Water Security and Emergency Preparedness Training Workbook for Law Enforcement

-------
The Water Security and Emergency Preparedness Training Workbook for Law Enforcement
was prepared by Maureen McClelland of EPA Region I, with the assistance of Jane Downing,
Lynn Gilleland, Justin Pimpare, Kevin Reilly, and Mark Sceery, also from EPA Region I. We
gratefully acknowledge the insightful comments and assistance of reviewers from within EPA
and other federal and state environmental agencies as well as law enforcement agencies.

Disclaimer: The U.S. Environmental Protection Agency (EPA) prepared this training workbook
to help law enforcement work with water utilities to effectively plan for and respond to water-
related emergencies. This document does not impose legally binding requirements on EPA,
States, Tribes, or the regulated community, and it may or may not be applicable to a particular
situation, depending on the circumstances. Federal and state decision makers retain the
discretion to adopt approaches on a case-by-case basis that may differ from this guide where
appropriate.

Notice: Limited Distribution. This document contains information that may not be appropriate
for general public dissemination.

-------

Acronyms
DCSs      Distributed Control Systems
DHS       Department of Homeland Security
EPA        U.S. Environmental Protection Agency
EPA CID    Criminal Investigation Division
EPA HSD    Homeland Security Division
EPA OCEFT  Office of Criminal Enforcement, Forensics, and Training
ERPs      Emergency Response Plans
FBI        Federal Bureau of Investigation
ICS        Incident Command System
JTTF       Joint Terrorism Task Forces
LEPCs      Local Emergency Planning Committees
NIMS      National Incident Management System
NIPP       National Infrastructure Protection Plan
NRP       National Response Plan
SCADA     Supervisory Control and Data Acquisition system
VAs        Vulnerability Assessments
WaterISAC  Water Information Sharing and Analysis Center
Water SSP  Water Sector-Specific Plan
WUERM    Water Utility Emergency Response Manager

-------
Overview
The Water Sector, composed of 160,000 public drinking water supplies and 16,000
wastewater treatment facilities, is one of 17 critical
infrastructures and key resources defined by various
Presidential Decision Directives and the Department of
Homeland Security (DHS). The protection of these facilities
requires an integrated and coordinated  approach among
federal agencies, state and local governments, and the
private sector. Law enforcement provides a critical role in
threat identification, protection, and investigation and should be integrated into the overall
protection framework at the local, state, and federal levels. This workbook on water-sector
security was developed to increase the  awareness of law enforcement personnel to some
of the threats and other security issues  surrounding public drinking water supplies and
wastewater facilities and to help facilitate integration and coordination at the local level.

The workbook will help you understand  the basics of how water and wastewater systems
operate, as well as what utilities are doing to protect themselves and to respond to
contamination threats and incidents.

The workbook is organized into two sections, each with six modules. The first section is
dedicated to Drinking Water Security, and the second section deals with Wastewater Security.

-------
 Physical disruption or contamination of a drinking water system can cause illness, disease,
 or even death. A water system can be contaminated, damaged, or disrupted through
 intentional terrorist or criminal action, by an
 accident, or by a natural disaster. Intentional
 contamination poses one of the most
 serious threats to a drinking water system
 because of the intent to cause damage or to
 harm human health. When a contamination
 threat is received or a contamination
 incident happens, it is critical that a water
 utility act quickly and effectively to protect
 public health and the environment.

 Wastewater systems provide essential
 services to residential customers and to commercial and industrial businesses by collecting
 and treating wastewater and then discharging it to receiving waters.  Disruption in
 wastewater treatment can cause harm to the environment and contaminate waters used as
 drinking water sources. Components of the wastewater collection system can also provide
 a means to facilitate the physical harm or destruction of critical buildings and other
 infrastructure.

 This workbook encourages law enforcement to get to know their local drinking water and
 wastewater systems and to work with them to develop plans for responding to
 contamination threats and incidents. Law enforcement should also become familiar with the
Water Sector-Specific Plan (Water SSP) that was released in June 2007 under the
guidance of DHS's National Infrastructure Protection Plan  (NIPP). The Water SSP was
created by the U.S. Environmental Protection Agency (EPA) in coordination with Water
Sector security partners including the Water Sector Coordinating Council and the Water
Government Coordinating Council. It is a broad-based critical infrastructure protection and
implementation strategy for drinking water and wastewater utilities, regulatory agencies,
and Water Sector training and technical assistance partners.

-------
This workbook will help you:

   • Understand the basic components of a drinking water and wastewater system.
   • Understand some of the vulnerabilities of these systems.
   • Understand how a water-sector utility might respond to a contamination threat or
      incident and what role law enforcement might play.
   • Understand some of the tools available to assist a utility in responding to an event.

Every drinking water and wastewater system is different, and we encourage law
enforcement to get to know the systems in their jurisdiction and become familiar with their
emergency response plans.

