provides a
means for walking through a utility's assets to identify potential vulnerabilities. Similarly, the
National Environmental Training Center for Small Communities (NETCSC) has developed a
workbook-type approach that is published in their Security Vulnerability Self Assessment Guide for
Wastewater Systems. In 2001, the EPA also issued its Water Protection Task Force Alert #IV: What
Wastewater Utilities Can Do Now To Guard Against Terrorist and Security Threats, which presents
measures for wastewater utilities to take to reduce their security risks. These abbreviated tools are
particularly suited for small utilities with relatively short lists of assets.

1.4.4 Evaluating and Reducing Risk
Risk is best evaluated as a function of the likelihood of an occurrence (probability) and the severity of
the occurrence (criticality). The risk of malevolent threats can be effectively compared by quantifying
both probability and criticality and calculating a risk score. For example, in a simple evaluation of
risk, if the probability is quantified on a scale of 1 to 10 with 1 being least likely and 10 being most
likely, and criticality is also quantified on a scale of 1 to 10 with 1 being not critical and 10 being
extremely critical, then an incident that is considered to be somewhat likely and that would cause
a great deal of havoc would be given a risk score of 50 (the product of probability (5) and
criticality (10)).

Calculating risk in this manner not only allows for a comparison of different threats based upon their
risk score, but also provides a basis for evaluating countermeasures that would be considered for
reducing risk. Risk reduction can be achieved by lowering either the probability of the event
happening or the criticality of the event, or both. By estimating the reduction in the risk score with
each countermeasure considered, and knowing the cost of implementing each countermeasure, a
cost-risk reduction analysis can be performed. This analysis compares the amount of risk reduction
per dollar invested, and can provide the utility with the information necessary to prioritize
countermeasures by optimizing risk reduction; that is, to reduce as much of the risk at the least cost.
As shown in Exhibit 1-13, a cost-to-risk-reduction curve can be generated, and a determination can be
made as to what measures should be implemented by identifying the "knee of the curve," or the
point at which the risk reduction associated with implementing additional costly security measures is

EXHIBIT 1-13
Typical Cost-to-Risk Reduction Curve
[Labels on the curve: Develop Emergency Response Plan; Develop Security Policies and; Improved Locks
and Door Hardware; Door Contact Alarms. Axis label: Reduction in Risk Score]

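
The scoring and cost-risk reduction analysis described above, worked through as an added example that is not part of the original guidance. The threat scores, dollar costs, and score reductions are constructed for illustration, and locating the "knee" as the point farthest above the straight line joining the curve's endpoints is an assumption; the document does not specify a method.

```python
# Added example, not from the guidance document. All threat scores, costs and
# countermeasure effects below are constructed for illustration.

def risk_score(probability, criticality):
    """Risk = probability x criticality, each on the document's 1-10 scale."""
    for value in (probability, criticality):
        if not 1 <= value <= 10:
            raise ValueError("scores must be between 1 and 10")
    return probability * criticality


def total_risk(state):
    """Sum of risk scores; state maps threat name -> (probability, criticality)."""
    return sum(risk_score(p, c) for p, c in state.values())


def apply_countermeasure(state, effects):
    """Return a new state with scores lowered; no score drops below 1."""
    new_state = dict(state)
    for threat, (dp, dc) in effects.items():
        p, c = new_state[threat]
        new_state[threat] = (max(1, p - dp), max(1, c - dc))
    return new_state


def prioritize(threats, countermeasures):
    """Rank countermeasures by risk reduction per dollar.

    Because risk is a product, the benefit of one measure depends on which
    measures are already in place, so the reduction is re-estimated after
    every selection. Returns (order, curve), where curve lists the
    (cumulative cost, cumulative risk reduction) points.
    """
    state, remaining = dict(threats), dict(countermeasures)
    order, curve = [], [(0, 0)]
    while remaining:
        base = total_risk(state)

        def per_dollar(name):
            cost, effects = remaining[name]
            if cost <= 0:
                raise ValueError("cost must be positive")
            return (base - total_risk(apply_countermeasure(state, effects))) / cost

        best = max(remaining, key=per_dollar)
        cost, effects = remaining.pop(best)
        new_state = apply_countermeasure(state, effects)
        gain = base - total_risk(new_state)
        if gain <= 0:          # nothing left that reduces risk
            break
        state = new_state
        order.append(best)
        curve.append((curve[-1][0] + cost, curve[-1][1] + gain))
    return order, curve


def knee_index(curve):
    """Index of the curve point farthest above the chord between its endpoints.

    Assumed knee-finding rule: both axes are normalised to 0..1, so the
    height above the chord is simply y_norm - x_norm.
    """
    (x0, y0), (x1, y1) = curve[0], curve[-1]
    if x1 == x0 or y1 == y0:
        return 0
    return max(range(len(curve)),
               key=lambda i: (curve[i][1] - y0) / (y1 - y0)
                             - (curve[i][0] - x0) / (x1 - x0))


# Constructed threats: name -> (probability, criticality).
THREATS = {
    "pump station vandalism": (7, 4),
    "chemical release": (5, 10),   # the 5 x 10 = 50 case from the text
    "control room intrusion": (3, 8),
}

# Constructed countermeasures: name -> (cost in dollars, {threat: (dp, dc)}).
COUNTERMEASURES = {
    "Develop emergency response plan": (5000, {
        "pump station vandalism": (0, 1), "chemical release": (0, 3),
        "control room intrusion": (0, 2)}),
    "Improved locks and door hardware": (20000, {
        "pump station vandalism": (3, 0), "control room intrusion": (1, 0)}),
    "Door contact alarms": (60000, {
        "pump station vandalism": (2, 0), "control room intrusion": (1, 0)}),
    "Intrusion sensors and cameras": (150000, {
        "pump station vandalism": (2, 0), "chemical release": (1, 0),
        "control room intrusion": (1, 0)}),
}

if __name__ == "__main__":
    order, curve = prioritize(THREATS, COUNTERMEASURES)
    knee = knee_index(curve)
    print("starting risk:", total_risk(THREATS))
    for i, (name, (cost, reduction)) in enumerate(zip(order, curve[1:]), 1):
        marker = "  <- knee" if i == knee else ""
        print(f"{i}. {name}: cumulative ${cost}, risk reduced by {reduction}{marker}")
```

In this constructed data set the last measure reduces the risk score by less than its listed effects suggest, because two probability scores have already reached the floor of 1 by the time it is applied.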
Along with security-related risks, wastewater utilities face a host of other risks that compete for
investments. When prioritizing security investments, utility managers may want to also consider
these non-security risks on a common scoring scale. Failures of major facilities or pipelines due to
obsolescence, effluent permit violations, and unexpected losses of key staff are examples of risks that
utilities must actively manage. A utility can put its security risks in context by conducting an overall
risk analysis addressing both security-related and non-security-related risks.
What this overall risk analysis may show is that, compared to the other risks that a utility faces, risks
associated with malevolent acts may rank relatively low. This is because, although the consequences
of a malevolent act could be very high, the probability of occurrence is likely to be relatively low. For
possible attacks from high-level threats such as terrorists, this is especially true given that (1) there is
no history of terrorist attacks against wastewater utilities in the United States, and (2) there are more
than 5,000 different wastewater systems for terrorists to target. Utilities that serve large cities could be
viewed as more likely terrorist targets than smaller systems (though some have argued that terrorists
may target smaller cities to demonstrate that "everyone is vulnerable"). Yet even in larger utilities,
risks from high-level threats may be low as compared to risks from low-level threats, such as vandals,
when there is a history of incidents involving low-level threats.7

1.5 Drivers for Security Improvements
Numerous factors drive wastewater utilities to assess the vulnerability and improve the security of
their facilities. Examples of these drivers are discussed in this section.

1.5.1 Regulatory Drivers
At the time of preparation of this document, there is no federal requirement for wastewater utilities
to conduct vulnerability assessments and/or implement security improvements.

1.5.2 Legal and Liability Issues
Wastewater utility managers may wish to consult an attorney on certain issues, including whether a
legal duty exists for the utility to conduct a vulnerability assessment in order to protect its employees
and/or the public.
More information on legal and liability issues can be found in AMSA's "Legal Issues in a Time of
Crisis Checklist."8

1.5.3 Organizational Mission
Most, if not all, wastewater utilities have adopted mission statements that formalize their
commitment to protecting the public health and the environment. Understanding the vulnerability of
the utility's facilities and services and protecting against threats is in concert with the mission and
goals of today's wastewater utility, some of which are as follows:
•   Provide collection and treatment of wastewater and combined sewage to protect public health
    and enhance the environment.
•   Collect and manage stormwater to protect property and the environment.
•   Provide a safe work environment for employees.
•   Provide reliable services and meet the expectations of customers.
•   Effectively and efficiently maintain the assets that are critical to the utility's ability to meet
    its mission.
7 It is challenging to quantify the probability of a high-level adversary attack given the absence of incident history, while it is relatively easier to
estimate the probability of low-level threats like vandalism given there is more likely to be an incident history from which to draw.
8 Association of Metropolitan Sewerage Agencies. 2002. Protecting Wastewater Infrastructure Assets...Legal Issues in a Time of Crisis

1.5.4 Multiple Benefits
Implementing security measures typically has beneficial impacts on a utility's operation other than
reducing the risk of malevolent threats. For example:
•   Background checks provide utility managers with knowledge that may help avoid workplace
    violence or theft, and possible embarrassment should an employee's past criminal record be
    exposed by the media.
•   Redundancy of unit processes provides greater operational flexibility to deal with flow variations
    and maintenance of equipment and structures.
•   Discontinuing the use of gaseous chlorine because it may be a target also eliminates the risk of
    adverse public health effects due to a leak in the chlorine system.
•   Installing automatic vehicle locating systems assists in locating stolen vehicles and can also
    improve service  efficiency because dispatchers can route the closest crews to a customer call.
•   Back-up generators provide improved reliability of service and reduce the likelihood of
    sewage overflows.
•   Physical protection through hardening of buildings and other structures may mitigate the risks
    associated with natural disasters such as hurricanes, tornadoes, earthquakes, and wildfires.
•   Securing manhole covers prevents persons from easily dumping septage, portable toilet waste, or
    other materials into the collection system.
•   Increased awareness and more frequent monitoring of the system improves the reliability of the
    utility's pretreatment program and is more likely to prevent unacceptable contaminants from
    entering the sewers or reaching the treatment plant.
•   Increased training and exercises improve employees' knowledge of the utility system and better
    prepare them to  respond to emergency situations, whether natural or malevolent.
•   Many countermeasures also contribute to mitigating the risks associated with the secondary
    effects of attacks or failures of other systems and processes that the wastewater utility depends
    upon (e.g., electric power network for the operation of facilities or the supply chain for the
    continued delivery of chlorine and other treatment chemicals and supplies).
•   Proactively focusing on security indicates that the utility is properly assuming the responsibility
    for maintaining public confidence and providing reliable service to the community.
•   Knowledge of vulnerabilities and risk provides utility managers with a sense of risk-based asset
    management, which can benefit capital improvement planning and eventually result in improved
    bond ratings.

1.6 Implementing a Balanced Approach to Security
The concept of a balanced approach to security involves more than higher and stronger fences, the
addition of guards, and the locking of doors. It also includes:
•   Policies, procedures, and checklists that allow for recognition of problems and specify proper
    ways to react to problems.
•   Planning for and training of personnel to observe, control, and respond to deliberate actions
    against the utility. Without staff commitment to security, which will require a cultural change in
    the way that business is conducted, physical security measures will not be effective.
•   Systems that are operated and maintained for depth of capability and ease of use and control,
    such as use of intrusion sensors, cameras, and other technology that can quickly detect intrusion
    and aberrations in operational parameters.
•   Proper response to mitigate actions designed to keep a utility from meeting its mission through
    service interruption, damage to the environment, and adverse impacts on public health.
•   The steps necessary to return to normal operations quickly, efficiently, and in a manner that
    allows everyone to learn and improve to avoid a future occurrence with the same impact to
A balanced approach also needs to be consistent with a number of other factors,  such as those listed
•   Design basis threat
•   Financial ability to pay for security improvements
•   Resources to operate and maintain security devices
•   Existing system redundancy
•   Political pressures
•   Sophistication of utility staff
•   Security policies of the utility's parent government (e.g., town, city, county, state)
•   Community restrictions

Managing for Reducing Risks

2.1 Introduction
Many of the lowest-cost and highest-value measures that a wastewater utility can take to reduce the
risks associated with malevolent actions are cultural changes within the organization, employee
training, stakeholder awareness, and policies and procedures that change business practices to help
to ensure a more secure workplace and safer facilities. While all utilities should make the
development of security-enhancing policies and procedures a priority, it is especially important that
smaller utilities and those with limited resources make the most of these low-cost actions, rather than
being frustrated by the inability to fund major infrastructure countermeasures.
This section provides concepts, strategies, and actions that wastewater utility managers should
consider when contemplating how to better prepare for both known and unknown challenges that
may arise.
2.2 Governing Body
The governing body of a wastewater utility, whether composed of elected or appointed persons,
makes policy and holds the ultimate responsibility to the utility's customers by ensuring proper
management of the wastewater system, including maintaining public health and protecting the
environment. From this standpoint alone, it is important for utility management to provide
governing body members with at least a high-level overview of wastewater system threats and
vulnerabilities, and management's approach to mitigating the associated risks to the system.
However, because it is likely that governing body approval will be required to implement policy
changes and physical security improvements that may impact capital and operations budgets, utility
managers should consider providing board members with more detailed information on wastewater
Possibly the biggest obstacle to implementing security measures will be convincing the governing
body that wastewater systems are indeed vulnerable. Utility managers might find the following
suggestions to be helpful for their discussions with governing body members:
•  Reference The 9/11 Commission Report that cites imagination as one of the failures revealed by the
   terrorist attacks.9
•  Have the local police chief or sheriff gain a thorough understanding of the wastewater system, its
   vulnerabilities, and the consequences that may result from a catastrophic event, and have that
   law enforcement officer assist in the utility manager's briefing.
9 The 9/11 Commission Report, National Commission on Terrorist Attacks Upon the United States, 2004

•   Describe the federal government's National Infrastructure Protection Plan for the water sector
    and the development of tools and guides by WEF, Water Environment Research Foundation
    (WERF), and AMSA to assist in the assessment of wastewater system vulnerabilities and in the
    reduction of security-related risks.
•   Use factual occurrences as examples—illegal dumping into a manhole that could have been
    gasoline instead of septage, or vandalism at a remote pump station that could have resulted in
    sewage overflows—to emphasize the importance of wastewater system security.
•   Clearly show how a security breach can impact public health, damage the environment, and
    place utility employees at risk.
•   Examine the effect of an incident for which the utility was unprepared on the credibility of the
    utility and the governing body.
•   Focus on opportunity cost versus the cost of not implementing security measures, including
    possible liability and regulatory action, should the utility not address obvious vulnerabilities or
    take reasonable security measures.
•   Provide the governing body with more than just the consequences; provide management's
    approach to responding to the challenges by realistically forecasting short- and long-term needs
    and their impact on resources (such as labor costs, other operation and maintenance [O&M] costs,
    and capital) as well as on developing funding alternatives.
While communication with the utility's governing body is imperative, utility managers must be
cautious about the security details that might be revealed in public forums. Therefore, discussions
about wastewater security with governing body members should be held privately if state and local
laws allow. These laws, sometimes known as sunshine laws, stipulate the type of discussions that can
take place with board members outside of public meetings and how many governing body members
can meet without public notification. Because sunshine laws vary from state to state, utility managers
should seek guidance from their legal counsels to ensure that the efforts to keep discussions about
security measures confidential do not violate the law. In general, at public meetings, utility managers
should refrain from long and detailed descriptions of security needs and measures. If governing body
members were briefed before the meeting, long, detailed discussions should not be necessary.

2.3 Customers and Other External Stakeholders
It is unlikely that wastewater systems are high on the list of public security concerns. Nevertheless,
utility managers should be prepared to respond to questions from customers, the media, and other
external stakeholders who may want to know if or why wastewater security is an issue and what the
utility is doing to reduce risks to infrastructure, persons, and service. External stakeholders may
include community organizations and environmental activists who are interested in the
countermeasures that the utility may have to prevent or mitigate the effects of a chemical release,
disruption of service, and the pass-through of dangerous substances through the treatment facility
and into receiving waters or reclaimed water systems. Other external stakeholders may be
government agencies, elected officials, and business owners who want assurance that the utility has
taken the appropriate steps to maintain service during natural or malevolent disasters.
Unlike other utility matters, proactive communications with all customers and external stakeholders
about security measures may not be necessary or even desired due to the confidential nature of the
subject. However, the utility should initiate discussions about wastewater security with a few
categories of external stakeholders to improve the planning and implementation of countermeasures
and emergency response.
Reclaimed water customers are one category of external stakeholders that need to be briefed on the
risks associated with wastewater system vulnerabilities that might result in a change in reclaimed
water quality. Likewise, these customers should also be provided with an overview of the steps that
the utility has taken to prevent contaminated effluent from being pumped into the reclaimed water
system, as well as guidance as to whether an alternative supply is available for cooling water,
irrigation, or other critical uses if the reclaimed water supply must be suspended.
Wastewater utility managers should also initiate discussions with wholesale customers—those cities,
counties or companies that operate satellite wastewater collection systems that discharge into the
utility's system. Utility managers should insist, or at least strongly encourage, that these wholesale
customers protect their collection systems with the same level of security as the utility is protecting
its own collection system. Any new or renewed wholesale agreements should include requirements
for the wholesale customer to institute countermeasures to mitigate risk to the utility's
wastewater system.
Implementation of security measures is likely to have
substantial impacts on wastewater system budgets,
both capital and operating. Whether the utility will
fund security projects from debt sources or net
revenue, pressure on wastewater rates may
necessitate a rate increase. Thus, utility managers may
need to inform customers of the importance of
security measures to providing uninterrupted service
and protection of public health and the environment,
without revealing significant details about the
approach to security or specific countermeasures.
Wastewater utilities may want to consider a specific
surcharge on the base wastewater rate to fund
security projects. A security surcharge was
successfully implemented by the City of Atlanta's
Department of Watershed Management in 2004.10
City of Atlanta - Ordinance 03-0-2212
SECTION 7: (a) That the imposition of a surcharge shall be placed on all domestic, commercial,
industrial and other users of the City of Atlanta Water and Wastewater System to pay for the cost to
implement the security and infrastructure requirements as described in the Safe Drinking Water Act
and Public Health Security and Bioterrorism Preparedness and Response Act. (b) that for purpose of
this ordinance, the surcharge will be described as the "Water and Wastewater Systems Security
Surcharge." (c) that the Water and Wastewater Systems Security Surcharge shall be $0.15 per
hundred cubic feet for all billing cycles beginning on and after January 1, 2004. Funds collected from
the surcharge shall be deposited in a fund separate and distinct from other funds of the Water and
Wastewater System.
Enacted January 2004
10 City of Atlanta - Ordinance 03-0-2212


Utility managers should discuss the seriousness and sensitivity of wastewater system security with
union leaders. Such communication can lead to a more unified approach to security among
management and labor, and may help in identifying threats more apparent to employees than to
Proactive communications with other wastewater utilities, regulatory agencies, and first responders
are also important to developing and maintaining a secure system, as described in Section 2.10.

2.4 Human Resources
While policies, operational procedures, and security equipment are important aspects of securing
wastewater utilities, these items will have little effect if utility personnel are not aware of and
concerned about their roles in ensuring utility security.

2.4.1 Organizational Culture
Every organization has a culture that drives employee behavior, guides decisions, affects
productivity, and influences how the organization is perceived from both inside and outside. Over
the past several decades, wastewater utilities have worked diligently on instilling safety and
environmental stewardship as core values of their organizational culture. More recently, many
wastewater utilities have also cultivated a sense of efficiency and customer satisfaction into their
organizational culture. Now, with the threats faced by all public infrastructure sectors, it is
imperative that wastewater utilities also introduce security into the culture of the organization.
Employees are "insiders;" they have unique knowledge of the wastewater system's infrastructure,
processes, and vulnerabilities. They are authorized to access both facilities and information, and they
are located throughout the utility's service area. Thus, employees can play a vital role in ensuring
that the wastewater system is kept secure through heightened awareness and adherence to policies
and procedures. To gain employee buy-in, a good place to begin is with security awareness training
for all employees. This training should provide an overview of the vulnerabilities faced by
wastewater utilities and the threats against which the utility must be protected. Employees should be
provided with an explanation of new and proposed security policies and should be instructed on
how they can assist in reducing security risks.
To ensure security concepts are integrated into the organizational culture, utility management must
also emphasize security in all its actions and communications. Some suggestions include:
•  Discussing security with the staff during formal and informal meetings.
•  Making security an agenda item at every staff meeting.
•  Ensuring that employees receive adequate security training (see Section 2.5).
•  Developing security policies and procedures and enforcing them consistently and equitably.
•  Creating a position of utility security officer, or expanding the responsibilities and authority of an
   existing position (e.g., safety officer).
•   Ensuring that the individual(s) assigned responsibility for security are also provided the
    appropriate authority to correct shortcomings and take necessary actions.
•   Including articles on security in internal newsletters.
While employees can provide valuable security improvements throughout a utility, as "insiders"
they can also prove a great threat if their access to facilities and information is used with malicious
intent. Consequently, wastewater utility managers should take measures to mitigate the risks posed
by new employees, existing employees, and former employees. However, there are numerous
federal, state, and local laws that pertain to employee rights and the employer-employee relationship
that will determine the security measures that can and cannot be taken when employees are involved,
and when hiring or terminating employees. In addition, bargaining unit agreements will
undoubtedly address employer-employee relations and may restrict the employer's use of
otherwise lawful security measures. Therefore, it is imperative that the utility's legal counsel be
consulted before any security measures involving employees, including those discussed below,
are implemented.

2.4.2 Background Checks
Basic background checks of applicants for utility positions should be standard practice. At a
minimum, such background checks should include confirming past employment, education,
professional certifications, and references, as well as any facts available through public records.
Advertisements and notices for positions should include a statement that background checks are
required, and applications for employment should include a waiver whereby the applicant allows the
background check and also authorizes the applicant's former employers to speak with the utility.
Background checks should be completed before any job offers are made. If lawful, and if consistent
with bargaining unit agreements, background checks, with periodic reviews, should also be
conducted for current employees, especially upon promotion to a position with fiscal responsibilities.
Consideration should also be given to expanding the background check to include criminal and other
records such as driver's license, worker's compensation, military service, credit history, and possibly
character references. However, there may be significant legal restrictions and liability associated with
such enhanced background checks. Whatever level of background checks is conducted, it is
imperative that the utility maintains consistency for all applicants or for all those who apply for
specific positions.
It should be noted that criminal background checks are sometimes incomplete or erroneous and may
need to be confirmed through other channels, if possible. Local law enforcement agencies may only
have criminal records of those persons living or convicted within their jurisdiction. On the other
hand, national databases may not contain information from cities and counties unless such data
were input specifically into the national system. Similarly, credit records may be both incomplete
and inaccurate.
Utility managers should consult with their local law enforcement agencies to determine the most
reliable method for obtaining the background checks for applicants and, if appropriate, employees.
Frequently, local law enforcement officials will provide the background check service at minimal
cost, or assist the utility in finding a reasonably priced and dependable service provider. However,
the utility manager is reminded to seek advice from legal counsel before proceeding with any
background checks.
A more thorough discussion on the subject of background checks is contained in the AMSA
publication entitled, "Legal Issues in a Time of Crisis Checklist."11

2.4.3 Identification Badges
Employee identification (ID) badges provide instant verification of whether individuals are
authorized to enter, unescorted, a utility's facility or handle utility equipment. Regardless of how few
workers a utility employs, ID badges should be provided. Smaller utilities can have custom photo ID
badges produced for less than $10 each plus a one-time setup charge of less than $100.
Multiple Benefits: In addition to increasing accountability and improving security, photo ID badges
can also help new employees get to know each other's names.
•  All employees, including temporary and part-time employees, interns, and volunteers should be
   issued photo ID badges.
•  ID badges should be worn at all times while working at utility facilities and utility job sites. The
   badges should be worn above the waist so that they are visible whether the person is sitting or
   standing.
•  Office employees may use a clip to secure their badges or hang them from a lanyard around their
   neck as long as the lanyard is equipped with a snaphook release to prevent choking if the tag gets
   caught.
•  Field employees should secure their ID badges by wearing them in a protective see-through
   pouch sewn into their uniform shirt.
•  Color-coded badges can be used to alert others if employees are in an area that they are not
   approved to be in and can deter employees from straying into restricted areas.
•  ID badges should contain an up-to-date color photo of the employee, along with an expiration
   date. Both the photo and date of expiration, and color-code if used, should be visible from a
   distance of several feet.
•  Should the appearance of an employee dramatically change, a new ID badge with an updated
   photo should be issued.
•  ID badges should expire no more than 2 years after the date of issue. Temporary employees,
   interns, and probationary employees should be issued ID badges with expiration dates that
   correspond to the projected end of their employment or probationary period.
11 Association of Metropolitan Sewerage Agencies. 2002. Protecting Wastewater Infrastructure Assets. ..Legal Issues in a Time of Crisis


•   If resources permit, ID badges may contain security features such as holograms, watermarks,
    magnetic strips, or radio frequency identification (RFID) devices that permit access to designated
    areas and track locations of employees. See Section 6.3.3 for more information on this type of ID
•   Employees who forget their badges or are visiting locations where they are not authorized to be
    as part of their normal duties should be issued temporary ID badges. Such badges should, at a
    minimum, be time-sensitive or light-sensitive so that the "age" of the badge is indicated by an
    obvious change in their color. Time-sensitive and light-sensitive badges are available for less than
    $0.25 each. In addition or as an alternative, authorized personnel may escort employees visiting
    locations outside of their authorized area.

2.4.4 Employee Surveillance
Enhanced awareness by all employees is important to reducing security vulnerabilities in the
workplace. Security training should instruct employees on the type of activities that should raise
concern and how they should respond. Some utilities have taken a low-cost approach and
implemented a buddy system for entry into critical facilities. However, to make this system effective,
some type of recognition hardware needs to be in place, such as cameras or access entry readers.
Biometrics and RFID devices can also be used to track employees' whereabouts (see Section 6.3.3).
"Man-down" alarms, which require an operator to confirm his location by pressing a button or
calling an operator in specified intervals, can also reduce the risk of workplace vulnerabilities while
improving employee safety. This can be particularly important on overnight shifts or other situations
in which only one operator is present.
Multiple Benefits: Techniques that monitor employees' whereabouts improve their safety while
reducing the risk from insider attacks.
Supervisors should be taught the types of employee behavior that may indicate a threat to the
organization or other employees. However, monitoring of employee activities at their workplace may
be subject to federal and state privacy laws, as well as bargaining unit agreements. In general, it is
acceptable to routinely monitor employee use of electronic media, such as e-mail and Internet
surfing. Monitoring of employees through closed-circuit television (CCTV) cameras is also typically
acceptable, as long as the cameras are visible to employees. One important prerequisite of employee
surveillance is notifying employees that they are being monitored; otherwise, the employees may
have a reasonable expectation of privacy in their work area, and the utility may face legal challenges
to this policy.

2.4.5 Employee Response
Effective reaction to, and recovery from, natural or malevolent events depends upon a rapid and
thorough response by a knowledgeable and experienced workforce. Emergency response is explored
further in Section 7. Utility management should work with its staff to develop policies and
contingency plans to address problems that employees may have traveling to utility sites and
facilities during and after an incident. Staging areas and employee reporting procedures (e.g., roll call
by radio or telephone) should be established.
Management should also be cognizant that employees may decide to remain at home with their
families or evacuate from the vicinity if a disaster should occur, thereby leaving the utility without
needed labor and expertise. Utility management may want to consider developing a family
shelter/evacuation plan that will provide employees a level of confidence that their families are safe
while they respond to their duties at the utility. Such an employee-centric and family-friendly
approach is critical to achieving buy-in from employees who would be facing tough decisions in a
Human resource policies should address the excuses that will be considered acceptable for an
employee not responding to work during an incident or if a severe terrorist advisory is declared, and
the action that will be taken for non-excused absences. It is important to note that such policies
should be created and applied with a thorough understanding of the utility's legal responsibilities
governing employee leave, including relief allowed employees under the Americans with
Disabilities Act.
Additionally, consideration should be given to storing several days' supply of non-perishable food
along with bottled water should a facility lock-down (employees not being allowed to leave a facility)
be necessary. Unused food and water can be donated to a food bank at the end of every year.

2.4.6 Contractors
It is important that utility managers consider not only their own employees as a potential insider
threat, but also contractors (including engineers and manufacturer representatives and others) who
may have access to utility facilities and information at any given time.
Suggested contractor security procedures include:
•   Establishing an effective sign-in and sign-out procedure (e.g., requiring a photo ID that matches
    the individual and his or her signature) and limiting access to sensitive areas (such as chemical
    areas and SCADA controls).
•   Requiring visitors to sign in and wear a visitor badge so they are easily identified. All visitor
    badges should be returned at the end of the day.
•   Requiring escorts if physical barriers are not present.
•   Limiting use of private vehicles on the construction site.
•   Evaluating the environmental, health, and safety record of contractors before signing contracts
    and considering offering environmental health and safety training to contractors onsite.
•   Issuing "contractor" ID badges that are returned upon the completion of the contractor's work.
•   Performing background checks on contractor personnel assigned to project sites. While this is
    sometimes a difficult activity, it should be considered depending on the situation.
•   Limiting access to sensitive areas (such as chlorine, ammonia, and SCADA).


In addition, for construction contractors, the following could be considered:
•   Locking construction gates at end of the day and when not in use, using interlocking padlocks
    with utility locks.
•   Evaluating potential misuse of heavy equipment and taking appropriate measures.
•   Considering ways of securing the heavy equipment each night.
•   Considering additional fencing and separate entrance, separate parking areas, and guards to
    coordinate construction staff.

2.5 Training
To ensure that a security program is effective, staff must be trained in many aspects of security and
emergency response. With improved security actions comes a new culture for wastewater and
stormwater professionals. This section discusses types of training and training resources important
for utility staff.

2.5.1 Types of Training Sessions
Exhibit 2-1 lists training relevant to all wastewater and stormwater utility personnel. If a particular
training is more critical for one group of personnel, the group is listed in the Notes column. Training
that is associated with emergency response (e.g., table-top exercises and incident command systems)
is discussed further in Section 7.6.

2.5.2 Location of Training Exercises
Many state and local resources are available to conduct, and sometimes fund, training for utility staff.
When considering training, it is a good idea to check with local police and fire departments, local
emergency planning agencies, local health departments, and the Red Cross to inquire about available
training. Also, nearby utilities may want to share in training sessions and contribute funding.

2.5.3 Cross-training
Training staff members in skills outside of their normal duties may be prudent so that more staff are
available to perform needed tasks in times of emergency. For example, operators should understand
basic maintenance of pumps, motors, and electrical components. Likewise, maintenance workers
should understand the basics of treatment plant and pump station operations. A cross-training
program should involve treatment plant workers spending time with and learning the skills of
collection system workers, as well as gaining knowledge of the system's pump stations. This type of
program also provides a more flexible workforce that will not only improve response during an
emergency situation, but will also allow for improved efficiencies during normal operations.
Planning for a cross-training program should involve the utility's bargaining union and human
resource professionals.
A staff that is cross-trained in more than one skill will increase operational efficiency through a more
flexible workforce by reducing down-time and the need to reschedule staff. Cross-training also
prepares a … for succession as employees leave or retire.

Exhibit 2-1 (training table). The exhibit is only partly legible in this copy: the training titles and
column headings are lost, and "…" marks cell text that is cut off. The legible cells for each training
are listed below under descriptive labels.
•  Objective: To provide care to …
   Description: Teaches the steps to baby, child, and adult CPR. Learn basic first aid to provide
   initial care to an injured …
   Training provider: The Red Cross; …; City/County Safety …
   Notes: Beneficial to have … person certified at a …
•  Objective: To understand the operations and limits of …
   Description: Provides background on how the machine works and a skills test on how to use the
   equipment.
   Training provider: Vendors; Consultants; Safety Coordinator.
   Notes: For those employees … specific equipment.
•  Objective: To effectively use a fire extinguisher and … fire types with the …
•  Objective: To use on-line … equipment throughout …
   Description: Teaches use and maintenance of specific monitoring equipment.
   Training provider: Vendors; Operating …; SCADA Operators.
   Notes: For water quality staff … treatment plant …
•  Objective: To know the capabilities and operations of an 800 MHz radio.
   Description: Teaches the operations, channel, code, and general maintenance of the radio;
   practice using a radio.
   Training provider: Local Emergency … Agency; Police; Fire
   Notes: Managers or operator… to using the radio …
•  Objective: To teach how to use … types of safety … company and OSHA …
   Description: Teaches various types of equipment that exist, their uses, capabilities, and
   limitations (e.g., breathing …
   Training provider: City and County …
•  Description: Fulfills HAZWOPER training required under 29 CFR 1910 for personnel who handle,
   ship, or dispose of hazardous materials, or who are assigned to emergency response teams for
   hazardous materials. Initial and annual training is required.
•  Objective: To provide general emergency management courses offered on FEMA's Emergency
   Management Institute training campus.
   Description: Provides a concentrated emergency training experience.
   Training provider: Held at FEMA's Emergency Management Institute Training Facility in
   Emmitsburg, MD
   Notes: Managers and … in an emergency; … available from FEMA … see the FEMA …

2.5.4 Staff Motivation
Staff often complain about attending training sessions, especially when their daily jobs are busy.
There are several incentives to help motivate staff to attend training:
•   Certification toward professional development hours
•   Favorable employee evaluations
•   Further career goals/personal development
•   Lunch provided during a training session

2.6 Financial Considerations
When looking to improve security, financial considerations are critical to successfully reducing risks.
Key areas, which are described in more detail in the remainder of this section, include developing
Capital Improvement Plan (CIP) programs that adequately support security needs. To sufficiently
fund security programs, utilities must develop a diversified strategy for funding both capital and
operating needs that decision-making bodies and customers can support.
•   Developing funding programs to support operating fund needs.
•   Developing funding programs that decision-making bodies and customers can support.
•   Developing a diversified strategy for funding both capital and operating needs.
•   Integrating Government Accounting Standards Board Statement 34 (GASB 34) considerations
    with the CIP for security and reporting purposes. (See www.gasb.org for latest requirement

2.6.1 Developing CIP Programs that Adequately Support Security Needs
To accomplish security objectives, wastewater utilities need to sustain existing facilities at a
functioning level. In addition, they may need to build additional facilities that have been identified
through vulnerability assessments and other related evaluations as key to improving security. The
measures to improve security take a variety of forms, such as providing redundancy where it
currently may not exist, improving the flexibility and management of existing facilities, and securing
access to critical facilities.
Having an adequate CIP and funding program is essential because security-related projects often
compete with other capital projects, such as:


•   System growth requirements. Many wastewater systems with growing and developing
    population bases need to spend substantial funding on capital projects that expand treatment
    capacity or extend collection system networks to new areas.
•   Correcting deficiencies not related to security. Many utilities have neglected aging assets.
    Inventory work and condition assessments conducted as part of asset management programs
    have, in many cases, quantified the need for action to make up for past neglect.
•   Regulatory mandates. Wastewater utilities must comply with new regulations promulgated by
    the EPA and state regulatory agencies, as well as specific permit conditions that may require
    capital investments in new equipment or facility upgrades.
•   Renewal and replacement. Well-managed wastewater utilities proactively plan to spend a steady
    amount on the orderly renewal and replacement of aging system components. While these
    projects contribute to the overall integrity of the systems in the long run, in the short run the
    funding for these projects may compete with specific security-related investments that have high
These competing considerations make it increasingly important for wastewater utilities to have
sound processes for identifying, prioritizing, and implementing their capital improvement plans.
Traditionally, many wastewater utilities have identified required projects but have not prioritized the
projects or documented how the projects relate to key goals and objectives of the utilities.
Increasingly, utilities are turning to more systematic decision-management methodologies, e.g., an
asset management approach where risks associated with security vulnerabilities are ranked on the
same scale as risks associated with infrastructure failure, regulatory non-compliance, and the
inability to meet service levels. Projects that reduce risks are ranked in order of the greatest risk
reduction per unit cost.
Another systematic approach to ranking projects is to identify and weigh criteria, then explicitly
"score" the performance of candidate projects. In such systems, security considerations could be
explicitly recognized as criteria and weighed in relation to other competing priorities. Cost-benefit
relationships can then be developed. In this way, the decision-making process considers the efficiency
of candidate projects toward meeting fundamental agency objectives, such as security. By selecting
the projects that most efficiently contribute to stakeholder goals, it is possible to identify a 5-year, 10-
year, or 20-year series of capital expenditures that maximizes the value of security and other goals
within identified annual levels of capital expenditure. The Capital Planning Strategy Manual12 includes
instructions and tools for implementing such methodology.
12 American Water Works Association Research Foundation (AwwaRF) and AWWA, 2001


2.6.2 Developing Funding Programs to Support Operating Fund Needs
Developing a funding program that supports the operating funds of a wastewater utility is also
critical to reducing risks related to security. Defining and securing stakeholder and governing body
support for operating budgets supports risk reduction in a number of ways. The labor budget (or
contract budget where operations are performed through a private vendor) literally provides the
funding support for the crews that maintain, operate, and monitor the wastewater utility's assets.
Inadequate labor budgets present several labor-related risks, including:
•   Possibility of facility breakdowns (e.g., a break in a major collection system segment) that escalate
    into emergency situations because the situations go undetected during the period in which there
    is still an opportunity for recoverable intervention.
•   Risk that power failures, software system failures, computer viruses, or other system failures will
    go undetected if there is inadequate or insufficiently trained staff to monitor and react to these
    types of threats to security.
In addition to providing the labor required to adequately staff the system, the operating budget
contributes to risk reduction/security enhancement by providing funding for operations and
maintenance of security systems, as well as general equipment and supplies needed to keep the
system running in proper working order.
Beyond these basic labor and equipment/supply considerations, the operating budget contributes to
risk reduction and security by providing funding for the following line items:
•   Operating reserves. It is suggested that a minimum of 45 to 60 days' worth of the operating
    budget needs to be set aside in reserve so that utilities can make payments required to stay in
    business in the event of a crisis. In some cases, as much as 90 to 120 days' worth of operating
    budget is needed, especially if revenues are received semiannually or annually via property tax
    billing, or if an interruption in mail service delays receipt of customer payments by the billing
•   Contingency account. Consider annual funding of a contingency line-item in the operating
    budget that would provide for the payment for costs incurred during an emergency (e.g.,
    overtime, contractor services, tanker truck rental, hauling services, and other incident-related
    response actions).
•   Petty cash. Cash on hand is needed to support immediate needs for funding emergency activities
    or to allow transactions with customers or vendors that do not have access to alternate payment
    tools such as credit cards for purchasing minor equipment and supplies.
•   Debt service coverage. Many wastewater utilities fund at least a portion of their capital programs
    through municipal bonds or state revolving fund (SRF) loans. In most cases, these funding
    vehicles require that net revenues for the utility be adequate to provide some level of coverage
    (typically between 1.10 and 1.25) above the annual debt service payments. For utilities with
    substantial outstanding debt, the coverage amount can represent millions of dollars. Wastewater
    utilities that do not provide adequate operating budgets to satisfy the coverage provisions for
    their bonds run the risk that their credit ratings will decline and that they will not be able to incur
    additional debt for security-related capital projects. In addition, bond covenants often require
    that utilities also maintain specific minimum amounts in reserve accounts such as debt service
    reserve funds and emergency reserve funds.

2.6.3 Developing a Funding Program that Governing Bodies and Customers Can Support
 In addition to developing budgets that reasonably support the capital and operating funds needed to
 improve security, wastewater utilities need to develop budgets and funding programs that their
 governing bodies and customers will support. To gain support from governing bodies, utility
 management increasingly needs to be able to document that:
 •   Proposed capital programs are justified (i.e., supported by a prioritization process such as a
    vulnerability assessment, and integrated with other capital needs through an asset management
    program such as the one described in Section 2.6.1, "Developing CIP Programs that Adequately
    Support Security Needs," above).
 •   Proposed rate and fee structures are equitable and supportable.
 •   Proposed financing plans for capital programs are optimal. For example, governing bodies
    increasingly want an evaluation of several financial planning scenarios (e.g., level of bonding vs.
    equity funding, level debt structure vs. balloon payments toward the end) to ensure that the
    selected path is consistent with the utility's goals and objectives.
 •   Adequate outreach to all segments of the customer base regarding any proposed rate increases or
    changes in the rate and fee structures has been performed.
 Governing bodies increasingly want to see the value proposition in their overall planning process.
 Instead of just performing a standard rate or revenue requirements study, utility systems are
 increasingly deciding to conduct strategic or business planning studies that consider the merits of
 expanding or contracting the activities that are conducted by the utility.
Customers and other stakeholders are increasingly sophisticated in their attention and interest in
wastewater rate and financial considerations. To obtain support for rates and charges that support the
capital and operating funds required to reduce risks, utilities need to demonstrate to their customers that:
•   Proposed rates and charges are fairly divided among the system's customers and customer classes.
•   Rates and charges are affordable in light of income within the community and in comparison with
    rates and charges in neighboring communities.
•   Proposed spending by the utility is justified.

Multiple Benefits
Developing a sound justification for capital expenditures and a financing plan that earns buy-in from a
utility's governing body is just good business practice. Following these steps leads to ease of
implementation, not only for security projects, but for an overall CIP program.

2.6.4 Funding Sources
Many sources exist that can provide grants and loans to utilities to assist in security and emergency
response needs. Federal monies are typically funneled through state agencies, often to regions. For
example, funding is available from the Department of Homeland Security and FEMA through state
emergency management agencies. In years past, emergency management funding was typically
awarded to first responders; today, utilities across the country are part of this funding. It is prudent
for a utility to contact its regional emergency management agency to discuss emergency and security
needs and to inquire about available funding.
The following list provides sources of grants and loans that may be available. Note that for FEMA
funds, utilities would have to apply through their associated state agency.
•  The Pre-Disaster Mitigation Program (PDMP) (www.fema.gov/fima/pdm.shtm).
•  Multi-Hazard Mitigation and Terrorism Prevention (MHMTP)
•  The Hazard Mitigation Grant Program (HMGP) assists states and local communities in
   implementing long-term hazard mitigation measures following a major disaster declaration
•  Clean Water State Revolving Fund (CWSRF) programs provided about $4 billion annually in
   recent years to fund water quality protection projects for wastewater treatment, non-point source
   pollution control, and watershed and estuary management. States may also provide loans for
   security related improvements through the CWSRF
Additional information on funding can be found in the Catalog of Federal Domestic Assistance
(CFDA) at www.cfda.gov.

Small Utility Tip
The Hardship Grants Program for Rural Communities (HGP) provides assistance to communities with
populations of 3,000 or less at http://www.epa.gov/owm.

2.7 Records Management
Our society's thirst for information, as well as the ease of transmitting and duplicating that
information in this technological age, makes it extremely challenging for utilities to control sensitive
documents. Since September 11, 2001, there has been an increasing understanding of the need to
manage sensitive information, but, as with many areas discussed in this document, it is still a
balancing act between convenience and security. It is often necessary to distribute documents, both
internally and externally, but there are steps that can be taken to maintain better control.
Utilities should recognize that plans, maps, and specifications can serve as roadmaps and planning
tools for potential adversaries. To maintain the security of their systems, it is critical that utilities have
policies in place that specify the documents that should be declared sensitive, and that utilities
manage their documents and records so that sensitive documents remain in a secure environment.

Utilities should consider developing levels of document security ranging from documents that are
non-sensitive and available to the public without restriction to those that are highly sensitive and
should be available only to limited staff and maintained in a highly secure environment. Examples of
records and material that may be considered sensitive include:
•   Vulnerability assessments, including all supporting documents and files
•   Emergency response plans and disaster recovery plans
•   Audit records related to security
•   Security and emergency response training materials
•   Plans and specifications for security systems
•   Security incident reports
•   Engineering record plans and specifications of treatment plants, pump stations, collection system
    sewers and other collection system facilities
•   O&M manuals
•   Personnel records
Recommendations for securing sensitive documents include:
•   Providing access to sensitive project materials to authorized staff only.
•   Preventing transmission of sensitive material electronically (e.g., via e-mail and downloading
    from servers). For information that must be transmitted electronically, include a confidentiality
    notice, such as:
       Confidentiality Notice: This e-mail and any files transmitted with it are confidential and intended
       for the sole use of the individual(s) to whom they are addressed. If you have received this e-mail in
       error, please delete the original message from your system and destroy any copies.
•   Maintaining all electronic copies of sensitive material on a password-protected secure server, and
    allowing only authorized staff to have access to this folder. (See Section 5, "Cyber Security," for
    additional information regarding the precautions that should be taken to prevent unauthorized
    access of electronically stored documents.)
•   Carefully monitoring information that is put on public web sites. As part of community outreach,
    it has been common for utility maps and facility information to be available on web sites, but this
    produces a security risk. If the utility's information is included on a municipal web site,
    coordinate with the municipality staff to ensure that sensitive information is not publicly
•   Requiring management authorization or approval to publish information on public notices, web
    sites, and flyers.
•   Shredding all discarded working copies (subject to state and local laws) and maintaining only the
    minimum number of hard copies required. Shredding should take place onsite and should not be
    contracted to an outside vendor.
•   Keeping all hardcopies of sensitive material in locked metal file cabinets with locking bars such
    as those specified by the Federal General Services Administration [GSA] - minimum Class 5
    security containers. (See GSA specification AA-F-363D for more information.) Only authorized
    project team members should have access to these containers.
•   Storing and retrieving documents.
•   Archiving and storing documents long-term.
•   Implementing clear-desk and clear-screen policies.
•   Segmenting documents to allow wider distribution of non-sensitive information, while sensitive
    portions are restricted to authorized staff only. For instance, engineers who need information from
    the utility's VA to procure and specify equipment for security improvements may not need to
    view the entire VA. Allow only designated individuals to view the entire VA and give other staff
    members only the portions needed to do their jobs.
Utilities should consider how information about their facilities is distributed to potential contractors,
consultants, and other outside agencies and organizations. Recommendations for securing
documents in these instances include:
•   Limiting the general information provided in contract drawings and specifications to the
    minimum required to produce an adequate bid. Other information can be provided on a need-to-
    know basis once a contract is awarded.
•   When it is necessary to give sensitive documents to contractors, regulators, and outside agencies,
    attaching a confidentiality clause that declares that documents should not be reproduced nor
    given to others without authorization. The confidentiality clause should be present on all pages
    of a document, not just the covers.
•   Prior to distributing sensitive documents, verifying the identification of the recipient and
    determining whether the need for the document is valid.
To ensure that project materials are kept confidential at all times on consultant and contractor
projects, a clear project chain of command that is followed rigorously can help to ensure that
information is exchanged only as specified. Consider isolating all electronic project working files in a
secure, encrypted project library with access provided only to authorized users with appropriate
levels of password protection. Also, periodic security surveys can help to ensure that all internal staff
and external agencies and consultants are following the security procedures.
Regulatory agencies also hold a large amount of information on wastewater utilities through the
compliance reports and documents they require. Utilities should schedule a meeting with state
regulatory agencies so that they are aware of the information that the regulatory entity will hold
confidential and what will be released to the public. This information will assist utilities in
determining the depth of the information they submit (within their control) and also educate the
regulators on the potential sensitivity of the information.

Because public agencies are subject to laws such as the federal Freedom of Information Act (FOIA)
and state public records acts, it is important to establish measures to prevent sensitive documents
such as VAs or security plans from being subject to public requests. An exemption for security-
related information was added to the federal FOIA law and was included in the Public Health Security
and Bioterrorism Response Act of 2002, which required water utilities to conduct vulnerability
Because state laws are generally not superseded or limited by federal law, utilities in some states
cannot rely on the federal FOIA exemption to protect sensitive information. Many states have added
special provisions into their laws to exempt security-related information. Utilities should contact the
appropriate state agency to learn about state rules regarding public records. A summary of security-
related FOIA and state public records act exemptions can be found in "Protecting Water System
Security Information" by the National Conference of State Legislatures (2003) or State FOIA Laws: A
Guide to Protecting Sensitive Water Security Information by the Association of Metropolitan Water
Agencies (AMWA).
Finally, it is imperative that all information critical for effectively responding to emergency situations
and for rapidly recovering from disasters be maintained in both hardcopy and electronic format.
When power is interrupted and battery supplies on laptops expire, a hardcopy of important
documents must be available. On the other hand, should a malevolent event result in paper
documents being destroyed or unusable, electronic copies will be invaluable.

2.8 Policies and Procedures
Simple changes in policies and procedures at a utility can often have just as great an impact on risk
reduction as capital improvements or installation of security devices. Policy and procedure changes
are generally quick to implement and low in cost, making them an extremely effective way to
improve utility security. The key to the success of any such change is to make sure that the staff
understands and accepts the new policies and procedures. While the development of utility policies
is well within the purview of management, consideration should be given to having employee teams
develop procedures that support and complement the policies. This type of employee involvement
can encourage staff buy-in. It is also important to remember that policies or procedures can only be
effective if they are well known to the staff and are consistently and fairly implemented.
The following is a partial list of policies that can be developed to improve security within the utility.
•  Vehicle and Heavy Equipment Policies
   -  Definition of authorized use, especially in emergency situations
   -  Circumstances under which vehicles and equipment can be taken home
   -  How and where vehicles and equipment are to be parked or stored
   -  Requirements for locking vehicles and securing equipment
•   Facility Access Policies (see also Section 3)
    -  Key, card key, and lock control
    -  Limiting access to facilities or portions of facilities by security level
    -  Handling of visitors, tour groups, vendors and deliveries, chemicals, construction materials,
       packages, mail
    -  Construction site security
    -  Alarm and CCTV monitoring protocols
    -  Guard service
•   Information Access Policies (see also Section 5)
    -  SCADA
    -  Management information system, laboratory information management system, computerized
       maintenance management system, financial information system, etc.
    -  User name assignment and password protection
    -  Internet and intranet use
•   Materials Management Policies
    -  Responsibilities and authorities
    -  Inventory frequency
    -  Emergency purchasing authorization
The content of the policies should be decided based on the DBT determined from a utility's VA and
the information presented throughout this document. Utility policies, and the procedures that
support them, should be tied to the U.S. Department of Homeland Security's Threat Advisory System
(or similar state system) so that more stringent security measures are put in place as the threat
condition (i.e., green, blue, yellow, orange, red) increases.
Examples of policies can be found in the document entitled, Site Security Guidelines for the U.S.
Chemical Industry.13

2.9 Procurement
The procurement of equipment and services can involve complex policies and procedures to assure
open competition and transparent processes. Such policies and procedures can be especially
burdensome under the stress and time constraints of a security incident or other emergency.
Requirements for public solicitation of bids may potentially jeopardize a utility's security when such
solicitation is for security equipment or security-related construction. Consequently, utility managers
should consider adopting policies that will facilitate procurement under emergency situations and
provide confidentiality of security measures to be employed by the utility.
13 Site Security Guidelines for the U.S. Chemical Industry, the American Chemistry Council, the Synthetic Organic Chemical Manufacturers
Association, and The Chlorine Institute, Inc., 2001.

2.9.1 Emergency Procurement
To undertake rapid and effective response to and recovery from catastrophic events, it is imperative
for the staff of a wastewater utility, under certain circumstances, to be able to procure supplies,
materials, and services quickly and outside of the normal procurement process. Utility managers
should familiarize themselves with existing procurement policies to assure that provisions exist for
emergency procurement and, if necessary, proceed with instituting changes that may be needed to
address malevolent threats in addition to the natural threats typically covered by procurement
Many wastewater utilities are covered by policies of their parent governments that address
emergency procurement; however, these existing policies may not provide the flexibility needed to
effectively respond to the types of incidents that utilities may be facing today. Many procurement
policies allow for emergency purchases of materials and supplies, and possibly services, through an
abbreviated procedure that usually postpones the need for the highest level of approval typically
required for purchases. For example, approval of a purchase or an award of a contract that normally
requires governing body approval may be authorized by a utility staff member and brought to the
board for an "after-the-fact" approval once the emergency is over and with the expectation that
sufficient justification for the procurement action is required.

Procurement policies may require the declaration of an emergency by an elected official or the
highest level of the organization before the standard procurement steps can be waived. Other
procurement policies may delegate the authority to make an emergency purchase to a department
manager if that manager can justify that the purchase is necessary to immediately protect life, health,
and safety that would otherwise be jeopardized if the normal procurement procedures were

While most emergency procurement provisions have met the needs of wastewater utilities over the
years, the malevolent threats now being faced create some new challenges that existing procurement
policies may not be able to meet. For example, an event may result in injuries, fatalities, and
interruptions in both communications and power. It may be impossible for local authorities to declare
an emergency condition, or even if declared, utility staff may not receive the declaration in a timely
manner. Similarly, approval of an emergency procurement by a high-level official may not be
possible within the timeframe necessary to react to a life-threatening condition.

Consequently, procurement policies should address emergency purchases that may be necessary
under extreme conditions where high-level approvals may not be achievable and where
communication networks are out of service. Consideration should be given to including the following
provisions in a utility's procurement policy:
•   Allow for the procurement of construction services, engineering services, and personnel services,
    in addition to the purchase of materials, equipment, and supplies.
•   Permit emergency procurement to protect against imminent harm to the environment and property,
    and to maintain wastewater service in addition to the protection of life, health, and safety.
•   Authorize emergency procurement to protect "employees" in addition to the "public" to avoid
    any ambiguity.
•   Eliminate the requirement of an official outside of the utility to declare an emergency as a
    prerequisite to invoking emergency procurement procedures, and provide a chain of decision-
    makers authorized to approve emergency purchases. For example, if the utility's director is
    unavailable or unreachable, the wastewater operations manager may give the approval; if both
    are unavailable or unreachable, the maintenance superintendent may give the approval.
•   Authorize management and supervisory personnel at different locations (facilities) throughout
    the utility to approve emergency procurement.
•   Provide for an automatic waiver of standard procurement procedures should a certain level of
    threat be declared for the utility's location by a government agency (e.g., the Department of
    Homeland Security raising the Threat Advisory to "red").
•   Include the need to strive for integrity and fairness in the procurement process, even during
    emergency situations.
In addition to making emergency procurement procedures more attuned to the threats faced by
wastewater utilities, other procurement methods should be leveraged to provide flexibility to prepare
for, react to, and recover from disasters. On-call contracts are an effective method to acquire materials
or services as needed without having to go through multiple procurements or invoking emergency
purchasing procedures. On-call contracts are procured through normal procedures at annual,
biennial, or even 5-year intervals. Contractors and suppliers bid on a "basket" of items or services
developed by the utility. More than one contractor or supplier can be selected for the same items or
services to allow the greatest flexibility to the utility when the need arises. On-call contracts should
require availability of service 24 hours a day, 7 days a week, every day of the year. In selecting a
contractor or supplier, consideration should be given to balancing the need for a quick response that
is better met by a company in proximity to the utility with the fact that being in proximity may mean
that a company may not be able to respond if a regional catastrophe has occurred.
Utilities may want to consider using existing contractors to provide immediately available equipment
and labor to respond to an emergency. Utilities may have a number of ongoing construction projects
as part of their CIP and annual maintenance activities. These existing contracts can be used to quickly
bring in construction equipment and expertise to supplement the utilities' workforces.
Cooperative purchasing agreements also provide increased flexibility for procurement. Cooperative
purchasing allows a utility to procure items and services through contracts that exist between other
organizations (e.g., other utilities, government agencies, industry associations) and their suppliers
and contractors. In most states, municipalities and counties can make purchases from state contracts,
and all state and local governments can make information technology purchases from federal GSA
contracts. Utilities may wish to coordinate with other utilities and local governments in their states
and adjacent states and cooperate on developing specifications and allowing purchases from each
other's contracts.

2.9.2 Procurement of Security-related Equipment and Services
Utility managers may be concerned about following standard procedures when procuring
equipment, materials, and services that relate to the security of assets. The requirement of public
advertising for bids for security equipment and projects with detailed plans and specifications may
jeopardize the very security being put into place. While several states have enacted laws exempting
security-related documents and drawings containing security information from FOIA or public
records requests, at least one state has addressed this issue. The State of Alabama recently took
such action by amending its State Code to exempt security-related procurements.14
While an exemption from public advertisement and bidding procedures provides utilities with the
greatest flexibility, there are methods that may reduce the risk of exposing a utility's security
strategy in its process of procuring equipment and construction services. Some steps that may be
taken for security-related projects include:
•   Raising the level at which public advertisement and formal bids are required, thus allowing for
    soliciting of price quotes from vendors and contractors without widespread public notice.
•   Pre-qualifying contractors, consultants, and suppliers and allowing only those meeting specific
    criteria to bid on security-related
•   Requiring signing of confidentiality agreements by the officers and staff of any company desiring
    to do security-related business with the utility.
•   Requiring background checks for any contractor personnel working onsite.
•   Allowing viewing of plans and specifications only within a secure room or a central "plan-room"
    instead of distributing plans to potential bidders.
•   Dividing projects so that no one bidder has a complete view of the project.
•   Considering design-build contracts where one company is selected to both design and construct
    the facilities, or in the case of security equipment, both develop the specification and be
    responsible for its installation.

The Code of Alabama
§39-2-2(g) "In the event of a proposed public works project acknowledged in writing by the Alabama
Homeland Security Department as (i) having a direct impact on the security or safety of persons or
facilities and (ii) requiring confidential handling for the protection of such persons or facilities,
contracts may be let without public advertisement but with the taking of informal bids otherwise
consistent with the requirement of this title and the requirements of maintaining confidentiality.
Records of bidding and award shall not be disclosed to the public, and shall remain confidential."
41-16-51(a) "....the competitive bidding requirements of this article shall not apply to: ...(15)
Contractual services and purchases of product related to, or having an impact upon, security plans,
procedures, assessments, measures, or systems, or the security of persons, structures, facilities or
Enacted May 2004

14 Legislative Reference Service of the State of Alabama, 2004

2.10 Communications
When it comes to safety, security, and emergency response, effective communication is the single most
important concept that can assist in repair of a problem and restore public confidence. It is also
a concept that is not often initially considered by the technical staff involved in an emergency event.
The benefits of effective communication include increased efficiency, improved coordination to
accomplish a goal, and more available resources, such as equipment and technical knowledge, from
other agencies. Furthermore, effective communication improves emergency response efforts by
decreasing response times and allowing utilities a sense of confidence based on anticipated assistance
from other agencies. Lastly, effective communication can create a sense of teamwork and camaraderie
among utility personnel and the outside agency personnel who assist them.

2.10.1 Internal Communication Practices
Internal communication practices are important in preparing, identifying, and responding to security
concerns. Following standardized procedures when communicating with fellow staff during an
emergency is extremely valuable. It allows for efficient responses and decreased conversation time,
both beneficial during an emergency.
Utility management should provide personnel with a clear protocol for reporting security concerns.
This procedure is utility-specific and could simply be a telephone number to the utility manager or a
detailed procedure for notifying security staff and police.
Emergency contact lists are essential for contacting staff after hours for emergencies. Many utilities
maintain on-call schedules, with associated home, cell phone, and pager numbers. However,
managers must be aware of privacy concerns; utilities should ask all personnel required for after
hours service to provide an after hours contact number or ask that they be willing to carry a utility
cell phone for communication after hours. Any contact list should be reviewed regularly, at least
every 6 months, and updated as necessary.
Methods of developing communication internally include holding employee meetings, posting
weekly newsletters, and conducting internal workshops. External activities, such as company picnics
and travel, can also promote team building.

2.10.2 External Communication Practices
Emergency prevention and response involve many agencies beyond the utility. Communication
between utilities and outside assistance is crucial both during planning for and responding to an
emergency. Communication should be addressed immediately during planning phases and should
not wait for an actual emergency to begin.
Some benefits of communicating with local emergency service providers (e.g., police and fire-rescue),
government agencies, and neighboring utilities include:
•   Increased efficiency in daily operations and during an emergency
•   Increased available resources
•   Increased knowledge base
•   Smoother coordination and recovery during an emergency
It is important to include an emergency contact list in the utility emergency response plan, and check
the telephone numbers at least every six months. See Section 7.4 for suggestions regarding the
contacts to include.

2.10.3 Public Outreach
A utility may handle security and emergency response
in a technically solid manner, but if the public is not
properly informed, any situation can develop into a
disaster. The public can be a utility's greatest ally in
identifying and responding to a security breach, and
proactive public outreach programs and policies can
foster helpful activities.
Under normal conditions, public relations
considerations can be necessary when performing day-
to-day O&M. For example, the utility should seek
community buy-in when security measures that will
change the aesthetics of a facility are proposed. Gaining
public acceptance before  installing fencing and lighting
in neighborhoods is critical.
Citizens need to feel that local government officials are
listening to them and taking their concerns into account.
Local citizens can be extremely helpful in watching for
suspicious activities, as shown in the Citizens Helping
Police Service (CHIPS) program case study. Using
neighborhood awareness programs, such as infrastructure guards, can create a sense of awareness
and, thus, confidence in utility operations, strategy, and agenda.
Informing citizens through a spokesperson who is trained in public or media communications is most
effective. A Public Information Officer (PIO) is prepared to interact with local citizens and provide
appropriate messages from the utility. The PIO may be a utility employee or a municipal employee,
depending on the size of the utility. The PIO is selected before an emergency  occurs and requires
special public outreach training to be qualified to speak to the public and the media. To instill
confidence during an emergency, use personnel in uniform when TV cameras are present. Having
planned messages can provide the public with organized and concise information, also facilitating
public confidence. It is vital that the person designated to interface with the public and the media be
trained  to do so. Choose  this person before an emergency occurs.

CHIPS Program in Kennewick, WA
Citizens Helping in Police Service (CHIPS) is an organization of Citizen Volunteers that has been a
part of the Kennewick, Washington Police Department for many years. The CHIPS group is a formally
structured non-profit organization with elected officers, regular meeting dates, operational
procedures, and designated uniforms. These citizen volunteers, working together with common goals,
provide a valuable service to the Department and to the City of Kennewick. The volunteers
participate in a number of tasks on a regular basis as well as being an "on-call" group ready to
perform tasks on an "as-needed" basis. One of the CHIPS projects, named "Operation Camel," provides
a daily physical check of all water storage/pumping facilities in the City of Kennewick.


Some communities and police departments utilize a "reverse 911" system to notify customers of an
emergency. This automatic dialing system enables several calls per minute to be made to citizens in a
designated area. An informational recording can be played when the citizen answers the telephone.
Distributing information to the community quickly is essential. Waiting until all facts are known
may be counter-productive, as news agencies will provide interpretations into the vacuum of
information not provided by the local government and utility. Communication should be prompt,
frequent, and reliable. A good article regarding public outreach concerns the Tylenol poisoning crisis
from 1982.^15

2.10.3 Communications Equipment
Many types of radios and telephones can be used to communicate with utility employees or with
outside agencies such as the fire department:
•   Two-way radios are a highly effective means of standard communication between dispatchers
    and field vehicles. Extra charged batteries should be carried at all times to prevent loss of contact.
    Note that the frequencies used by public utilities may not be compatible with emergency
    responder frequencies. Therefore, utilities are encouraged to have at least one radio that can
    communicate with first responders (typically 800 MHz). Training to use these 800 MHz radios is
    often available through police departments, fire departments, and local emergency managers.
    Utilities should understand that unsecured communications over two-way radios, including 800
    MHz radios, may be intercepted and monitored by personnel other than those on the system.
    Also, utilities should learn from their local law enforcement agency and radio manufacturer
    whether to ban two-way radio communication in the vicinity of a bomb or possible bomb.
•   Cellular telephones (cell phones) are becoming more popular, especially those with two-way
    radios built in. Again, extra batteries and/or a charger should be readily available. Cell phones,
    like two-way radios, should not be used during a bomb threat unless local law enforcement and
    the radio manufacturer have advised that it is safe. It is important to remember that cell
    phone systems, as well as landlines, are frequently overloaded and may not be available for
    communications during disasters.
•   Government Emergency Telecommunications Service  (GETS Program) (http://gets.ncs.gov/)
    allows utility staff to obtain a telephone line by dialing an access code during an emergency. This
    line can prove very useful in a situation when telephone and cellular phone lines are typically
    busy. It is free to sign up and receive calling cards for selected staff. During use, there is a
    minimal charge per minute. Utilities must sign up for this service prior to the actual emergency
    or need to use the service.
•   Volunteer Amateur (Ham) Radio Operators offer an alternate distance communication channel.

^15 "The Tylenol Crisis - How Effective Public Relations Saved Johnson & Johnson," by Tamara Kaplan, Pennsylvania State University


If communications within the utility are disrupted or rendered useless in an event, the utility should
contact its county or state Emergency Communications Coordinator (ECC) for assistance. The name
and chain of command for the state and county ECCs should be maintained and current in the
utility's Emergency Response Plan.

2.11 Interagency Coordination
An important part of protecting utility infrastructure involves interactions with other agencies. By
reaching out to neighboring utilities, a wastewater utility may gain use of equipment and technical
resources that it could not otherwise afford. Coordination with city or county offices such as
emergency management agencies (e.g., Local Emergency Planning Committees [LEPCs]), health
departments, law enforcement, and fire-rescue services may open doors for existing equipment,
grants, and other assistance that the utility could not access or did not previously know existed.
Coordination with other utility providers such as electric, gas, and telecommunications can also
prove beneficial during an emergency.

2.11.1  Coordination with Other Wastewater Utilities
Not all inter-utility coordination should be performed locally because a large-scale disaster may
render other wastewater systems in the vicinity unable to provide services or respond to other
utilities' needs. Therefore, some coordination should be established with wastewater utilities located
80 kilometers (50 miles) or more away. It is recommended that, once utilities have come to an
understanding about coordinating preparations and response in emergency situations, a mutual aid
agreement be established to document the issues and avoid future misunderstandings. Further
discussion regarding mutual aid agreements is presented in Section 2.11.3.
The following emergency  measures should be considered when coordinating with other wastewater
•   Interconnecting systems if possible and practical (with established rates and  charges).
•   Allowing treatment of wastewater at each other's facility if wastewater is brought in by tanker
    truck (with established rates and charges).
•   Allowing solids processing at each other's facilities (with established rates and charges).
•   Acquiring supplies and materials from another utility (with established rates and charges).
•   Borrowing light and heavy equipment between utilities (with established rates and charges).
•   Using staff from another utility (with established rates and charges).
•   Holding periodic meetings (at least quarterly) to share information, renew contacts, update
    information, and review emergency response protocols.

2.11.2 Coordination with Other Agencies
To assure thorough emergency preparation and effective response, wastewater utility managers
should develop relationships with a fairly broad spectrum of government agencies and other service
providers, both locally and regionally. At the top of the list are law enforcement agencies, fire-rescue
departments, and emergency management agencies. Ongoing coordination with other agencies, such
as the local health department, public works department, water supply utility, and solid waste utility
(to accept residuals should other disposal alternatives not be available), is also important, along with
coordination with the wastewater utility's critical service providers, such as the electric utility,
telecommunications utility and chemical suppliers. Wastewater utility managers should strive to
see that the utility receives the highest level of reliability and responsiveness from its providers
and suppliers.
Some action items to consider include:
•   Invite local law enforcement and  regional FBI personnel to a tour of the utility's facilities,
    including a briefing on system threats and vulnerabilities.
•   Stress the importance of local law enforcement patrols past utility facilities and awareness of
    unauthorized access into collection systems or utility sites.
•   Gain permission and learn to use emergency response radios and frequencies.
•   Share telephone lists with key outside agencies.
•   Provide a single point of contact for the utility during an emergency to all agencies that may be
    involved in a security problem or emergency response action.
•   Attend training workshops with other agencies and intermix employees so their primary
    interactions are with people outside of their daily work environment.
•   Hold emergency response exercises and invite external agencies, providers, and suppliers
    to attend.
•   Make sure that first responders are fully aware of all chemicals used and stored onsite so that
    proper equipment is available to safely and efficiently deal with explosions and/or fires.

2.11.3 Mutual Aid Agreements
Mutual aid agreements provide a formal means of documenting coordination efforts between utilities
or other agencies and can  greatly facilitate the exchange of resources during an emergency. They are
based on the concept that  resources, in most circumstances, are voluntarily provided, that there will
be a reciprocal exchange if and when required,  and that providing resources will not result in a profit
to the providing party. While most wastewater utilities will enter into mutual aid agreements with
other wastewater utilities, consideration should also be given to advantages  that might be gained
through mutual aid agreements with water, electric, and gas utilities as well.


Some of the benefits of entering into a mutual aid agreement with one or more utilities include
the following:
•   Commits the participating parties to a mutually beneficial, cooperative agreement based on
    principles and concepts of contract law, which support protecting public health, the environment,
    and property.
•   Provides a mechanism for coping with emergency situations that allows maximum flexibility in
    the use of resources.
•   Reduces misunderstandings between parties, which often exist when assistance is requested or
    provided on an informal basis, especially during an emergency situation.
•   Defines the parties involved; identifies respective responsibilities; and defines how and when
    they are to be implemented, who performs what and how, who pays for specific services, how
    long the agreement is in effect, how the agreements are terminated, and who administers the
•   Provides for the utilization of resources to augment impacted or insufficient resources or
    capabilities of the other organization(s), thus allowing greater flexibility for all participants.
•   Limits costs by overcoming budgetary restrictions, duplication of resources, equipment
    shortages, and operations or capabilities limitations.
•   Provides that a party requesting assistance will indemnify the party providing the assistance for
    any resulting liability.
•   Enhances communication and cooperation between the participating parties.
•   Provides a legal basis for a participating party to operate outside its service area.
Mutual aid agreements may also specify that the parties providing assistance may withhold all or
part of their resources under certain conditions.


Operational Considerations for Reducing Risks

Along with changes in the way the utility is managed, operational changes often provide some of the
more cost-effective ways for utilities to enhance the security of their systems. This section provides
suggestions for operational approaches, practices, and protocols that wastewater utilities may adopt
to improve the security of their infrastructure and other assets.
It is important to recognize that operating a wastewater system for improved security is well aligned
with the type of work performed by operations and maintenance personnel every day. Preventive
maintenance inspections can easily be expanded to observe situations that might affect security.
Tasks such as looking for illicit connections, checking overflow problems, and developing
pretreatment programs to protect the wastewater process can also be used to improve security.

3.1 Heightened Awareness
With the vast geographic area served by most utilities, it is impossible to constantly monitor all utility
assets such as extensive pipeline networks and remote facilities. One way to enhance the security of
utility infrastructure is to increase awareness of potential threats by employees and the public.

3.1.1  Employees
It is important to rely upon the utility's staff to be cognizant of any anomalies that may indicate a
breach of security of the wastewater system. While traveling along daily routes or from job to job,
employees should take notice of any open or askew manhole covers or catch basin grates or any
unusual odors or smoke coming from manholes or catch basins. Any persons or equipment around
an open manhole, catch basin, or on a pump station site other than those of the utility or authorized
utility contractors, should raise suspicion and be reported according to standard procedures and the
utility's emergency response plan.
In addition to utility employees serving to maintain the security of the collection system,
management should work with other local government departments and agencies to train their
employees to also be aware of any unauthorized entry into manholes, catch basins, or curb inlets.
Because of their frequent travels across a municipality, police, refuse haulers, and road crews would
be a good addition to the wastewater collection system security program.
Consideration should also be given to expanding the role of the pretreatment program staff to make
periodic inspections to ensure that manhole covers and catch basin grates are secured in place and
that no unusual objects have been inserted into curb inlets.

3.1.2  Public
Given the large number of points of entry to wastewater collection systems, heightened awareness by
the public is a valuable mechanism for identifying unauthorized access to sanitary and combined
sewer systems. As mentioned in Section 2.10.3, wastewater utility managers should work with those
involved in community policing programs, such as Neighborhood Watch, to educate citizens on how
to identify and report a breach in collection system security. Individuals who note suspicious
behavior and are well informed of how to contact the authorities can significantly reduce the risk to
the system and act as a deterrent. This additional source of information can build on the requirement
of many combined sewer systems and municipal separate storm sewer systems to have illicit
dumping hotlines and environmental awareness campaigns under their National Pollutant Discharge
Elimination System (NPDES) permits.

3.2 Operational Practices
Instituting operational practices that provide a utility with improved security against malevolent
threats can generally be accomplished at costs significantly less than designing and constructing
physical improvements. Nevertheless, developing new operational practices and revising existing
practices can take substantial resources in staff time and expenses, union negotiations, training, and
enforcement. Improving security by a change in operating procedures can also increase workload
and possibly impact efficiency. Also, some operational practices for improving security can be very
costly. For example, consider the employment of guards or contracting with a guard service.
Depending on the number of facilities a utility owns and operates, their size, and the extent of the
utility's service area, using guards can easily impact a utility's operating budget by hundreds of
thousands of dollars annually. Consequently, wastewater  utility managers must be deliberate in what
operational practices to institute based upon the result of the utility's VA.
An important benefit of using operational practices for improving
security is their flexibility. Development and adoption of new and
revised practices does not necessarily mean they need to be
continuously invoked. Thus, many operational practices can be
activated as needed in response to a particular threat category or
threat condition. Consequently, to some extent, costs can be
New or revised operational practices can be linked to a particular
threat category or threat condition, but the extent to which they are
activated would be dependent upon the design basis threat category
identified by the VA, and/or the threat  condition declared in
accordance with the  Homeland Security Advisory System (see
Exhibit 3-1) by the U.S. Department of Homeland Security or other
state or local agency. There are several operational practices, however,
that should be adopted and kept activated regardless of the threat
category or threat condition faced by the wastewater utility. These
general operational practices are listed in Section 3.2.1.

EXHIBIT 3-1
Homeland Security Advisory System
Source: USDHS

3.2.1 General Operational Practices
The following operational security measures should be employed for all facilities regardless of the
design basis threat or the threat condition. Vigilant access management and site maintenance
practices reduce the risks of malevolent acts by sustaining territoriality, controlling access and
performing surveillance. In essence, a well-controlled, well-maintained, and obviously occupied or
used facility and site tends to discourage adversaries.

Access
•   Lock gates when the facility is unattended.
•   Lock doors and windows when the facility is unattended.
•   Inspect the perimeter fence monthly and make any necessary repairs.
•   Provide local law enforcement and fire-rescue personnel with up-to-date information on
    locations of access points and the barriers that they may encounter.
•   Support citizen crime-watch committees in areas around utility facilities.

Operations and Maintenance
•   Keep lawn areas mowed and plantings in good condition.
•   Keep trees and shrubs trimmed back from windows, doors, and walkways.
•   Keep litter and trash picked up and the site neat.
•   Keep the exterior of buildings and other structures in good condition; poorly maintained facilities
    can increase the perception that unauthorized access may be easy.
•   Remove graffiti within 24 hours of its appearance.
•   Replace faded signs.
•   Keep sites illuminated at night.
•   Inspect all lighting and surveillance equipment monthly and repair as necessary.
•   Establish procedures for night shift workers at treatment facilities, including regular check-ins
    with supervisors.
•   Assure all processes and systems can be operated manually should the SCADA system fail.

3.2.2 Operational Practices to Address the Design Basis Threat or Threat Condition
The following recommendations are in addition to the general operational practices listed in
Section 3.2.1. These are operational practices that will assist the utility in resisting various threats.
These operational practices are linked to threat categories and threat conditions in increasing order of
severity. Operational practices listed for each lower-level threat are not repeated for the higher-level
threats but assumed to be considerations for the higher levels as well. Exhibit 3-2 depicts the
recommendation that the general operational practices be put in place no matter the threat category
or condition, and that for increasing threats additional operational practices be considered to counter
the threat.

EXHIBIT 3-2
Recommendations for Progressive Operational Considerations
[Figure: progressive tiers of operational practices. General Operational Practices (Section 3.2.1)
apply to all operations. Operational Practices for Vandal Threat are added for operations under
vandal threats or Threat Condition Blue; Operational Practices for Criminal Threat (Section 3.2.2.2)
for operations under criminal threats or Threat Condition Yellow; Operational Practices for Saboteur
Threat (Section 3.2.2.3) for operations under saboteur threats or Threat Condition Orange; and
Operational Practices for Terrorist Threat (Section 3.2.2.4) for operations under terrorist threats
or Threat Condition Red.]

Vandal Threat (Guarded [Blue] Threat Condition)
In addition to the operational practices described above, also do the following:
•   Access
    -  Test security alarms monthly.
    -  Consider using canine patrols when facilities are unattended.
•   Operations and Maintenance
    -  Keep shrubs trimmed to 1 meter (3 feet) and prune the lower branches of trees up to 2 meters
       (7 feet) to maintain clear visibility.

Criminal Threat (Elevated [Yellow] Threat Condition)
In addition to the operational practices described above, also do the following:
•   Access
    -  Keep gates locked at all times or post guards at gates.
    -  Inspect the perimeter fence weekly and make any necessary repairs.
    -  Implement and enforce a key and lock control protocol (see Section 3.3.1).
    -  Require all persons entering a facility to provide identification. Employees who show ID
       badges that authorize access to the facility should be allowed entry. Employees who do not
       have ID badges that authorize entry to the facility should be treated as visitors (see below).
       •   Visitors should present identification, such as a valid driver's license, government-issued
           photo identification card, or passport prior to being assigned a visitor badge. A
           photocopy should be made of each identification card presented.
       •   All visitors should be given numbered visitor badges to wear on site. Visitor badges
           should be returned when leaving.
       •   Establish a policy for facility tours delineating who is authorized to approve access and
           to whom tours are limited.
       •   Tours should only be allowed when a staff member is available to constantly escort the
           tour group.
       •   Access for cleaning, maintenance, and repairs by non-utility employees should be limited
           to the times when utility employees are present.
       •   Restrict access to rooms that house SCADA and CCTV systems.
•   Operations and Maintenance
    -  Establish and enforce an alarm response protocol (see Section 3.3.2).
    -  Keep all interior doors locked when rooms are unoccupied.
    -  Lock valuable items in desk drawers and cabinets.
    -  Keep petty cash in a safe that is secured to the floor.
    -  Store portable ladders and secure fixed ladders with guard locks so they cannot be climbed.

Saboteur Threat (High [Orange] Security Condition)
In addition to the operational practices described above, also do the following:
    -  Establish a "no stopping" zone along the roadway serving the facility, with appropriate
       signage. Request enforcement with towing.
    -  Provide escorts for all visitors.
    -  Post guards at all gates.
    -  Have guards continuously patrol perimeter.
    -  Place moveable vehicle barriers along facility roads to direct vehicles along a serpentine
       pattern as shown in Exhibit 3-3.
    -  Provide CCTV monitoring 24 hours/day, 7 days/week.
    -  Restrict site tours to non-sensitive areas of the
    -  Require two employees in highly sensitive areas such as those housing the SCADA and CCTV
    -  Inspect interior and undercarriage of all vehicles entering facility. To limit delays, personnel
       with appropriate credentials (e.g., authorized staff and utility fleet vehicles that are linked in
       databases for validation) may be exempted from vehicle inspection.
•   Operations and Maintenance
    -  Implement and enforce a delivery control protocol (see Section 3.3.3).
    -  Assure a 60-day supply of chemicals is on hand for operations.
    -  Assure a 96-hour supply of fuel is available without requiring additional deliveries.

Small Utility Tip
Instead of hiring guards, find out whether police or sheriff's deputies can "moonlight" for the
utility on an as-needed basis

EXHIBIT 3-3
Example of Barriers Placed to Force a Serpentine Pattern
[Figure; label: Perimeter barrier]

Terrorist Threat (Severe [Red] Security Condition)
In addition to the operational practices described above, also do the following:
•   Access
    -  Screen all items being carried into facilities. Prevent aerosol cans, pressurized devices, spray
       bottles, bottled gases, pepper spray, mace, and liquids or powders that cannot be readily
       identified from being brought onsite.
    -  Require two employees for access to high security areas.

3.3 Specific Operational Protocols
The operational protocols described below are referred to in the operational practices associated with
specific threat categories and conditions described in Section 3.2.2.

3.3.1 Key and Lock Control Protocol
The following features should be included in a key and lock control protocol. The word "key" is used
to refer to traditional metal keys as well as card keys and smart keys.
•   Do not use a master key for all facilities.
•   Distribute keys only to those employees that require access for their daily work.
•   Do not provide contractors with keys.
•   Track all keys.
•   Keys must be in a person's possession or locked in a secure drawer or cabinet, and never left on a
    desk or table, or otherwise unattended.
•   Retrieve keys when they are no longer needed, such as a reassignment of personnel.
•   All keys should be recovered from employees when they resign or are terminated.
•   Consider using smart-keys or complex-cut keys for high-level security areas.
•   Periodically change codes on keypad locking devices.
•   Replace locks periodically to reduce the likelihood of security breaches due to lost keys,
    unauthorized duplicate keys, and keys held by former employees.
•   Perform random key audits and consider replacing all keys if key control has been compromised
    (e.g., more than 5 percent of keys are unaccounted for).
•   Only allow a single lock that is controlled by the utility to be placed on the entrance into a facility.
    Do not use daisy-chains of locks to allow use of multiple keys by non-utility personnel; instead,
    coordinate access with those needing entry.

3.3.2 Alarm Response Protocol
Response protocols for security alarms should be developed to assure appropriate, effective, and
rapid response. Employees should be trained in the protocol and understand their specific roles and
responsibilities. Suggested components of an alarm response protocol include these items:
•   Periodically change codes on alarm activation devices.
•   If possible, provide dual assessment of an alarm (e.g., video and motion detectors).
•   Provide multiple methods for reporting alarms and notifying authorities (e.g., telephone, cell
    phone, radio).
•   Designate alarm response teams by alarm type.
•   Notify internal and external groups about alarms as identified in the utility emergency
    response plan.
•   Place alarms at remote facilities into "access" mode when authorized entry is made and require
    employees to call in to the alarm station prior to entering facilities without card-key access.
•   Track and maintain a record of alarms and security incidents.
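
The following sketch is an added example, not part of the original guidance. It shows how an alarm station could combine three of the components above: "access" mode set by an employee call-in, dual assessment by two sensor types, and a retained record of every alarm. The event format, site names, team names, and the 90-second corroboration window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed corroboration window for dual assessment; the guidance does not specify one.
DUAL_WINDOW = timedelta(seconds=90)

# Hypothetical response-team assignments by alarm type.
TEAMS = {"door": "security patrol", "motion": "security patrol",
         "video": "security patrol", "process": "on-call operator"}

# Constructed alarm-station log: (time, site, kind, detail).
# kind is "call_in"/"call_out" (detail = employee) or "alarm" (detail = sensor type).
EVENTS = [
    ("2004-12-09 01:10:00", "PS-3", "call_in", "emp-117"),
    ("2004-12-09 01:12:30", "PS-3", "alarm", "door"),    # during authorized entry
    ("2004-12-09 01:39:30", "PS-3", "alarm", "door"),    # employee leaving
    ("2004-12-09 01:40:00", "PS-3", "call_out", "emp-117"),
    ("2004-12-09 01:40:45", "PS-3", "alarm", "motion"),  # site is secure again
    ("2004-12-09 02:05:10", "PS-7", "alarm", "motion"),
    ("2004-12-09 02:05:40", "PS-7", "alarm", "video"),   # second sensor type
]


def triage(events, window=DUAL_WINDOW):
    """Return one record per alarm with a disposition and the team to notify."""
    parsed = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), site, kind, detail)
        for t, site, kind, detail in events
    )
    access_mode = {}  # site -> employee who called in before entry
    alarms = []
    for when, site, kind, detail in parsed:
        if kind == "call_in":
            access_mode[site] = detail
        elif kind == "call_out":
            access_mode.pop(site, None)
        elif kind == "alarm":
            alarms.append({"time": when, "site": site, "sensor": detail,
                           "called_in_by": access_mode.get(site)})

    for a in alarms:
        if a["called_in_by"]:
            # Site was in "access" mode: keep the record, send nobody.
            a["disposition"] = "authorized-entry"
            a["notify"] = None
            continue
        # Dual assessment: a different sensor type at the same site, close in
        # time, that was not itself raised during an authorized entry.
        corroborated = any(
            b is not a and b["site"] == a["site"] and b["sensor"] != a["sensor"]
            and not b["called_in_by"] and abs(b["time"] - a["time"]) <= window
            for b in alarms
        )
        a["disposition"] = "confirmed" if corroborated else "unconfirmed"
        # A single-sensor alarm still needs someone to assess it.
        a["notify"] = TEAMS.get(a["sensor"], "security patrol")
    return alarms


def summary(records):
    """Compact view of the alarm record: (site, sensor, disposition)."""
    return [(r["site"], r["sensor"], r["disposition"]) for r in records]


if __name__ == "__main__":
    for row in summary(triage(EVENTS)):
        print(row)
```

The motion alarm at PS-3 is left unconfirmed even though a door alarm fired 75 seconds earlier, because that door alarm belonged to the authorized visit that had already been called out.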

3.3.3 Delivery Protocol
Deliveries present a difficult security challenge for organizations, and particularly for wastewater
facilities where chemical and equipment deliveries are a regular and necessary event. The following
elements should be considered for establishing a strict delivery protocol.
•   In addition to access controls provided at the facility perimeter, add a CCTV video surveillance
    system at unloading areas. Deploy cameras to capture the vehicle license plate and driver facial
•   Maintain detailed logs of deliveries and pick-ups, including driver information, vehicle tag
    number, description of shipped item, and source location or destination.
•   Adopt a procedure that requires faxed or electronically transmitted copies of delivery bills-of-
    lading information and driver identification to be sent to the facility prior to the truck arriving
    on site.
•   Implement a procedure for ensuring that a driver who regularly picks up or delivers hazardous
    materials, such as hazardous chemicals, is previously cleared for access, given a proper
    identification badge, and trained properly in the facility security requirements.
•   Provide a delivery holding area where contents of the delivery vehicle and contents of packages
    can be assessed before transferring to final delivery location. This includes an area where
    delivered chemicals can be sampled for a rapid assay.
•   Refuse to accept any delivery that is deemed suspicious.
•   During high-risk periods, or for other specific reasons, inspect vehicles prior to entering or
    leaving the area.
•   Notify chemical suppliers if deliveries are late or do not arrive so that the suppliers can confirm
    the safety of their drivers and the location of their shipments.
•   Work with chemical suppliers to initiate use of anti-hijacking technologies and to develop utility-
    supplier protocols for preventing and responding to tampering during shipment.

3.4 Specific Operational Considerations for Wastewater Treatment Facilities
Operational considerations for reducing risks from malevolent threats to a wastewater utility's assets
were covered in general in previous portions of this section. What follows are specific operational
considerations for protecting against the impacts of malevolent acts conducted by adversaries once
access to the treatment processes has been gained, or the raw wastewater has been contaminated
through the collection system. These operational considerations are not meant to replace what is
required by good operational practice, wastewater industry standard operating procedures, and
regulatory requirements. Rather, what follows are additional operational considerations that should be
developed and activated in response to malevolent threats of sabotage and terrorism or threat
conditions of orange (high) or red (severe).
For guidance in operation of wastewater treatment facilities and individual unit processes, numerous
publications are available, including the following:
•   Operation of Municipal Wastewater Treatment Plants - MOP 11, WEF, 1996
•   Wastewater Sampling for Process & Quality Control - MOP OM-1, WEF, 1996
•   Several other Manuals of Practice published by WEF that address specific systems and processes,
    and reports published by WERF that address the treatment and fate of various toxins

3.4.1 Treatment Facility-wide
The facility-wide considerations encompass the areas of access, operations and maintenance, and
backup power.
Access
•   To prevent access to critical processes and assets, lock all hatches and vault covers when they are
    not being used. Use a hardened hasp padlock.
•   Lock all manhole covers with bolts or pan-type locks (see Section 4.5.2).
•   Secure valve and gate operators in their operating configuration to avoid malicious tampering
    or an unintentional action by an employee. Hardened chains and locks, or specialized locks can
    be used.

•   Keep electrical and control boxes locked at all times to prevent unauthorized access. Unrestricted
    access to this equipment could allow an immediate shutdown of unit processes and control
    systems, creating an operational emergency.
Operations and Maintenance
•   Develop an understanding of the time of travel of the wastewater through the treatment facility
    at different flows to know how long it would take for contaminants to move from process to
    process and through the treatment plant.
•   Inspect processes and overall operations hourly, being vigilant to recognize any treatment
    system upset that may be related to contamination of the sewage or chemicals that are added
    to the treatment process.
•   Rotate standby tanks, basins, mechanical equipment and electrical components into an operating
    mode routinely. Rotation allows maintenance activities to be conducted routinely to ensure
    that standby capacity is readily available when needed.
    Multiple Benefits: Rotating standby tanks, basins, and equipment into operating mode improves
    their condition and ensures that they will be available in an emergency.
•   Store critical spare equipment and parts in a secure location away from the operating equipment.
    This protects the equipment from a malevolent act that is directed at damaging the operational
    systems and allows the utility to quickly restore operations after the event occurs.
Back-up Power
•   Exercise generators weekly (assuming permits allow) under realistic loading conditions so that
    their reliability is assured in an emergency.
•   Develop and exercise a power failure plan that identifies staff responsibilities including
    systematic shutdown of non-critical equipment and systems that could reduce loads on
    the generator.
For further information, refer to AWWA's publication, Emergency Power Source Planning for Water and

3.4.2 Influent Pump Station, Preliminary and Primary Treatment
Continuous monitoring of the influent should be performed at the influent pump station wet well or
at the facility's headworks. Monitoring of pH, oxidation-reduction potential (ORP), conductivity, and
temperature may provide an indication of contaminated sewage that can result in a plant upset.
Combustible gas concentration in the headspace of the influent pump station wet well should also be
continuously monitored.
During periods of elevated threat levels, consider monitoring for additional contaminants in the
influent using the results of the VA as a guide. Also, consider conducting trend analyses to identify a
potential slow release of a toxic compound into the wastewater system that could potentially build
up in the biomass, leading to an upset condition.

Research is underway to develop early detection devices that would alert operators that the sewage
contained specific toxic chemicals. More information on these early detection devices may be found
in Guidelines for Designing an Online Contaminant Monitoring System (ASCE 2004).
Additionally, influent channels, grit chambers, and primary clarifiers are the locations where the
visual and odor characteristics of the raw wastewater can be inspected at ground or aboveground
level for the first time. If a flammable or toxic substance has been dumped into the collection system,
it is possible that a treatment plant operator may be able to see changes to color, sheen, consistency,
or odor of the raw sewage that can indicate a potential problem. Such inspections should be
made hourly.
Should monitoring or inspections suggest the influent may cause an upset to the treatment process
or a danger to facility or staff, the influent can be temporarily diverted to holding tanks or basins
if available.

3.4.3 Secondary Treatment
Secondary biological treatment processes can be sensitive to sudden changes in the characteristics of
the waste stream. Some fixed-film systems may be more resistant to shock-loading and toxins than
activated sludge processes, but activated sludge processes may allow for more flexibility in
preventing a complete die-off of biomass from a toxic constituent in the wastewater.
•  Continuously monitor dissolved oxygen levels, a dramatic change in which may suggest
   inhibition of the biomass growth, a condition where immediate countermeasures should be
   taken, such as adjusting airflow and possibly diverting flow to standby tanks.
•  For aeration systems using diffused aerators, have floating mechanical aerators available should
   air piping or blowers be damaged.
•  Establish agreements with other wastewater utilities that could provide seed-activated sludge in
   the event of a biomass die-off.

3.4.4 Effluent Filtration
Common filtration techniques include granular media filters and membrane filtration (microfiltration
and ultrafiltration). Filter upsets typically require increased backwashing or cleaning intervals.
However, severe problems may require replacement of the media or membranes.
•  Continuously monitor turbidity to detect a rising trend or failure of the filtration system.
•  Maintain a supply of filtration media should replacement become necessary.
•  Make arrangements with membrane suppliers to receive replacement membranes in a short
   amount of time.

3.4.5 Disinfection
The most common disinfectants used in wastewater treatment are chlorine and ultraviolet light.
Historically, chlorination has been almost exclusively used to disinfect effluent because of its
relatively low cost, availability, and general effectiveness. Recently, however, increasing concern
about employee and public safety, as well as toxicity to receiving waters, has led to increased use of
ultraviolet light if wastewater characteristics are amenable to its disinfection capabilities and a
disinfectant residual is not required as it might be for reclaimed water systems.
Ultraviolet Light
•   Continuously monitor ultraviolet system performance, because a change in wastewater
    characteristics (e.g., absorbance or reflection of ultraviolet (UV) light before it could penetrate a
    microorganism) could result in ineffective disinfection.
•   Assure that a supply of replacement lamps and modules is available.
•   Develop an operational response to loss of disinfectant capacity. Plan for an alternative
    disinfection method such as manually feeding sodium hypochlorite or calcium hypochlorite
    should the UV system fail to adequately disinfect the effluent.
Chlorination
All forms of chlorine are highly toxic and corrosive. Government regulations, safety guidelines, and
proper operational practices require careful and deliberate methods and procedures in handling,
storing, using, and disposing of chlorine and chlorine compounds. Because these regulations,
guidelines, practices, and procedures are necessary for all wastewater treatment facilities regardless
of security concerns, they are not all repeated here. What follows are additional recommendations for
reducing risks associated with malevolent threats that may not otherwise be mitigated by
conformance with regulations and other standard practices.
•   Chlorine cylinders should be hidden from view of anyone outside the secured perimeter of the
    treatment facility and stored within a high security level area. Consider anchoring cylinders to a
    concrete slab or structural member.
•   Continuously monitor the chlorine gas leak detector and have trained staff available for small
    leak response.
•   Coordinate with local HazMat teams for response to large chlorine gas releases.
•   Store chlorine cylinders away from the chlorine feed building, but minimize the need to transport
    the cylinders long distances.
•   Store chlorine cylinders and chlorine compounds separately from other chemicals to avoid
    serious reactions should a leak or spill occur.

3.4.6 Effluent Disposal and Reclaimed Water Production
Should wastewater treatment processes be disrupted, the quality of effluent will likely decrease,
possibly causing a violation of permit requirements and having adverse effects on the receiving
water, the environment, and downstream users of the receiving water or reclaimed water if reuse of
the effluent is practiced.

•   Prior to discharge or use as reclaimed water, effluent should be continuously monitored for pH,
    ORP, turbidity, and chlorine residual (if chlorine is used as a disinfectant). Bacteriological
    monitoring and monitoring of viruses should also be considered for reclaimed water production.
    The need for monitoring of other biological and chemical constituents, as well as for
    radionuclides, should be decided on a case-by-case basis. Further information can be found in
    Guidelines for Designing an Online Contaminant Monitoring System (ASCE 2004).
•   Utility management should work with regulatory agencies, and possibly community and
    environmental groups, to develop a contingency plan for managing an effluent or reclaimed
    water that cannot meet the required standards due to a malevolent incident.
    Multiple Benefits: Upfront discussion with regulatory agencies and environmental organizations
    regarding procedures for discharge due to a malevolent act can provide an opportunity to work
    cooperatively, potentially yielding improved working relationships.
•   Where effluent is disposed of through infiltration basins and sprayfields, public contact may not
    be an issue, but adverse effects on groundwater and possible aerosols from the effluent spray
    may be a concern. Again, developing a contingency plan with regulatory agencies and other
    stakeholders is suggested.
•   In the event that the contaminant has passed through the wastewater treatment facility, treated
    effluent that may contain harmful substances should be diverted to holding tanks or lined ponds,
    if available, for further analysis and pumping back through the plant at low rate of flow to
    be retreated.
•   Consider underwater inspection of outfalls at least once every two years.
    Multiple Benefits: Regular inspection of outfalls is good practice. While looking for signs of
    malevolent activity, inspectors should look for signs of corrosion, sedimentation, and other
    maintenance issues.
•   Reclaimed water that will be used for irrigation in areas that are open to the public should be
    stored on the treatment plant site for a sufficient time to allow for analysis to assure it is safe
    for distribution. Because reclaimed water distribution systems have many of the same
    characteristics as drinking water distribution systems, refer to AWWA's Security Guidance for
    Water Utilities for further information.

3.4.7 Solids Handling
Treatment facilities with anaerobic digestion produce methane, an extremely flammable gas and an
asphyxiant. Government regulations, industry and local codes, and standard operating practices
must be followed to assure the safe management of methane gas. These are not repeated here. What
follows are recommendations that focus on improving security related to malevolent threats that may
affect solids handling operations at a treatment facility.

•   Have more than one hauler under contract in case biosolids volume increases due to the inability
    to thoroughly dewater or the primary hauler is unable to provide sufficient services. Maintain a
    "standby" contract with haulers having tanker trucks that can handle liquid sludge.
•   Identify alternative short-term storage for sludge that does not meet either the beneficial uses or
    disposal specifications.
•   Treat the areas around anaerobic digesters as high-level security areas and enforce restrictions to
    assure safe treatment or reuse of methane gas.
•   Conduct trend analyses of biosolids monitoring data to track the potential of a slow release of a
    toxic compound into the wastewater and build-up of contaminants.

3.4.8 Process Chemicals and Systems
Wastewater treatment facilities use a variety of chemicals as part of the treatment process. The
following is a partial list of chemicals and other hazardous substances commonly found at
wastewater treatment facilities and, possibly, remote facilities such as pump stations.
•   Activated carbon
•   Calcium hypochlorite
•   Chlorine dioxide
•   Diesel fuel
•   Digester gas
•   Ferric chloride
•   Ferric sulfate
•   Fuel oil
•   Hydrochloric acid
•   Hydrogen peroxide
•   Liquid propane gas
•   Lubricating oils
•   Odor-masking agents
•   Paints and thinners
•   Sodium bisulfate
•   Sodium hypochlorite
•   Sulfur dioxide
•   Sulfuric acid
•   Welding gases
Security risks for chemicals and chemical systems include (1) the theft of chemicals, (2) use of the
wrong chemical or a contaminated chemical, and (3) damage and destruction of the chemicals and
chemical feed systems. Safety measures, including the proper handling of chemicals, cleanup of
spills, personal protective equipment, and training are a necessary part of any wastewater operation,
regardless of security threats, and are not addressed here. What follows are several recommendations
for reducing the risk associated with malevolent threats involving chemicals and chemical systems.
•   Implement and enforce a delivery protocol as presented in Section 3.3.3.
•   Contractually obligate bulk chemical delivery suppliers to implement a seal lock at the point of
    origin after loading that cannot be unsealed until arriving at the point of arrival.

•   Reject chemical deliveries that may have been tampered with (e.g., broken seal, open bags, no
    manifest, or unofficial paperwork).
•   Confirm reasons for late delivery with manufacturer or supplier's home office before accepting
•   Notify chemical suppliers if deliveries are late or do not arrive so that the suppliers can confirm
    the safety of their drivers and the location of their shipments.
•   Work with chemical suppliers to initiate use of anti-hijacking technologies and to develop utility-
    supplier protocols for preventing and responding to tampering during shipment.
•   Perform an assay on a sample of the chemical to assure its chemical constituents prior to
    accepting delivery, or while it is contained in a holding vessel before being placed into the
    process storage tank.
•   Coordinate with local HazMat response team to assure they are aware and up-to-date with the
    types and quantities of chemicals used and stored at utility facilities.
•   Inspect chemical storage areas, storage tanks, and feed equipment weekly.
•   Assure that a sufficient supply of chemicals is available based upon the threat (see

3.4.9 Laboratories
•   Establish arrangements with other laboratories to be used in situations where the utility's
    laboratory does not have a certain analytical capability, is overloaded with work, or is unable to
    provide service. Maintain an up-to-date list of other laboratories and the types of analyses
    performed. A comprehensive listing of both publicly and privately owned laboratories that are
    certified under the National Environmental Laboratory Accreditation Program (NELAP) can be
    found at www.epa.gov/nerlesdl/land-sci/nelac/accreditlabs.html.
•   Maintain a receipt log in the chemical receiving area that indicates the name of chemicals
    received and the name of the person to whom the chemical is released.
•   Create and maintain an inventory of chemicals kept at the laboratory.
•   Chemicals that are consumed in process, disposed, or shipped should be removed from
    laboratory inventory logs.
•   Secure laboratory reagents and limit access only to authorized personnel.
•   Certain highly toxic materials and hazardous materials should be stored in locked cabinets,
    freezers, or refrigerators. This applies to sodium cyanide, potassium cyanide, arsenic compounds,
    select agents, and other materials that may be readily recognizable as poisons.
•   Limit the amount of chemicals stored at the facility.
•   Protect laboratory gas cylinders, both service and spare, in secure wire mesh cages.
•   Perform both periodic and random checks of inventory to catch any unusual patterns of excessive
    purchase of dangerous chemicals.

•   Limit the number of staff who are authorized to purchase chemicals and supplies.
•   Have chemical suppliers limit the amount of chemicals that can be ordered at one time.
•   Establish a secondary location at the treatment facility for conducting process control-related
•   Consider the use of radio frequency identification (RFID) tags for valuable instrumentation such
    as a gas chromatograph/mass spectrometer (GC/MS).

3.5 Maintenance Shops, Warehouses, and Storage Areas
Consider the following operational practices for improving security at maintenance shops,
warehouses, and other storage areas.
•   Limit access to tools, supplies, spare parts, and materials to a limited number of authorized
•   Maintain inventories of tools, supplies, spare parts, and materials.
•   Perform both periodic and random inventory audits.
•   Institute a work order system to track the use of supplies and materials.
•   Require that unused materials and supplies be returned to the warehouse or storage facilities.
•   Develop contracts with outside maintenance shops for functions that can be outsourced during
    an event.
•   Develop on-call contracts with equipment suppliers that will allow procurement via emergency
    purchase order or credit card if the utility uses credit card purchasing (see also Section 2.9.1).
•   Maintain an up-to-date list of outside sources for replacement equipment and supplies.
•   Maintain spare inventory for critical equipment on paper and in a separate secure facility in
    addition to keeping the inventory in electronic format.
•   Keep all welding gases in a locked and secure caged area when not in use.
•   Provide access to multiple staff for disbursement of supplies during an event.
3.6 Administrative Offices
Administrative offices may be the locations where utility staff is most at risk. Additionally, important
financial information is likely stored in these facilities. The following operational practices can help
improve security at administrative buildings.
•   Maintain a receptionist or guard at the entrance to the building.
•   Train the front office receptionist in alarm protocols during unusual events (e.g., irate customer
    or unauthorized intruder).
•   Require identification of visitors prior to entering the main building (e.g., from a vestibule).
•   Restrict access from front entry point to inside offices.

•   Assure that exterior doors are never propped open by conducting frequent inspections
    throughout the day or via electronic devices.
•   Keep file cabinets closed and locked. Do not leave keys in their locks.
•   Erase whiteboards and remove flip chart papers that contain important information.
•   Keep desks clean and computer screens blank (requiring a password to restore) when work areas
    are unattended.
•   Keep petty cash in a safe that is bolted to the floor.
•   Provide a silent panic alarm at the reception area and other critical locations.
3.7 Vehicles, Heavy Equipment, and Fuel
The following practices may improve the safety and security of vehicles, heavy equipment, and fuel.
•   Designate specific parking locations for each vehicle and piece of equipment.
•   Lock all vehicles and heavy equipment when driver/operator is not "behind the wheel."
•   Have each vehicle and all heavy equipment clearly marked with the utility's name, logo, and
    individual vehicle number. Consider adding the logo and vehicle ID number to the roof of the
    vehicles for ease of identification from the air.
•   Avoid keeping supplies in vehicles. Keep any supplies that are left in vehicles out of sight and in
    locked compartments.
•   Return heavy and light equipment to a secured location after working hours, or provide a
    security guard at the site where equipment remains.
•   Require identification from the driver of all fuel (e.g., gasoline, diesel, propane, etc.) delivery
    trucks prior to the fuel being accepted onto site.
•   Require fuel cards to be returned upon an employee's termination from employment.
•   Reissue fuel cards with new codes to staff annually at a minimum.
•   Consider purchasing a tanker truck to haul fuel from outside of the utility's region in the event
    that local fuel sources are unavailable and fuel shipments are delayed. Because of the high
    cost and probable infrequent use, the utility may wish to share the cost of the tanker and its
    use with other neighboring utilities.
•   Use smart-keys (keys that include an electronic chip that verifies authenticity) for all vehicles
    and heavy equipment.
•   Install intrusion alarms in vehicles and heavy equipment.
•   Install global positioning system (GPS) tracking systems in vehicles and heavy equipment so that
    they may be located if stolen, and crews and equipment closest to a problem can be dispatched.
    Multiple Benefits: Besides locating stolen vehicles and equipment, GPS systems improve service
    response time as dispatchers are aware of the location of the crew closest to a trouble call.

3.8 Additional Operational Considerations for Remote Facilities
Remote facilities are those that are typically unattended, including pump stations, combined sewage
overflow facilities, stormwater retention ponds, effluent disposal sites that are away from a treatment
facility (e.g., infiltration basins, spray fields), and smaller wastewater treatment plants (e.g., package
While larger remote facilities such as master pump stations and combined sewer overflow (CSO)
facilities typically have standby generators onsite, most remote pump stations, because of their
smaller size, site constraints, or relatively low criticality, have no onsite alternative to the main power
feed from the electric utility. Thus, an attack on the power grid could result in sewage overflows and
backups. The alternative is for wastewater utilities to use portable generators that can be brought to
the site of the pump station.
Many wastewater utilities have one or more portable, trailer-mounted generators that are towed to
sites needing temporary power. However, utilities that operate a large number of remote facilities
(e.g., many wastewater utilities in Florida and other coastal states that operate hundreds of remote
pump stations) have typically relied upon other utilities and state and federal agencies to provide
additional generators during a large-scale power outage. However, experience has shown that
generators supplied by the federal and state agencies typically do not meet the needs of the
wastewater utility. These generators rarely arrive in time to prevent overflows and backups, are
frequently incompatible with the remote facility's power needs, or cannot be delivered because no
one from the utility is available at the remote site or there is no equipment to lift the generator off the
delivery truck.
Consequently, wastewater utilities should maintain a stock of trailer-mounted generators to meet
their needs, or more cost-effectively, develop mutual aid agreements (see Section 2.11) with other
wastewater utilities over a wide geographical area to standardize the standby power requirements of
remote facilities and cooperatively purchase portable generators that would be available to all parties
of the agreement.
Other operational considerations beyond those previously covered in Section 3 include the following:
•   Utility managers should develop a rapport with residents and business owners who are adjacent
    to and within sight of remote facilities. These "neighbors" of the utility facilities should be
    advised regarding what should be considered suspicious activity at the utility's property and
    where to report their findings.
•   Inspect remote facilities often. Although the trend over the last decade or more has been to
    reduce the frequency of utility staff visiting remote facilities, reversing this trend may be
    reasonable if the DBT and threat condition warrants. This is especially true for master pump
    stations that serve significant portions of the service areas and major CSO facilities.
•   Change inspection schedules frequently to minimize the ability of an adversary to plan according
    to when a remote facility will be unattended.

•   Provide frequent grounds maintenance at remote facilities, particularly retention ponds,
    sprayfields, and infiltration basins to prevent overgrowth that could offer hiding places for

3.9 Special Operational Considerations for Collection Systems
With the vast extent of collection systems and the lack of a means to continuously monitor manholes,
catch basins, and sewers, heightened awareness by both employees and the public as described in
Section 3.1 must play a key role in protecting the infrastructure.

3.9.1 Preventing Access to the Collection System
Access to wastewater collection systems is possible through sinks, showers, water closets, and other
sanitary drains, as well as catch basins and curb inlets in combined sewer systems and stormwater
systems. However, physical access is limited to entry by manhole or catch basin, as is the dumping of
large quantities of flammable liquids. The following measures should be considered:
•   Through newsletters and bill inserts (in cooperation with a billing agency such as the water
    supplier), encourage the public to report missing manhole covers or inlet grates, as well as
    suspicious activity around manholes and catch basins.
•   Periodically inspect manhole covers and catch basin grates to assure they are secure and locked
    where a locking device has been installed (see Section 4.5.2). Inspections should be prioritized
    based on threat level and vulnerability of the system, although they often focus on larger-
    diameter gravity sewers and portions of the collection system that are adjacent to and serve
    government offices and high-density commercial and residential areas.
•   Periodically inspect force main valve boxes, exercise valves, and exposed air release valves to
    assure they are in working order and have not been tampered with.

3.9.2 Monitoring Wastewater
Wastewater utilities with large industrial and commercial components to their wastewater stream are
subject to potential plant upset conditions if the quantity or quality of the discharges into the sewer
system significantly changes. Industrial and commercial connections into the wastewater collection
system are rarely monitored with the exception of periodic pretreatment program sampling. The
implication is that large commercial or industrial connections could potentially be used to discharge a
contaminant into the collection system causing significant impacts on the treatment facilities. For
•   The contaminant, such as a low pH solution, could cause a major plant upset that would reduce
    the wastewater treatment facility's treatment capabilities. The result would be the release of
    partially treated wastewater into the environment.

•   The contaminant, such as cyanide, could pass through wastewater treatment facilities process
    without any significant reduction. The result would be the release of a toxic compound into the
Some wastewater utilities have instituted real-time collection system monitoring of the wastewater in
the major interceptors. These utilities are developing an emergency response plan to react to unusual
changes in wastewater quality to protect the downstream wastewater treatment facility. Actions that
have been considered are:
•   Implement continuous water quality monitoring devices (i.e., pH, conductivity, ORP) in the
    collection system at key locations and at the headworks of the wastewater treatment facility.
•   Identify acceptable ranges of the parameters being analyzed, and track the water quality
    monitoring data through a SCADA system.
•   Develop a flow-based tracking system from each water quality monitoring location to the
    wastewater treatment facility. This system should track the contaminant plume into the
    wastewater treatment plant and facilitate activation of response plans.
•   Develop a response plan at the wastewater treatment facility to divert and contain the
    contaminant plume when it enters the facility. Potential facilities that could be used include flow
    equalization basins or one of the primary treatment trains.
•   Develop a process to identify, treat, and dispose of the contaminant.
Exhibit 3-4 is an example of a floating buoy continuous monitoring system that was developed by
Irvine Ranch Water District in California for its collection system and wastewater treatment facility.
EXHIBIT 3-4
Example of a Collection System Monitoring Device
(Figure labels: Pull Rope, Power Wires, and Sample Tubing; Pull Rope and Instrumentation Wires)
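
The range check and flow-based tracking steps listed above, shown in code. This is an added example, not code from the guidance or from any utility; the acceptable ranges, station data, readings, three-sample persistence rule, and plug-flow travel-time estimate are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed acceptable ranges (assumptions); a utility would set its own
# from baseline data for each monitoring location.
ACCEPTABLE = {
    "pH": (6.0, 9.0),
    "conductivity_uS_cm": (300.0, 1500.0),
    "ORP_mV": (-300.0, 100.0),
}


@dataclass(frozen=True)
class Station:
    name: str
    distance_to_plant_m: float  # sewer length from the sensor to the headworks
    velocity_m_s: float         # mean flow velocity reported for that reach


@dataclass(frozen=True)
class Reading:
    station: str
    time: datetime
    parameter: str
    value: float


@dataclass(frozen=True)
class Alert:
    station: str
    parameter: str
    first_seen: datetime    # first sample of the out-of-range run
    worst_value: float      # value farthest from mid-range when the alert fired
    eta_at_plant: datetime  # estimated arrival of the plume at the headworks


def out_of_range(reading):
    low, high = ACCEPTABLE[reading.parameter]
    return not (low <= reading.value <= high)


def plume_eta(station, first_seen):
    """Plug-flow travel time (distance / velocity), a simplifying assumption."""
    if station.velocity_m_s <= 0:
        raise ValueError("flow velocity must be positive")
    travel_s = station.distance_to_plant_m / station.velocity_m_s
    return first_seen + timedelta(seconds=travel_s)


def detect_excursions(readings, stations, min_consecutive=3):
    """Alert when a parameter stays out of range for min_consecutive samples.

    Requiring a run of samples filters single-sample sensor glitches. One
    alert is raised per excursion; it re-arms after an in-range sample.
    """
    runs = {}        # (station, parameter) -> consecutive out-of-range readings
    alerted = set()  # keys whose current excursion has already alerted
    alerts = []
    for r in sorted(readings, key=lambda x: x.time):
        key = (r.station, r.parameter)
        if not out_of_range(r):
            runs.pop(key, None)
            alerted.discard(key)
            continue
        run = runs.setdefault(key, [])
        run.append(r)
        if len(run) >= min_consecutive and key not in alerted:
            low, high = ACCEPTABLE[r.parameter]
            mid = (low + high) / 2
            worst = max(run, key=lambda x: abs(x.value - mid))
            eta = plume_eta(stations[r.station], run[0].time)
            alerts.append(Alert(r.station, r.parameter, run[0].time, worst.value, eta))
            alerted.add(key)
    return alerts


# Constructed sample data: one interceptor sensor, one-minute samples.
STATIONS = {"interceptor-A": Station("interceptor-A", 4500.0, 0.75)}
T0 = datetime(2024, 1, 15, 2, 0)
PH = [7.1, 7.0, 3.2, 7.1, 4.0, 3.1, 2.9, 3.0]  # one glitch, then a sustained drop
COND = [820.0, 815.0, 830.0, 825.0, 840.0, 900.0, 950.0, 940.0]
SAMPLE_READINGS = [
    Reading("interceptor-A", T0 + timedelta(minutes=i), name, value)
    for name, series in (("pH", PH), ("conductivity_uS_cm", COND))
    for i, value in enumerate(series)
]

if __name__ == "__main__":
    for a in detect_excursions(SAMPLE_READINGS, STATIONS):
        print(f"{a.station} {a.parameter} out of range since {a.first_seen:%H:%M}, "
              f"worst {a.worst_value}, plume at headworks about {a.eta_at_plant:%H:%M}")
```

The estimated arrival time is what gives operators the window to divert flow to an equalization basin or a primary treatment train before the plume reaches the facility.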

3.9.3 Satellite Collection Systems
If not already being performed, the pretreatment program or other monitoring program should
include the monitoring of wastewater flows from satellite collection systems, such as for other
utilities, large industrial plants, and communities where the collection system is privately owned or
operated (e.g., apartment complexes). Install monitoring manholes at the connection points, and
employ appropriate sampling equipment.

3.9.4 Overflow Outfalls
Combined sewer and stormwater outfalls provide potential points of access to wastewater assets and
buildings along the pipeline alignment. Inspections of outfalls should be made regularly, and video
monitoring should be considered. Inspections can also help to meet the goals of National Combined
Sewer Overflow Control Policy's nine minimum controls to monitor the frequency of CSO discharges.
If physical barriers are placed over outfalls, regular inspections will be needed to prevent debris
buildup on the grate and failure of the outfall.

Multiple Benefits
Regular inspections of the collection system can also serve the needs of asset inventory and
condition assessment programs called for under the National CSO Control Policy.

3.9.5 Culverts
Culverts, primarily large diameter and box culverts, provide a potential hiding area for adversaries.
Culverts under major roads and railroads may also provide a location for placing an IED. Therefore,
frequent inspections should be made of large culverts, especially those passing under major
roadways and  railroads. Vegetation around the inlet and outlet of culverts should be eliminated or
well maintained to make inspections from a distance easier.

3.9.6 Deep Tunnels
Several utilities in the U.S. convey combined wastewater and stormwater through large diameter
tunnels. These tunnels may be 10 meters (33 feet) or larger in diameter and travel for several
kilometers at depths of 100 meters (328 feet) or more under the surface. Personnel access to the deep
tunnels is through access shafts from the surface; wastewater and stormwater enter the deep tunnels
through drop shafts from the collection system. Because these tunnels are very deep and almost
exclusively constructed by boring through rock, damage from any IEDs placed in the tunnels would
likely cause minimal damage to the tunnel and no damage at the surface other than blowing off
access covers. The vulnerability of deep tunnels lies in their ability to provide adversaries relatively
unimpeded underground access because the water level is usually shallow except during rain events.
Consequently, it is critical that all accessways be kept locked and intrusion alarms monitored at all
times. If CCTV or motion detectors are installed in the shafts or tunnels, they should be monitored at
all times unless video motion detection systems with alarms are used (see Section 6.3.4). Frequent
visual inspections of the shafts and tunnels should also be made.


Design Considerations for Reducing Risk

4.1  General
Wastewater managers and designers have traditionally considered security to be an enhancement
provided for a few facilities and limited to application of electronic access control systems and CCTV
monitoring. Today, wastewater system managers, engineers, and architects must consider security as
an integral design consideration for every building or site that may potentially be threatened by acts
of violence, including vandalism, crime, sabotage, or terrorism. The objective of this section is to
provide guidance that enables wastewater utility decisionmakers and designers to develop secure
sites and facilities to protect people, information, property, and assets related to the mission of
publicly owned treatment works (POTWs)—to provide quality services with effective collection and
treatment of wastewater to protect public health and the environment.

4.1.1 Design Basis
The considerations presented in this section are applicable to designs of new wastewater
infrastructure, upgrades to or expansions of existing infrastructure, and retrofitting of existing
infrastructure for the purpose of increasing security and reducing risk.
Criteria for the design of security systems are based on identification of assets that may become
potential targets, and the threat and vulnerability assessments related to those assets. The threat
assessment determines which threats are credible and likely against a particular asset. The
vulnerability assessment (VA) characterizes those assets that may be targeted, evaluates how they are
currently protected and where they are vulnerable to attack, and considers the consequences of a
successful attack.
Identification and characterization of assets are based on consideration of the mission and the
functions that the assets are required to perform. For example, an administration building may house
a number of different types of assets: people, records, money, tools, keys, computers, controls, and
security or process monitoring systems. Once the assets have been identified, they can be
characterized (i.e., their characteristics described with respect to their attractiveness to various types
of crime or violent attacks). Each of the example assets may attract various types of attack—records,
money, tools, and computers may be most attractive to criminals interested in theft; security and
utility monitoring systems may be more attractive to saboteurs and terrorists interested in
accomplishing significant compromise of the system.
Threats are described based on type of adversary and severity of attack; anticipated tactics (such as a
theft or moving vehicle bomb); weapons, tools, explosives, and/or contaminant agents; and
likelihood of attack. Protective measures that protect against higher severity-level threats may (or
may not) provide sufficient protection against lower-level threats, but all types of threats must be
included in the threat assessment because the protective measures may differ for each type of threat
regardless of severity level. The summation of this information is referred to as the Design Basis
Threat (DBT). The DBT provides the information needed to design a physical protective system to
delay and detect an attack.
This section addresses the delay and denial protective measures that should be coupled with
detection and assessment technology described in Section 6. Attacks targeting command,
communications, and control systems, referred to as cyber attacks, are addressed under Cyber
Security in Section 5, although the physical attacks generated by those adversaries to gain access to
the systems should be protected against using measures described in this section.
The VA considers the routes and means used to attack and to protect the asset from attack. A VA may
consider features and effectiveness of existing facilities or, if used as a design tool for new facilities,
how access may be gained to an asset and how the asset may be compromised or destroyed. The
consequences of a successful crime or attack must also be considered to provide an opportunity to
weigh the cost and impact of implementing appropriate physical protective measures against the
potential consequences of an attack. For example, if vandals using spray paint is the DBT, it may be
costly to replace existing building finishes with materials that resist paint adhesion; if the likelihood
of the attack is low and consequences minimal (i.e., no loss of life, mission disruption, or depletion of
functionality anticipated after spray painting the building walls), the utility may determine that the
consequences do not justify the investment to address that DBT. In another example, a successful
theft may be disrupted after removal of the asset but before the thief successfully escapes the site.
This allows the delay factor to include "getaway" time as long as the asset is still intact when the
adversary is apprehended.

4.1.2 Utility Size and Resources
The basis for security system design is not a function of a utility's size. Rather, the determining
factors as described above are the identification of assets that may be targets of malevolent attacks,
the characterization of threats, and the assessment of the assets' vulnerabilities. Many small utilities,
and some larger utilities, may not have the necessary resources to put into place many of the security
systems that are presented in this section. Consequently, it is imperative that utilities go beyond the
vulnerability assessment to evaluate associated risks and the costs necessary to reduce those risks
before embarking on a program of physical protection system design and implementation. As
discussed in earlier sections of this  document, most utilities will achieve a significant reduction in risk
at a relatively low cost through adoption and enforcement of security-related policies and operational
procedures. Beyond that, the determination of what capital investments to make should be based
upon the utility's analysis of risk reduction per unit cost.

4.2  Physical Protection System Concepts
In general, physical protection systems are focused upon reducing risks associated with outsider
threats. Physical protection systems can be effective for insider threats only where security layers are
employed to limit an insider's access to specific assets within a  facility (see Section 4.2.2).


An important consideration when designing physical protection systems: Physical protection systems
should NOT interfere with life safety, occupational safety, and fire protection provisions. Security
systems must be balanced with and complementary to other design criteria and requirements.

4.2.1 Required Elements of a Physical Protection System
There are several elements required for an effective physical protection system design: detection,
delay, and defense or response. Once a potential attack is detected, the physical protection system
must delay an adversary from accomplishing his or her objectives until a response force can
prevent a successful attack. Each of these elements is quantifiable in terms of timing. That
is, detection is the point at which the clock starts with respect to an attack event; delay is the amount
of time required to allow a response force to stop the attack. For example, local authorities may
indicate to utilities that a team can be on site and disrupt an adversary within 15 minutes. That time
dictates that the physical protective measures established must delay the adversary so that the
response force may arrive in time. In this example, the delay times must add up to slightly more than
15 minutes to be effective.
Detection refers to the point at which a potential attack is discovered, assessed, and determined to be
an attack in progress rather than a false alarm. Once an adversary has been detected, the delay
timeline starts. To maximize delay, detection should be as far as possible from the targeted asset, with
delay elements placed between the point of detection and the asset. Locating delay systems as  near as
possible to targeted assets also helps to reduce cost by minimizing the size of the security envelope
surrounding the assets. The delay afforded by various building or perimeter protection systems can
be (and for many systems, has been) measured (see Exhibit 4-1).
Deterrence is often a consideration in design as well, although deterrence cannot be quantified (if
there is no attack, it is unknown whether these measures successfully prevented it). Therefore,
deterrence typically is not considered part of an effective physical protection system. However,
because deterrent measures can effectively prevent or reduce the opportunity or likelihood of attack
and can often be cost-effectively integrated into a facility design through prudent application of
appropriate strategies, deterrence measures are discussed in this section as well.
4.2.2 Protection  in Depth
"Protection in depth" is a term used in the security industry referring to the recommended strategy of
providing multiple layers of protective measures requiring an adversary to defeat a system, travel to
the next protective layer and defeat that system, and so forth until reaching the target. An example of
protection in depth is the application of layers of protective measures at the site boundary (perimeter
fencing system), at the building envelope (exterior walls, doors, windows, grilles, and roof system),
and at the target enclosure (the room in which the targeted asset is housed).

Task Description (columns: Time Estimate, Cumulative Time)
•   Climb over fence
•   Run 76m
•   Force door
•   Walk 45m
•   Cut lock
•   Walk to container
•   Open container and gather material
Total (approx 3 minutes)
         EXHIBIT 4-1
         Concept of Delay Calculation

For example, as depicted in Exhibit 4-2, an effective security layering approach requires that an
adversary penetrate multiple separate barriers to gain entry to a critical asset at a typical wastewater
facility. Protection in depth can help to ensure that the security system remains effective in the event
of a failure or an adversary bypassing a single layer of security.
Note that for each layer, the layer is only as effective as the weakest element within that layer. For
example, investing in blast resistant doors to resist terrorist threats is unwarranted if the surrounding
wall construction is inadequate to withstand the same loads. For specific DBTs, complete and
consistent layers of protection in depth should be provided.
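
The timing rule in Section 4.2.1 and the weakest-element rule in Section 4.2.2, worked as an added example that is not part of the original guidance: only delay that lies between the first monitored detection point and the asset counts against the 15-minute response time, and each layer contributes the delay of its weakest element. All layer names and delay values are constructed, and crediting no delay to the detecting layer itself is a conservative assumption.

```python
from dataclasses import dataclass, replace
from typing import Optional

RESPONSE_TIME_S = 15 * 60  # the 15-minute response force example from the text


@dataclass(frozen=True)
class Layer:
    name: str
    elements: dict         # element name -> delay in seconds (constructed values)
    detects: bool = False  # an alarm on this layer is monitored and assessed

    def weakest(self):
        """Return (element, delay) for the lowest-delay element in the layer."""
        return min(self.elements.items(), key=lambda kv: kv[1])


@dataclass(frozen=True)
class Assessment:
    detected_at: Optional[str]
    credited: tuple              # (layer, weakest element, delay) after detection
    delay_after_detection_s: int
    margin_s: int                # credited delay minus response time
    timely: bool                 # True when the response force arrives in time


def assess(layers, response_time_s=RESPONSE_TIME_S):
    """Evaluate layers ordered from the site boundary inward to the asset."""
    first = next((i for i, layer in enumerate(layers) if layer.detects), None)
    if first is None:
        # No monitored detection: the response clock never starts.
        return Assessment(None, (), 0, -response_time_s, False)
    # Conservative assumption: the alarm is confirmed only once the detecting
    # layer has been defeated, so that layer's own delay is not credited.
    credited = tuple((l.name, *l.weakest()) for l in layers[first + 1:])
    total = sum(delay for _, _, delay in credited)
    margin = total - response_time_s
    return Assessment(layers[first].name, credited, total, margin, margin >= 0)


# Constructed delay values for illustration only; real figures come from
# rated assemblies and measured tests.
DESIGN_A = [  # detection only at the building envelope
    Layer("perimeter fence", {"fence fabric": 10, "vehicle gate": 30}),
    Layer("building envelope",
          {"exterior door": 60, "window": 20, "wall": 600}, detects=True),
    Layer("target enclosure", {"room door": 90, "room wall": 300}),
]
DESIGN_B = [  # detection moved to the perimeter, delay added near the asset
    Layer("perimeter fence", {"fence fabric": 60, "vehicle gate": 60}, detects=True),
    Layer("building envelope",
          {"rated door": 300, "rated window": 300, "wall": 600}),
    Layer("interior corridor", {"locked door": 240}),
    Layer("target enclosure", {"rated door": 420, "room wall": 600}),
]
# Same as DESIGN_B, but with one unrated window left in the building envelope.
DESIGN_B_WEAK = [
    replace(l, elements={**l.elements, "unrated window": 20})
    if l.name == "building envelope" else l
    for l in DESIGN_B
]

if __name__ == "__main__":
    for label, design in (("A", DESIGN_A), ("B", DESIGN_B), ("B-weak", DESIGN_B_WEAK)):
        result = assess(design)
        print(f"design {label}: detected at {result.detected_at}, "
              f"delay after detection {result.delay_after_detection_s} s, "
              f"margin {result.margin_s} s, timely={result.timely}")
        for layer, element, delay in result.credited:
            print(f"    {layer}: weakest element is {element} ({delay} s)")
```

In the constructed data, the single unrated window turns a 60-second margin into a 220-second shortfall, which is the weakest-element point made above.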

4.3 Physical Protection Systems Design
The approaches described in this section present a combination of two design principles:
•   Crime Prevention Through Environmental Design (CPTED)
•   Traditional target hardening
CPTED principles take advantage of integral features of site and facility design to enhance security by
reducing the opportunity for crimes to occur. CPTED is essentially a crime prevention philosophy
based on the theory that proper design and effective use of the built environment can lead to a
reduction in the fear and incidence of crime, as well as an improvement in quality of life. To
accomplish this, designers  use natural, mechanical, and procedural means.

EXHIBIT 4-2
Example Layered Security Recommendations for a Facility
(Figure labels: Entry-control point; Layer #1; Layer #3; Layer #4; Card-entry door)

Target hardening refers to enhancement of physical construction systems to increase delay or deny
access to the targeted asset. Hardening typically includes enhancements such as application of doors,
locks, and window systems that have been tested and rated for specific levels of resistance to forced
entry (rated in minutes delay time), ballistics (resistance to specific weapons and ballistic impacts), or
blast (ability to withstand various blast loads at certain distances). The recommendations included in
this section that are considered approaches to target hardening generally have measurable
characteristics with respect to the DBT requirements for delay.

4.3.1 CPTED Strategies
CPTED strategies deter crime by reducing the opportunity to commit crimes, the likelihood that a
crime will occur, and fear of crime generated by experience related to certain environmental
conditions. The concepts embodied in CPTED strategies may be applied to all facilities, regardless of
specific threats, which enhances security as an integral part of design. Because CPTED
strategies may be widely and cost-effectively implemented as prudent measures irrespective of
specific threats, they should be among the basic design considerations for new, upgraded, and
expanded wastewater facilities of any size. CPTED strategies can be considered within the following
four categories:


•   Access control. Physical guidance of vehicles and people going to and coming from a space
    through judicious placement of entrances, exits, landscaping, lighting, and controlling devices (e.g.,
    guard stations, turnstiles, etc.)
•   Territorial reinforcement. Physical attributes that express ownership, reinforce territoriality, and
    designate a gradient from public to restricted spaces. Examples include natural markers
    (landscaping, choke points), symbolic markers (signage, stickers), physical barriers (fences), and
    procedural barriers (receptionist, guard).
•   Surveillance. The placement of physical features, activities, vehicles, and people in such a way as
    to maximize visibility by others during their normal activities. Surveillance may be natural or
    electronic, informal (office windows  placed to facilitate surveillance of entry roads) or formal
    (continuous monitoring).
•   Image and maintenance. Vigilant site and facility maintenance indicates that the space is being
    used and regularly attended to, and possibly occupied. Proper grounds maintenance also
    sustains surveillance. Image and maintenance activities are mostly related to management and
    operations rather than design.
The following are CPTED strategies that should be considered for the design of wastewater facilities.

Perimeter
•   Provide access via no more than two designated and monitored entrances.
•   Position all pedestrian entrances next to vehicle entrances.
•   Control access with fences, gates, and/or attendants (guards).
•   Provide sufficient lighting at all entrances (see Section 6).
•   Create gateways or formal entrances delineated by plantings, different paving materials, fencing,
    and gates to separate public areas from controlled areas.
•   Define vehicle entrances by different paving materials and signage.
•   Avoid opaque fencing, landscaping, and walls that might provide hiding places along
    the perimeter.

Site
•   Provide a clear zone of 15 to 30 meters (50 to 100 feet) or more to enhance visual observation by
    personnel and to create a demarcation zone that makes unauthorized persons more noticeable.
•   Thoroughly illuminate the clear zone (see Section 6) to make it easier for employees, guards, law
    enforcement,  and others passing by to observe and identify intruders.
•   Avoid dead-end driveways and pathways.
•   Provide access to both the front and  back of buildings to facilitate patrols.
•   Provide close-in parking spaces for third-shift workers.
•   Restrict access to roofs from adjacent buildings, dumpsters, loading docks, poles, and ladders.


•   Place approach and parking so as to be visible to building occupants, especially from a reception
    area if one is planned, and/or guard shacks.
•   Use walls only where necessary; consider stretched aircraft cable as an alternative for maximum
•   Prevent creation of hiding places (e.g., blind pathways, storage yards, etc.).
•   Plan storage areas for visual and/or vehicular access by patrol cars, but limit access to personal
•   Use landscape plants that mature within the available space and do not obstruct light fixtures.
•   Use plant materials that prevent easy passage as boundary delineators (e.g., crown of thorns and
    other thorned shrubs, hollies, Spanish bayonet).
•   Include highly visible, appropriate signage, but do not describe asset or facility function on the
    signs. Use building numbers rather than names that could identify potential asset locations.

Buildings and Other Structures
•   Design entrances to be well-lit, well-defined, and visible to public areas and patrol vehicles.
•   Place elevators close to main entrances. The interior of the elevator should be in view from the
    entrance when the doors are open; in addition, the entire entrance should be visible from the
    interior of the elevator.
•   Design stairways to be visible without solid walls.
•   Position all employee entrances next to employee parking.
•   Position restrooms to be observable from nearby offices or work areas.
•   Design interior windows and doors to provide visibility into hallways.

4.3.2 Target Hardening to Address the Design Basis Threat
The measures discussed in this section provide specific and quantifiable results if implemented as
part of a comprehensive physical protection system. As noted above, detection, delay, and
defense/response are the basic elements of a physical protection system. This section addresses those
physical security elements that support detection (such as fencing that delineates a boundary at
which detection is provided) and delay or prevent the crime or attack event through application of
target-hardening enhancements. The protective measures discussed below relate to the specific
threats identified previously: vandal, criminal, saboteur, and terrorist.
The measures indicated below were selected based on minimum measures being implemented for
many federal facilities, including Department of Defense (DoD), Department of State (DoS), and
General Services Administration (GSA) facilities. They relate to assumed threats such as stationary
vehicle bombs carried in trucks parked near targeted facilities, various levels of forced entry, and
ballistics threats.


These measures are listed as general guidelines. The specific DBT for each facility affects the
implementation or selection of these measures, which in turn impacts implementation cost. For
example, a minimum 45-meter (148-foot) standoff distance is included as a default distance where
space allows. For extremely high threat levels (very large quantities of explosives), this may be
insufficient; for extremely low quantities of explosives, such as what can be carried by a pedestrian or
bicyclist, a lesser standoff distance is possible. Explosives threats require specific design to balance
standoff distances (the least costly means of increasing survivability of structures against blast
threats) with hardening of construction assemblies.
The following sections describe considerations  to reduce risk through design of physical protective
measures based on the specific threat categories described in Section Protective measures are
generally listed by site, building envelope, and  specific building systems.
The following recommendations are in addition to those listed in the section above on CPTED
strategies. These protective measures are considered design and construction enhancements that
"harden" facilities to resist various types of attacks. Because the threats are listed in order of severity,
protective measures listed for each lower-level  threat are not repeated for the higher-level threats but
assumed to be considerations for the higher levels as well. Exhibit 4-3 depicts the recommendation
that the design of all wastewater facilities includes CPTED strategies and that, for increasing threats,
additional considerations are recommended to  be added to the design.
EXHIBIT 4-3
Recommendations for Design Progression
(Figure labels: Section 4.3.1, All; Countermeasures Against Vandal, Criminal, Saboteur, and Terrorist Threats; Designs for Vandal, Criminal, Saboteur, and Terrorist Threats)

Countermeasures Against the Vandal Threat
Vandals typically use basic hand tools, such as pliers, wire cutters, hammers, crowbars, and baseball
bats, to gain access to assets and may damage facilities using spray paint, fire crackers, fires, and
improvised incendiary devices (IIDs). To prevent vandals from accomplishing their objectives,
numerous materials, assemblies, and components have been developed for areas that attract
significant vandalism and graffiti. These vandal-resistant items include:


•   Composite plastics that resist graffiti, shattering, and scratches
•   Lights with low-profile lenses or recessed lenses
•   Security cameras and equipment
•   Switches and controls
•   Locks
•   Valves
•   Cages or other protective fittings
In addition to implementing vandal-resistant materials and components, the following physical
protection measures are recommended:

•   Establish a perimeter fence surrounding the facility at an appropriate standoff distance to
    provide a clear zone (see "Site" below). Standoff distance is the distance between the outside
    perimeter (the public areas) to critical facilities or buildings inside the perimeter (the restricted
    access area). See Exhibit 4-4.

EXHIBIT 4-4
Example Standoff Distance and Clear Zone


•   Use fencing that resists climbing. Examples of such fencing in order of increasing relative cost
    and climbing difficulty include chain-link fencing with small mesh openings, expanded metal
    mesh fencing, and climb-resistant security fencing, including ornamental iron fencing topped
    with curved pickets.
•   Install fencing that is 2.5 meters (7 feet) or higher, with 9 gauge or thicker wire, and, as necessary,
    topped with one or two outriggers with barbed wire strands, razor tape, or concertina wire rolls.
    Fencing may also be curved at the top to prevent climbing over.
•   Securely anchor fence posts in concrete footings to prevent the fence from being pushed over or
    pulled out of soft soils.

•   Designate a clear-zone area from the perimeter fence to building exterior. Within the clear-zone
    region, minimize landscaping and other features that provide concealment. Clear zones enhance
    visual observation by security personnel and create a demarcation zone that makes unauthorized
    persons more noticeable.
•   Fence over the top of smaller site elements to completely enclose critical areas within the site.

Buildings and Other Structures
•   Use non-removable bolts, hinges, screws, and other attachments to prevent removal of locks,
    fittings, and other items that are attached to surfaces.
•   For surfaces that may be subject to vandalism, use glazed concrete masonry units or glazed
    ceramic tiles. Special vandal-proof tiles that look attractive but will not readily mark or scratch
    are also available.
•   Apply non-stick, non-mark polyurethane-based paints and coatings for internal or external
•   Rough-textured bricks, blocks, or rough concrete surfaces resist damage, and could present a
    challenge to vandals, although they are difficult to clean.
•   Illuminate exterior areas surrounding assets and facilities.
•   Use climb-resistant cages  around exterior ladders.
•   Locate luminaires beyond reach, placing them on high posts or high on building walls.
•   Lighting equipment should not be located in hidden corners or behind buildings where it can
    easily be tampered with.
•   Select lighting and other exposed equipment with scratch and vandal-resistant finishes that
    prevent corrosion, bending and deforming, and with locked and/or concealed fittings
    and controls.
•   Instead of glass, use plastic materials such as polycarbonate.
•   Select exterior furnishings of strong, vandal-resistant construction that is free of easily removed
    or uses projecting parts that are easily repaired. Anchor items to concrete if possible.
•   Locate signs beyond reach where possible and feasible.


•   Use vandal-resistant plastics in illuminated bollards, light fixtures, and traffic lights.
•   Locate pipes, valves, and other appurtenances that may be damaged behind sturdy fencing or
    panels with tamperproof fastenings.
•   Use materials that are nonflammable.
•   Provide locked security cages around meters and exposed valves or fittings. Use vandal-resistant
    locks.

Countermeasures Against Criminal Threats
The criminal threat includes weapons such as knives and handguns, as well as hand and power tools.
To accomplish the criminal's objective of using stealth, power tools are unlikely to be employed
except by the highest severity level of criminal threats, which fall into the saboteur category.
Criminals are generally assumed to be less interested in creating damage than they are in obtaining
an asset and leaving the crime scene undetected. In addition to recommendations to resist vandalism,
consider the following:
•   Provide emergency telephones throughout the site.
•   Bury or otherwise conceal conduits and wires carrying electric supply, telecommunications, and
    alarm signals.

Buildings and Other Structures
•   Minimize signage that may guide adversaries to specific asset locations. Refer to room numbers
    rather than asset locations.
•   Provide warning signs to restrict access but avoid describing asset or reason.
•   Provide a waiting area for visitors.
•   Locate door locks a minimum of 100 cm (40 in) from adjacent windows.
•   Use single-cylinder dead bolt locks with minimum 1-inch throw on primary ground floor exits.
•   Use locksets with removable cores to permit easy replacement should a keyed-alike system
    be compromised.
•   Equip solid exterior doors with 180-degree door viewers.
•   Minimize windows, including glazed entrance door windows.
•   Use shatter-resistant glazing materials.
•   Use two locking devices on all windows.
•   If the DBT includes the potential to threaten people with handguns, provide bullet-resistant
    construction assemblies (walls, windows, doors) in those areas. For example, provide bullet-
    resistant prefabricated guard shelters, control rooms, or bill-paying booths for accounts
    receivables areas.

•   Locate critical assets and functions to the interior of facilities to maximize layers of delay between
    access points and assets, and within view of areas occupied 24 hours per day, if possible.
•   Locate critical assets and functions in areas of buildings where they may be difficult to find. For
    example, locate control rooms or accounting areas away from lobby areas.
•   Provide a facility access control system that employs:
    -  Monitoring of all perimeter openings (personnel doors, rollup doors, and roof hatches) and
       locked interior doors for door ajar status.
    -  Establishing a primary entrance door and adding access control, a visitor intercom, and video
       surveillance equipment.
    -  Identifying critical exterior circulation doors, and adding access control to those doors. These
       doors should be designated as access-controlled doors and should only be accessible by
       employees. Access control methods could consist of adding key locks, keypads, or card
       readers with or without using personal identification numbers (PIN) for entry.
    -  Designating remaining doors without exterior access control as exit-only. Remove exterior
       door hardware from exit-only doors. Ensure that on the interior side of the doors appropriate
       exit hardware remains, allowing free access under emergency egress conditions.
    -  Establishing a secure lobby area, with hardened doors capable of being activated by security
       to go to "locked-down" mode.
    -  Using hardened and protected hasp padlocks.
    -  Providing CCTV camera surveillance of incoming personnel into the secure lobby area using
       a minimum of two cameras; one records body size and clothing characteristics and one
       records a close-up of facial characteristics. All CCTV surveillance should be recorded
       digitally. See Section 6.3.4 for available CCTV technology.
    -  Establishing a secure area to house CCTV monitors, security computer equipment, radios,
       and so on.
    -  Considering the addition of layered access control to high value areas within the facility
       (such as SCADA rooms).
    -  Segmenting access control such that only employees requiring access to high-value areas are
       permitted access, rather than all employees having access to all areas.

Countermeasures Against Saboteur Threats
Saboteurs intent on destruction, disruption, or contamination will avail themselves of an almost
unlimited variety of hand, power, and thermal tools (including construction tools such as cutting
torches), contaminant agents, IEDs and IIDs, as well as higher-level ballistic weapons. This represents
a significant threat level and effective protection measures can be very costly. Consider the following
recommendations in addition to those for the vandal and criminal threats:
•   Locate entry control, perimeter detection and barriers as far as possible from facilities or assets to
    denote a standoff zone. If conventional building construction is used, the standoff zone should be
    a minimum of 45 meters (148 feet)16 from asset location to provide survivability against vehicle
    bombs. However, depending upon the DBT, the standoff distance necessary may be substantially
    greater. Refer to DoD's Unified Facilities Criteria17 and the Army's IED Safe Standoff Distance
    Cheat Sheet18 for further guidance.
•   Control access to sites by unauthorized vehicles through use of an entry control point for vehicular
    and pedestrian traffic (Exhibit 4-5). An effective entry control point must provide a:
    -   Means to associate vehicle with driver, such as validation of the drivers' identification prior to
        authorizing access,
    -   Mechanism to turn away unauthorized vehicles or
    -   Location for inspection of vehicles and their contents including bomb detection equipment
    -   Location to detain unauthorized persons and their vehicles
    -   Bullet-resistant guardhouse with toilet facilities and weather protection
    -   Turnstile for pedestrians that can entrap potential adversaries failing validation
        of identification
    -   Barrier to prevent a vehicle from penetrating the gate or crashing into the guardhouse
    -   Ram-resistant gate
    -   A telephone or intercom

    EXHIBIT 4-5 Entry Control Point with Protected Guardhouse

•   Design entry control points to ensure unimpeded access by emergency vehicles (i.e., fire-rescue,
    police, and ambulance).
•   Provide vehicle barriers surrounding perimeter of site.
    -   Vehicle barriers to resist moving vehicles must be designed for the vehicle weight, including
        explosives carried, and the speed at which the vehicle may be traveling. The location of the
        barrier must consider the time to activate and fully deploy the barrier before the vehicle
        reaches the barrier, as well as the acceleration opportunity that distance allows for
        the vehicle.
16 DoD Minimum Antiterrorism Standards for Buildings, UFC 4-010-01, October 8, 2003

    -   Vehicle barriers to resist moving vehicles may be active or passive depending on the
        application requirements. If unrestricted access is generally required with deployable barriers
        available to stop unauthorized vehicles, active barriers should be used.
    -   Examples of active barriers are shown in Exhibit 4-6 and include:
        •   Retractable bollards
        •   Hydraulic ramp, drum, wedge, and plate barriers
        •   Sliding gates
        •   Cable-beam barriers
        •   Manual plate barriers
        •   Portable crash barriers

    EXHIBIT 4-6 Examples of Active Barriers (panels: cable-beam barrier, retractable bollards,
    drum-type barrier, sliding-gate barrier)

    -   Passive barriers that resist ramming include:
        •   Aircraft cable barriers that may be integrated into the perimeter fence. Aircraft cable
            must have anchorage and foundation systems designed to resist the forces of moving
            vehicles loaded with explosives (Exhibit 4-7).
        •   Landforms and landscaping elements such as ditches, berms, heavy vegetation,
            boulders, bollards (designed to resist vehicle ramming), and concrete.

    EXHIBIT 4-7 Perimeter Fence with Aircraft Cable Anchored to Concrete

•   Provide remote meter reading devices or locate meters outside of the perimeter barrier to
    eliminate the need for electric, gas, and water meter readers to come onto the facility site.

•   Control the potential for vehicles to gain speed between the entry control point and assets by
    chicanes, speed bumps, or other traffic-calming devices.
•   Select sites for critical assets that allow minimum 45 meter (148-foot)  stand-off distance around
    occupied facilities and the critical assets subjected to attack.
    -   Consider placing critical assets below grade or using earth-sheltered buildings to protect
    -   Provide redundant critical utility connections, such as power service, communications, water,
        and wastewater for high security assets.
•   Secure exposed exterior valves, hydrants, manholes, and other appurtenances.
•   Enclose exterior areas housing critical assets with expanded metal mesh enclosures, reinforced
    grouted concrete block, or reinforced concrete walls with roof grilles  to prevent access to assets.
•   Locate fuel tanks, natural gas lines, or fueling stations as far from critical assets as possible.

Buildings and Other Structures
•   Use forced entry-resistant window and door assemblies. Assemblies  must be rated for forced-
    entry resistance commensurate to the DBT level anticipated (rated assemblies are tested for
    minutes of resistance to attack using various combinations  of hand, power, and thermal tools)
    and should include the entire assembly: window/door, frame, anchorage to wall, and lock and
    hinge hardware.
•   Provide high security, forced entry-resistant hardware, including locks, lock bolts, hinges, etc.

Countermeasures Against Terrorist Threats
Unless the terrorist is intent on stealth, detection is relatively easy and of little importance to the
terrorist. Depending on the specific DBT, the following tactics may be employed by terrorists:
stationary vehicle bombs parked near targeted facilities; moving vehicle bombs; carried explosives
and IEDs; RPGs and mortars; IIDs; any type of hand, power, or thermal tools; automatic assault-type
weapons; and contaminant agents. Protective measures to resist blast threats are intended to prevent
or minimize casualties; more costly systems may result in greater survivability and reusability of
structures. Blast threats require specific blast engineering to develop appropriate resistance levels to
various explosives threats. The greater the distance a blast can be kept from assets, the less likely the
asset will be injured or damaged, so standoff distance is paramount where space allows. In addition
to appropriate protective measures listed for the vandal, criminal and saboteur threats, consider the
following recommendations:
•   Provide a vehicle sally port where vehicles can be detained until the driver identity can be
    confirmed and the vehicle contents and undercarriage can be examined. A video surveillance
    system should be employed at the sally port.

•   Locate assets away from vantage points from where weapons such as RPGs may be fired.
•   Provide pre-detonation screens (materials such as expanded metal or chain-link that serve to
    damage or detonate an RPG as the projectile passes through the material prior to reaching its
    target) at site perimeter between assets and vantage points. Pre-detonation points should be as
    far as possible from assets, including parking areas and occupied buildings.
•   Consider circulation and access to site facilities, including service and mail deliveries. Provide
    sufficient standoff distance between receiving areas, occupied buildings, and critical assets in the
    event bombs are delivered in service or delivery vehicles.
•   Prevent parking adjacent to and under/over facilities (such as rooftop parking or parking under
    occupied sections of buildings). Keep unrestricted parking areas as far from buildings as possible.
•   Locate areas for dumpsters and trash barrels as far away from asset locations as practical.
    Explosive resistant trash receptacles are available, but diligent research must be done before
    purchasing since there is no standard for labeling receptacles as explosive resistant.

Buildings and Other Structures
•   Locate blast walls behind entrances and large windows to prevent glass shards from penetrating
    building interiors.
•   Design building systems to resist blast and contamination attacks included in DBT.
•   Isolate areas where bombs could be received, including loading docks, mail rooms, storage areas,
    and lobbies. Isolation should be accommodated in both structural and mechanical systems.
    Provide vestibules at entries.
•   Locate air intakes as high as possible, at a minimum of 3 meters (10 feet) above grade in building
    walls to prevent contaminants from being introduced. Ensure that equipment, loading docks,
    trash receptacles, ladders, and other building or site appurtenances do not allow access to air
    intakes. Note: air intakes for chlorine rooms must be near the floor.
•   Protect openings to air intakes with sloped mesh screens to prevent objects from being tossed
    into intake openings.
•   Install low-leakage dampers to minimize penetration of introduced contaminants after the HVAC
    system is shut down.
•   Where chemical, biological, or radiological (CBR) release at some distance from a facility is part
    of the DBT, design facility for air tightness or ensure positive pressure is maintained within the
    structure to limit infiltration.
•   Establish a protected clear zone around ground level or low air intake openings with entry
    restricted to authorized personnel only. The clear zone may be fenced or walled (provisions for
    air circulation required by air intake and HVAC equipment must be considered). Illuminate and
    monitor the clear zone (guard patrols or CCTV).

•   Provide grilles with openings no larger than 6 inches in diameter in all openings (both intake and
    return air). Grilles should be resistant to forced entry and anchored firmly into building structure
    to prevent penetration through ductwork or openings.
•   Prevent unrestricted or public access to rooftop areas where mechanical equipment is located.
    Other roof openings, including skylights and roof scuttles, should be locked and replaced with
    forced entry-resistant assemblies.
•   Restrict access to mechanical equipment yards and rooms to authorized personnel only.
    Illuminate and monitor entrances to these areas.
•   Evaluate building control programs to consider isolation and zoning of various areas of facilities
    that house critical assets that may be targeted by contamination tactics, automatic shut-off
    switches to zones or facilities, and pressurization and airflow control especially with respect to
    egress areas. "Shelter in Place" concepts require a single point of control to immediately shut
    down all HVAC systems when a contamination event has been detected or  is anticipated (i.e., if a
    cloud is moving toward a facility). This switch must also be readily accessible to building
    personnel or facility manager.
•   Install back-draft dampers on exhaust fans.
•   Provide safe rooms with separate, dedicated HVAC systems to provide secure areas for
    personnel to move to when the facility may be exposed to contaminants. Safe rooms should
    include indoor air purifiers.
•   Use ducted returns to limit access points from which CBR contaminant agents may be
•   Minimize mixing between HVAC zones.
•   Evaluate adsorbent filtration options with respect to specific DBT contaminants. Higher efficiency
    filtration may be beneficial for certain exposures, but not effective against chemical vapors or
    gases used in chemical attacks, and will likely be extremely costly, require extensive area to
    accommodate the filters, and reduce airflow. Refer to National Institute of Occupational Safety
    and Health (NIOSH) guidelines for more considerations and information.

4.3.3 Additional Design Considerations for Wastewater Treatment Facilities
The heart of any wastewater treatment facility, and a prime target for malevolent acts, is the series of
physical, chemical, and biological processes used to treat the wastewater. Each unit operation and
process is generally designed for a specific function,  with the quality of the plant's final effluent
dependent  on the symbiotic and coordinated performances of all the processes. Although generally
robust, an individual treatment process could be disabled or destroyed by a malevolent act resulting
in excessive or incompatible pollutant loadings to subsequent processes and, eventually, upset
conditions throughout the treatment plant. A treatment plant in an upset condition will not be able to
adequately provide the degree or capacity of treatment for which it was designed and could impact
the quality of the receiving water resulting in detrimental impacts to the environment and downstream users.
Design considerations for securing sites and facilities in general were covered earlier in this
section. What follows are specific design considerations for the impacts of malevolent acts
conducted by individuals once access to the treatment processes has been gained, or the raw
wastewater has been contaminated through the collection system. These design considerations are
not meant to replace what is required by good engineering practice, wastewater industry design
manuals, and regulatory requirements. Rather, what follows are additional design considerations to
mitigate risks associated with malevolent threats of sabotage and terrorism.
For guidance in designing wastewater treatment facilities and individual unit processes, refer to the
numerous publications that are available, including the following:
•   Design of Municipal Wastewater Treatment Plants - MOP 8, WEF, 1998
•   Wastewater Treatment Plant Design, WEF and International Water Association (IWA), 2003
•   Recommended Standards for Wastewater Facilities - 10 States Standards, Health Education Services,
•   Wastewater Engineering: Treatment and Reuse, McGraw-Hill, 2002
•   Several other Manuals of Practice published by WEF that address specific systems and processes

Treatment Facility-wide
Redundancy in design provides multiple tanks, basins, treatment units, pumps, and conveyance
piping and channels to minimize the potential for single points of failure, which are likely to be key
targets for knowledgeable threats. For more information on redundancy refer to WERF's publication,
Efficient Redundancy Design Practices.19
•   To minimize risk to the greatest extent, redundancy should be extended to the entire treatment
    facility so the treatment process consists of multiple parallel trains that are separated by a
    distance that would maintain at least one treatment train operational if another was damaged.
    Interconnect all treatment trains for maximum operational flexibility.
•   Each unit process should consist of two or more process units operating in parallel.
•   Equipment such as pumps, motors, blowers, and chemical feed equipment should also be
    designed in multiples, with sufficient capacity to handle peak flows if the largest piece of
    equipment fails or is taken out of service.
•   Twin power feeds to motor control centers and an individual motor control center for each train
    should be considered.
•   At a minimum, the design for individual processes should be conservative and at peak loadings
    with one unit out of service.
19 Efficient Redundancy Design Practices, Water Environment Research Foundation, 2003

•   For treatment plants with multiple trains, consider peak loadings with one train out of service.
•   Higher redundancies should be considered for critical processes, such as biological processes or
    disinfection systems, where redundancies should be 100 percent of design capacity.
•   On-the-shelf spares of process pumps, motors, valves, meters, controllers, etc. provide redundant
    critical components.

•   Provide each unit process with bypass channels, pipes, and pumps to enable an individual unit to
    be removed from service while providing sufficient treatment at peak flow conditions.
•   Provide channels, gates, pumps, valves, and piping to enable unit processes to be used for
    additional purposes, such as using a secondary clarifier as a temporary chlorine contact chamber.
•   Critical valves, gates, and transfer pumps should be automated to allow for quick shutdown or
    diversion of flows. However, all automated equipment should have manual overrides should
    automated controls or SCADA systems be compromised or offline.

Back-up Power
•   Two independent main power supplies are not sufficient for protecting against saboteur and
    terrorist threat categories. Wastewater treatment facilities should have an onsite backup power
    generation capacity to provide sufficient power during a power outage or blackout to maintain,
    at a minimum:
    -  Processes that are critical to maintaining adequate treatment to meet effluent or reclaimed
       water quality criteria
    -  A reduced level of lighting throughout the plant
    -  Lighting of warning signs, hazardous areas, stairways, and emergency exits
    -  Proper ventilation in confined areas and other locations (e.g., laboratories) that require a
       controlled atmosphere
    -  Power to outlets throughout the facility to permit electric power tools to be used for repairs
•   Provide an automatic transfer switch for rapid transition to backup power when primary power
•   Recent events such as the August 2003 Northeast Blackout suggest that backup power supplies
    and fuel storage should be able to provide at least 48 hours of service.
•   Locate a supplier of skid-mounted or modular housed generator sets that could be rented if
    needed. Consider establishing a contract for preferred-customer status.
•   Treatment facilities should consider looped power distribution networks within the treatment
    plant to enable rapid isolation and removal of a damaged power feed or electrical equipment
    from the power net.
•   Provide uninterruptible power supply (UPS) systems for process controls, SCADA systems,
    alarms, computer networks, and communication systems. See Section 6 for further information.

Small Utility Tip
When designing smaller treatment plants, consider having a receptacle for attaching a portable
stand-by generator rather than an onsite generator.

Access Control
•   Whenever and wherever feasible, tanks and open channels should be covered, and the access
    doors and hatches should be secured.
•   Critical components such as blowers, pumps, motors, motor control centers, and SCADA
    components should be secured within enclosures and hidden from the view of anyone outside
    the perimeter of the facility.
•   Piping and blower ducts should be installed below ground or within secured structures. Utilities
    should be installed underground.
•   Locking mechanisms should be provided for valves and gate operators.
•   Designers should assure that limiting access to process components does not significantly impact
    O&M activities. For example:
    -   Adequate access and room for maintenance and repair must be considered in the layout of
        individual unit processes and equipment.
    -   The ability to remove enclosures may be necessary to replace or repair equipment.
    -   Sufficient ventilation must be provided within enclosures and structures to remove noxious
        and toxic gases and fumes and ensure a healthy work environment for O&M staff.

Influent Pump Station, Preliminary and Primary Treatment
Pretreatment and primary treatment generally consist of influent structures, pump stations, bar
screens, grit chambers, septage receiving stations, primary clarifiers, and associated support
processes such as chemical feed systems, grit and screenings removal, and odor control.

Influent Pump Stations and Influent Structures
•   Influent pump stations should be designed to handle peak flows with the largest pump out-of-
•   Influent pump stations should be designed to enable removal of pumps and motors for repair while
    maintaining the operability of the facility at full capacity.
•   Oversizing the influent pump station wet well or having redundant wet wells should be
•   Where feasible, provisions should be made for temporary bypass of the raw wastewater around
    the influent pump station to wet-weather or similar storage facilities to provide additional
    downtime capability for repair of the pump station.
•   Real-time monitoring for the presence of toxic or explosive chemicals in the influent wastewater
    stream should be provided. At a minimum, pH and lower explosive limit (LEL) monitors should
    be installed, with consideration given to automatic diversion of suspicious influent into holding
    basins. Biotoxin-specific and  similar monitors are currently under development for potable water
    systems and may be available for wastewater systems in the near future.20
20 ASCE Water and Wastewater Security White Papers, 2004

•   Provisions for emergency pretreatment of the influent wastewater may also be considered if real-
    time monitoring indicates abnormal conditions and the presence of a toxicant is suspected.
    Pretreatment approaches include the addition of powdered activated carbon, a strong oxidant
    such as chlorine or potassium permanganate, and the addition of a caustic to neutralize or
    precipitate the toxic chemical.

Preliminary Treatment

Small Utility Tip
Designs for smaller treatment plants may consider redundancy at 50 percent of peak load
conditions, or disregard redundancy of primary clarifiers altogether.

•   Manual backup processes can provide the redundancy desired, especially for smaller wastewater
    treatment plants. Examples include manual bar screens and grit removal.
•   A minimum of two screens in separate channels should be provided. One screen should be
    designed to permit manual cleaning
•   Grit chambers should be provided that have adequate capacities under peak flow and load
    conditions with at least one unit of
•   Individual unit bypasses and multiple full-capacity feed channels should be considered.
•   Redundant support systems such as multiple blowers and ductwork for aerated grit chambers
    and chemical feed systems should be considered.
•   Septage receiving stations should be located in a sally port at least 45 meters (148 feet) away from
    occupied buildings. Discharges from these stations should be upstream of the screens to
    maximize the ability of the treatment plant to treat these wastes.
•   Visual inspection of discharges into the septage receiving station should be performed, along
    with monitoring using sampling equipment.
•   Offline flow equalization/storage basins should be considered to allow any influent that is
    suspected of being contaminated to be diverted from the treatment processes. If possible, at least
    8 hours of storage  at the average daily flow rate should be provided. Basins should be located to
    take flow after preliminary treatment but before primary treatment.
•   Odor control processes such as chemical scrubbers that utilize fans or blowers should be secured
    within a higher security layer to lessen the risk of a toxic agent being added that could be
    aerosolized.

Primary Clarifiers
•   Redundant unit processes and adequate capacities under peak flow and load conditions with at
    least one unit out of service should be considered.
•   Treatment plant designs should incorporate the flexibility to use primary clarifiers as short-term
    backups for more critical unit processes, either with permanent or temporary piping and pumps.
    Examples include using these units as secondary clarifiers, gravity thickeners, aerobic digesters
    (with floating aerators), waste-activated sludge storage, and digested sludge storage.
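
The influent monitoring and offline equalization recommendations above (pH and LEL monitors, automatic diversion, 8 hours of storage at the average daily flow rate) can be sketched as control logic. This is an added example, not part of the original guidance; the pH band, the LEL alarm point, the three-sample confirmation, the latching behaviour and all sample readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed set points (the guidance names the monitors but gives no values).
PH_LOW, PH_HIGH = 6.0, 9.0   # assumed acceptable influent pH band
LEL_ALARM_PCT = 10.0         # assumed alarm point, percent of lower explosive limit
CONFIRM_SAMPLES = 3          # consecutive abnormal samples required before diverting


@dataclass
class Sample:
    minute: int
    ph: Optional[float]        # None models a failed or disconnected sensor
    lel_pct: Optional[float]
    flow_m3_per_h: float


def is_abnormal(s):
    """A missing reading is treated as abnormal so a dead sensor fails safe."""
    if s.ph is None or s.lel_pct is None:
        return True
    return not (PH_LOW <= s.ph <= PH_HIGH) or s.lel_pct >= LEL_ALARM_PCT


def basin_capacity_m3(avg_daily_flow_m3, hours=8.0):
    """Storage recommended by the guidance: 8 hours at the average daily flow rate."""
    return avg_daily_flow_m3 * hours / 24.0


def hours_until_full(capacity_m3, stored_m3, inflow_m3_per_h):
    """Remaining diversion time at the current influent flow."""
    return (capacity_m3 - stored_m3) / inflow_m3_per_h


def run_monitor(samples, avg_daily_flow_m3, interval_min):
    """Replay samples; divert after CONFIRM_SAMPLES abnormal readings in a row.

    Diversion latches: it continues after readings return to normal until an
    operator resets it (assumed policy), or until the basin is full.
    """
    capacity = basin_capacity_m3(avg_daily_flow_m3)
    stored, streak, diverting, events = 0.0, 0, False, []
    for s in samples:
        streak = streak + 1 if is_abnormal(s) else 0
        if not diverting and streak >= CONFIRM_SAMPLES:
            diverting = True
            events.append((s.minute, "DIVERT"))
        if diverting:
            stored += s.flow_m3_per_h * interval_min / 60.0
            if stored >= capacity:
                events.append((s.minute, "BASIN_FULL"))
                break
    return {"events": events, "stored_m3": stored,
            "capacity_m3": capacity, "diverting": diverting}


# Constructed 5-minute readings during wet weather (2500 m3/h influent).
SAMPLE_STREAM = [
    Sample(0, 7.2, 0.0, 2500.0),
    Sample(5, 4.1, 0.0, 2500.0),   # single spike, not confirmed
    Sample(10, 7.1, 0.0, 2500.0),
    Sample(15, 3.9, 1.0, 2500.0),
    Sample(20, 3.8, 2.0, 2500.0),
    Sample(25, 3.7, 2.0, 2500.0),  # third abnormal sample in a row
    Sample(30, 7.0, 0.0, 2500.0),  # normal again, diversion stays latched
]

if __name__ == "__main__":
    result = run_monitor(SAMPLE_STREAM, avg_daily_flow_m3=24000.0, interval_min=5)
    print(result)
    print("hours of diversion left at this flow:",
          hours_until_full(result["capacity_m3"], result["stored_m3"], 2500.0))
```

A basin sized for 8 hours at average flow fills in 3.2 hours at the 2500 m3/h wet-weather flow used here, which is the time available to confirm the event and start emergency pretreatment.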

Secondary Treatment
The vast majority of secondary treatment processes include some type of biological process for
treatment of organic wastes followed by clarification to remove the biological growth from the waste
stream. Although biological processes are fairly robust with regard to normal organic wastes, these
wastes are susceptible to a broad array of organic and inorganic toxins. These toxins can inhibit the
growth, and thus the effectiveness, of the biological system or kill the biomass. Operational flexibility
is a key factor in the design of biological systems to minimize the impacts of toxins.

Biological Treatment
•  The most stable biological process should be employed to reduce the biomass upset from shock
•  A sufficient number of blowers or mechanical aerators should be provided to enable the design
   oxygen transfer to be maintained with the largest-capacity unit out of service.
•  Installing blowers in two separate blower buildings should be considered, with the buildings
   located on either side of the aeration basins with interconnected, but isolatable, air supply piping.
•  Air diffuser systems for each aeration tank should be designed so that the largest section of
   diffusers can be out-of-service without measurably impairing the oxygen transfer capability of
   the system.
•  The overall capacity of the air supply system should include at least 50 percent more capacity than
   estimated peak demand conditions. It may be feasible to back up the aeration system with floating
   aerators that can be installed relatively quickly.
•  At least one backup aeration tank should be provided that is equal to  or greater than the capacity
   of the largest of the other tanks. This tank can be used as part of the activated sludge process or
   for storing diverted mixed liquor in the event of contamination.
•  In addition to multiple process units and bypass channels, the biological process should be
   designed with as much flexibility as possible to minimize impacts  to the biological organisms in
   the units. Examples include designing an activated sludge plant to be able to operate in a variety
   of process modes, including complete mix, contact stabilization, step feed, or extended aeration.
   This flexibility provides the operators with tools to either dilute the toxins to manageable
   concentrations or to maintain a significant quantity of biomass out of harm's way to reseed and
   stabilize the process.
•  For fixed film processes, a sufficient number of units should be provided so that the peak flows
   can still be processed with the largest unit out-of-service.
•  Provide sufficient recycle system capacity and flexibility to maintain a viable biomass should the
   flow be affected by a toxin.
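
The "largest unit out of service" rule that recurs through this section (pumps, blowers, aeration, fixed film units, whole trains), together with the 50 percent air supply margin and the 100 percent redundancy for critical processes, can be checked against a plant inventory. The audit below is an added example, not part of the original guidance; the plant data is constructed, and reading "100 percent of design capacity" as installed capacity of at least twice the peak demand is an assumption.

```python
from dataclasses import dataclass


@dataclass
class UnitProcess:
    name: str
    unit_capacities: list     # capacity of each parallel unit, one consistent unit (e.g. ML/d)
    peak_demand: float        # peak flow or load the process must carry, same unit
    critical: bool = False    # biological or disinfection process
    air_supply: bool = False  # aeration air supply system


def firm_capacity(capacities):
    """Capacity that remains when the single largest unit is out of service."""
    return sum(capacities) - max(capacities) if capacities else 0.0


def audit_process(p):
    """Return (code, message) findings; an empty list means every rule is met."""
    findings = []
    total = sum(p.unit_capacities)
    firm = firm_capacity(p.unit_capacities)
    if len(p.unit_capacities) < 2:
        findings.append(("SINGLE_UNIT", f"{p.name}: fewer than two parallel units"))
    if firm < p.peak_demand:
        findings.append(("N_MINUS_1",
                         f"{p.name}: {firm:g} available with largest unit out, "
                         f"peak is {p.peak_demand:g}"))
    # Assumed reading of "redundancies should be 100 percent of design capacity":
    # installed capacity is at least twice the peak demand.
    if p.critical and total < 2.0 * p.peak_demand:
        findings.append(("CRITICAL_100",
                         f"{p.name}: installed {total:g} is below 2 x peak"))
    # Air supply: at least 50 percent more capacity than estimated peak demand.
    if p.air_supply and total < 1.5 * p.peak_demand:
        findings.append(("AIR_MARGIN_50",
                         f"{p.name}: installed {total:g} is below 1.5 x peak"))
    return findings


def train_shortfall(train_capacities, plant_peak):
    """Unmet peak loading with the largest whole train out of service (0 if none)."""
    return max(0.0, plant_peak - firm_capacity(train_capacities))


def audit_plant(processes):
    """Map process name to finding codes, listing only processes with findings."""
    report = {}
    for p in processes:
        codes = [code for code, _ in audit_process(p)]
        if codes:
            report[p.name] = codes
    return report


# Constructed sample plant; figures are illustrative only.
SAMPLE_PLANT = [
    UnitProcess("influent pumps", [40, 40, 40], 75),
    UnitProcess("grit chamber", [80], 75),
    UnitProcess("aeration blowers", [30, 30], 45, air_supply=True),
    UnitProcess("UV disinfection", [50, 50], 60, critical=True),
    UnitProcess("secondary clarifiers", [30, 30, 30, 30], 75),
]

if __name__ == "__main__":
    for name, codes in audit_plant(SAMPLE_PLANT).items():
        print(name, codes)
    print("shortfall with one of two 50 ML/d trains out:", train_shortfall([50, 50], 75))
```

The grit chamber in the sample shows why total capacity alone is misleading: 80 ML/d installed against a 75 ML/d peak looks adequate, yet the process is a single point of failure with zero firm capacity.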

Secondary Clarifiers
•  The number and size of secondary (final) clarifiers should  allow for effective treatment at peak
   flow rates with at least one unit out of service.

•   Design the secondary clarifiers, piping, and pumps with the ability and flexibility to serve as
    temporary backup units for other processes.

Effluent Filtration
•   Multiple filter units should be provided so that adequate filtration is achieved with the largest
    unit out of service at peak flow conditions.
•   Interconnected, dual backwash systems, each with a capacity for 100 percent of the peak flow,
    should be provided.
•   Backwash systems should be designed to permit manual backwashing if the automatic system
•   Chemical systems used to enhance filtration should also include a measure of redundancy.
•   Replacement media should be stored in a secured storage building away from the filters.

Disinfection
•   Ultraviolet (UV) light should be the disinfection method of choice for new, upgraded, and
    expanded wastewater treatment facilities. Should the utility be required to maintain a chlorine
    residual (e.g., for reclaimed water distribution), sodium hypochlorite should be added after the
    UV process. This will reduce the chlorine demand of the effluent and minimize the amount of
    chlorine required.
•   Disinfection with gaseous chlorine should be avoided due to its toxicity to the environment and
    the extreme hazard to human health should the gas be released to the atmosphere.
•   A location for manual feeding of calcium hypochlorite should be provided as a fail-safe method
    of disinfection should other disinfection processes fail.
•   Where disinfected effluent is to be reused as reclaimed water, disinfection contact tanks and
    outlet channels should be covered.
Ultraviolet Light
•   Provide multiple UV modules in multiple channels designed so that there is adequate
    disinfection at peak flow rates with the largest module and largest channel being out of service.
•   A standby sodium hypochlorite feed system should be considered to provide a backup means of
    disinfection should the UV system become inoperable.
•   Provide secure storage area for UV replacement lamps and modules away from the UV channels.

The design of chlorination facilities involves a wide range of safety considerations and compliance
with a variety of federal, state, and local regulations. The recommendations below are to be
considered in addition to all other design criteria, safety requirements, and regulatory issues
associated with the use of chlorine as disinfectant.

•   Chlorination facilities, whether using gas cylinders, chlorine dioxide generators, or liquid sodium
    hypochlorite, should be housed within a building and located within an enclosed higher security
    layer (see Section 4.2.2) that is a minimum of 45 meters (148 feet) from the treatment plant's
    secured perimeter.
•   Onsite generation of sodium hypochlorite should be considered to reduce the quantity of
    chlorine required to be kept onsite.
•   All chlorination equipment, including chlorinators, evaporators, scales, chlorine dioxide
    generators, storage tanks, and feed pumps, should be designed in multiple units with adequate
    disinfecting capacity at peak flow with the largest unit being out of service.
•   All chlorine cylinders or tankers should be screened by an opaque partition from the view of
    anyone outside of the treatment plant's secured perimeter.
•   See Section, "Chemical Systems," for additional information.

•   Dechlorination facilities, whether using sulfur dioxide, sodium bisulfate, or sodium metabisulfite,
    should be housed within a building and located within an enclosed higher security layer (see
    Section 4.2.2), and a minimum of 45 meters (148 feet) from the treatment plant's secured
•   All dechlorination equipment, including storage tanks and feed pumps, should be designed in
    multiple units with adequate capacity at peak flow with the largest unit being out of service.
•   See Section, "Chemical Systems," for additional information.

Effluent Disposal and Reclaimed Water Production
At the end of the treatment system, flexibility in the design should allow diversion and holding of
effluent that may not be suitable for disposal or for reuse as reclaimed water.

Surface Water Disposal
•   Equalization storage and holding capacity for diversion of effluent should be provided in the
    event that contamination is suspected.
•   A redundant outfall at a different location than the primary outfall should be considered.
•   Outfall areas, including effluent sampling equipment and monitoring instrumentation, should be
    secured within a higher security layer.
•   If the outfall pipe is not permanently capped, a bar should be installed to prevent persons
    from using the outfall as a conduit to the treatment facility or combined sewer system.

Reclaimed Water Production
Reclaimed water may include, but is not limited to, highly treated wastewater effluent that is used for
irrigation, cooling water, lake or stream augmentation, groundwater recharge, and other non-potable
uses. Most reclaimed water systems are characteristic of drinking water systems in that they provide
water (albeit non-potable) to the public under a pressurized system. Therefore, utilities that process
reclaimed water are recommended to also refer to the Security Guidance for Water Utilities.^
•   Multiple, covered tanks for storage of reclaimed water prior to distribution should be provided to
    allow operators sufficient time flexibility to test and appropriately manage the produced water. A
    minimum of one-day storage is recommended.
•   In-line continuous water quality monitors for general water quality parameters such as pH,
    turbidity, conductivity, and disinfectant residual should be installed to measure the quality of the
    water immediately prior to distribution.
•   More sophisticated instrumentation that can detect contaminants should be installed as it
    becomes available (refer to Guidelines for Designing an Online Contaminant Monitoring System
    [ASCE 2004]).
•   Pumps,  piping, valves, and related facilities should be provided to enable the system operators to
    either discharge or return the water to the treatment plant's influent rather than distribute water
    that does not meet water quality requirements.
•   An additional disinfection system should be included to enable operators to provide
    supplemental disinfection immediately prior to distribution.
•   Subject to regulatory approval, provide a means to divert reclaimed water to an alternative
    disposal system such as a surface water outfall if the water cannot meet reclaimed water quality
    but will not adversely affect surface waters, or to infiltration ponds if groundwater will not be
    adversely affected.
•   Alarms should be provided to alert operators to reclaimed water quality problems and
    automatically actuated devices installed to divert reclaimed water to emergency storage areas
    instead of the distribution system.
•   All reclaimed water facilities should be enclosed within a higher security layer.

Solids Handling
•   Solids concentration process systems such as thickeners, centrifuges, and belt filter presses
    should be designed in multiple units with the design capacity adequate to provide necessary
    thickening with the largest unit out of service.
•   Aerobic digesters and anaerobic digesters should be designed in multiple units with the design
    capacity adequate to provide necessary thickening with the largest unit out of service.
•   Anaerobic digesters and related equipment, including mixing, heating system, gas collection, and
    gas storage, should be enclosed in a higher security layer (see Section 4.2.2), and located a
    minimum of 45 meters (148 feet) from occupied buildings.
•   Waste gas burners should be located a minimum of 15 meters (50 feet) from any other structures.
^ Security Guidance for Water Utilities, American Water Works Association, 2004

•   Gas piping and storage facilities should be screened so that they are not visible from outside of
    the treatment plant perimeter.
•   Provide methane gas sensors and alarms where anaerobic digestion is employed.
•   Provide automatic shutdown of gas systems at preset pressures.
•   Heat dryers and pelletizing processes should be located a sufficient distance away from other
    structures to minimize the risk of spreading fire should the heating fuel ignite. This standoff
    distance will be dependent upon the type of fuel and fuel storage quantities used.
•   Stand-by drying beds should be provided to serve as a backup should other solids handling
    processes fail, or provide storage lagoons or tanks for temporary storage of untreated or partially
    treated solids.
•   Stockpile areas for treated sludge should be provided if transportation to disposal sites becomes
    unavailable, or if contaminants in the wastewater have made the solids unsuitable for their
    normal disposal or application site. Stockpile areas should be enclosed within a higher security
•   Solids loading and transfer areas should be located within a sally port if non-utility staff and non-
    utility vehicles may load or transport the solids. The sally port should be a minimum of 45 meters
    (148 feet) from occupied buildings.

Chemical Systems
•   Local, state, and federal laws and regulations, such as fire codes, occupational and health
    requirements, must be followed when designing proper and safe storage of chemicals and
    locating mixing and chemical feed equipment.
•   Sufficient quantities of chemicals should be kept available on utility property to provide a 30-day
    supply without additional shipments.
•   Chemicals should be stored in unopened shipping containers, or be transferred into a covered
    storage tank. Hazardous chemicals should be stored within an enclosed area of a higher security
•   At least two storage tanks per liquid chemical are required to provide adequate redundancy.
•   Adequate spill containment and control is required for all storage tanks, and separate
    containment structures are required for each chemical. The containment should be designed to
    hold the volume of the largest tank within the containment, plus an additional volume for fire
    flow or wet weather (if located outside of a building).
•   Spill detection systems should be included in the design of storage and feed areas to assist in
    detecting theft or release of the chemical. Typical systems include vapor monitors for specific
    chemicals or liquid levels in containment sumps.
•   Chemical tanks should have a high liquid alarm and the containment areas should contain a leak-
    detection and alarm system.
•   Chemical piping should be installed below ground if possible.

4.3.4 Laboratories
•   If the laboratory is located within the perimeter of a treatment facility, consideration should be
    given to enclosing the laboratory within a higher security layer.
•   Local, state, and federal laws and regulations, such as fire codes, building codes and occupational
    and health requirements, must be followed when designing laboratories.
•   Laboratories may become a target in all four threat categories: vandal, criminal, saboteur or
    terrorist. Provide appropriate physical protection systems to secure analytical equipment,
    instrumentation, computer hardware, software and chemicals from the identified DBT (refer to
    Sections 4.2 and 4.3).
•   Consider installing tamper- and chemical-resistant locking cabinets in which to store reagents.
•   Gas cylinders that are used for laboratory analysis should be stored within the higher security
    layer of the laboratory and be screened from the view of persons outside of the laboratory.

4.3.5 Maintenance Shops, Warehouses, and Storage Areas
•   If the building or area is located within the perimeter of a treatment facility, consideration should
    be given to enclosing it within a higher security layer.
•   Local, state, and federal laws and regulations, such as fire codes, building codes and occupational
    and health requirements, must be followed when designing these support facilities.
•   Consider locating these support facilities off site of the treatment facility so that spare parts and
    materials, and replacement equipment are available for response and recovery from an incident
    at the treatment plant.
•   Maintenance shops, warehouses, and storage areas may become a target in all four threat
    categories: vandal, criminal, saboteur or terrorist. Provide appropriate physical protection
    systems to secure equipment, materials, instruments, chemicals and fuels from the identified DBT
    (refer to Sections 4.2 and 4.3).
•   Delivery areas for equipment and supplies, as well as for chemicals and fuel, should consist of a
    sally port to allow for inspection of the delivery vehicles and contents of the delivery. The
    inspection area should be designed to allow multiple inspections should more than one delivery
    vehicle be detained for inspection. The inspection areas should include appropriate equipment to
    allow for the sampling of chemical and fuel deliveries so that a chemical assay can be done prior
    to accepting the delivery.
•   Vehicle fueling stations should be located at a sufficient standoff distance from treatment process
    units and inhabited buildings. The standoff distance should be based upon the DBT of both the
    fuel station itself to avoid damage to other parts of the treatment facility and the structures
    within its proximity to avoid damage to the fuel station.
•   Gasoline and diesel fuel tanks should be installed underground in approved vessels.

•   Automatic fuel dispensing systems requiring key cards that identify the person using the fuel
    pump (and the vehicle if practical) should be installed at all fueling stations.
•   Consider installing active barriers as described in Section

4.3.6 Administrative Offices
•   Provide space for gatekeepers, such as receptionists or guards, at the entrance to the buildings
    and possibly at key locations on other floors.
•   Silent panic alarm buttons should be available to alert local law enforcement of malevolent
    incidents and provide notice to facility employees to take action as provided in the utility's
    emergency response plan.
•   Consider creating sufficient space for sleeping, eating, and personal hygiene to accommodate
    staff members who may have to spend long periods of time in the building during emergency

4.4 Additional Design Considerations for Remote Facilities
In the design of remote facilities such as pump stations (lift stations), CSO facilities, and stormwater
retention ponds, all of the concepts discussed earlier in this section should be taken into consideration
and selected for inclusion depending upon the DBT. In addition, to the extent that the remote
facilities have pumps, motors, chemical storage, and other processes, the specific considerations
presented for wastewater collection facilities in Section 4.5 should also be examined for applicability.
Remote facilities may have different risks based upon their location. For example, pump stations
serving military installations, government buildings, financial institutions, and major industrial sites
may be identified as facing a saboteur or terrorist category threat, while pump stations serving
residential areas may be determined to have only a vandal category threat.

4.4.1 Pump Stations
Many wastewater utilities find that their pump stations are frequently targets of vandals because they
are typically unattended and may be located away from populated areas. Designers of wastewater
systems should strive to keep the number of pump stations to a minimum, although it is recognized
that this may not be possible when new developments connect to an existing collection system, or
when other factors such as a high groundwater table or rock near the surface make construction of
deep gravity sewers unrealistic or cost-prohibitive.
If possible, remote pump stations should be located in areas that have residences or commercial
establishments where people can easily witness any malevolent actions that may be taken on the
stations. Where possible, pump stations should be designed as submersible facilities with a minimal
amount of equipment visible aboveground. Equipment, such as motor control panels, standby
generators, or chemical feed systems, should be enclosed in a building. For non-submersible stations,
consideration should be given to designing a structure that blends into the surrounding area (e.g., a
pump station that looks like a single-family home in a residential area) so that it becomes a less likely
target at all threat levels.
Other considerations for pump stations include:
•   Limiting the number of pump stations through deeper and longer gravity sewers.
•   Conversely, increasing the number of pump stations to provide redundancy and limit impact of
    failure of any given facility.
Pump stations should be designed with:
•   At least one redundant pump that matches the largest pump so that the pump station can handle
    peak design flows with one of the largest pumps out of service.
•   Each pump should have a separate electrical supply, motor starter, motor sensor and alarm,
    electrical components, and instrumentation and control components.
•   A permanent standby power generator with automatic transfer for master pump stations and
    critical smaller pump stations should be provided; a receptacle for a portable generator is
    acceptable for smaller, less critical pump stations.
•   Permanent generators should be located inside a building or other weather-tight enclosure to
    ensure startup in cold weather.
•   Fuel for generators should be stored in underground tanks with a volume sufficient for a
    minimum of 24 continuous hours of operation without refueling.
•   Sufficient excess wet well capacity, or redundant wet wells, should be available to retain a
    minimum of 2 hours at peak flow during an outage for all pump stations not having permanent
    standby generation onsite.
•   Pump-out and pump-around capabilities.
•   Central monitoring of intrusion, flows, pump status, wet well levels, fuel level via a SCADA
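
The pump station criteria listed above can be checked mechanically against a station inventory. The
following Python check is an added example, not part of the original guidance; the field names, tier
labels, units (cubic meters and liters per hour), and sample stations are assumptions constructed
for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds taken from the list above.
FUEL_HOURS = 24      # minimum continuous generator operation without refueling
WET_WELL_HOURS = 2   # minimum retention at peak flow when no permanent generator


@dataclass
class PumpStation:
    """Inventory record for one station. Field names and units are assumptions."""
    name: str
    tier: str                         # "master", "critical" or "minor" (assumed labels)
    pump_capacities_m3h: List[float]  # rated capacity of each installed pump
    peak_flow_m3h: float              # peak design flow
    permanent_generator: bool = False
    automatic_transfer: bool = False
    generator_enclosed: bool = False
    portable_receptacle: bool = False
    fuel_underground: bool = False
    fuel_volume_l: float = 0.0
    fuel_burn_l_per_h: float = 0.0    # generator consumption under load
    wet_well_spare_m3: float = 0.0    # storage available above normal operating level


def audit(st: PumpStation) -> List[str]:
    """Return the codes of the listed criteria that the station does not meet."""
    findings: List[str] = []

    # Redundant pump: peak flow must still be met with the largest pump removed.
    caps = sorted(st.pump_capacities_m3h)
    if len(caps) < 2 or sum(caps[:-1]) < st.peak_flow_m3h:
        findings.append("firm-capacity")

    # Standby power: permanent generator with automatic transfer for master and
    # critical stations; a portable-generator receptacle is acceptable otherwise.
    if st.tier in ("master", "critical"):
        if not (st.permanent_generator and st.automatic_transfer):
            findings.append("standby-power")
    elif not (st.permanent_generator or st.portable_receptacle):
        findings.append("standby-power")

    if st.permanent_generator:
        # Enclosure and fuel criteria apply only where a permanent unit exists.
        if not st.generator_enclosed:
            findings.append("generator-enclosure")
        needed_l = FUEL_HOURS * st.fuel_burn_l_per_h
        if not st.fuel_underground or st.fuel_volume_l < needed_l:
            findings.append("fuel-storage")
    elif st.wet_well_spare_m3 < WET_WELL_HOURS * st.peak_flow_m3h:
        # Without permanent standby generation the wet well must ride out an outage.
        findings.append("wet-well-retention")

    return findings


# Constructed sample inventory (not real stations).
STATIONS = [
    PumpStation("Master PS-1", "master", [300, 300, 300], 550,
                permanent_generator=True, automatic_transfer=True,
                generator_enclosed=True, fuel_underground=True,
                fuel_volume_l=2000, fuel_burn_l_per_h=60),
    PumpStation("Master PS-2", "master", [500, 500, 250], 700,
                permanent_generator=True, automatic_transfer=True,
                generator_enclosed=False, fuel_underground=True,
                fuel_volume_l=1000, fuel_burn_l_per_h=50),
    PumpStation("Critical PS-3", "critical", [200, 200], 180,
                portable_receptacle=True, wet_well_spare_m3=400),
    PumpStation("Minor PS-7", "minor", [120, 80], 100,
                portable_receptacle=True, wet_well_spare_m3=150),
]


def report() -> Dict[str, List[str]]:
    """Audit every sample station and map its name to its findings."""
    return {st.name: audit(st) for st in STATIONS}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {', '.join(findings) if findings else 'meets listed criteria'}")
```

Minor PS-7 shows why the redundant pump has to match the largest one: with the 120 unit out of
service the remaining 80 cannot carry the peak flow of 100.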

4.4.2 CSO Facilities
CSO near surface storage and treatment facility locations are often highly constrained by the location
of existing CSO outfalls. As with remote pump stations, designs should limit the amount of aboveground
equipment, striving to make the facility invisible to the public. For underground storage facilities
without chemical systems, restricted access may not be necessary if accessways and equipment are
hidden and secured. Any aboveground equipment should be enclosed in a building designed using
CPTED strategies discussed in Section 4.3.1.
A unique aspect of CSO facilities is that large-volume tanks are located in areas that are unattended
by utility staff. Thus, at a terrorist threat level, the facility is vulnerable to being filled with a
flammable or explosive substance that could cause damage to surrounding properties and result in
fatalities. Consequently, at this threat  level, CSO facilities should be located away from populated
areas, or the applicable target hardening methods discussed in Section 4.3.2 should be employed.

Further, because CSO facilities include many of the mechanical and electrical components included in
wastewater treatment facilities, the designer should consider all of the recommendations included in
Section 4.3.3.

4.4.3 Stormwater Retention Ponds
Stormwater retention ponds have become increasingly prevalent in newer residential, commercial,
and industrial developments, as well as along newly widened roadways. They are designed to retain
at least the initial runoff from a storm to reduce the amount of pollutants entering surface waters and
to mitigate flooding. Some may be designed as dry-bottom ponds, meaning that they have water in
them only during wet periods. Others may be designed as wet-bottom ponds where the pond always
has some water. Wet-bottom ponds are frequently used as amenities (artificial lakes) in communities.
Typically, the only structures associated with a retention pond are its inlet headwall and its outlet
overflow weir. While damage to these structures or a breach of the pond sidewall may result in
flooding, retention ponds may not pose much of an attractive target for malevolent actions. Should a
vulnerability assessment identify a DBT that should be addressed, the CPTED strategies and target
hardening methods described earlier in this section should be implemented as appropriate.

4.5 Special Design Considerations for Collection Systems
As with any utility network, sanitary sewer systems, combined sewer systems, and stormwater
conveyance systems cover large areas, traveling through remote and unmonitored locations with
numerous access points along their routes. But unlike other utility networks, gravity collection systems
are not only targets of malevolent acts themselves, these systems can also serve as conduits for
saboteurs and terrorists to inflict damage on other infrastructure and private property, as well as to
harm or kill persons not associated with the wastewater utility. Consequently, designers must
consider protecting a collection system from direct attacks as well as from its use as a conduit for
other malevolent acts.
Different portions of the collection system may have different risks based upon their location and
size. For example, the section of the collection system serving military installations, government
buildings, financial institutions, and major industrial sites may be identified as facing a saboteur or
terrorist category threat, while a section of the collection system serving residential areas may be
determined to have only a vandal category threat. Likewise, because large diameter gravity sewers
can provide access to other sensitive infrastructure and targets, sewers above a certain size may be
considered to face saboteur or terrorist level threats.

4.5.1 Alternative Approaches for Designing Collection Systems
When planning new collection systems, certain legacy design principles may need to be reconsidered.
Mitigating the risks from a malevolent attack on a collection system may be better addressed through
alternatives to large service areas with single backbone interceptors.

Decentralization
Since the 1970s, with the beginning of federal funding for wastewater infrastructure, the municipal
wastewater sector has been focused on centralizing wastewater treatment. During this time,
hundreds of individual treatment facilities have been phased-out and replaced by extensive collection
systems designed to carry wastewater to large regional treatment facilities for appropriate treatment.
This trend increased the vulnerability of wastewater systems to threats from saboteurs and terrorists
that may wish to use large-diameter gravity sewers as access ways to commit malevolent acts.
Centralized systems also have the additional vulnerability of providing a single-point of failure for
the wastewater utility.
Recently, there has been discussion among wastewater professionals about the benefits of
decentralized wastewater systems.22 Much of the impetus for this approach has been to provide
more local sources of reclaimed water for reuse without incurring the cost of constructing large
collection systems and large reclaimed water distribution systems to bring the reuse water back to
communities for disposal. Now, with the increasing concerns for wastewater infrastructure security,
decentralization of wastewater facilities also mitigates risks by incorporating smaller-diameter sewers
that travel shorter distances, as well as redundant facilities that eliminate the single point-of-failure
vulnerability. This trend has already taken hold for many new stormwater systems where runoff is
contained within a development and routed to an onsite retention pond.
While decentralization is not a viable option for existing wastewater infrastructure, it may warrant
consideration for new development that would otherwise be served by expansion of the collection
system. Decentralization may be an approach to mitigate future terrorist threats and assure that
portions of the utility's service area remain in service when other portions have service interrupted.

Redundancy
When addressing terrorist threats for new collection systems or extensions of existing collection
systems, provide redundancy for interceptors and other critical trunk sewers. One alternative is to
provide smaller parallel pipes along parallel roads rather than one large gravity sewer that could
serve as a single point of failure and also provide easier access through the pipe.

Standardization
A utility should develop a standard for sizes and materials used in its collection systems to minimize
the need to stock numerous replacement parts and materials and to facilitate replacement of
damaged infrastructure. Uncommon pipe sizes and unique pipe materials should be avoided, as
should non-standard manholes, catch basins, and force main valves.
22 The Water Environment Federation is funding a project titled, "Incorporating Decentralized Wastewater Technologies and
Management Into the Practice of Water Resources Planning and Engineering."

Other Recommendations
As apparent from the discussions about decentralization and redundancy, mitigating risks to a
collection system is expensive, resource intensive, and sometimes counterintuitive. Consequently, the
following suggestions are offered for consideration in addressing threats of saboteur and terrorist,
and only for new collection systems, replacement of portions of collection systems, or extensions of
collection systems.
•   Swales and open channels rather than pipes should be used for stormwater conveyance.
•   Large-diameter pipe gravity sewers should be replaced with smaller-diameter parallel pipes to
    discourage persons from crawling through.
•   Deeper gravity sewers should be used in the vicinity of other sensitive infrastructure and
    potential civilian, commercial, and government targets to prevent damage from explosions in
    sewers and, conversely, to prevent damage to sewers from explosions on the surface.
•   The number of manholes, especially in remote areas, should be reduced by increasing the
    conventional distance between manholes. Traditional design standards of 90 to 120 meters
    (300 to 400 feet) may no longer be necessary with newer maintenance equipment.
•   Buried force mains or inverted siphons rather than exposed pipe crossings should be used.

One Sewer Cover per Day Gets Stolen in Budapest
"In the Hungarian capital 120 thousand sewer covers of cast steel and 80 thousand drain-tap
gratings are registered by FCSM out of which 105 sewer covers and 267 drain-trap gratings
disappeared last year. In addition to the significant financial damage, uncovered manholes
constitute grave risks for accidents: e.g. recently a car has been completely destroyed because it
ran into an open man-hole - the driver was lucky to get away with minor injuries."
Source: Aquamedia, Vienna, Austria

4.5.2 Preventing Access into Collection Systems
Misuse of sanitary sewer systems has been a recurring problem for wastewater utilities. Purposeful
and unintentional disposal of substances such as oils, pesticides, and herbicides into residential and
non-residential sink drains, water closets, and floor drains has caused treatment plant upsets and
threatened the health of utility workers. More dramatic, however, has been the dumping of chemical
wastes from industrial sources into sewage collection systems, resulting in loss of treatment
capabilities and destruction of infrastructure and surrounding properties, such as in Louisville,
Kentucky in 1981. Unfortunately, with every wastewater customer being a potential source of
dangerous substances entering the collection system, no physical means of preventing such incidents
are available. Instead, wastewater utilities have depended upon pretreatment programs, along with
sewer ordinances and inspections of non-domestic dischargers' premises and operations and public
education programs, to reduce the number of incidents and quantity of non-sanitary sewage that
enters the system.
Another misuse of collection systems has been the dumping of wastes from chemical toilets, septic
tanks, and grease traps into the sewer via manholes. This type of vandalism or theft, assuming the
reason for the dumping into the manhole is to avoid payment of disposal fees at the treatment plant,
can be controlled if not eliminated by securing manhole covers. Securing manhole covers also
prevents vandals from removing covers causing hazardous conditions for motorists and pedestrians
and discourages thefts of manhole covers by collectors. A few alternatives are available for securing
manhole covers to their frames, thereby providing security to the manhole and collection system: tack
welds, bolt-type locks, and pan locks.
•   Tack welding provides a rapid security measure that can be used where no other means, such as
    bolting, is available. Utilities have used tack welding to secure manholes prior to visits of
    dignitaries to prevent IEDs from being placed under the street or to prevent persons hiding in the
    manholes. Tack welding has also been used in areas of the collection system known for illegal
    dumping into manholes and areas that are prone to theft of manhole covers. While tack welding
    requires no excavation or replacement materials, it does make maintenance difficult because
    welds need to be broken before utility staff can enter the manhole.
•   Bolt-type locking devices consist of bolts that anchor the manhole cover to the frame. Bolts are
    available with various-shaped heads that require specialized wrenches or keys that are restricted
    for distribution to utilities. Specially manufactured head shapes are also available to assure
    that the wastewater utility has a unique locking device. The bolt-type devices prevent the cover
    from being removed, as well as preventing access into the manhole.
•   Pan locks prevent access into the manhole as well as preventing dumping into the collection
    system. However, they do not prevent the manhole cover from being removed. The pan is installed
    with its rim resting on the manhole cover frame and locked into place with either a padlock or
    specialized lock. The manhole cover is placed on top of the pan.

Multiple Benefits
Pan-type manhole locks also restrict inflow into the sewer, thereby lowering inflow/infiltration.

The DBT should lead to the decision as to whether manholes will be secured and, if so, what method
will be used. Welding, bolt-type locks, and pan locks will prevent a vandal, criminal, saboteur, or
terrorist from dumping substances into the collection system, as well as restrict personal entry into
the manhole. However, pan locks will not protect the manhole cover from being removed by a
vandal or stolen by a criminal.
Combined sewer and separate  stormwater systems present the additional challenge in that storm
drain catch basins and curb inlets are always vulnerable to having liquid substances dumped into
them. Persons, however, can be prevented  from entering through a catch basin or curb inlet by tack
welding grates to frames or securing the grates to the frames with the bolt-type locking devices
discussed above. Additionally, choosing grates with smaller openings may discourage saboteurs and
terrorists from trying to place IIDs or IEDs into the system.


4.5.3 Force Mains
Sewage force mains present two additional vulnerabilities to the collection system—valves and
aboveground crossings. The following recommendations are offered depending upon the DBT.
•   Buried force main valves can be secured through the use of bolt-type locks on the valve box cover
    should the DBT be based upon a saboteur or terrorist threat category.
•   Exposed valves, such as air-release valves on bridge crossings, may be subject to vandals as well
    and can be secured by a perimeter fence or other metal enclosure.
•   Exposed force mains on bridges should be placed so that the mains are not easily accessible from
    the roadway, and access along the pipe can be restricted through a fan-shaped fence with or
    without barbed or razor wire where the pipeline begins its crossing.
•   For a DBT at a saboteur or terrorist category, consider installing exposed force mains in a casing
•   Where possible, boring or tunneling should be employed to eliminate the need for hanging force
    mains from bridges or otherwise exposing the pipe in a separate crossing.

4.5.4 Culverts
Large diameter culverts and large box culverts that carry stormwater under major roads can provide
a hidden location for an explosive and a haven for saboteurs or terrorists. For saboteur and terrorist
threat categories, the following design modifications to culverts should be considered.
•   Horizontal bars can be positioned across the inlet and outlet openings of the culvert. The
    horizontal bars can be secured using vertical bars if the length of the horizontal bars results in
    insufficient strength.
•   A 6-inch clear opening should be provided at the bottom of the inlet and outlet to facilitate flow
    and avoid a buildup of debris.
•   Both inlets and outlets should be designed for easy access for frequent maintenance and clearing
    away of debris.

4.5.5 Deep Tunnels
By their very nature, deep tunnels are typically 100 meters (328 feet), more or less, underground and
bored through rock. Thus, they do not provide a preferable location for an adversary to place an
explosive device to damage or destroy buildings or other infrastructure on the surface, or even create
significant damage to the tunnel itself. Deep tunnels, which may be more than 10 meters (33 feet) in
diameter do, however, provide a virtual freeway for adversaries to gain underground access
throughout a large portion of a city because the water level is usually shallow except during rain
events. Under all threat categories, entry to access shafts should be locked and intrusion control
monitored. For saboteur and terrorist threat categories, the following countermeasures should be


•   Adequate lighting and ventilation should be provided in access shafts to facilitate inspections.
•   Installation of motion detectors in access shafts should be considered.
•   Installation of video motion detection systems or thermal imaging devices (see Section 6.3.4) in
    access shafts and tunnels should be considered. Cameras and other equipment can be mounted in
    corrosion-resistant enclosures.



Cyber Security

Cyber security is the protection of enterprise information systems from outside or inside attack. The
reliance of a typical wastewater utility on its automated systems is substantial: many operators rely
on the Supervisory Control and Data Acquisition (SCADA) system to aid in running the plant, the
financial system maintains fiscal equilibrium, and several other systems facilitate most business
processes. Financial pressures have decreased the staff at most facilities to the point where few, if
any, utilities can run in "manual mode" for long. In short, if the information systems do not work, the
enterprise will not operate.

5.1 Problem Description: Cyber Intruder Attack Methods and Consequences
Information system failure can have catastrophic repercussions to a utility. Compromise of the
financial system can result in millions of dollars of lost revenue. Corruption or destruction of
operational data can lead to fines due to late or inaccurate regulatory reporting. A sabotaged Web site
has the potential to shake public trust during a time of crisis. Interruption of plant processes because
of a SCADA system malfunction can lead to a wide range of health implications for the community.
With millions of Internet attacks recorded daily, there is no shortage of potential intruders to the
enterprise. For the purposes of the following cyber security discussions, intruders are defined as:
•   Hackers: The primary goal of hackers is unauthorized entry; their motivation is thrill-seeking or
    criminal opportunity.
•   Attackers: The primary goal of attackers is to destroy enterprise operations; their motivation is
    often political.
•   Insiders: The primary goal of insiders — typically disgruntled employees — is to disrupt enterprise
    operations; their motivation is personal vengeance or financial gain.
To maintain consistency with discussions of physical security in other sections of this document,
Exhibit 5-1 provides a correlation between physical intruders and cyber intruders.
Information systems are more vulnerable than ever before. Today's information management trends
point to a technology convergence resulting in standardized system architecture. A demanding
regulatory environment and the need for defensible decision-making push today's utilities to
integrate previously isolated information systems onto standardized platforms. In addition,
employees increasingly request round-the-clock access to internal information systems. Taken
together, these trends create more opportunities for intruders to access and affect the entire enterprise
information structure.

EXHIBIT 5-1
Correlation between Physical and Cyber Intruders

Physical Intruder    Equivalent Cyber Intruder
Vandal               Hacker
Criminal             Hacker
Saboteur             Attacker
Terrorist            Attacker
Insider              Insider

Gaining unauthorized entrance to an organization's information infrastructure is no longer the
province of a small cadre of skilled intruders. The specific vulnerabilities of widely used platforms,
like Microsoft Windows™, are detailed on numerous web sites. An arsenal of hacking tools is readily
available on the Internet at no cost. These "freeware"  programs are easy to operate and effective at
gaining entrance to organizations via the Internet, radio, telephone, or wireless. Novice hackers can
generate destructive virus code from special applications with no knowledge of programming. This
shorter learning curve benefits an attacker intent on intrusion and destruction. Cheap laptops,
anonymous Internet accessibility, and readily available hacking tools offer political organizations a
potent tactical weapon.

5.2 Cyber Security Policies and Procedures
The most effective course of action available to utility management is the creation of a cyber security
plan (often done within the context of a physical security plan). A cyber security plan provides the
policies, procedures, and direction for system enhancements that minimize intrusion risk as well as
insider malfeasance. It is, however, an unfortunate reality that even the most vigorous anti-intruder
security may not thwart a determined attacker.
The SCADA system is of particular concern. Any disruption to the accurate operation of the SCADA
system could have adverse health repercussions to the community. A specialized assessment of the
SCADA system is recommended due to its marked difference from a more traditional information
technology (IT) system. It is worth noting that the trend in automation systems is to use a more "open
architecture" that does not rely on proprietary vendor protocols. The result is a more  publicly
available standardized operating platform, which increases the odds that its vulnerabilities are more
widely known.
The centerpiece of a cyber security plan is its policies. Publicized and enforced policies can reduce the
opportunity for an insider to anonymously sabotage any portion of the information system. Elements
of this plan should include:
•   A process for granting/revoking access to information systems
•   Password policies
•   Restricted  information flow between the business and control networks


•   Comprehensive system documentation
•   Outlawing of unauthorized wireless or modem connections
•   A Disaster Recovery Plan
•   Incident response goals
A forward-looking plan also provides a method for continuous security improvements. In this
rapidly evolving field, it is essential to stay current. Several organizations are in the process of
formulating cyber security standards. At the time of this writing, for example, a federal standards
agency, the National Institute of Standards and Technology, maintains a highly informative web site
(www.csrc.nist.gov) that publicizes best practice security guidelines.

5.3 Cyber Security Vulnerability Assessment
A valuable tool for management to understand those portions of the enterprise system that are at
greatest risk is the cyber security VA. A VA is a focused examination of the entire business and
control network from a security perspective. Each component is evaluated for its degree of
susceptibility to outside or inside attack. Based on analysis of the utility's DBT, specific
recommendations aimed at preventing the most likely types of attacks are developed.
Given that the typical wastewater utility often deploys an array of specialized information systems,
the vulnerability assessment should consider systems residing on the business network as well as
systems on the control network. These systems are defined below for the purpose of this document.

5.3.1 Business Network
The business network generally hosts software applications and databases that facilitate enterprise
business, scientific, and engineering processes, such as:
•   Enterprise Resource Program.  A comprehensive financial program that includes modules for
    General Ledger, Accounts Payable, Accounts Receivable, Payroll, and possibly Human
•   Laboratory Information Management System. A repository of laboratory result information and
    process data to support regulatory compliance and treatment plant operations.
•   Computerized Maintenance Management System. A work order system to provide preventative
    maintenance on assets, such as  pumps.
•   Customer Information System. A financial system that facilitates customer invoicing and
    collection, and resolving customer complaints.
•   Internet/Intranet. A network of networks that provides customers and employees with the
    ability to interact around-the-clock from any computer.
Additional systems might include e-mail, permitting, geographic information system, fuel usage,
and others.


5.3.2 Control Network
The SCADA system consists of numerous electronic components distributed in the plant and over a
large geographic area. The system's main function is to oversee and operate the pumps, valves, and
instruments that control the collection, treatment, and disposal of wastewater. Operable elements of
the SCADA system are located in a wide range of facilities, including the treatment plant, pump
stations, lift stations, vaults, and pretreatment facilities. Though SCADA systems vary widely in their
composition, the following represents a typical list of components, grouped by function:
•  Computers
   -   SCADA servers
   -   SCADA Human Machine Interface (HMI) programming workstations
   -   SCADA HMI workstations and view nodes
•  Networking
   -   Switches (optical and Ethernet)
   -   Routers
   -   Hubs
   -   Firewalls
   -   Modems
   -   Serial interfaces (connecting telephone lines to SCADA devices)
•  Data Conveyance
   -   Ethernet cabling
   -   Optical cabling (e.g., plant loop)
   -   Telephone lines (leased or owned)
   -   Radio transmitters and antennas
   -   Wireless transmitters and antennas
•  Distributed Control Components
   -   Programmable logic controllers (PLCs)
   -   Remote terminal units (RTUs)

5.4 Operational Solution: Intrusion Defense
Cyber intruders can gain access to an enterprise network via one of four broad avenues: external
attacks via the Internet, the telephone system, wireless transmitters, and internal attacks via normal
modes of access. The following subsections outline methods of preventing unauthorized entry from
each avenue.
It should be noted that management, operational, and design considerations for cyber security should
coordinate with planning for the security of the overall organization. For example, card-reader access
systems may have been specified in the physical security plan to regulate access to restricted areas.
Card readers can also benefit cyber security by doubling as a log-on device that can record who has
logged in and out of a computer.

5.4.1 Internet Intrusion
Internet access to the enterprise is not always under the control of the utility IT department. It is
common for a utility's umbrella municipality to administer all security aspects of the Internet
gateway, including firewall configuration and intrusion detection system (IDS) oversight. In that
case, it is important for utility staff to participate in municipal IT matters via technical committees or
similar intra-organization forums in order to participate in security matters.

Protection Against Outside Hackers
The outside hacker is most easily deterred at a firewall. If no entry point is penetrable, the hacker will
likely move on and choose an easier target. To improve prevention:
•   Coordinate with the enterprise or utility IT department to allow penetration tests on the Internet
    firewall. These tests are designed to uncover "open ports" commonly used by hackers to gain
    entrance to the enterprise network. Once inside, a hacker is free to access any computer on the
    business network, including SCADA computers if the business and control networks are
•   Restrict general user access to critical applications. For example, locate the financial servers on a
    separate network segment with tightly restricted access.

Protection Against Outside Attackers
Even the most daunting security at the Internet gateway may succumb to the efforts of a determined
attacker. Additional steps are necessary to further secure the SCADA system if connections exist
between the business and control networks. All network traffic between the two networks should be
strictly controlled to regulate legitimate connections. The most secure option is to separate the
networks. However, there may be business advantages to keeping them linked. If the networks are
linked, the link may be programmed to activate automatically at certain times of the day or week for
a specified duration to perform certain functions such as backing up data onto access-controlled
portions of the business network server.
Methods of securely segmenting the business and control  networks include:
•   Virtual Air Gap. Allows one-way data traffic from a control network server to a business
    network server by means of an optical isolator.
•   Dual-homed Server. Directs SCADA process data into a database server via one network card on
    the control side; allows access to the database only from the other network card on the business
•   Router. Restricts traffic to a small number of destinations as regulated by an Access Control List
    (ACL). The policy governing the router ACL should ensure that only appropriate Internet
    Protocol (IP) addresses (such as a designated printer or the email server) can be accessed across
    the business and control system networks.
•   Firewall. Of particular value in the case where the utility IT department has no control over the
    enterprise Internet gateway.
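
The router ACL policy described above can be checked mechanically. The following is an added example, not part of the original guidance: it evaluates a first-match ACL and flags permit rules that reach beyond an approved list of single destinations. The addresses, ports, and rule set are constructed for illustration.

```python
"""Audit a router ACL between the business and control networks (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination port; None means any port


# Constructed addressing plan (assumption, not taken from the guidance).
CONTROL_NET = "10.20.0.0/24"
PRINTER = ("10.10.0.50", 9100)     # designated printer on the business side
MAIL_SERVER = ("10.10.0.25", 25)   # e-mail server on the business side
APPROVED: Set[Tuple[str, int]] = {PRINTER, MAIL_SERVER}

# Constructed ACL as it might look after several unreviewed changes.
SAMPLE_ACL: List[Rule] = [
    Rule("permit", CONTROL_NET, "10.10.0.50/32", 9100),
    Rule("permit", CONTROL_NET, "10.10.0.25/32", 25),
    Rule("permit", CONTROL_NET, "10.10.0.0/24", 3389),    # whole business subnet
    Rule("permit", "10.10.0.77/32", CONTROL_NET, None),   # one PC to every control device
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def decide(rules, src, dst, port):
    """Return the action of the first matching rule; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"


def audit(rules, approved):
    """List (rule number, reason) for permit rules broader than the approved list."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        if rule.action != "permit":
            continue
        dst = ipaddress.ip_network(rule.dst)
        if dst.num_addresses > 1:
            findings.append((number, "destination is a range, not a single host"))
        elif rule.port is None:
            findings.append((number, "any port permitted"))
        elif (str(dst.network_address), rule.port) not in approved:
            findings.append((number, "destination not on the approved list"))
    return findings


if __name__ == "__main__":
    for number, reason in audit(SAMPLE_ACL, APPROVED):
        print(f"rule {number}: {reason}")
```
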


Devices such as firewalls and routers, if properly configured, can effectively insulate a utility's
networks from outside attack. It is recommended that the utility appoint an appropriately skilled
staff member or consultant to determine the current best practice in Internet intrusion design because
these technologies are evolving rapidly. Important design elements at the time of this writing are
listed below:
•  Ensure the firewall is either "stateful packet inspection" or "proxy" served. For additional
   security, these two firewall types can be implemented together in a "layered" approach.
•  Install an IDS at the Internet gateway and regularly audit IDS logs for evidence of unauthorized
   entry. An IDS system,  properly monitored, can identify when a firewall is under attack and
   provide valuable information about intrusion attempts. Other IDS tools can detect system
   configuration changes and log file anomalies.
•  Contract for periodic evaluation of firewall and IDS effectiveness by a third-party security
   specialist to continuously maintain and improve operational performance.
•  Consider using a Virtual Private Network (VPN) solution to ensure secure access to inside the
   enterprise from the Internet. A VPN is a private network that uses a public network, such as the
   Internet, to connect remote sites or users together. Instead of using a dedicated, real-world
   connection such as leased line, a VPN uses "virtual" connections routed through the Internet
   from the company's private network to the remote site or employee. Well-designed VPNs use
   firewalls, encryption, and other techniques to improve security.
In addition to segmenting  the business and control networks to protect against Outside Attackers,
conduct server and workstation software audits to ensure the operating systems are "hardened" with
the most current upgrades and security-related patches. The Microsoft Windows™ operating system,
for example, is a favorite target of hackers because of its widespread use and well-documented
security flaws.  Some specific activities associated with this audit might require that utilities:
•  Verify anti-virus software is updated with the latest virus patterns.
•  Verify all servers have latest security patches applied for applications (e.g., database programs,
   and email) as well as the operating system.
•  Review system logs for inappropriate activity.
•  Confirm that all administrator passwords for operating system and HMI have been changed
   from the default passwords.

5.4.2 Telephone System Intrusion
The most common method of telephone system intrusion is via dial-up modem. Most SCADA
systems employ a modem to facilitate maintenance of the HMI by vendor or in-house SCADA
technicians. Traditionally, these modem connections have little or no security, making them an
attractive target for "war-dialing" (a common technique used by telephone hackers that uses a
software program to automatically call thousands of telephone numbers to look for any that have a
modem attached).


The following operational and design tips can help the utility protect against intrusion via modem:
•  Most modems can be configured to only allow dial-up access to a restricted set of telephone
   numbers. Consider also setting up a dial-back system to verify numbers.
•  Leave modems connected to the SCADA system turned off. Turn on only for use by verified
   personnel (vendor or SCADA technician).
•  Use a timer device to turn off modems after a preset period of time (e.g., one hour) if not in use.
•  Coordinate with the enterprise IT department to verify security on non-SCADA modems
   connected to the business network.
•  Create policies designed to prevent the installation of unauthorized modems on enterprise
   equipment. Those modems are often used in conjunction with remote control software to
   facilitate working from home. The security risks to the business usually outweigh the
   convenience for the individual. Commercial telephone-scanning software can usually identify
   modem connections not sanctioned by the utility.
•  Equip all SCADA modems with "lock and key" hardware devices. Distribute the "keys" to
   SCADA technicians and trusted vendors only. This solution provides flexibility as well as a
   higher degree of security. Many utilities appreciate the benefits of allowing vendors to access
   their systems remotely. For example, vendors of gas monitoring equipment can troubleshoot,
   calibrate, and maintain their equipment remotely, saving the utility money and irritation. "Lock
   and key" modem options allow technicians needing access to call at any time and from any
   telephone (e.g., a SCADA technician on travel), thus retaining flexibility while decreasing
   security risk.
•  Instruct employees not to divulge user information—especially passwords—over the telephone.
   Hackers have a high success rate of obtaining passwords from unwary employees by posing
   as an IT technician needing user account information. This technique is known as "social
   engineering." Train employees to report any attempt to elicit password information via
   social engineering.
•  Telephone lines are also sometimes used to connect RTUs from the field. Consider encrypting
   commands to prevent interference from attackers "tapping" into leased or owned lines.

5.4.3 Wireless Intrusion
The explosion of wireless networking at home and in the workplace has created an enormous
security risk for network administrators. Many wireless installations in the workplace exist without
the knowledge of the IT group. These installations generally have little or no security and can be
accessed by anyone within signal range.


The well-documented security flaws of wireless networking increase operational and design
requirements for a secure implementation. To bolster system security against a wireless attack:
•   Eliminate unauthorized wireless networking—use wireless detection software and appropriate
    antenna/laptop to identify unauthorized installations. A wireless access point using the default
    settings is very vulnerable to network attack. Many wireless products are capable of
    configuration to acceptable levels of transmission security.
•   Specify wireless networking configurable to the appropriate security level. Turn off "beaconing"
    and minimize broadcast area through a combination of antenna-type/placement and wireless
    access point configurations.
In addition to local wireless networks, many utilities rely on radio transmission to interact with
remote SCADA components in the field. RTUs in the field exchange monitor and control information
in "plain text." These unencrypted broadcasts can be intercepted and retransmitted with different—
potentially harmful — information. To prevent interception:
•   Encrypt radio traffic between RTUs (or PLCs with radio units) to master unit with
    scrambler/descrambler devices. As an alternative,  modify radios with appropriate capabilities to
    spread spectrum frequency-hopping. This technology can be used for voice networks as well.
•   Provide "hardened," lockable enclosures for all remote control system units. Many of these units
    are located in isolated areas with few protective measures to deter vandalism.
•   Provide signal supervision and tamper alarms to detect loss of signal and tamper attempts.
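
The risk described above, and in the leased-line item of Section 5.4.2, is a command that is captured and retransmitted in altered form. The following added example is not part of the original guidance and is not the scrambler hardware it recommends: it shows message authentication with a counter, so a master station rejects altered or replayed frames. It does not hide frame contents; the frame layout, key, and RTU number are constructed.

```python
"""Authenticated, replay-protected frames for an RTU link (added example)."""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HI")   # RTU id (16 bits), message counter (32 bits)
TAG_LEN = 16                    # truncated HMAC-SHA-256 tag, in bytes


def seal(key, rtu_id, counter, payload):
    """Build header + payload + tag; the tag covers the header and the payload."""
    header = HEADER.pack(rtu_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class MasterStation:
    """Verifies frames and tracks the highest counter seen from each RTU."""

    def __init__(self, keys):
        self.keys = keys          # rtu_id -> shared secret key
        self.last_counter = {}    # must survive restarts in a real deployment

    def receive(self, frame):
        """Return (payload, "ok") or (None, reason)."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None, "truncated"
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        rtu_id, counter = HEADER.unpack(header)
        key = self.keys.get(rtu_id)
        if key is None:
            return None, "unknown rtu"
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; check the tag before trusting the counter.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        if counter <= self.last_counter.get(rtu_id, -1):
            return None, "replayed"
        self.last_counter[rtu_id] = counter
        return payload, "ok"


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed key
    master = MasterStation({7: key})
    frame = seal(key, 7, 1, b"LEVEL=6.2")       # constructed telemetry
    print(master.receive(frame))                # accepted
    print(master.receive(frame))                # same frame again: replayed
```
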

5.4.4 Insider Intrusion
Although an inside attacker has a decided advantage by possessing access privileges to the enterprise
system, a more stringent security environment renders all operational staff activities less anonymous.
A well-designed cyber security plan seeks to minimize inadvertent or intentional damage to the
SCADA system by former or current employees and contractors (i.e., "insiders"). At the core of any
security plan is an enforceable security policy and accompanying procedures that promote
operational accountability and auditability. An effective policy reduces the chances of acting
anonymously, and restricts potential damage through limited access privileges, both physical and
The wastewater utility industry is often staffed by long-term employees. The introduction of more
stringent security procedures can be perceived as a sign that the utility no longer trusts its employees. The
current security-minded national environment, however, supports the perception that procedural
changes to protect the enterprise are inevitable. Several security practices that promote accountability
and auditability are part of this mainstream movement, including:
•   Developing security policies and posting them in all control rooms.
•   Requiring individual logon credentials to access the SCADA system.
•   Configuring HMI log-on privileges to match responsibility level.

•   Ensuring HMI log files associate user log-on credentials with actions and changes made to the
    HMI (creating a non-refutable audit trail of operator actions).
•   Requiring appropriate password strength rules for user access (i.e., more "complex" passwords
    for higher access privileges).
•   Automatically deactivating passwords after a certain time has passed without use.
•   Immediately removing a user account from the HMI if the account becomes inactive due to
    voluntary, and especially involuntary, termination.
•   Configuring an inactivity timeout log-out (or proximity sensor log-out) to protect the control
    system if no one is present in the control room or the user has stepped away from a remote
•   Safeguarding laptops used for onsite programming of remote PLCs or RTUs against theft or
    unauthorized use.
•   Requiring a password to make software programming changes to RTU/PLCs.
•   Programming set point ranges to reject potentially harmful out-of-range adjustments.
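
Three of the practices above (log-on privileges matched to responsibility, log entries tied to user credentials, and rejection of out-of-range set points) can be combined in one check. The following is an added example, not part of the original guidance or of any HMI product: tag names, limits, roles, and users are constructed, and the hash chain is one assumed way to make later edits to the log detectable.

```python
"""Set point guard with a hash-chained operator audit trail (added example)."""
import hashlib
import json

# Constructed engineering limits and role privileges (assumptions).
SETPOINT_LIMITS = {
    "wet_well_high_level_ft": (4.0, 12.0),
    "hypochlorite_dose_mg_l": (0.0, 8.0),
}
ROLE_WRITABLE_TAGS = {
    "operator": {"wet_well_high_level_ft"},
    "supervisor": {"wet_well_high_level_ft", "hypochlorite_dose_mg_l"},
}
GENESIS = "0" * 64


class AuditTrail:
    """Append-only log; each entry's digest covers the previous entry's digest."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, timestamp, user, tag, requested, outcome):
        body = {
            "seq": len(self.entries) + 1,
            "timestamp": timestamp,
            "user": user,
            "tag": tag,
            "requested": requested,
            "outcome": outcome,
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "digest": self._digest(body)})

    def first_bad_entry(self):
        """Return the seq of the first entry that fails verification, or None."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["prev"] != prev or self._digest(body) != entry["digest"]:
                return entry["seq"]
            prev = entry["digest"]
        return None


def change_setpoint(setpoints, trail, timestamp, user, role, tag, value):
    """Apply a change only if the tag is known, the role may write it, and it is in range.

    Every attempt, accepted or rejected, is recorded against the user's credentials.
    """
    if tag not in SETPOINT_LIMITS:
        outcome = "rejected: unknown tag"
    elif tag not in ROLE_WRITABLE_TAGS.get(role, set()):
        outcome = "rejected: role not permitted"
    else:
        low, high = SETPOINT_LIMITS[tag]
        # A NaN value fails this comparison and is therefore rejected as well.
        if low <= value <= high:
            setpoints[tag] = value
            outcome = "accepted"
        else:
            outcome = f"rejected: outside {low}-{high}"
    trail.record(timestamp, user, tag, value, outcome)
    return outcome == "accepted"
```
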

5.4.5 Physical Security of SCADA Components

While extensive efforts may be made to secure cyber portals to SCADA and business networks,
sensitive electronic components are often completely accessible to anyone in the plant. The utility can
reduce crimes of opportunity by:
•   Locking PLC cabinets.
•   Providing exposed outdoor RTUs with protective, lockable casing.
•   Securing SCADA servers in locked, climate-controlled areas.
•   Restricting access to the control room (and network/server room) with an entry system that stores
    information about who has entered and departed. Consider biometric devices for areas requiring
    the highest levels of security.
•   Hardening control rooms using techniques presented in other sections of this document,
    including physical improvements to doors, windows, and walls.
•   Installing third-party software — or upgrading the current HMI version — to enable change
    propagation capability that monitors revisions to programming by date/time and login credentials.
    This software can also "undeploy" programming changes and revert to a previous version.
•   Installing safeguards for laptops used for onsite programming of remote PLCs or RTUs against
    theft or unauthorized use.

5.5 Operational Practices
The following operational practices supplement the detailed recommendations above to make the
business network and SCADA systems more secure and lessen the consequences of a failure.
•   Back up SCADA servers and programming workstations to tape every night. Verify that the backup
    system consistently captures a "snapshot" of designated servers and workstations. Provide off-
    site storage of selected backups necessary for disaster recovery purposes.
•   Routinely back up all SCADA programs for PLCs, distributed control units, RTUs, SCADA
    servers, and similar programmable devices to provide for rapid recovery in the event of loss of
    program or need to install new devices. Store programs offsite.
•   Install anti-virus software and configure for daily virus pattern updates on all servers and
•   Reset all operating system and HMI passwords away from default settings.
•   Set passwords to automatically expire, prompting users to develop new ones on a regular basis.
•   Provide an uninterruptible power supply (UPS) for all servers, networking components, and vital
    workstations. Consider the addition of a backup generator if warranted by system criticality.
    Provide individual UPSs for any critical SCADA devices not protected by the main UPS system.
•   Provide a secondary method to collect data from the remote systems in case of a communications
    failure. If, for example, a spread-spectrum radio network is the main method of remote SCADA
    communication, then telephone lines could be used for dial-up access in case of radio failure.
•   Configure identical SCADA servers for "fail-over" redundancy.

5.6 Cyber Security Training
Training activities also ensure a higher level of cyber security. User acceptance is an important part of
adherence to security policies. Training sessions help review security procedures and impart to users
the importance of individual responsibility.
The general user population must be trained to understand all security policies and procedures.
Specific topics should include the following:
•  Do not share passwords with others. A common technique, called social engineering, has
   intruders posing as network administrators to extract passwords from trusting users.
•  Do not write passwords down.
•  Do not set up wireless networks or wired connections between networks without authorization.
•  Password-protect home machines used to connect to the enterprise.
•  Network administrators should analyze log files to pinpoint unauthorized activity accounts.
•  Operators should log out of the HMI whenever out of the control room.


Electric and Electronic Security Devices

6.1 Introduction
The previous sections of this document identified applications for which utilities may want to install
electric and electronic security devices. A utility's decision to use this equipment should be based on
its DBT, as well as other operational and design considerations. This section provides an overview of
issues and situations that should be considered when determining what type of electric or electronic
security system to install once a decision has been made that such a system will be employed.
Included are descriptions of security devices, including intrusion detection systems, access control
and card readers, biometric readers, and closed-circuit surveillance camera systems. Lighting and
wiring are also discussed.
A variety of different security systems and components are commercially available. Before specifying
and purchasing any security devices, it is important to understand the characteristics and
requirements of the area and facility to be protected. With this understanding in hand, detailed
criteria can be developed to specify exactly how the device should be implemented and how the
device fits into the overall security system.

6.2  System Considerations
To determine the type of security system to install, it is important to understand the characteristics of
the area to be protected, as well as the security expectations and requirements. This section describes
the information that should be obtained and questions that should be asked to help a utility plan and
implement a security system.

6.2.1 Threat
As mentioned previously, the types of security equipment employed will be dependent on a utility's
DBT. The utility must understand from whom it is trying to protect the space. Questions that the
utility needs to consider include:
•   Is the anticipated adversary an outsider, an insider, or an outsider collaborating with an insider?
•   What tactics, motivation, skills, knowledge, tools or weapons might the adversary use?
    Protecting a facility from a skilled, trained terrorist with knowledge of the facility requires a
    different tactic than protecting against a teen-aged vandal.

6.2.2 Known Vulnerabilities and Key Assets
A utility's vulnerability assessment will identify the assets that are most critical to meeting its
mission. The types of assets to be protected will influence the type of equipment recommended to
protect them.

6.2.3 Areas of Coverage
The characteristics of the area that the equipment will be expected to cover are critical factors that
must be taken into account when selecting equipment. Designers or purchasers of security devices
must know what area they are trying to protect, as well as what conditions may result in false alarms.
Excessive false alarms resulting from any type of surveillance equipment can cause frustration among
utility staff and ultimately result in discontinued use of valuable security equipment. Therefore, it is
very important to consider false alarm rates in the design and purchase of electronic equipment.
Selected equipment must have an appropriate sensitivity level that allows detection but is not
triggered unnecessarily. Characteristics of both the equipment and the site conditions should inform
these decisions.
Questions to consider include:
•  What is the area or region to be protected?
•  Does the area occupy a level surface?
•  Is the area enclosed? Is the area indoors or outdoors? Indoor areas typically have lower nuisance
   alarm rates and are easier to protect.
•  If indoors, what ambient noise levels, thermal conditions, or vibrations may exist?
•  If outdoors, what humidity, temperature conditions, or wind conditions exist?
•  Are small animals or children living nearby the protected space?
•  How large is the area?
•  What is the configuration and physical layout of the area protected?
•  What are the existing lighting conditions within the area?
•  Are any restrictions in place that limit placement or levels of site lighting, such as neighborhood
   zoning requirements?
•  Are the assets visible from the fence or property line?

6.2.4 Levels of Resolution
To accurately specify the required security hardware, it is important to define the required level of
resolution that the system must achieve: detection, classification, or identification.
•  Detection. The capability to determine the presence of an intruder (but not necessarily classify as
   a human, animal, or object).
•  Classification. The capability to determine the classification of an intruder as human.
•  Identification. The capability to determine the identity of a human intruder.

6.2.5 System Size and Device Quantity
Before selecting equipment, it is also important for a utility to think about the size of the area that it
wants to cover and the number of devices it will need. Understanding the potential growth needs of
the system also allows the designer to provide a system that scales with a minimum of cost and effort
as the system size and requirements expand.

6.2.6 Electrical Power, Wiring, and Transmission Methods
Availability of electrical power will also influence selection of security devices. Questions to consider include:
•  What electrical power is available for security hardware, if any?
•  What backup power is provided for security?
•  Are lightning strikes a consideration? Is a lightning protection system advisable for new
   electronic equipment?
•  Will all wiring be protected within conduit?
•  How are alarm signals transmitted back to a monitoring system?
•  Will hard-wired systems be used or are wireless communication methods being considered?
•  What bandwidth is available for transmitting security alarms and video images? For example,
   dial-up telephone modems or radio telemetry systems provide limited bandwidth for
   transmitting video images, whereas high-bandwidth broadband connections allow higher rates
   of transmission and smoother video image playback.

6.2.7 Viewing, Assessment, and Alarm Response
Utilities also must consider how information transmitted by security devices will be used.
Approaches to viewing and assessing camera images and responding to alarms should be part of the
criteria when making decisions on equipment selection.
Questions for  consideration include:
•  What areas need surveillance? What camera surveillance systems may be required? Is there a
   need to have CCTV camera coverage at the entire site perimeter?
•  What monitoring system is in place to receive the alarms: a SCADA system or a separate
   intrusion detection system? For example, it is advisable to separate the SCADA system from
   security alarms whenever possible so that an adversary cannot disable both simultaneously.
•  Who will monitor the alarms? Will the alarms be monitored on a continuous basis or as alarms
   come in?
•  Who will view the security alarms and assess them?
•  Where is the monitoring system located?
•  What is the security response once an alarm occurs?
•   Is the response onsite or offsite?
•   What is the response time?

6.3 Security Equipment
Once a utility understands the characteristics of the area to be protected and the security expectations
and requirements, the utility can determine the type of security equipment to use. There are many
different types of security equipment including:
•   Intrusion detection (interior and exterior)
•   Access control systems (card readers, PIN access, and biometrics)
•   CCTV surveillance
Each of these types of security equipment is described in this section.

6.3.1 Interior Intrusion Detection
Many types of interior intrusion detection systems are in use today, including volumetric sensors and
boundary penetration sensors.
Interior Volumetric Sensors
Volumetric sensors monitor an internal area to detect the presence of an intruder. There are several
types of volumetric sensors, including microwave, ultrasonic, passive infrared (PIR), and dual-
technology (microwave and PIR). The most commonly used are dual-technology sensors.
Dual-technology sensors use both microwave and PIR sensor circuitry within one housing. An alarm
condition is generated if either the microwave or PIR sensor generates an alarm condition. In some
dual-technology sensors, alarm settings may be adjusted to require that both the microwave and the
PIR unit detect an intruder presence before an alarm condition is generated.
Small Utility Tip: Designs for smaller utilities might [...] an [...] door contact and interior dual-
technology sensor connected to a SCADA alarm point.
Dual-technology sensors have some drawbacks; for example, the PIR channel is relatively
vulnerable. An elusive burglar may use an infrared emission-blocking cloak or screen to camouflage
his infrared radiation. In addition, in hot climates when air-conditioning is off, there is a serious
problem of misdetection with high ambient temperatures. Some dual-technology sensors attempt to
overcome this limitation by having installer-selectable logic, where detections from either channel
are enough to trigger an event. However, this mode is not very popular because it suffers from the
false alarm weaknesses of each technology.
Interior Boundary Penetration Sensors
Boundary penetration sensors detect the presence of an intruder across an interior boundary, such as
a door, window, or hatch. The most typical boundary penetration sensors are door switches, glass-
break sensors, and linear-beam sensors.
•   Door switches. The workhorse of the security intrusion detection field, door switches include
    contact switches, magnetic switches, and balanced magnetic switches. These switches may be
    used in a variety of applications, from monitoring doors to monitoring hatches, vaults, and panel
    enclosures. By far, the most effective is the balanced magnetic switch. This switch has internal
    circuitry that resists tampering or defeat from strong magnetic fields. By comparison, standard
    magnetic switches have been defeated by applying a strong magnet to the exterior of the door to
    bypass an alarm and force the  door open.
•   Glass-break sensors. There are three basic types of glass-break sensors: acoustic sensors (listens
    for an acoustic sound wave that matches the frequency of broken glass), shock sensors (feels the
    shock wave when glass is broken), and dual-technology sensors (senses acoustic and shock
    vibrations). Because glass-break sensors do not sense motion or intrusion from entering a door or
    hatch, the sensors should be used in conjunction with other methods (such as volumetric
    sensors). It is recommended that glass-break sensors not be placed directly on a glass surface.
•   Linear-beam sensors. Also referred to as a photoelectric beam or photoelectric eye, linear-beam
    sensors consist of a transmitter that emits a beam of light that is invisible to the human eye and a
    receiver that receives the beam of light.  If the beam of light is interrupted or broken by motion
    from an intruder, an alarm is triggered. Linear beam detectors can be surface mounted or
    recessed. These sensors require a straight line of sight between the transmitter and the receiver.

6.3.2 Exterior Intrusion Detection
Several types of exterior intrusion detection sensors exist and may be classified according to type,
method of use, style, and mode of application. The following exterior systems are most applicable to
wastewater system applications: freestanding sensors, buried-line sensors, and fence-mounted
sensors.
Freestanding Sensors
Freestanding sensors are the most common style of exterior sensor available. Types include active
infrared, PIR, microwave, and dual-technology sensors. Microwave and dual-technology detectors
are frequently used as freestanding sensors and are discussed below.
•   Microwave sensors come in two styles: bistatic and monostatic. Bistatic microwave sensors use a
    transmitter and receiver pair. Monostatic microwave sensors use a single sensing unit that
    incorporates both transmitting and receiving functions. With both bistatic and monostatic
    sensors, the sensors operate by radiating a controlled pattern of microwave energy into the
    protected area. The transmitted microwave signal is received, and a base level "no intrusion"
    signal level is established. Motion by an intruder causes the received signal to be altered, setting
    off an alarm. Microwave signals pass through concrete and steel and must be applied with care if
    roadways or adjacent buildings are near the area of coverage, otherwise nuisance alarms may
    occur. Many monostatic microwave sensors feature a cut-off circuit, which allows the sensor to
    be tuned to cover only a selected region to reduce nuisance alarms.
•   Dual-technology sensors use a combination of PIR and microwave technology, as discussed
    previously.
Small Utility Tip: Monostatic microwave sensors work well for monitoring reservoir ladders or other
small areas. The device can be aimed down a reservoir ladder toward the ground, for example. Make
sure the device is rated for outdoor use before installing.
Buried-line Sensors
Buried-line sensors include pressure/seismic sensors, magnetic field sensors, buried-ported coaxial
cable, and buried fiber-optic cable sensor systems. Each of these systems relies on sensing the
presence of an intruder by means of a buried cable system within the ground.
A factor that must be considered when using buried-line sensors is the presence of underground
utilities. Underground utilities, such as gas, water, and sewer lines, must be sufficiently below the
detection zone, or false alarms may result. Typically, 1 meter (3 feet)  is sufficient to prevent false and
nuisance alarms. Underground electrical wires must also be considered.
Other factors must also be considered when using a buried-line sensor. Rodents have been known to
cause maintenance problems by gnawing on the sensor cables. Installations also should not be in
areas where running water will either wash away the soil that buries the sensor, cause nuisance
alarms during a heavy rain, or result in any standing water or pooling issues.
A drawback to the buried-line sensor system is that it may have different sensitivities when buried
below different surfaces. For example, if a continuous system is buried below a concrete surface as
well as under a lawn, the sensitivities required for each surface may be different.  A good sensitivity
adjustment for concrete may be too sensitive for grass. In this case, it may be best to individually zone
those areas, so that the sensitivities may be adjusted for each area.
Fence-mounted Cabling Sensors
With all fence-mounted systems, it is critical that the fence construction be of high quality, with no
loose fabric, flexing, or sagging material. The fence should also have solid foundations for posts and
gates. Otherwise, nuisance alarms may occur.
Small Utility Tip: Fence-mounted sensor systems work well in areas without animals or passersby;
otherwise, nuisance alarms may result.
Several types of fence-mounted perimeter intrusion detection systems exist. These include
electro-mechanical vibration sensing, coaxial strain-sensitive cable, fiber-optic strain-sensitive cable,
and taut-wire systems. Two styles of fence-mounted sensors are most prevalent and are described
below: coaxial and fiber-optic fence sensing.
•   Coaxial strain-sensitive cable systems use a coaxial cable woven through the fabric of the fence.
    The coaxial cable transmits a dielectric field. As the cable moves  due to strain on the fence fabric
    caused by climbing or cutting, the electric field changes are detected within the cable, and an
    alarm condition occurs.
•   Coaxial strain-sensing systems are readily available and are highly tunable to adjust for field
    conditions due to weather and climate characteristics. Some coaxial cable systems are susceptible
    to electromagnetic interference and radio frequency interference.
•   Fiber-optic strain-sensitive cable systems are similar to the coaxial strain-sensitive cable
    systems. The fiber-optic system uses a fiber-optic cable, rather than a coaxial cable, woven
    through the fence fabric. Strain on the fence fabric causes micro-bending of the fiber cable, which
    is monitored by the control panel, generating an alarm condition.
•   Fiber-optic strain-sensing systems are relatively newer detection systems but have a strong
    following. The systems are readily available and are highly tunable to adjust for field conditions
    due to weather and climate characteristics. The systems are impervious to lightning,
    electromagnetic interference, radio frequency interference, or other electronic signals and can be
    used over long distances.
Possible defeat measures include tunneling, jumping, or bridging across the fence system. Careful
climbing at corner posts may not generate sufficient vibration to generate an alarm condition.

6.3.3 Access Control
An access control system allows the movement of authorized personnel and material into and out of
facilities while detecting and possibly delaying movement of unauthorized personnel or contraband.
Entry control elements may be found at a facility boundary or perimeter, such as at vehicle gates,
building entry points, or doors into rooms or other special areas within a building.
Access control systems make a verification decision and then determine whether to grant or deny
access to a person. This verification decision is usually based on determining whether the person:
•   Carries a valid credential, such as an access card.
•   Knows a valid PIN.
•   Possesses the proper unique physical characteristic that matches the person's characteristic
    recorded at enrollment. This is called biometrics and includes characteristics such as a fingerprint
    or hand geometry.
These three concepts are summarized as "what you have," "what you know," and "who you are"
and are described in the following subsections. It is important to remember the effectiveness of any
access control system is improved significantly through basic security policies such as key control
and a cultural emphasis on security. Suggestions on security policies and management concepts are
presented in Section 2 of this document.

Credentials (Access Card Types)—What You Have
There are a number of different types of credentials (or access cards) used in personnel entry control,
including photo identification, exchange, stored-image badges, and coded credentials. There are
many techniques available for coding a badge or card. The most common techniques include
magnetic stripe, Wiegand wire, bar codes, proximity, and smart cards. Eighty percent of the card
reader market uses magnetic stripe, Wiegand wire, or proximity technology.
Card reader access control systems provide the most reliable, flexible method of controlling access to
a facility. Card reader systems come in many configurations, from stand-alone systems controlling
only one door to scalable systems that provide enterprise-wide control for an entire corporation
spanning multiple continents. Newer card reader systems offer sophisticated database intelligence
that allows integration with payroll, information technology, and human resources databases. If an
employee is terminated, his or her access privileges can be revoked within the access control system
instantaneously. Some access control systems offer seamless integration with video surveillance
systems, where access control alarms and video surveillance images are displayed on common
PC workstations.
As shown in Exhibit 6-1, a card reader system typically consists of:
•   A computer server or workstation that displays alarm conditions and allows programming of
    the system
•   A badge station, allowing creation and programming of badges
•   Local control panels that control the doors, card reader units, and access
•   A printer unit that prints each event and alarm
[Exhibit 6-1: Typical Card Reader System]
Under normal operation, the system grants access at doors with card readers by comparing the time
and location of any attempted entry with information stored in memory. Access is granted only
when the security card used has a valid entry code at the card reader for a designated time frame.
Significant advantages of the card reader system include the capability for event tracking and
programmable software functions, such as the following:

•   Event tracking/event logs are logs of security events recorded by the access control system that
    indicate the actions performed. Each event log entry contains the time, date, and other
    information specific to the event.
•   Two-man rule software is software programming that is optional on many card reader systems.
    It prevents an individual cardholder from entering a selected empty security area unless
    accompanied by at least one other person or exiting if only one person will remain in the area.
    Once two cardholders are logged into the area, other cardholders can come and go individually
    as long as at least two people are in the area. Conversely, when exiting, the last two occupants of
    the security area must exit together.
•   Anti-passback software prevents users from giving their cards to someone else to use. This
    feature is sometimes available with keypads. To prevent the same PIN from being used by many
    people, a time element can be programmed in so that the PIN will not work after the first time
    until a specified time expires. Some anti-passback systems require that, if a card is used to enter
    an area, the same card must be used to exit that area before it can be used to gain access to a
    different or unrelated area. This feature also helps eliminate "piggy-backing" or tailgating by
    unauthorized persons.
PIN—What You Know
There are two primary considerations for selecting a secure PIN. First, the PIN should be long enough
and have enough digits to prevent easy guessing, i.e., at least 6 digits in length. The PIN should be a
combination of letters (with capitalization), numbers, and characters for better security. Second, the
PIN should not be a number that is too meaningful to the individual to whom it is assigned (e.g.,
birthday or nickname). If a person is allowed to choose his or her own PIN, he or she should be
discouraged from choosing a PIN that is too meaningful. These considerations are consistent with the
concept of strong authentication for computer passwords discussed in Section 5 of this document.
Some systems provide a maximum number of PIN entry attempts before disallowing the credential
or generating an alarm to the central control system.
Biometrics—Who You Are
Commercial equipment is available that uses hand or finger geometry, handwriting, eye pattern,
fingerprints, speech, face, and various other physical characteristics to identify an individual. When
selecting or deploying biometric devices, consideration of the security objectives is required to assure
that the optimal device is selected and that it will operate as desired.
Hand readers and fingerprint readers are the most common biometric access control applications.
Fingerprint reader stations are physically smaller in size and have a lower cost than hand geometry
readers. Fingerprint readers are best suited for installations with smaller user populations (such as a
lab area accessed by approximately 20 people), whereas larger user populations are better served by
hand geometry readers.

Not everyone can use biometric devices. Fingerprint readers have a higher false-rejection rate than do
hand geometry readers. For example, a portion of the population cannot use fingerprint readers
because of dry skin. Manual labor staff who routinely use their hands may have worn fingerprints or
scars on their fingertips, making it difficult for effective fingerprint reading. In addition, physical
changes occur with age or injury that can impact biometric reader effectiveness. In these cases, a hand
geometry reader might be a more effective technology.
Training on the capabilities and limitations of the selected biometric device is essential. The
procedures need to provide for the periodic update of biometric data for each person tracked by the
device; enrollment of staff into a biometric reader is not a one-time action.
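The two-man rule and anti-passback functions described for card reader systems earlier in this subsection can be expressed as a small state machine over card swipes. The Python example below is added here for illustration and is not code from this guidance or from any access control product; the area names, card identifiers, result strings, and the 10-second pairing window are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

PAIR_WINDOW_S = 10  # assumed: max seconds between the two swipes of a pair


@dataclass
class Area:
    name: str
    two_man: bool = False                      # enforce the two-man rule here
    occupants: set = field(default_factory=set)
    pending: Optional[tuple] = None            # (card, direction, time) on hold


class AccessController:
    """Hypothetical controller: anti-passback, two-man rule, event log."""

    def __init__(self, areas, valid_cards):
        self.areas = {a.name: a for a in areas}
        self.valid_cards = set(valid_cards)
        self.location = {}  # card -> name of the area it is logged into
        self.log = []       # (time, card, area, direction, result)

    def swipe(self, t, card, area_name, direction):
        result = self._decide(t, card, self.areas[area_name], direction)
        self.log.append((t, card, area_name, direction, result))
        return result

    def _decide(self, t, card, area, direction):
        if card not in self.valid_cards:
            return "DENY_UNKNOWN_CARD"
        here = self.location.get(card)
        # Anti-passback: a card logged into an area must exit that area
        # before it can enter anywhere, and can only exit where it entered.
        if direction == "in" and here is not None:
            return "DENY_PASSBACK"
        if direction == "out" and here != area.name:
            return "DENY_PASSBACK"
        n = len(area.occupants)
        # Two-man rule: no lone entry into an empty area, and the last two
        # occupants leave together so nobody is left alone inside.
        if area.two_man and ((direction == "in" and n == 0) or
                             (direction == "out" and n == 2)):
            return self._pair(t, card, area, direction)
        self._move(card, area, direction)
        return "GRANT"

    def _pair(self, t, card, area, direction):
        p = area.pending
        # The held card must still be where it was when it swiped.
        expected = area.name if direction == "out" else None
        if (p and p[0] != card and p[1] == direction
                and t - p[2] <= PAIR_WINDOW_S
                and self.location.get(p[0]) == expected):
            area.pending = None
            self._move(p[0], area, direction)
            self._move(card, area, direction)
            return "GRANT_PAIR"
        area.pending = (card, direction, t)  # wait for a partner's swipe
        return "HOLD_FOR_PARTNER"

    def _move(self, card, area, direction):
        if direction == "in":
            area.occupants.add(card)
            self.location[card] = area.name
        else:
            area.occupants.discard(card)
            self.location.pop(card, None)


def run_demo():
    """Replay constructed swipe events; return (decisions, controller)."""
    ctl = AccessController(
        [Area("chemical_room", two_man=True), Area("pump_station")],
        valid_cards={"A", "B", "C"},
    )
    events = [  # constructed sample data: (time_s, card, area, direction)
        (0, "A", "chemical_room", "in"),    # empty room: held for a partner
        (4, "B", "chemical_room", "in"),    # partner within window: both in
        (20, "A", "pump_station", "in"),    # A never exited: passback
        (30, "C", "chemical_room", "in"),   # two already inside: solo entry
        (40, "C", "chemical_room", "out"),  # two remain: solo exit
        (50, "A", "chemical_room", "out"),  # would leave B alone: held
        (75, "B", "chemical_room", "out"),  # A's hold expired: B now held
        (80, "A", "chemical_room", "out"),  # pairs with B: both out
        (90, "A", "pump_station", "in"),    # A has exited: granted
        (95, "Z", "pump_station", "in"),    # card not enrolled
    ]
    return [ctl.swipe(*e) for e in events], ctl


if __name__ == "__main__":
    decisions, controller = run_demo()
    for entry in controller.log:
        print(entry)
```

The event log built by `swipe` holds one tuple per attempt, including holds and denials, which is the record an administrator would review for passback attempts.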

6.3.4 CCTV Camera Systems
CCTV camera surveillance systems are integral to effective assessment of alarms. This section
describes some of the requirements and components comprising a CCTV system.
As shown in Exhibit 6-2, a CCTV system typically consists of:
•   one or more cameras
•   transmission media (fiber cable, coaxial, or twisted-pair cabling)
•   a monitor for viewing incoming camera
•   a matrix switcher or multiplexer that receives incoming video streams and directs them to
    monitors and recording equipment
•   a means to record each event and alarm condition
[Exhibit 6-2: Typical CCTV System]
Camera Characteristics
There are several key performance characteristics of a video surveillance camera. Among these are:
•   Camera Resolution. The amount of detail that the camera can distinguish and produce.
•   Minimum Illumination. The minimum amount of light needed for the camera to display images.
    (For illumination, the lower the number, the better.)
•   Lenses. The lens size and type required for the camera.

Other important considerations of CCTV camera systems are whether the cameras are fixed or pan,
tilt, and zoom (PTZ) cameras:
•   Fixed-position Camera Mounts. The camera is mounted in a fixed position and cannot rotate or
    pan. A good application for fixed cameras is detection surveillance, because video motion
    detection can be more readily applied to the static field of view.
•   PTZ Camera Mounts. These camera mounts allow the camera to rotate, pan, tilt, and zoom.
    Because of the drive motor and housing, PTZ cameras are typically four times more expensive
    than fixed cameras. PTZ cameras are often used for assessment surveillance applications to view
    and assess alarm conditions.
Other camera features include the following:
Matrix switchers are components that provide switching capability between cameras and viewing
monitors. They typically offer functionality that allows programmable settings such as camera
naming, guard-tour camera sequences, and salvo switching.
Digital video recording provides a great improvement in camera image storage. Benefits include
eliminating consumable media (tapes), reducing physical storage space, ease of search-and-playback
functions, and the capability to add watermarks for documenting evidentiary recordings.
Video motion detection systems permit detection of entry or intrusion using video images. This new
technology is based on computer algorithms that analyze the received video image and compare it to
stored images in the system memory. The incoming video is analyzed for the direction of the object's
movement and changes in images and background "texture." Advanced software can also
distinguish between human, non-human, and vehicle images and initiate appropriate alarms.
Low-light Cameras
Several technology solutions are available to permit viewing under low light conditions, including
black/white switching cameras, infrared illuminators, or thermal imaging cameras.
•   Color - black/white switching. Some cameras will automatically switch from color during
    daytime to black/white at night, which permits viewing under low light conditions.  This can be
    an effective solution in situations where the existing illumination levels are too low during night
    conditions to permit color camera use, but color camera use is desired during daytime conditions.
    Numerous CCTV camera manufacturers offer auto-switching black/white cameras.
•   Infrared illuminators. The human eye cannot see infrared light. Most mono-CCTV cameras,
    however, can. Thus, invisible infrared light can be used to illuminate a  scene, which allows night
    surveillance without the need for additional artificial lighting. Infrared also provides many other
    benefits above conventional lighting, including:
    -  IR beam-shapes can be designed to optimize CCTV camera performance.
    -  Extended bulb-life.
    -  Covert surveillance, no visible lighting to alert or annoy neighbors.
    -  Lower running costs.
    It is important to design illumination specifically for the CCTV camera being used. The range that
    the camera will see in the dark depends on sensitivity and spectral response of the camera and
    lens combination.
    A number of camera manufacturers each produce a variety of beam patterns, e.g., 10° and 30° spot
    (precise) illuminators and 60° flood illuminators.
•  Thermal imaging cameras use special technology that senses heat signatures rather than visual
   information. These cameras operate under complete darkness. Thermal imaging cameras are best
   used in long-range detection and surveillance applications. Because they register a heat signature,
   it is not possible to resolve the identification of the adversary; instead, these cameras are best used
   to indicate the presence of an adversary.
CCTV System Recommendations
Considerations when purchasing a CCTV system include:
•  Ask the dealer if the new system or device is compatible with any existing devices such as
   cameras, matrix switches, and multiplexers. Rewiring for new cameras and devices is labor-
   intensive and can be expensive.
•  Look for ease of use.
•  Investigate the scalability of the system. If more cameras are needed locally or remotely, can new
   systems be added with as little effort as possible?
•  Understand the service plan. Manufacturers provide service and maintenance programs, and
   some have premier service plans that provide feature upgrades and enhancements on computer-
   based video recorders.
•  Consider how the images will be viewed, the number of monitors needed to support the system,
   and how multiple camera scenes will be multiplexed onto a common monitor (not every camera
   requires an individual monitor).
•  Integrate an incident alarm feature into the CCTV system so that continuous monitoring is not
   required. Some type of notification (e.g., an alarm on the CCTV monitor or SCADA control
   screen) linked to detection should trigger an operator or security professional to assess an alarm.
   A well-designed Security Control Room may have only one or two monitors that display
   continuously and 2 others that are blank until an event triggers them, at which time the operator is
   alerted. Cameras should all be linked to sensors that automatically bring them up to monitor. Let
   the machine do what it does best—detect, and let the humans do what they do best—respond
   and evaluate.


Considerations when implementing a CCTV system include:
•   The main concern with remote video monitoring is data security. Unless adequately protected, it
    may be possible for a hacker to gain access to remote video sites. To reduce the possibility of
    unauthorized access, user name and password protection is an important feature that must be
    implemented. A firewall and video encryption should also be employed to dramatically reduce
    the chance of unauthorized entry into the system.
•   Use ample light whenever possible. The most common reason for poor quality images is that the
    light level is too low. Generally, the more light, the better the images. With lighting levels too
    low, images become noisy and blurry with dull colors. For low-light situations, ensure that you
    have a low-light camera.
•   Scene illumination should be even across the field of view  of the camera, with a maximum light-
    to-dark ratio of 8 to 1. The minimum illumination level should be 11 lux (one footcandle).
•   Avoid backlight. Try to avoid bright areas in the images. Bright images might become over-
    exposed (bright white) and objects might appear too dark.  This problem typically occurs when
    one tries to capture an object in front of a window.
•   Reduce the contrast. A camera adjusts the exposure to obtain good average light level in the
    image. A person in front of a white wall tends to appear too dark. If a gray wall is used instead,
    this problem does not exist.
•   Sensor size. The lens must make an image large enough for the sensor. The larger the sensor, the
    more expensive the lens. If a lens made for a smaller sensor is used on a bigger sensor, the image
    will have black corners.
•   Lens and field of view. The lens selection and alignment should be established so that a
    reasonable width of the  alarm sector can be seen at the near field of view. The far field of view
    should be no more than 41 meters (135 feet) wide at the far end of the alarm sector to allow at
    least 4.5 pixels to cover a 0.3 meter (1-foot) square target. This minimum resolution is needed to
    classify the intrusion source as being a person versus an animal or debris, and requires that the
    camera be mounted several meters outside the zone being assessed.
•   Focal length. Wide-angle lenses have a better depth of field than telephoto lenses. This means
    that you can focus both close to the camera as well as at a distance. Telephoto lenses require a
    more precise focus adjustment.
•   Iris. Always use auto-iris lenses for outdoor applications. The iris automatically adjusts the
    amount of light reaching the camera and thereby optimizes its performance. The iris also protects
    the image sensor from getting damaged by strong sunlight. With an auto-iris lens, always set the
    focus in low light. If the adjustment is made in sunlight, it  is very easy to focus, but then at night
    the iris diameter increases and the image is not in focus anymore. Special dark focus filters are
    available that reduce the light up to ten times.
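
The lens, sensor and field-of-view criteria above can be checked numerically before a lens is purchased. The following Python sketch is an added example, not part of the original guidance; the pinhole lens approximation, the nominal sensor widths, the 6 m sector width and the sample cameras are assumptions.

```python
from dataclasses import dataclass

# Nominal active sensor widths in millimetres (assumed, not from the guidance).
SENSOR_WIDTH_MM = {'1/4"': 3.6, '1/3"': 4.8, '1/2"': 6.4}

# Criteria quoted in the guidance.
MAX_FAR_FIELD_WIDTH_M = 41.0   # far field of view no wider than 41 m (135 ft)
MIN_PIXELS_ON_TARGET = 4.5     # pixels across the target (person vs. animal/debris)
TARGET_SIZE_M = 0.3            # 0.3 m (1 ft) square target


@dataclass(frozen=True)
class Camera:
    sensor_format: str       # key into SENSOR_WIDTH_MM
    focal_length_mm: float
    horizontal_pixels: int   # width of the digitized image, e.g. 640

    @property
    def width_per_metre(self) -> float:
        """Scene width seen per metre of distance (pinhole approximation)."""
        return SENSOR_WIDTH_MM[self.sensor_format] / self.focal_length_mm

    def fov_width_m(self, distance_m: float) -> float:
        """Width of the scene covered at the given distance."""
        return distance_m * self.width_per_metre

    def pixels_on_target(self, distance_m: float) -> float:
        """Horizontal pixels covering the 0.3 m target at the given distance."""
        return self.horizontal_pixels * TARGET_SIZE_M / self.fov_width_m(distance_m)


def widest_usable_fov_m(cam: Camera) -> float:
    """Widest far field that satisfies both the 41 m and the 4.5 pixel limits."""
    pixel_limit = cam.horizontal_pixels * TARGET_SIZE_M / MIN_PIXELS_ON_TARGET
    return min(MAX_FAR_FIELD_WIDTH_M, pixel_limit)


def max_far_distance_m(cam: Camera) -> float:
    """Farthest end of an alarm sector at which the camera still meets the criteria."""
    return widest_usable_fov_m(cam) / cam.width_per_metre


def standoff_m(cam: Camera, sector_width_m: float) -> float:
    """How far outside the zone the camera must sit so the near field spans the sector."""
    return sector_width_m / cam.width_per_metre


def assess_sector(cam: Camera, sector_width_m: float, sector_length_m: float) -> dict:
    """Evaluate one alarm sector, measuring its length from the near edge of the zone."""
    near = standoff_m(cam, sector_width_m)
    far = near + sector_length_m
    width = cam.fov_width_m(far)
    pixels = cam.pixels_on_target(far)
    return {
        "standoff_m": round(near, 1),
        "far_width_m": round(width, 1),
        "pixels_on_target": round(pixels, 2),
        "width_ok": width <= MAX_FAR_FIELD_WIDTH_M,
        "pixels_ok": pixels >= MIN_PIXELS_ON_TARGET,
        "max_sector_length_m": round(max_far_distance_m(cam) - near, 1),
    }


if __name__ == "__main__":
    # Constructed sample: 1/3-inch sensor, 8 mm lens, 640-pixel-wide image.
    cam = Camera('1/3"', 8.0, 640)
    for length_m in (50, 60):
        print(length_m, assess_sector(cam, sector_width_m=6.0, sector_length_m=length_m))
```

With the sample camera, a 50 m sector passes both limits, while a 60 m sector still has enough pixels on target but exceeds the 41 m far-field width, so the sector has to be shortened or split between two cameras.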

Mounting a Camera Outdoors
When mounting a camera outdoors, the lighting changes depending on the time of day and the
weather. Because of this, consider the following for outdoor cameras:
•   As discussed previously, always use auto-iris lenses with outdoor cameras.
•   Use caution when mounting a camera behind glass. If you mount a camera behind glass, such as
    in housing, make sure that the lens is close to the glass. If the lens is too far away from the glass,
    reflections from the camera and the background will appear in the image.
•   The mounting height for the camera should be high enough to angle the camera down to avoid
    sunglare, yet low enough so that no lamps are visible in the camera field-of-view.
•   Avoid direct sunlight. Direct sunlight blinds the camera and may permanently bleach the small
    color filters on the sensor chip, causing stripes in the image. If possible, position the camera so
    that it is looking in the same direction as the sun.
•   When using a camera outdoors, avoid viewing too much sky. Due to the large contrast, the
    camera will adjust to  achieve a good light level for the sky, and the interesting landscape and
    objects might appear  too dark. One way to avoid these problems is to mount the camera high
    above ground. Use a pole if needed.
•   Always use sturdy mounting equipment to avoid vibrations caused by strong wind. Wood poles
    should not be used for cameras, and the use of cantilevered-arm mounts or poles is discouraged
    because of stability concerns in wind. Metal triangular antenna tower sections are ideal for
    stability.

CCTV Compression Standards
Digital images and digital video are always compressed to save space on hard disks and make
transmission faster. Typically, the compression ratio is 10 to 100. An uncompressed image with a
resolution of 640 x 480 pixels is approximately 600K (kilobytes) (2 bytes per pixel). Compressed
25 times, the image is approximately 25K. There are a number of common compression standards:
•   Joint Photographic Experts Group, more commonly known as JPEG, is a good and very popular
    standard for still images that modern programs support. This is the preferred standard for many
    network cameras. The JPEG compression ratio is approximately 10:1.
•   Motion-JPEG is a variation of JPEG where still images are shown at a high frame rate. It gives
    very high-quality video, but unfortunately, it consists of a lot of data, with a compression ratio of
    approximately 20:1.
•   Moving Picture Experts Group (MPEG) 2 is a standard for video. Many variations are possible,
    but normally MPEG 2 performs at 720 x 480 pixels, 30 frames per second. Only modern
    computers (Pentium III with adequate random access memory [RAM]) can decode MPEG 2, as it
    requires larger computing capacity. The compression ratio is approximately 20:1 or better.
•   MPEG 4 is a new standard for video. It provides better performance than MPEG 2, but it is not
    commonly used. Compression ratios for MPEG 4 can be 200:1 or better.

Example System Performance Criteria
•   CCTV cameras and fields of view are configured such that the area of interest (face, license plate,
    etc.) occupies a certain percentage of the overall width of the scene.
•   For cameras used for detection of an intruder (i.e., the capability to determine the presence of an
    intruder, but not necessarily classify as a human, animal or object), the area of interest should
    occupy a minimum of 10 percent of the field of view, with a maximum field of view of 91 meters
    (300 feet) in length or less.
•   For cameras used for classification of an intruder (i.e., the capability to determine the classification
    of an intruder as human), the area of interest should occupy a minimum of 15 to 20 percent of the
    field of view, with a maximum field of view of 61 meters (200 feet) in length or less.
•   For cameras used for identification of an intruder (i.e., the capability to determine the identity of a
    human intruder), the area of interest should occupy a  minimum of 25 percent of the field of view,
    with a maximum field of view of 23 meters (75 feet) in length or less.
•   All CCTV cameras shall be listed in accordance with Underwriters Laboratories (UL)  3044,
    Surveillance Closed Circuit Television Equipment.
•   Exterior cameras should have minimum resolution of  470 horizontal lines.
•   Exterior cameras should be rated for use at 0.54 lux (0.05 foot-candles).
•   The camera should provide adequate onsite digital recording capacity for all cameras at 30 days
    of continuous storage at 1 frame per second.
•   CCTV equipment should have integral digital video motion detection capabilities. The system
    should be programmable to degree of motion, range of motion, speed, number of pixels to cause
    motion, and area of motion detected.
•   To conserve bandwidth and storage requirements, the CCTV equipment should be capable of
    providing a video compression ratio of 20:1 (or better).
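
The recording and compression criteria above translate directly into disk and bandwidth requirements. The following Python sketch is an added example, not part of the original guidance; it applies the guidance's own figures (640 x 480 frames at 2 bytes per pixel, the quoted compression ratios, 30 days at 1 frame per second) as a flat per-frame ratio, and the camera count and disk size are assumed sample values.

```python
# Approximate compression ratios quoted in the guidance (N:1).
COMPRESSION_RATIO = {"JPEG": 10, "Motion-JPEG": 20, "MPEG 2": 20, "MPEG 4": 200}

REQUIRED_RATIO = 20        # performance criterion: 20:1 or better
RETENTION_DAYS = 30        # performance criterion: 30 days of continuous storage
RECORD_FPS = 1             # performance criterion: 1 frame per second
SECONDS_PER_DAY = 86_400


def raw_frame_bytes(width=640, height=480, bytes_per_pixel=2):
    """Size of one uncompressed frame (about 600K for the guidance's example)."""
    return width * height * bytes_per_pixel


def frame_bytes(ratio, raw=None):
    """Size of one frame after compression at ratio:1."""
    return (raw if raw is not None else raw_frame_bytes()) / ratio


def storage_bytes(cameras, ratio, days=RETENTION_DAYS, fps=RECORD_FPS):
    """Disk space needed to keep `days` of continuous recording for all cameras."""
    return cameras * frame_bytes(ratio) * fps * SECONDS_PER_DAY * days


def stream_bits_per_second(ratio, fps=RECORD_FPS):
    """Network bandwidth of one camera stream at the recording frame rate."""
    return frame_bytes(ratio) * 8 * fps


def retention_days(disk_bytes, cameras, ratio, fps=RECORD_FPS):
    """Days of continuous recording that fit on a disk of the given size."""
    return disk_bytes / storage_bytes(cameras, ratio, days=1, fps=fps)


def sizing_table(cameras, disk_bytes):
    """One row per compression standard, flagged against the two criteria."""
    rows = []
    for codec, ratio in COMPRESSION_RATIO.items():
        days = retention_days(disk_bytes, cameras, ratio)
        rows.append({
            "codec": codec,
            "ratio": ratio,
            "needed_gb": round(storage_bytes(cameras, ratio) / 1e9, 1),
            "kbit_per_s_per_camera": round(stream_bits_per_second(ratio) / 1000, 1),
            "days_on_disk": round(days, 1),
            "meets_ratio": ratio >= REQUIRED_RATIO,
            "meets_retention": days >= RETENTION_DAYS,
        })
    return rows


if __name__ == "__main__":
    # Constructed sample: 8 cameras recording to a 500 GB recorder.
    for row in sizing_table(cameras=8, disk_bytes=500 * 10**9):
        print(row)
```

At 20:1, each camera needs about 80 GB for 30 days at 1 frame per second, so the sample 500 GB recorder holds eight cameras for roughly 23.5 days and falls short of the 30-day criterion.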

6.3.5 Visibility and Lighting Recommendations
Visibility and lighting are critical elements of a successful security system.

Visibility
Within a parking lot, trees and shrubs should not obstruct viewing. Tree branches and leaves should
not be lower than 3 meters (10 feet) above the lot surface. Interior shrubs and bushes should not be
higher than 46 centimeters (18 inches) so as not to obstruct vision or conceal an adversary.

Lighting
A significant part of visibility is lighting. Lighting should enable people parking and employees to
note individuals at night at a distance of 23 meters (75 feet) or more and to identify a human face at
about 10 meters (33 feet). These are distances that will allow them, if necessary, to avoid the
individuals or take defensive action while still at a safe distance.


Security lighting increases the effectiveness of guard forces and closed circuit television by increasing
the visual range of the guards or CCTV during periods of darkness. It also provides increased
illumination of an area where natural light does not reach or is insufficient. Lighting also has value as
a deterrent to individuals looking for an opportunity to commit crime. Normally, security lighting
requires less intensity than lighting in working areas. An exception is at normal doorways.
Exterior lighting for areas such as parking lots ensures a minimum level of visibility when guards
perform inspection of the protected area. Guards and CCTV surveillance systems must be able to:
•   see badges, people, and other guards at gates
•   observe activity
•   inspect vehicles
•   observe illegal entry attempts
•   detect intruders in the protected area
•   observe unusual or suspicious circumstances
Each parking lot presents its own particular problems based on physical layout, terrain, atmospheric
conditions, and security requirements. The goals of direct illumination are to provide a specified
intensity throughout the area for support of guard forces or CCTV, provide good visibility for
customers or employees, and have a minimum of glare.
The most severe problem is illuminating the small narrow "corridors" formed by adjacent parked
cars. To get light into these areas, it is recommended that any point in the entire parking lot be
provided with illumination from at least two and preferably four lighting (pole) locations. The lights
should be mounted at a minimum height of 6 meters (20 feet), with the lowest value of illumination
on the pavement not less than one-fourth of the recommended average (a 4:1 light-to-dark ratio).23

Example System Performance Criteria
The minimum recommended illumination levels for the barest sight essentials on the parking lot are:
•   Provide lighting that is a minimum of 2.2 lux (0.2 foot-candles) around key assets for
    observation by unaided eye.
•   Provide minimum of 2.2 lux (1 foot-candle) (the average maintained horizontal to the surface)
    for self-parking areas.
•   Lighting at entry and exit points should be at least 16 to
    22 lux (1.5 to 2.0 foot-candles) for safety and for adequate observation by employees or CCTV.
•   Twenty-two lux (2 foot-candles) of lighting should be provided for attendant parking areas
    because of liability and potential damage to automobiles.
•   Where additional lighting is required, lighting of 54 lux (5.0 foot-candles) and higher is
    often used.
•   RP-20-98, Lighting for Parking Facilities, published by the Illuminating Engineering Society of
    North America, provides recommended illumination levels for parking facilities.

Small Utility Tip: Low pressure sodium lights are reasonably efficient and provide a uniform
lighting ratio.

23 RP-20-98, Lighting for Parking Facilities, Illuminating Engineering Society of North America

6.3.6 Power and Wiring
Without a reliable power source and intact wiring, a security system cannot function. Indeed, cutting
the power to a security device may be an adversary's first course of action. Recommendations for
reliable power and security wiring are presented here.

Uninterruptible Power Supplies and Battery Backup
For all electronic components of the security system, some method of power backup is recommended.
With generator-backed systems, if normal AC power fails, there is a 5- to 10-second lag before
generator backup engages. With manual systems this time can be much longer. Thus, uninterruptible
power supply (UPS) systems are recommended for devices requiring 120V ac power, such as
computers and video monitors.
When considering UPS systems, compare the cost and flexibility of using smaller point-of-use UPS
units against a large system-wide UPS. In some cases, greater flexibility and cost-effectiveness may be
achieved using point-of-use UPS units. Additionally, the cost of maintaining a spare point-of-use UPS
unit is much lower than providing a redundant system-wide standby UPS unit.
Batteries are cost-effective and reliable for low-voltage devices, such as cameras and card reader
systems. Four-hour battery backup is recommended, at a minimum. Provide automatic charging
means to automatically maintain battery charge under normal power conditions, and provide
recharging means to automatically recharge batteries within 24 hours after charged batteries have
been discharged. Provide extra protection for single-point-of-failure equipment such as the power
transfer switch for backup power.
Modular battery backup systems provide an advantage because they may be expanded by simply
adding more components and batteries. As backup power requirements increase, the battery system
capacity can be adjusted to meet current needs.

Security Wiring
Recommendations for the wiring of security devices are as follows:
•   All exposed security wiring should be installed in conduit. The wiring conduit should be
    concealed, where possible, within the structure.
•   No splices or wire nuts should be used within wiring circuits. All wiring terminations should be
    made via mechanical termination blocks.
•   All interconnecting wiring between security system components should be monitored for
    integrity so that an abnormal condition (wire-to-wire short, wire break, or wire ground-fault
    condition) is automatically indicated to the user upon arming the system or causes an alarm if the
    system is already armed.


•   Coaxial cable RG-59U, the most common coaxial cable style, is rated for up to 229 meters
    (750 feet). Use fiber-optic cable for CCTV runs farther than 229 meters (750 feet).
•   Fiber-optic cable offers several advantages over coaxial cable: it is impervious to electromagnetic
    interference and radio frequency interference, and it offers good security against eavesdropping.
    For new CCTV installations, fiber is recommended over coaxial cable, except for very short runs
    (under 15 meters [50 feet]).

Example System Performance Standards
•   All wiring shall comply with the NFPA 70, National Electrical Code, specifically Articles 725
    and 800, as appropriate.
•   Security panels shall be UL listed as meeting standard UL804.
6.4 Summary
A variety of different security systems and components are commercially available. Before
implementing a security system, it is important to understand the characteristics and requirements of
the area and facility to be protected. With this understanding, detailed and specific criteria can be
developed to specify exactly how the security system should be implemented.
Technology and manufacturers of security devices are rapidly changing. Therefore, web resources are
useful for getting the latest information on security products. USEPA has published guidance for
water and wastewater utilities on security devices and equipment in the form of its Security Product
Guides. These guides are kept up-to-date on EPA's web site at www.epa.gov/safewater/security
under the Primary Topic of "Security Enhancements, Research, and Technology." At the time of
writing, guides are available for security products, cyber protection products, physical asset
monitoring products, and water monitoring products.


Emergency Response

Even the most well designed and effectively operated protection system cannot prevent all threats.
Thus, a utility must be prepared to respond and recover in the event that existing security systems do
not prevent a harmful occurrence. This section presents information for wastewater utilities to
consider when planning for and responding to incidents in order to minimize disruption of service,
protect employees and the public, and mitigate adverse environmental impact. The issues discussed
provide the basis for development of a wastewater Emergency Response Plan (ERP) for both human-
caused and natural hazard emergencies. This section is intended to provide general information and
resources on emergency response; resources listed at the end of the section should be consulted for
emergency response plan specifics.

7.1 Emergency Response Plans (ERPs)
The purpose of an ERP is to provide a utility with a standardized response and recovery protocol to
prevent, minimize, and mitigate injury and damage resulting from emergencies or disasters of
human-caused or natural origin. The ERP should clearly outline the communication and coordination
that would occur between the utility and local emergency response personnel, including police, fire,
and public health officials. The plan should be developed through workshops and consultations with
local emergency management personnel and first responders; this communication provides the utility
with knowledge of local resources and begins the agency coordination necessary in responding to an
emergency. The ERP should also define procedures and protocols to be followed during an
emergency, as well as identify equipment and resources to assist the utility in responding to and
recovering from unintentional or natural disasters.
The ERP, as well as other materials that may be needed during an emergency, must be kept up-to-
date in a hardcopy format and available to the utility's staff. Electronic formats of ERPs, maps,
manuals, and other documents may not be accessible during extended power outages.

7.1.1  Requirements for an ERP
In general, wastewater utilities are required to develop ERPs and protocols through a variety of
regulatory programs. SARA Title III (Superfund Amendments and Reauthorization Act), Emergency
Planning and Community Right to Know Act of 1986, and the Clean Air Act (Section 112) require
wastewater facilities that store and handle hazardous and extremely hazardous chemicals to develop
emergency plans. Under the Clean Water Act, point source dischargers to Waters of the U.S. must
hold National Pollutant Discharge Elimination System (NPDES) permits. Non-discharging
wastewater facilities that produce residuals must also hold NPDES permits. A standard condition of
an NPDES permit is a contingency plan, which includes emergency response components.


In addition, wastewater utilities that store certain regulated substances over threshold amounts,
including chlorine and sulfur dioxide, must develop Risk Management Plans (RMPs) that are
submitted to EPA. Process Safety Management Plans (PSMs) are required under Occupational Safety
and Health Administration (OSHA) regulations or similar state requirements. Both RMPs and PSMs
have significant emergency response components.
States, counties and municipalities may have additional regulations requiring ERPs. Utilities are
encouraged to communicate with their state regulatory agencies and local public health departments
about any requirements for wastewater and stormwater emergency plans.
Coordination with other utilities and local agencies is critical when developing emergency plans and
procedures. The wastewater ERP should become an "annex" or appendix to a city-wide ERP.
Information contained in a city-wide ERP or in a water system ERP  (required by the Public Health
Security and Bioterrorism Preparedness and Response Act of 2002) should be reviewed for
consistency with the wastewater ERP so that community response to an emergency can be as
cohesive as possible.
7.1.2 Key Components of an ERP
There is a great deal of information that must be incorporated into an ERP to make it useful and
successful in aiding a utility's response and recovery in an emergency. An ERP may be organized
into the sections described below.
•   Introduction describes the purpose, goals, regulatory requirements, overall organization, and the
    access control protocol for the ERP document.
•   Emergency Planning Information describes the utility's emergency planning partnerships;
    mutual aid agreements; and emergency response policies, procedures and documents. It also
    summarizes the scenarios from the most recent VA that are addressed in the ERP.
•   System Information contains an overview of the wastewater system including a description of
    the collection system, pump stations, and a discussion of the treatment facilities and processes.
    System maps, site plans, flow diagrams, hydraulic profile schematics, and data tables should be
    included to aid in the understanding of system capacities and inter-relationships of system
    components. Emergency resources, such as backup power supplies and redundant facilities,
    should also be listed in this section.
•   Concept of Operations describes the utility's policies, procedures, and plans to mitigate
    emergency incidents, including how threats might be received by the utility. This section should
    also cover ERP activation, response capabilities, personnel safety provisions, and protective
    action protocols. Refer to the EPA Response Protocol Toolbox for actions based on threat
    assessment, including the possible, credible, and confirmed stages, as well as information on site
    characterization and use of laboratories that are capable of detecting a broad range of
    contaminants. The toolbox files can be downloaded at www.epa.gov/safewater/watersecurity.

•   Incident Management is effectively accomplished through an incident command system (ICS)
    described in Section 7.2.  Overall emergency response should be centered at the emergency
    operations center (EOC) as discussed in Section 7.3.
•   Emergency Communications should be addressed in the form of a crisis communications plan
    described in Section 7.4.
•   Emergency Response, Recovery and Termination describes damage assessment activities, in
    which the utility determines the extent of damage and estimates repair or replacement costs;
    prioritization of actions;  identification of resources necessary to return the damaged system to
    full operation; and actions to stabilize the system. This section also includes a discussion of the
    recovery phase emphasizing the importance of appointing a recovery manager who then selects a
    recovery team. These leaders will develop a strategy to transition from an emergency situation to
    the recovery phase until normal conditions are reached and the emergency is terminated. A
    recovery plan should list the steps required to restore the system to normal operations. Finally,
    the discussion of termination and review of the emergency should highlight the importance of
    declaring an end to the emergency and learning from the incident. Those lessons should be
    incorporated into future versions of the ERP.
•   Appendices can include various documents relevant to emergency response of the utility, such as
    the following:
    -  EPA-suggested measures for water and wastewater utilities
    -  Maps and other relevant system information
    -  Mutual aid agreements
    -  Threat documentation forms
    -  Contamination threat evaluation worksheets
    -  Generic site characterization plans
    -  Site characterization report forms
    -  Equipment lists
    -  Example public notices and press releases
    -  Emergency contact lists that contain primary and alternate contact information for, at a
       minimum, the incident management team, the crisis communications team, utility personnel,
       local, state and federal emergency management staff, chemical and equipment suppliers,
       contractors and consultants, mutual-aid partners, media contacts and sensitive customers.

7.2 Incident Command System
On March 1, 2004, the DHS established the National Incident Management System (NIMS) pursuant
to Homeland Security Presidential Directive-5. NIMS consists of five major subsystems that
collectively provide a total systems approach to risk incident management. These five elements are
the Incident Command System (ICS), Training, Qualifications and Certification, Publication
Management, and Supporting Technology.
On September 8, 2004, the DHS sent a letter to state governors that outlines the requirements of NIMS
as our nation's first standardized approach to incident management and emergency response. The
minimum FY 2005 requirements for local jurisdiction support of NIMS are:
1. Completing the Introductory NIMS Awareness Course, available online at
2. Formally recognizing the NIMS and adopting NIMS principles and policies. The NIMS
   integration center (NIC) has tools to help with NIMS (www.fema.gov/nims).
3. Establishing a NIMS baseline by determining which NIMS requirements the jurisdiction already
   meets. There is a NIMS Capability Assessment Support Tool (NIMCAST) under development
   from NIC.
4. Establishing a timeframe and developing a strategy for full NIMS implementation.
5. Institutionalizing the use of the ICS.
ICS is a standardized response management system that is a key component of NIMS. It is an "all
hazard/all risk" approach to managing crisis response operations as well as non-crisis events by
enhancing command, control, and communication capabilities. In the early 1970s, ICS was developed
to manage rapidly moving wildfires and to address the following problems:
•  Different emergency response organizational structures
•  Unclear or unspecified incident objectives
•  Too many people reporting to one supervisor
•  Lack of reliable incident information
•  Inadequate and incompatible communications
•  Lack of structure for coordinated planning among agencies
•  Unclear lines of authority
•  Terminology differences among agencies
Information and training on ICS can be obtained online at http://training.fema.gov/emiweb/

7.2.1  Benefits of ICS
The adoption of ICS offers these benefits:
•  A flexible, but formal, response management system that allows for the cultivation of response
   management expertise at all levels of applicable response organizations.
•  Increased coordination between utilities, their personnel, and other first responders such as
   police, fire, public health, and public works departments
•  Application to any response situation ("all hazard/all risk")
•  Logical and smooth organizational expansion and contraction

•   Autonomy for each agency participating in the response
•   Increased support of trained personnel during major incidents
•   A "public domain" system that allows unrestricted distribution by commanding officers to
    improve capabilities and unify the local response community into a more effective organization

7.2.2 ICS Command Structure
The Incident Management Team, as shown in Exhibit 7-1, consists of the Command Staff (incident
commander, public information officer, liaison officer, and safety officer) as well as the operations,
planning, logistics, and financial sections of the utility. Not all positions may be activated during an
emergency. Based on this structure, the ERP describes the utility personnel who will fill each role (at
least two people for each position on the team) and their roles and responsibilities.
[Exhibit 7-1. Incident Management Team Organizational Structure: organization chart showing the
Command Staff (Incident Commander, Safety Officer, Public Information Officer) and the Operations,
Planning, Logistics, and Finance sections.]

During an emergency situation, the Incident Management Team members will, at a minimum:
•   Identify an Incident Commander to manage the Operations, Planning/Intelligence, Logistics,
    Finance/Administration Sections, and related sub-functions of the ICS.
•   Set priorities and implement previously developed Incident Action Plans (IAPs).
•   Control and mitigate emergency situations.
•   Coordinate and support all field-level incident activities within the utility service area.
•   Gather, process, and report information to stakeholders within the utility service area and to
    other levels of the ICS.
•   Coordinate with local governments, organizations with which the utility has mutual aid
    agreements, or regional Emergency Operations Centers (EOCs) as appropriate.
•   Coordinate the transition of expanded ICS responsibilities to outside agencies when the scope
    and parameter of emergency response exceeds jurisdictional capability.
•   Request resources from appropriate agencies.
•   Organize recovery and cleanup of emergency response activities.

Small Utility Tip: The Incident Management Team at a small utility may consist of one or two staff
covering the functions of all ICS positions.

7.3 Emergency Operations Center
An Emergency Operations Center (EOC) is a pre-designated facility from which to coordinate the
overall response and support for an emergency. The utility should select a primary EOC location, as
well as an alternate EOC location to be used in the event that the primary EOC is not available or
rendered unusable by the emergency. The EOC can be a separate room equipped and designated for
emergencies only or a room that has been equipped to be easily transformed into a command center
during emergency events.
During an emergency situation, the staff at the EOC will:
•   Establish an EOC Director to manage the Operations, Planning/Intelligence, Logistics,
    Finance/Administration Sections functions and related sub-functions of the ICS.
•   Set priorities and develop Action Plans (APs).
•   Coordinate and support all field-level incident activities within the utility service area.
•   Gather, process, and report information within the utility service area and to other levels of ICS.
•   Coordinate with local government, operational areas, or regional EOCs as appropriate.
•   Request resources from appropriate agencies.
The EOC must have sufficient communication equipment (telephones, computers, two-way radios,
etc.), copies of engineering and operational plans and procedures for the utility, chalk or white
boards, and tables and chairs sufficient to meet the needs of those individuals assigned to the EOC.
Consideration should also be given to providing overnight accommodations at the EOC with cots
and bedding, a supply of food and water, and bathrooms with showers.
A map showing the relationship between the primary and alternate EOCs, as well as their addresses
and telephone numbers, is helpful to include in an ERP. A list of the emergency equipment to be
stored in the EOC should also be included in this section of the ERP. Lists of available field
equipment can be contained in an appendix to the ERP.
Handwritten and electronic logs should also be developed and controlled through the EOC. These
logs become the official documentation of the emergency and can serve as the primary basis for the
post-incident review. This section of the ERP should stress the importance of the logs and describe
procedures for their generation and storage.

7.4 Crisis Communications
During an emergency, clear and timely communication can save lives, property, and credibility. A
crisis communications plan identifies who to contact, the order in which the contacts are to be made,
and the telephone numbers to be used. It details communication
procedures within the utility incident management team,
communications with stakeholders, crisis communications tools,
and key messages for the public. If there is a need to communicate
to the public or to use the media to communicate to a wider
audience, this must be done by a designated person who has been
trained to do so.
Small Utility Tip: Many ERPs contain a Crisis Communication plan; however, smaller utilities will
likely rely on their locality's crisis communication procedures.
The crisis communications plan should also identify the various stakeholder groups, both internal
and external to the utility, that should be notified during crisis situations and the procedures for such
notifications. It often includes contact information for staff and next-of-kin, onsite vendors,
contractors, visitors, local emergency response agencies, municipal and sensitive customers, public
and local news media, and regulatory agencies.
Crisis communications tools for disseminating information to internal and external audiences should
also be identified and included in an appendix to the ERP as applicable.  These tools may include
boiler-plate public notices and press releases. Key messages should also  be developed in the ERP
process to facilitate rapid communication during an emergency event.
Communication protocols and resources should also be discussed in the Emergency Communications
section of the ERP. Sections 2.10 and 2.11 of this document discuss the importance of coordination
and communication with emergency responders and local emergency management agencies, health
departments, and neighboring utilities, and provide tips on improving coordination. When
coordination and communications protocols are established before an emergency, the response
will be more efficient and successful in a crisis.

7.5 Revisions to  ERPs
An ERP is never a final document. ERPs should be revisited and revised often. A utility staff member
should be assigned responsibility and given utility-wide authority for keeping the ERP up-to-date,
including maintaining contact lists and equipment information. A review of the ERP should take
place at least annually, and should be based on the operational and procedural recommendations of
the most recent VA, results of any training exercises, and lessons learned from actual emergency
responses. The ERP should also be updated to include procedures involving any new  security
equipment and technology.

7.6 Emergency Response Plan Training  and Exercises
The ERP should also contain a section that discusses the utility's emergency response  training
program. Training and drilling are critical to successful emergency response. It does not matter how
good an ERP is on the shelf if utility personnel are not trained to use it, or utility personnel and
emergency responders are not used to working together. Section 2.5 of this document provides an
overview of training programs that a utility may consider for improving security and emergency
response. The following programs specifically related to emergency response should be considered:
•   Orientation Sessions: Orientation sessions include basic instruction and explanation of the ERP
    and action plan procedures. Written tests may be used to ensure a defined level of
    comprehension by the attendees.
•   Table-Top Exercises: Table-top exercises are extremely helpful in testing emergency procedures
    and enabling communication between personnel who would respond to an emergency.
    Participants are presented with a fabricated major event and must discuss their potential
    responses. Table-tops involve many players acting out an emergency situation in an indoor
    setting within one or a few rooms. A director facilitates the exercise and develops a plausible
    scenario with a "trusted agent" from the utility. After the exercise is complete, the director should
    conduct a review of the exercise and lessons learned with the participants.
    Players in a table-top exercise may be limited to utility employees involved in an emergency or
    may include all agencies responding with the employees. Exhibit 7-2 shows a typical table set-up
    when the exercise begins. The controllers/evaluators help to keep the exercise moving according
    to the exercise plan, and assist in evaluating the success of the exercise.
    [Exhibit 7-2: Table-top Exercise Participants and Setup. The figure shows three participant
    groups. EOC: City Officials, County Officials (as tasked), Public Utility, Public Safety,
    Emergency Management, Public Information. Incident Command: Local Fire, Local Police/Law
    Enforcement, HAZMAT, Ambulance, Facility Representatives, Offsite Response Teams. Offsite
    Support: Federal Agencies, State Agencies, Local Government Agencies.]

FEMA has developed a time-tested, effective method for emergency training that applies to table-top
exercises. The eight steps are as follows:
•   Conduct a needs assessment to determine a plausible emergency scenario.
•   Define the scope of the exercise, including participants and ground rules.
•   Develop a statement of purpose and write the exercise directive that summarizes the exercise
    information and agenda.
•   Develop the exercise objectives against which the success of the exercise and participants will be
•   Compose the introductory narratives or background information for participants.
•   Develop major and detailed events in the form of a Master Scenario Events List that describes
    inputs of information and when these inputs occur during the exercise.
•   List expected actions of the participants, which will be used in the evaluation of the participants.
•   Prepare problem statements or messages and provide these to participants as the emergency
    scenario unfolds.

7.7 Emergency Response Resources
Numerous agencies have published information and provided assistance for utilities in formulating
ERPs. FEMA has developed extensive information relating to emergency prevention and response. A
number of these documents are listed in the bibliography of this document. Additional information
and documents can be found on the FEMA Web site at www.fema.gov.
There are guidance documents and tools that have been specifically developed to assist wastewater
agencies in developing ERPs. For instance, WERF has published the "Emergency Response Plan
Guidance for Wastewater Utilities," which presents details on the goals and content of ERPs for
wastewater utilities. The Vulnerability Self-Assessment Tool (VSAT™), developed by AMSA, has an
ERP Module that can be used to guide a wastewater utility through ERP development. In addition,
AMSA will soon be releasing a planning document for wastewater utility managers focused on the
wastewater generated from decontamination activities at scenes of biological, chemical, and
radiological contamination.
The EPA's Response Protocol Toolbox: Planning for and Responding to Contamination Threats to
Drinking Water Systems contains six modules designed to help the water sector effectively and
appropriately respond to intentional contamination threats and incidents. Much of its information
directly relates to wastewater and stormwater. The toolbox files can be downloaded in PDF or
Microsoft® Word format at www.epa.gov/safewater/watersecurity. Locate the information by
selecting the primary topic of "Emergency/Incident Planning," then selecting the toolbox from the
list of "Emergency Response Tools and Guidance Documents."
Also available from the EPA is a "Laboratory Compendium" database of laboratories with water
testing capabilities. This database was populated through voluntary information from laboratories
nationwide. It can be used to determine where to send contaminated wastewater or stormwater
samples for testing.
The ASIS International Disaster Preparation Guide published in 2003 and available online at
www.asisonline.org/newsroom/crisisResponse/disaster.pdf is an easy-to-read overview of
emergency response that is useful to provide to  utility employees.

Other  Information Sources

Many resources are available to assist wastewater utilities in improving the security at their facilities,
such as the associated guidance documents and the many government agencies and utility
organizations listed in this section.
8.1  Corresponding Reports
This document was produced by WEF to support wastewater utilities as they implement security
improvements to protect their assets and the public from potential threats. EPA provided funding for
the development of security guidance to WEF, ASCE, and AWWA. The three organizations divided
the development of the guidance into the areas of wastewater and stormwater systems (led by WEF);
water supply (led by AWWA); and contaminant online monitoring systems (ASCE). These guidance
documents are being developed under the leadership of the ASCE's Environmental & Water
Resources Institute's Water Infrastructure Security Enhancements (WISE) Standards Committee.
The three documents resulting from this joint effort are:
•  Interim Voluntary Security Guidance for Wastewater/Stormwater Utilities
•  Interim Voluntary Security Guidance for Water Utilities
•  Interim Voluntary Guidelines for Designing an Online Contaminant Monitoring System

8.2  Federal Agencies
Numerous federal agencies have information available on water and infrastructure security. Several
of these agencies are presented here alphabetically.

8.2.1 Centers for Disease Control and Prevention
The Centers for Disease Control and Prevention (CDC) has compiled significant amounts of
information related to emergency preparedness and response. Information can be found on the CDC
Web site related to  the preparation for and response to specific bioterrorism agents, chemical agents,
radiation emergencies, and natural disasters. The CDC also provides information about laboratory
The CDC Web address is www.cdc.gov.

8.2.2 Critical Infrastructure Assurance Office
The Critical Infrastructure Assurance Office (CIAO) operates within the U.S. Department of
Commerce. CIAO was created by Presidential Decision Directive-63 (PDD-63), published in 1998 to
promote the protection and assurance of the nation's critical infrastructures. CIAO's basic mission, as
articulated in PDD-63, is to coordinate national planning activities related to critical infrastructure
CIAO also supports the Partnership for Critical Infrastructure Security (PCIS). The Partnership is a
collaborative effort of over 60 member companies and associations and 13 federal government
agencies in the 8 critical infrastructure sectors identified in PDD-63, including water and wastewater.
More information on PCIS is available at www.pcis-forum.org.

8.2.3 Department of  Homeland  Security
The mission of the federal Department of Homeland Security (DHS) is to "lead the unified national
effort to secure America... prevent and deter terrorist attacks and protect against and respond to
threats and hazards to the nation."24 The Information Analysis and Infrastructure Protection
Directorate of DHS oversees protection of critical infrastructure, including wastewater facilities. This
Directorate operates the National Infrastructure Protection Center, in conjunction with the Federal
Bureau of Investigation (FBI).
Several Homeland Security Presidential Directives (HSPDs) have been issued. HSPD-7: Critical
Infrastructure Identification, Prioritization, and Protection establishes a national policy for federal
departments and agencies to identify and prioritize critical infrastructure and key resources and to
protect them from terrorist attacks. HSPD-9: Defense of Agriculture and Food deals with on-line
monitoring and development of a national network of laboratories with standardized diagnostic
protocols and  procedures. HSPD-10: Bio-defense for the 21st Century deals with the President's multi-
agency strategy to coordinate federal response to biological terrorist attacks and remains a classified
document. A fact sheet describing the directive says that it "builds on past accomplishments,
specifies roles and responsibilities, and integrates the programs and efforts of various communities —
national security, medical, public health, intelligence, diplomatic, agricultural and law enforcement—
into a sustained and focused national effort against biological weapons threats."25 DHS has also
published the Protection of Critical Infrastructure Information (PCII) Interim Rule. The PCII program is
designed to encourage private industry and others with knowledge  about critical infrastructure to
share sensitive and proprietary business information about this critical infrastructure with the
The Office for Domestic Preparedness (ODP) is the principal component of DHS responsible for
preparing the United  States for acts of terrorism. ODP achieves its mission by providing grants to
states and local jurisdictions, providing hands-on training through residential training facilities and
in-service training at the local level, funding and working with state and local jurisdictions to plan
and execute exercises, and providing technical assistance onsite to state and local jurisdictions.
24 Securing Our Homeland, U.S. Department of Homeland Security Strategic Plan, 2004
25 Department of Homeland Security. 2002. http://www.dhs.gov/dhspublic/display?content=3522

Information and documents can be found on the DHS Web site at www.dhs.gov. The Information
Analysis Infrastructure Protection's Web site, within the DHS Web site, is www.nipc.gov. ODP's Web
site is www.ojp.usdoj.gov/odp.
The Federal Emergency Management Agency (FEMA) is now part of the DHS Emergency
Preparedness and Response Directorate and is tasked with responding to, planning for, recovering
from, and mitigating against disasters. FEMA has extensive information relating to emergency
prevention and response. A number of these resources are listed in the bibliography of this
Additional information and documents can be found on the FEMA Web site at www.fema.gov.
Within FEMA, the U.S. Fire Administration (USFA) coordinates awareness and information sharing
activities related to Critical Infrastructure Protection (CIP) for the emergency management and
response sector of the nation. This role stems from Presidential Decision Directive-63, superseded by
HSPD-7 in December 2003. Generally, CIP consists of the proactive activities to protect indispensable
people, physical assets, and communication systems from all hazards. More formally, according to
USFA, it is "an analytical process to guide the systematic protection  of critical infrastructures by the
application of a reliable decision sequence that assists leaders in ultimately determining exactly what
really needs protection as well as when."26
Information on the CIP program is available at www.usfa.fema.gov/fire-service/cipc/cipc.shtm.

8.2.4 U.S. Environmental  Protection Agency
As mentioned above, the U.S. Environmental Protection Agency (EPA) provided funding to WEF,
ASCE, and AWWA to develop guidance for utilities on securing water, wastewater, and stormwater
infrastructure.  EPA also has numerous documents available on topics such as vulnerability
assessments, security-related products for water and wastewater, and emergency response protocols.
Information and documents can be found on the EPA Web site at www.epa.gov/safewater/security.

8.2.5 Federal  Bureau of Investigation
The FBI is the principal investigative arm of the United States Department of Justice. It has the
authority and responsibility to investigate the crimes assigned to it. The FBI is also authorized to
provide cooperative services to other law enforcement agencies, such as fingerprint identification,
laboratory examinations, and police training. The mission of the FBI is "to protect and defend the
United States against terrorism and foreign intelligence threats, to uphold and enforce the criminal
laws of the United States and provide leadership and criminal justice services to federal, state, local,
and international agencies and partners."27
When a security breach is suspected or confirmed at a wastewater utility, the FBI will often be called
in. FBI representatives can also help utility personnel determine if a threat to the utility is credible.
26 U.S. Fire Administration. 2004. http://www.usfa.fema.gov/fire-service/cipc/cipc.shtm

More information on the FBI and links to local FBI contacts can be found at www.fbi.gov.

8.2.6 Sandia  National Laboratories
Sandia National Laboratories has a long history of developing technologies for infrastructure
protection, from security devices to the RAM-W™ VA methodology. Through its Critical
Infrastructure Surety Group, Sandia National Laboratories provides fact sheets on modeling of
interdependencies and other topics.
Information and documents can be found on the Sandia National Laboratories Web site at

8.2.7 United States Army Soldier  and Biological Chemical Command
The mission of the United States Army Soldier and Biological Chemical Command's (SBCCOM's)
Homeland Defense Business Unit is "to enhance the response capabilities of military, federal, state
and local emergency responders to terrorist incidents involving weapons of mass destruction."28 The
SBCCOM has made available biological and chemical agent quick-reference tables, fact sheets, and
reports regarding protective equipment and response measures.
More information and documents can be found on the SBCCOM Web site at
http://hld.sbccom.army.mil/ip/index.htm.
8.3 State and  Local Agencies
State agencies can also provide a wealth of information related to wastewater infrastructure
protection. Local public health agencies, environmental regulatory agencies, emergency planning
agencies, Governors' offices, and other agencies may have additional resources, as well as
information on grant funding.
The Association of State and Interstate Water Pollution Control Administrators (ASIWPCA) is an
association of the State, Interstate and Territorial officials who are responsible for the implementation
of surface water protection programs throughout the nation, including state regulatory agencies.
ASIWPCA provides information on national programs and funding and can direct utilities to state
resources. More information is available at www.asiwpca.org.
FEMA is also a good resource for information on state emergency management agencies. For a directory
of state offices and agencies of emergency management, see www.fema.gov/fema/statedr.shtm.
Local Emergency Planning Committees (LEPCs) are another excellent resource for information on
security and emergency response planning. EPA's directory of LEPCs can be found at
www.epa.gov/ceppo/lepclist.htm.
27 Federal Bureau of Investigation Strategic Plan 2004-2009
28 United States Army Soldier and Biological Chemical Command. 2003. http://hld.sbccom.army.mil/about_us.htm

8.4 Information Centers
Numerous resources exist to provide security-related information to wastewater and stormwater
utilities. Eleven primary information centers are listed below.

8.4.1  WaterISAC
The Water Information Sharing and Analysis Center (WaterISAC) is an information service
developed to provide water and wastewater utilities with a secure Web-based system for early
warning of potential threats and information about water and wastewater security. Utilities can
purchase a secure subscription to WaterISAC that allows them access to the Web site, which contains
alerts on potential terrorist activity, information on water security from federal homeland security,
intelligence, law enforcement, public health, and environment agencies. The site also provides
information on physical vulnerabilities and solutions, as well as emergency response resources.
WaterISAC was developed under a grant from the EPA and is governed by utility managers
appointed by national drinking water and wastewater organizations, including WEF.
WaterISAC's Web address is www.waterisac.org. Subscribers can enter the secure site from there.

8.4.2 Water Security Channel
The Water Security Channel is a no-cost service of the WaterISAC that provides electronic bulletins
and advisories issued by the EPA and DHS, and also makes available a password-protected library of
federal advisories. Water and wastewater utilities, water associations and governmental water
protection agencies can sign up for access to the Water Security Channel.
The Water Security Web address is www.watersc.org.
8.5 Industry Associations
Numerous industry associations and professional societies have published additional information on
infrastructure protection. Some examples and information on documents these organizations are
developing are presented here alphabetically.

8.5.1  American Chemistry Council
As discussed in other sections of this document, many wastewater utilities use potentially hazardous
chemicals such as gaseous chlorine and sulfur dioxide. The American Chemistry Council (ACC)
provides information on chemical safety and security. The members of the ACC produce nearly 90
percent of the chemicals manufactured in the United States.
Information is available on the ACC Web site at www.americanchemistry.com.

8.5.2 Association  of Metropolitan Sewerage Agencies
The Association of Metropolitan Sewerage Agencies (AMSA) has taken an active role in the
development of tools related to wastewater security. With funding from EPA, AMSA developed
VSAT™. As described in Section, VSAT™ is a software tool that can be used to assist in
conducting a vulnerability assessment. VSAT™ also has a module that can help utilities develop an
emergency response plan.  Information on VSAT™ is available at www.vsatusers.net.
AMSA is also developing a Decontamination Wastewater Planning Tool. Funded by EPA, this
planning tool assists utility managers in establishing a protocol for managing wastewater and runoff
generated from the decontamination activities at sites that may have been attacked with CBR
weapons, and the sewage discharged from hospitals, laboratories, homes, and businesses that may be
likewise contaminated. The planning tool provides a comprehensive overview of the issues POTWs
should consider when planning for a terrorist incident, pre-incident planning and coordination
guidance, and tactics for incident response. The tool is provided in both hardcopy and electronic
format to allow for customization by individual utilities.
Information about this tool and other wastewater security resources, including AMSA's quarterly
electronic newsletter, "Wastewater Sector Security Link," can be found on the AMSA Web site at

8.5.3 Association  of Metropolitan Water Agencies
The Association of Metropolitan Water Agencies (AMWA) is also active in the infrastructure security
arena. AMWA administers the WaterISAC, described above. AMWA also produces the bimonthly
newsletter, "Water Security Scan."
The newsletters and additional information can be found on the AMWA Web site at www.amwa.net.

8.5.4 American Society of Civil Engineers
The American Society of Civil Engineers (ASCE) also provides resources related to infrastructure
protection, including the protection of wastewater facilities. As mentioned above, with its
Environmental and Water  Resources Institute, ASCE has developed guidance on on-line contaminant
monitoring under the Water Infrastructure Security Enhancements Standards Committee (WISE SC)
grant. Information on this guidance is available at www.ewrinstitute.org.
ASCE is also a partner in The Infrastructure Security Partnership (TISP). TISP's mission is to "act as a
national asset facilitating dialogue on domestic infrastructure security and offering sources of
technical support and expert comment on public policy related to the security of the nation's
built environment."29
Information on TISP is available at www.tisp.org. Additional information on infrastructure security
can be found on the ASCE Web site at www.asce.org.
29 The Infrastructure Security Partnership (TISP). 2002. http://www.tisp.org/static/about.cfm

8.5.5 American Water Resources Association
The American Water Resources Association (AWRA) is a non-profit professional association
dedicated to the advancement of multidisciplinary water resources management, research, and
education. More information is available at www.awra.org.

8.5.6 American Water Works Association
The American Water Works Association (AWWA) has geared significant resources toward assisting
water utilities in completing vulnerability assessments and upgrading the security of water
infrastructure. The RAM-W™ methodology was developed with support from AWWA, and AWWA
has conducted numerous RAM-W™ training programs around the country. AWWA has produced
several publications that can be used as resources for the wastewater industry. As mentioned
previously, AWWA has also developed the companion security guidance document for
water utilities.
AWWA security resources are at www.awwa.org/advocacy/learn/security.

8.5.7 American Water Works Association Research Foundation
The American Water Works Association Research Foundation (AwwaRF) has also undertaken
significant research related to water and infrastructure security. AwwaRF has more than 25 security-
related projects underway or completed. Topics of investigation include:
•  Threat definition
•  Early detection of potential contaminants
•  Identification of vulnerable points in distribution systems
•  Emergency management
•  Procedures for decontaminating infrastructure
•  Best management practices for security issues
•  Alternative water supplies
•  Actual and threatened security events at utilities
Information is available at www.awwarf.org.

8.5.8 National Rural Water Association
The National Rural Water Association (NRWA) is a non-profit federation of State Rural Water
Associations. Its mission is to provide support services to the state associations who have more than
22,000 water and wastewater systems as members. Member state associations offer a variety of state-
specific programs and services, including training programs and onsite assistance in areas of
operation, maintenance, finance, and governance.

In 2003 and 2004, NRWA and its associated State Rural Water Associations provided 2,114 onsite
types of assistance related to security, consisting of 4,379 hours. NRWA and the state associations
have produced several tools related to security and vulnerability assessments. These include the
Rural Water Security Emergency Management System (SEMS), a software tool for conducting VAs,
and the Security Vulnerability Self Assessment Guide for Wastewater Systems and its accompanying guide
for water systems. The self-assessment guides present a checklist approach for conducting a VA that
is particularly useful for small utilities.
More information and links to the state associations are available at www.nrwa.org.

8.5.9 National Small Flows Clearinghouse
The National Small Flows Clearinghouse (NSFC) is a nonprofit organization that provides objective
information about onsite wastewater collection and treatment systems for communities of less than
10,000 people. The NSFC is the only national resource of its type dealing with small community
wastewater infrastructure. The NSFC is housed in the National Research Center for Coal and Energy
at West Virginia University (WVU). The NSFC provides a number of resources for the wastewater
community, including a technical assistance hotline, educational products, computer databases, and
publications including Pipeline and Small Flows Quarterly.
More information is available at www.nesc.wvu.edu/nsfc/nsfc_index.htm.

8.5.10 Water Environment Federation
The Water Environment Federation (WEF) continues to produce technical material and conduct
training in water, wastewater, and stormwater security. With funding from EPA, WEF has published
this document and is in the process of publishing a document on threats to wastewater utilities. WEF
also offers numerous training programs for water and wastewater utilities of all sizes on VA concepts
and on how to conduct a VA using VSAT™.
Up-to-date information on WEF's security programs is available at www.wef.org/watersecurity.

8.5.11 Water Environment Research Foundation
The Water Environment Research Foundation (WERF) has conducted a number of projects related to
wastewater security. WERF was awarded a $2.1 million cooperative research grant from EPA to
coordinate seven projects to protect the nation's wastewater infrastructure and public health.
The first of this series of projects, Experiences and Research Gaps to Secure Wastewater Infrastructure and
Protect Public Health (no. 03-CTS-1S), began in August 2003 with a symposium to convene various
agencies to discuss and prioritize research needs.
The six remaining projects are as follows:
•   Identify, Screen, and Treat Contaminants in Water/Wastewater will identify methods to screen for
    common CBR compounds and then determine the removal efficacy of wastewater treatment
    processes. (Project 03-CTS-2S)
•   Security Measures for Computerized and Automated Systems at Wastewater Facilities will provide
    guidance to utilities on how to secure and protect automated systems and will document
    currently available technology to detect and correct such security breaches. (Project 03-CTS-3S)
•   Contingency Planning for Wastewater Treatment Facilities will help water and wastewater treatment
    facilities and their communities nationwide to develop individual contingency plans in the event
    of an emergency. (Project 03-CTS-4S)
•   Communicating with Your Local Government and Community will help public agencies, such as
    water and wastewater utilities and elected officials, effectively communicate with the public.
    (Project 03-CTS-5S)
•   Software and Guidance for Assessing and Inventorying Wastewater Treatment Infrastructure will
    provide a valuable tool for utilities to identify and categorize their underground and
    aboveground assets and then to better assess the condition of their systems. (Project 03-CTS-6S)
•   Feasibility Testing of Support Systems to Prevent Upsets in WWTPs will develop an approach for
    identifying and dealing with attacks on wastewater treatment facilities, focusing on the
    contamination of influent with chemical, biological, and radiological agents. (Project 03-CTS-7S)
Information on WERF projects can be found at www.werf.org.


Access control
Physical guidance of vehicles and people going to and
coming from a space through judicious placement of
entrances, exits, landscaping, lighting, and controlling
devices (e.g., guard stations, turnstiles, etc.)

A division of government with a specific function, or a
non-governmental organization (e.g., private
contractor, business, etc.) that offers a particular kind of

Americans with Disabilities Act
Signed into law in 1990, U.S. Public Law 101-226
prohibits discrimination based on disability, that is, the
inability to perform daily tasks using traditional

Anything of value (people, information, hardware,
software, facilities, reputation, activities and
operations). Assets are what an organization needs to
get the job done—to carry out the mission. The more
critical the asset is to an organization accomplishing its
mission, the greater the effect of its damage or

A sequence of tight curves on a roadway used to slow

Clear zone
An area surrounding the perimeter of a facility that is
free of shrubs and trees, and features well-maintained
landscaping that does not provide hiding places for an

A channel carrying something to or from a place.

A reaction to or a defense against a hostile action to
deal with a threatening situation.

30 "Risk Management: An Essential Guide to Protecting Critical Assets." National Infrastructure Protection Center, November 2002.

Crime Prevention Through Environmental Design (CPTED)
CPTED principles take advantage of integral features of
site and facility design to enhance security by reducing
the opportunity for crimes to occur. CPTED is
essentially a crime prevention philosophy based on the
theory that proper design and effective use of the built
environment can lead to a reduction in the fear and
incidence of crime, as well as an improvement in
quality of life.

An individual acting alone or in a group, using
personal resources and some knowledge of utility
assets, intent on economic gain. The possibility exists
that a criminal may possess weapons and may inflict

Of or pertaining to the Internet, computer networks,
computers, electronic communication, and other
high-tech related matters.

Daisy chain
Groups of padlocks connected together and hooked to
a common chain in such a way as to allow access
through a key that can unlock any one of the padlocks.

Debt service reserve funds
A fund in which money is placed in reserve to be used
to pay debt service if there is not enough revenue to
pay the debt. If the reserve fund is used in whole or
part to pay debt service, the issuer usually is required
to replenish the fund from the first available revenues.

Design basis threat (DBT)
The adversary against which the utility must be
protected. Determining the DBT requires consideration
of the threat type, tactics, mode of operations,
capabilities, threat level, and likelihood of occurrence.

The point at which a potential attack is discovered,
assessed, and determined to be an attack in progress
rather than a false alarm.

EPA Response Protocol Toolbox
A comprehensive document designed to help the water
sector to effectively and appropriately respond to
intentional contamination threats and incidents

Emergency Reserve Funds
A fund into which moneys are deposited to cover
extraordinary operation, maintenance, or repair
expenses in the event of an unforeseen incident such as
a natural disaster or malevolent event.

A unit of light intensity defined as the amount of light
measured on a surface one foot from a uniform point
source of light equal to the light of one candle. A
foot-candle is equal to one lumen per square foot.

To improve the physical strength of.

Improvised Explosive Device
An apparatus or contraption placed or fabricated
without detailed manufacturing that incorporates
destructive, lethal, noxious, pyrotechnic, or incendiary
chemicals and designed to destroy, incapacitate, harass,
or distract through high-speed projectiles and

Improvised Incendiary Device
An apparatus or contraption placed or fabricated
without detailed manufacturing that incorporates
destructive, lethal, noxious, pyrotechnic, or incendiary
chemicals and designed to destroy, incapacitate, harass,
or distract by creating intense heat and fire.

Incident Command System (ICS)
A standardized response management system that is a
key component of NIMS. It is an "all hazard/all risk"
approach to managing crisis and non-crisis response
operations by enhancing command, control, and
communication capabilities.

Entrance by force or without permission, either
physically or via electronic methods.

Lower Explosive Limit
The lowest concentration (percent by volume in air) of
a flammable gas or vapor that can result in an
explosion from ignition in a confined space.

The metric (SI) unit of measuring the power of light
being produced by a light source or received by a

The metric (SI) unit of light intensity defined as the
amount of light equal to one lumen per square meter.

Mutual Aid Agreement
A document that formalizes coordination efforts
between utilities or other agencies and facilitates the
exchange of resources during an emergency. The
agreement is based on the concept that resources, in
most circumstances, are voluntarily provided, that
there will be a reciprocal exchange if and when
required, and that providing resources will not result
in a profit to the providing party.

National Incident Management System
A system comprising five major subsystems that
collectively provide a total systems approach to risk
incident management. These subsystems are the
Incident Command System (ICS), Training,
Qualifications and Certification, Publication
Management, and Supporting Technology.

Protection in Depth
The strategy of providing multiple layers of protective
measures requiring an adversary to defeat a system,
travel to the next protective layer and defeat that
system, and so forth until reaching the target. An
example of protection in depth is the application of
layers of protective measures at the site boundary
(perimeter fencing system), at the building envelope
(exterior walls, doors, windows, grilles, and roof
system), and at the target enclosure (the room in which
the targeted asset is housed).

Public Health Security and Bioterrorism Preparedness and Response Act
Signed into law in 2002, U.S. Public Law 107-188
requires vulnerability assessments be performed
and Emergency Response Plans be created or updated
for drinking water systems that serve more than
3,300 people.

Revolving Fund Loans
Low interest loans provided by states to assist public
wastewater systems with financing infrastructure
upgrades needed to achieve and maintain compliance
with regulations and to protect public health. The
funds for the loans are appropriated by Congress in
accordance with the Clean Water Act as amended
in 1987.

The potential for realization of unwanted, adverse
consequences to human life, health, property, or the
environment. It is the quantitative or qualitative
expression of possible loss that considers both the
probability that a hazard will cause harm and the
consequences of that event. Risk is usually expressed as
a function of the probability that an adverse effect will
occur, and the criticality of the effect on the ability to
fulfill a mission or function.

An individual acting alone or in a group, with the
intent of damaging or destroying physical assets,
disrupting the utility's ability to operate and respond,
and, possibly, injuring employees.

Sunshine laws
Laws that make government processes and procedures
available for observation and inspection by the public.

The placement of physical features, activities, vehicles,
and people in such a way as to maximize visibility by
others during their normal activities. Surveillance may
be natural or electronic, informal (office windows
placed to facilitate surveillance of entry roads) or
formal (continuous monitoring).

Territorial reinforcement
Physical attributes that express ownership, reinforce
territoriality, and designate a gradient from public to
restricted spaces. Examples include natural markers
(landscaping, choke points), symbolic markers
(signage, stickers), physical barriers (fences), and
procedural barriers (receptionists, guards).

An individual acting alone or in a group, with the
intent of undermining stability and instilling terror
through destruction of economically important or
symbolic assets and by injuring and killing people.
Terrorists spend considerable time and resources to
select and learn about their target and plan their

An individual acting alone or in a group, using spray
paint to write graffiti or hand tools to inflict minor
damage to utility assets.

Vehicle sally port
Interlocking gates within a fenced area where incoming
drivers pass through the first gate and stop at the
second gate. Once both gates are closed and the vehicle
is captured within the sally port, a security guard may
confirm the identity of the driver and, if necessary,
search the vehicle to confirm the contents. Once the
vehicle and driver are approved, the second gate opens
and the vehicle may drive onto the facility.

A characteristic of a critical infrastructure's design,
implementation, or operation that renders the
infrastructure susceptible to destruction or
incapacitation by a threat. Vulnerabilities may consist
of flaws in security procedures, software, internal
system controls, or installation of infrastructure that
may affect the integrity, confidentiality, accountability,
or availability of data or services. Vulnerabilities also
include flaws that may be deliberately exploited and
those that may cause failure due to inadvertent human
actions or natural disasters. Any weakness that can be
exploited by an adversary or, in a non-terrorist threat
environment, make an asset susceptible to hazard
damage may be considered a vulnerability.





i, Dulcy. 2003. "Sewer Asset Management Decisions, Rehabili
urity." Proceedings of the American Society of Civil Engineers
onal Conference on Pipeline Engineering and Construction "Ni
Technologies, Security, and Safety," Najafi, Mohammad (ed.),
16, Baltimore, Maryland. Reston, VA/ASCE, 0-7844-0690-1, 1



Steve. 2004. "Responding to Contamination Threats." Water
es Update, Universities Council on Water Research, in publica
to medical pn
ise trends froi


n College of Preventative Medicine. 2004. "Recognizing Water
and the Health Effects of Water Contamination" (Web site).

le intended fo
n security for

n Institute of Architects (AIA). 2001. Building Security Throug
Washington, DC.
idelines to str
a terrorists b

n Society of Civil Engineers (ASCE). 1999. Structural Design fi
Security. Prepared by Task Committee, Structural Engineerini
, ASCE, Paul F. Mlakar, (chmn). ASCE, 0-7844-0457-7.



uidelines and


n Water Works Association (AWWA). 1980. Water Utility
Tient. Manual of Water Supply Practices-MS, Denver, CO.
n Water Works Association (AWWA). 1989. Distribution Netw
for Water Utilities. Manual of Water Supply Practices— M32,
Denver, CO.
n Water Works Association (AWWA). 1998. Steel Water-Stora
flanual of Water Supply Practices— M42, First Edition. Denver
uidelines and
his manual in
; put in place

n Water Works Association (AWWA). 2001. Emergency Plann
tilities. Manual of Water Supply Practices-M19, Fourth Editioi
asic explanati
nd instrumen


n Water Works Association (AWWA). 2001. Instrumentation a
-M2,Third Edition, Denver, CO.
mation about water main
that will minimize disrupl
manual contains current infor
ides viable, economic options
term solution.



orks Association (AWWA). 2001
id Edition, Denver, CO.
ency Planning for Water I
e on the assessment of h
is a supplement to the Emergi
supplement provides guidanc



orks Association (AWWA). 2001
ir Utilities.


on how to develop a plan
manual provides information


orks Association (AWWA). 2001
st Edition, Denver, CO.
manual was designed for utilil
atest safety practices and fede



orks Association (AWWA). 2002
Edition, Denver, CO.


jnd practices for a cross-
manual provides procedures i


orks Association (AWWA). 2004
ntion and Cross Connection Con
water utilities in the deve
t effective improvements
resource is intended to assist
that will identify the most cos
orks Association Research Foun'
orks Association (AWWA). 2001
orks Association Research Founi
.rning and Predictive Source Wai
• M. Grayman.
tion of a maintainable dal
3S with relevance to watei
document reports on the crea
ccurrences, threats, and hoaxi
orks Association Research Founi
ned Security Events at Water Uti
utility managers and the
le operations in order to i
project is intended to provide
procedures to include in routir

orks Association Research Foum
Primer for Water Utilities. Prepai



re intended to provide wa
facilities are.
is a list of 39 questions that a
jrstanding of how secure their
r Homeland Security. 2002. "Ger
" (Web site).
elp water and wastewatei
ost and improve service t
handbook was developed to h
agement methods to reduce ci


ropolitan Sewerage Agencies (Af
re Assets. Washington, DC.
:er utilities to understand
as terrorism or natural dii
checklist will enable wastewal
ared for extreme events such i

ropolitan Sewerage Agencies (Af
;list for Wastewater Utilities. Was




This Checklist provides wastewater utilities assistance in assessing legal matters that may
arise in crises management, specifically with regard to protecting the utility from terrorist
events. The Checklist includes a review of legal issues concerning: vulnerability assessmen
internal operations and procedures, environmental releases, duty to the public, contract
issues and insurance issues.

This article contains the assessment and design criteria for site security using environment
design which utilizes the building environment to reduce crime risk.

/ DiGreggario. '
J at the Americi
i, September, h

This article provides recommendations improving security through creating an environmen
which allows for natural surveillance and unobstructed visibility, controlling access to
persons who belong on the property, preventing unauthorized access of persons onto the
property, and integrating the security technology into functional design and architecture.

igning Against'

Not Reviewed
imination of Dr
ter Resources I
This article addresses how the asset management approach can help identify and reduce ri
to public utilities. Through development of a complete inventory and using a decision-maki
process developed for the United States Air Force related risks are identified and addressee

'agner. 2002. "1
•ehensive Asset
ings, Septembe
This article addresses the post 9-11 security changes that have b
water and wastewater infrastructure system for the residents and
Nevada. There is particular concern for protecting Lake Mead, wh
Dam, which is the largest drinking water source.

i; Leveque, Eric, and Mary Lee. 2002. "1
the Las Vegas Area Water and Wastev\
rence Proceedings, September.
This guide provides information on types of weapons of mass dei
might use including health information, treatment options, and w


•k E. and David A. King and Philip M. Tii
id Biological Terrorism: Emergency Re
American Public Works Association (Al

This guide is intended to assist California public water systems in
emergency response plan to both man-made and natural threats
federal guidelines.

apartment of Health Services. 2003. Ca
Ian Guidance. Version 1.0. December.
This paper examines the problems with automation and informati
the when, where, and how to apply evolving cyber security best p
automation. The paper also addresses the advantages, disadvanti
apply best management practices to existing systems and design
. 2002. "Solving the Puzzle. Providing /
Jing Operations Effectiveness and Effici
Communications Group.
This article addresses some of the issues and constraints that mi
upgrading a facility and its assets to reduce the risk of malevolen

. 2003. "Beyond the Vulnerability Asses
Utility Information Management Group
This presentation to the American Society of Industrial Security (*
Facility Security Training discusses Crime Prevention Through En

. 2003. "Crime Prevention Through Env
i by Kristine Hargreaves.
This article provides an approach to evaluating a utility system to
includes recommended approaches to security assessment, evali
threat assessment, definition of assets, vulnerability assessment,
countermeasures, emergency response planning, and financing.

•istine A. and David A. Dobbins. 2002. "
ructure with a structured approach for i
onment & Technology, January.

Not Reviewed

2003. "Prioritizing Water/Wastewater J
1 Using a Case Study." Industrial Wast
3, April.

Not Reviewed

eff and Ray Finley. 2004. "Assessing th
iter and Wastewater Systems."Water R
Council on Water Research, in publica
This document outlines the preliminary protective measures for s
planners to use when developing facility construction that are of i
includes guidelines for selecting preliminary protective measures
database for determining the cost of the protective measures.

s of the Army and the Air Force. 1994.
elopment. Army TM 5-853-1, Air Force




This article states that infrastructure attack on water systems is more likely than chemical
attacks. The amount of chemical needed to contaminate a water supply would be tremendous,
however the substantial risk is to critical facilities. The article also addresses
interdependency between water and other infrastructures such as power.
Dessoff, Alan. 2001. "Wati
Environment Technology,
This article discusses measures that will lessen the impact of blasts on their
the renovated Pentagon wing that was hit Sept. 11 as an example of how bla
technology can help reduce the loss of life.

This document is meant to provide water utilities with a starting point for their emergency
response plan. This document includes information about the importance of an emergency
response plan and a template for preparing an emergency response plan.

Emergency Response Plan
2003. Washington State D
Programs, Division of Drin
This article addresses the information security threats that are currently present. It describes
some information security problems with technology and some tools that have been
developed to protect against these threats.

Emigh, Jacqueline. 2004. '
wireless systems, email, ir
in the security department
This article addresses the critical U.S. infrastructure that may be at risk for an attack via
cyberspace. This includes the nation's emergency telephone system, water-c
networks, and power grid.
Eng, Paul. 2002. "The Cloi
Delivered Via Cyberspace?
This book provides information about emergency and standby power for water and waste water
utilities, including guidance to assess the vulnerability, condition, and reliability of primary
electrical equipment.

Ellermeier, Fred J., Donald
Power Source Planning foi
A guide designed to provide citizens with information they need in order to be prepared and
react correctly in the event of a natural disaster or technological or man-made event. This
includes information regarding planning for an event, evacuation and shelter during an event,
and recovery from an event.

Federal Emergency Manag
Citizen Preparedness."
A step-by-step approach to emergency planning, response, and recovery for companies of all
sizes. Including a planning process, emergency management considerations, hazard specific
sources, and other information sources.

Federal Emergency Manag
Guide for Business and Ini
This guide is designed to aid State and local emergency planners in developi
maintaining a Terrorist Incident Appendix (TIA) to an Emergency Operations
managing the consequences of terrorist incidents that involve weapons of m
(WMD) and other terrorism hazards


Federal Emergency Manag
Consequences of Terrorist
This checklist contains questions that should be asked in order to determine what type of
emergency can occur in the area, how to prepare for an emergency, and what supplies would
be needed.

Federal Emergency Manag
Preparedness Checklist, hi




o aid State an
ippendix (TIA
ted weapons
ce, and the
s available 1
Emergency Management
; Primer for Terrorism Ri!
3f architect;
Idings and 1
rorist attack
ilding science
ce structural
al bombattac
:EMA). 2003. Reference M
i Buildings. FEMA426, Dec

Emergency Management
Potential Terrorist Attart
to asses thi
risk manac
ded for waste
les the tools t
3m during an

:EMA). 2004. Wastewater !
Emergency Management
ance Assessment Guide
refine and
=EMA). 2002. Introduction
Guidance. August.
Emergency Management
al Emergency Operations


'," Government Security, Fi

fiber optic '

imeter Security," Governm
scurity." Proceedings of thi
) International Conference
w Pipeline Technologies, S
13-16, Baltimore, Marylan
3., 2vol.


lipment Decontamination
iversities Council on Watei
1.2004. "Water Treatmen
jes." Water Resources U
h, in publication.


ance Systems for Drinking
ncil on Water Research, in

irniture: Technical Descripl
ween all partie:
local building ;
e that a safe ar
This design guide calls for close interaction
calls for close collaboration between the die
appropriate designers and consultants to en
listration. Facilities SI
Chapter 8 "Security C
rvices Admii
•100). 2003.
General Se
Service (P-

ig for security
its. The article
phic area, and
This article discusses the importance of plar
making many unplanned high cost improver
big picture security, such as facility and geo

irnment Accoui
ng for security
This web site page discusses "Integrating G
Statement 34 (GASB 34)" regarding CIP plai

ing Standards Board.
ed October 26, 2004).

This is the policies for design, review, and a
collection and treatment facilities.

of State am
Albany, NY
Great Lake
Health and

This document addresses the recently impel
public water supplies as well as criteria for r
address issues of critical asset redundancy,
existing and future public water supplies.

ssissippi River Board
ital Managers. 2003. '
for Public Water Supi

Not Reviewed
ifrastructure Security:
srican Society of Civil
Engineering and Con
, and Safety," Najafi, f
eston, VA/ASCE, 0-78


ties for risk ass
This document provides guidance to water i

'ater Utility Security: f
frastructure Systems,
This article addresses the misconception th<
vulnerability assessment cost effectively is t
of outsourcing to an outside consultant and
a smarter long-term investment.



iourcing Vulnerability
' WaterWorld, April.
return on sect
g prioritization
This article discusses how to get the maxim
The article includes recommendations regar



Ve Completed Your V
i/ol.135/No.3, March.

Not Reviewed

1/arning Sys
i/ater Reseai
he Promise of Early V
versities Council on V
Hasan, Jafi





Hellar, Miriam. 2003. "Infrastructure Security, Dependencies, and Asset
Management." Proceedings of the American Society of Civil Engineers (ASCE)
International Conference on Pipeline Engineering and Construction "New
Pipeline Technologies, Security, and Safety," Najafi, Mohammad (ed.),
July 13-16, Baltimore, Maryland. Reston, VA/ASCE, 0-7844-0690-1, 1817 pp.

Not Reviewed

Herrmann, Jon and Janet Pawlukiewicz. 2004. "Water Security Policy and Research." Water Resources Update, Universities Council on Water Research, in publication.

This document gives an example of what type of
order to minimize an emergency.
Hildebrand, John. 2003. "Preparing For An Environmental Emergency." Seattle Daily Journal of Commerce Online Edition, Environmental Outlook 2003 special section. July 17, 2003. http://www.djc.com/news/en/11146998.html


This article discusses strategies a utility can use t
associated with present and future security needs

Jacobs, Jack and Alan Manning. 2004. "Target Practice: What you should be doing (and not doing) to prepare for a terrorist attack," Water Environment & Technology, Vol. 16/No.2, February.

This document outlines what utilities have gained
experiences and what weaknesses still exist. This
prepares utilities for terrorists and even more.

Jacobs, John K. and Alan Manning. 2003. "Beyond Vulnerability - What You Should Be Doing (And Not Doing) Now! A Case Summary." WEFEC 2003 Conference Proceedings; October 2003.

This paper discusses the cyanide poisonings usin
summarizing the event and the company's respon

Kaplan, Tamara. "The Tylenol Crisis: How Effective Public Relations Saved Johnson & Johnson." Pennsylvania State University. lol/crisis.html (accessed October 29, 2004).

This article is a description of WaterISAC which is
wastewater executives, managers, and security of
provides early warning of potential physical, conti

Kircher, James R. (ed). 2003. "WaterISAC: The Next Level of Water Utility Security," Public Works Journal, January.
This article addresses security myths regarding S
consonants of a utility. The article focuses mainly
information about other security problems.

Kubel, David B. 2003. "'My SCADA System is Secure' and other Security Myths." WEFTEC 2003 Conference Proceedings, Jam


ieral guidelines for protecting again;
nformation on how to asses the ver

Lancaster-Brooks, Richard. 2002. "Water Terrorism: An Overview of Water and Wastewater Security Problems and Solutions." Journal of Homeland Security (online), February.




test a real-tim<
a secure Web
ir cyber threat;
This article outlines a pilot pr
water monitoring system. Th
portal that offers early warnir

This article outlines the use c
modeling helps agencies eva
recovery, and mitigation pro}

bility assessmi
igencies are re

This article addresses the reg
article addresses what the sn
do and some general guidelir
ng Water Security," Source
lenting a secui
ects of securit
This guide is intended to pro'
disaster recovery program. It

llend. 2002. Security Planni
irks Association (APWA), M

Not Reviewed

w To Use Technology To Di
anagement Conference 200

This text provides comprehei
presenting detailed coverage
assessment, safeguards agai
contamination response.

jpply Systems Security. Lai


to the attacks
:an improve it
This report is the result of an
September 11. It outlines wh
preparedness and response (

mproving NYPD Emergency


Not Reviewed

/lanual, TM 5-853-1/AF32-1

Engineering Si
Engineering -

Not Reviewed

Engineering Si
Engineering -

Not Reviewed

Engineering Si
Engineering -

Not Reviewed

/lanual, TM 5-853-4/AF32-1
nic Security Systems (new)
Engineering Si
Engineering -

Not Reviewed
iction to Special Issue on W
idate, Universities Council c





wastewater systems and 01
in, and funding options that
ient and application of a det
onsideration the hydraulics
Ostfeld, Avi and Elad Salomons. 2003. "An Early Warn
(EWDS) for Drinking Water Distribution Systems Secu
World Water and Environmental Resources Congress,
Philadelphia, Pennsylvania; Sponsored by Environmen
Resources Institute (EWRI) of the American Society of
ASCE/EWRI, 0-7844-0685-5.

t a first responder should fc
mation about different types

is web site contains
rorism incident. It ir
ring a response to a

ponder's Quid
Pennsylvania Emergency Management Agency. 2002.
to Terrorism Incidents, http://
nagers to provide assistanc
nature, so that it may apply
is guide is directed 1
snts. It is intentional
Pennsylvania Emergency Management Agency. 2003.
Planning Guide for Facilities.



, selling, and troubleshootin

is is a guide to insta


Jew York:
lete Book of Electronic Si
d to combat threats to publ
lelpthem prepare for public
Ringert, Kathy J. 2002. "An Approach to Terrorism Prc-
Health and Hospital System." Journal of Homeland Sei
Reprinted with permission from Baylor University Med




This document outlines the value of installing monitoring, ci
systems on pipelines. This type of system would improve ci
emergency situations.
tami, Jamal and H. Besharatian. 2003. "Application of Integrated Control
tems for Improved Protection, Security and Reduced Maintenance Costs
ilines," Proceedings of the American Society of Civil Engineers (ASCE)
rnational Conference on Pipeline Engineering and Construction "New
iline Technologies, Security, and Safety," Najafi, Mohammad (ed.), July
16, Baltimore, Maryland. Reston, VA/ASCE, 0-7844-0690-1, 1817 pp.,
This document is a "Train-the-Trainer" manual designed to '

dia Corporation. 2002. Risk Assessment Methodology for Water (RAMSM
This paper presents a dynamic risk framework and model th
model. The model focuses on a developing the reactive cap;

nders, John H. 2003. "A Dynamic Risk Model for Information Technolog
jrity in a Critical Infrastructure Environment," Proceedings of the Tenth
ference on Risk-Based Decisionmaking in Water Resources,
ember 3-8, Santa Barbara, California. ASCE/EWRI/UEF, 0-7844-0694-4
This article addresses how to keep public works informatior
recommendations about web site information and hardware
ell, William G. 2004. "Protecting Against Cyber Terrorism." Public Work
135/No.S, March 2004.
This article discusses the security process that wastewater 1
reports that wastewater facilities face many of the same risk
are many lessons wastewater agencies can learn from watei
the process.

This article describes a software package known as the Vulr
(VSAT). This article describes how VSAT works and the adv
ivan, James K. 2004. "Watchful Eyes: In assessing vulnerabilities, utilitie
jld look to their assets first," Water Environment & Technology, Vol.
Jo. 2, February.
Information on various access control systems, and on effei
employee access. These include information on technology
Including information on technology that can restrict empio
employee works in.

Ties Valley Police. No date. "Access Control."

This web site contains information about chlorine including
of chlorine.

Chlorine Institute, Inc. 2004. "Important Information" (www.cl2.com).

This web site page lists the UL requirements for intrusion-d
erwriters Laboratories Inc. 2002. "Intrusion-Detection Units UL 639."
tember 30. http://ulstandardsinfonet.ul.com/scopes/0639.html (accessei
iber 29, 2004).
This document presents measures that can be taken to prot
from airborne hazards. The document is geared towards bui
security planners.

Army Corps of Engineers. 2001. Protecting Buildings and Their
upants from Airborne Hazards. Washington, DC.






vironmental and occupi
on a ISCORS survey ar
U.S. Department of Energy (DOE) Interagency E
Radiation Standards. ISCORS Assessment of Ri
Recommendations on Management of Radioact
and Ash at Publicly Owned Treatment Works.

U.S. Department of Health and Human Services
and Prevention (CDC), and National Institute of
(NIOSH). 2002. Guidance for Protecting Buildin
Chemical, Biological, or Radiological Attacks, M



Mission Buildings inclu
exterior safety measun
U.S. Department of State (DoS) Office of Foreig
A & E Design Guidelines for U.S. Diplomatic Mi;
14 "Security and Risk Management Design."

U.S. Environmental Protection Agency (EPA), 0
Management. 2003. "Use of the Clean Water St
Implement Security Measures at Publicly-owne
Works", January. http://www.epa.gov/OW-

planning committees (I
I measures in their plan
U.S. Environmental Protection Agency (EPA). 2
Releases: Addressing Terrorist Activities in the
550-F-01 -005. August.

id remediation to man-i
instructions for differen
U.S. Environmental Protection Agency (EPA). 2
Utility Response, Recovery, & Remediation Acti
Technological Emergencies." Prepared by Mich
USEPA's Water Protection Task Force. April 15.

lules that focus on the c
:. The tool was develope
U.S. Environmental Protection Agency (EPA). 2
Toolbox: Planning for and Responding to Drink
Threats and Incidents." Interim Final, Decembe

iow to prepare an Emen
Bioterrorism Response
dures, and equipment tl
U.S. Environmental Protection Agency. 2003. L
Response Plan Outline: Guidance to Assist Corr
Complying with the Public Health Security and
Response Act of 2002, July.





document provides guidance for small and medium water systems
are an Emergency Response Plan as required under the Public Heal
jrrorism Response Act. This act required drinking water utilities to i
edures, and equipment that can be utilized in a terrorist attack.
U.S. Environmental
Plan Guidance for S

EPA developed the Security Product Guides to assist treatment plan
agers in reducing risks from, and providing protection against, pos:
intentional terrorist attacks. The guides provide information on a vai
able to enhance physical security
U.S. Environmental
Security Product Gu
guide, created by the National Response Team (NRT), can be used
mergency response plan and meets state and federal requirements.
isolidating mechanism for facilities with multiple emergency plans i
>us regulations to be compiled into one Integrated Contingency Plar



U.S. Environmental

document explains the Emergency Planning and Community Right-
IRA) emergency planning requirements.
U.S. Environmental
Training Module: Inl

document provides guidance regarding how to prepare an Emerger
ired under the Public Health Security and Bioterrorism Response Ac
U.S. Environmental
Response Plan Outli
Complying with the
Response Act of 20(

document outlines the DOD's antiterrorism standards for buildings
mize casualties in the event of a terrorist attack.
article addresses the need for public works agencies to work closel
icies in all phases of emergency management. This would include o
ning for, response to, and recovery from an emergency.
manual presents current design practice for wastewater and storm*
ons. The manual is intended to be a comprehensive and useful sour
Water Environment
Stormwater Pumpin
Task Force on Desig
Water Environment

from a disc
not experiei
manual focuses on recovery management including what to expect
t to plan for. This manual was written for plant managers who have
ral disaster and includes many case studies.






Water Environment
Wastewater Treatme

guide developed by communications experts to assist utilities in bu
ionships with customers, community leaders, interest groups, and 1



Water Environment
Communications for




ndustry standard for wastewater design.


Water Environment Federation (WEF). Desi
Treatment Plants, Manual of Practice 8, 4th

covers the results of a research project th
facilities, such as chemical and petroleurr
treatment facilities to improve safety con
Water Environment Research Federation (V
from Exposure to Physical and Chemical H,
Plants. Project 97-HHE-3. Prepared by Geo

.1 identifies effective redundancy design pi
le influence of regulatory requirements or
to conventional redundancy.



Water Environment Research Federation (V
Design Practices. WERF Project No. 00-CT



discusses past cyanide threats, the types
employed, and processes for elimination.


Whelton, Andrew J.; Janet L. Jensen; Todd
Valdivia. 2003. "The Cyanic Threat." Civil E



Whiting, Nancy E. and Russell Rocha. 200!
Security, Part 1: Protect Your Facility's Mo;
Personnel." Water Environment & Technoli
provides some recommendations for ass
some examples of improvements that car
curity survey that can be used to help det

Whiting, Nancy E. and Russell Rocha. "Saf
Part 2 Enhance your facility's onsite chemi'
Technology, February.


ice from the AIA contains information for






is designed to help small wastewater syst
s and identify security measures that sho
1 the customers it serves.


Wisconsin Rural Water Association. 2004.
Assessment Guide for Wastewater System



Zieburtz, William B., Jr. 2003. "Economics
Literature Review, September/October.