This workbook is aimed at law enforcement, although anyone who may be involved in an
emergency response concerning drinking water or wastewater systems, such as public
health officials, emergency responders, environmental protection officials, and other
government officials, may find this workbook useful since it describes the basics of a
drinking water and wastewater system and a general process for threat and incident
response.

-------

Module 1—Background
In today's uncertain times, there are a growing number of threats that could undermine
drinking water. The focus of this workbook is to increase the awareness of law enforcement
personnel to some of those threats and other security issues surrounding public water
supplies.

Actual events of serious drinking water contamination occur infrequently, and typically do
not result in contaminant levels posing near-term health concerns. Nonetheless, with the
threats of such events increasing, we cannot take drinking water safety for granted. Greater
vigilance by law enforcement, water utilities, and government is vital to ensure that such
events do not occur in the public water supplies of this country.

Utility operators want to ensure the safety and security of drinking water resources, but they
cannot do the job alone. They are not experts in security; they know how to treat water. Law
enforcement's knowledge and expertise are needed for emergency response purposes and
investigative purposes to ultimately bring those who intentionally tamper with a public water
supply to justice, whether the act constitutes vandalism, an environmental crime, or an act
of terrorism.

To assist drinking water utilities with the job of protecting our water supplies, law
enforcement should understand the potential threats to water systems. You also need to
understand how a water system operates, how each component functions, where systems
are located, and what they look like.


-------
Understanding local water system operations, critical resources, and vulnerabilities and
knowing the utilities' contacts will help law enforcement better protect and respond to
potential threats and incidents.
   "[M]embers of Al Qaeda had discussed plans to attack the U.S. drinking water supply."
   U.S. Department of Homeland Security, January 9, 2004, www.dhs.gov

   "Al Qaeda views critical infrastructure targets in the U.S. as attractive attack options
   because of their potentially economic and psychological impacts. These targets include
   water reservoirs and systems, including dams."
   September 4, 2003, www.dhs.gov

   "We know from information . . . from detainees that visible presence of security has
   disrupted planning and surveillance activities by operatives."
   U.S. Department of Homeland Security, December 21, 2003, www.dhs.gov


-------
Public Health Security and Bioterrorism Preparedness and Response Act of 2002
Title IV of the Public Health Security and Bioterrorism Preparedness and Response Act of
2002 (Bioterrorism Act) requires water utilities serving more than 3,300 people to:

   • Develop vulnerability assessments (VAs).
   • Develop emergency response plans (ERPs).
   • Prioritize actions to enhance security inside and outside facilities.
   • Coordinate with existing Local Emergency Planning Committees (LEPCs).

The Bioterrorism Act also:

   • Expands EPA's emergency powers to include "a threatened or potential terrorist
      attack...."
   • Increases penalties for persons who tamper or threaten to tamper with public water
      systems.

Under the Safe Drinking Water Act, "tampering" is broadly defined as either introducing a
contaminant into a public water system with the intention of harming persons or otherwise
interfering with the operation of a public water system with the intention of harming persons.
This is a federal crime for which up to a 20 year prison term is authorized (for additional
information see: http://www.epa.gov/safewater/sdwa/laws_statutes.html).

Tampering with either a drinking water system or a wastewater system is a federal crime
enforced primarily by EPA's Special Agents, fully-sworn Federal law enforcement officers,
assigned to the Office of Criminal Enforcement, Forensics, and Training (OCEFT), which
oversees both the EPA Criminal Investigation Division (CID) and the EPA Homeland
Security Division (HSD). The CID Special Agents investigate allegations of violations of the
nation's environmental statutes and the Special Agents of the Homeland Security Division
assist CID and the FBI with specific technical investigations that may be related to
terrorism, including tampering. FBI Special Agents may also investigate allegations of
violations of the nation's environmental laws through a memorandum of agreement (MOU)
between the EPA and FBI. These investigations may be conducted in conjunction with
state and local law enforcement officers (LEOs). If, during the discovery of a suspected
tampering incident at a public water system there is a suspected nexus to terrorism, FBI
Special Agents or other LEOs assigned to the local Joint Terrorism Task Force (JTTF) may

-------
respond to the incident, in addition to EPA CID Special Agents, to conduct the investigation.
During this initial phase of an incident, it will be determined if the incident is a result of
intentional activity, negligence, or other events based on the evidence at hand. In addition,
a determination will be made at the initial phases of the incident whether there is a nexus to
terrorism.  These determinations at the very early stages of an incident will define the scope
of the response by LEOs and how soon the utilities themselves can restore service, if it has
been affected by the incident. This will be further discussed in Module 6 - Response.

Note: Utilities consider their Vulnerability Assessment a "sensitive" document.

Utilities have several concerns regarding the information contained in their VAs. In
response, EPA developed security protocols to protect sensitive information, as described
in the Protocol to Secure Vulnerability Assessments Submitted by Community Water
Systems to EPA.

EPA has developed a number of other guidance materials relating to water security,
including a Water Sector-Specific Plan, a Response Protocol Toolbox, a Security Product
Guide, VA tools, and ERP guidances. See the Resources section of this handbook and visit
http://www.epa.gov/safewater/watersecurity.html.

-------
Module 2—Water Systems

After completing this module, participants will be able to:

   • Identify water systems in their jurisdiction.
   • List and describe critical components of a water system.
   • Identify other water systems' assets in their jurisdiction.

A drinking water system delivers water for various uses (e.g., domestic, fire protection,
critical care facilities, industrial use, irrigation, and sanitation).

Water systems are not all the same. They may or may not be regulated by federal and state
governments, depending on the number of people they serve. They may be very simple or
very complicated in construction and operations. They may use a ground water source, a
surface water source, or both. They may also be small or large, ranging from one that
serves a small trailer park to one that serves a major metropolitan area.

Any group of 25 or more people being served by their own water source 60 days a year or
more make up a public water system. Public water systems include places such as schools,
gas stations, campgrounds, highway rest areas, restaurants, industries, neighborhood
associations, and trailer parks.

We will focus on the larger residential and municipal systems. However, much of what is
included in here applies to small systems as well.

Water systems may cross multiple geographical boundaries. Your town's jurisdiction may
include components of another town's water system. Even if the majority of people in your
town get water from their own private wells, you may still have assets to protect.

-------
 The major components of most water systems are:
    • Water source.
    • Transmission.
    • Raw water storage.
    • Treatment.
    • Finished water storage.
    • Distribution system.
    • Administration and operations.
    • Supporting utilities.

Public water systems may use lakes as their source water.

Ground water is accessed through wellheads like this one.

All of these components can be vulnerable to attack from different types of adversaries and
through different mechanisms.

Your community may rely on more than one source for its drinking water. The source may
be surface water, ground water, or both. The source may lie in another jurisdiction. Area-
wide coordination, cooperation, and communication are necessary.


A reservoir is an artificial lake or specially built basin in which water is stored. A small
reservoir may provide water for just one community. Large reservoirs may supply water for
many communities. Underground pipes or aqueducts may transport water hundreds of
miles. Lakes, rivers, and streams may also provide water to public drinking water systems.
Ground water is accessed through wells drilled into aquifers. An aquifer is an underground
rock formation through which water flows slowly. Springs, which begin underground as
groundwater, are another source of water. A public well pumps water from underground
aquifers and distributes water to the community.


-------
Drinking water agencies across the country have identified the land areas that provide
water to public supply wells and surface water supplies. In these areas, precipitation falling
on the land can eventually make its way to a water supply well, reservoir, or river used to
provide drinking water. As precipitation moves across the  land or through the soil, it may
pick up pollutants and carry them to nearby drinking water sources. Because activities on
these lands can lead to drinking water contamination, these lands have been designated as
drinking water protection areas.

Depending on which state you're in, these areas may be called:

   • Wellhead protection areas.
   • Aquifer protection areas.
   • Watershed protection areas.
   • Source water protection areas.

It is important to keep pollutants off these lands whenever possible.

During heightened alerts, law enforcement might be asked to increase patrols of these
areas.

Surface water typically is treated with chemicals that combine with naturally occurring
particles. These particles can then settle and be filtered out to make the water clear.
Filtration is important because, besides making the water  clear, it removes some germs that
are difficult to kill.  The water is then disinfected to kill any remaining germs.

Ground water is pumped from aquifers, which can be shallow or deep. Ground water may
or may not be disinfected or otherwise treated. Some groundwater systems treat the well
water with chemicals to control taste and odor.

-------
Water treatment can involve the following
processes.  It is important that you are aware
of these processes so that you understand
areas of vulnerability. Check with your water
supplier to see which apply to your local
water system.

   • Intake screening. As water is drawn
      into the treatment plant from a
      surface water source, large items
      such as logs, sticks, fish, and plants
      are screened out. If the source is
      ground water, the screening is done
      by nature as the water travels
      through the soil or bedrock into the
      well, which typically also is screened.
   • Pretreatment. Chlorine and chemicals, such as alum and lime, are added to the
      water to help remove impurities and destroy any bad taste or odor. Sometimes
      chemicals are added to remove excess minerals that make the water hard or cause
      rust to form.
   • Coagulation and flocculation. The water is sent into a large basin, where the
      chemicals cling to the impurities in the water (coagulation) causing them to form
      larger, heavier particles called floc. These larger particles settle to the bottom of the
      basin so that the chemicals and the impurities can be removed from the water.

   • Filtration. From the basin where the floc settles (sedimentation basin) the water
      travels through filters. Here layers of sand, gravel, and sometimes hard coal
      (anthracite) remove any other impurities left in the water. Another filter may be used
      to remove toxic organic substances.

   • Disinfection. Once everything is removed from the water, a small amount of
      disinfectant is added to prevent bacteria from growing in the water as it travels
      through the distribution system. Chlorine and chloramines are used most often

-------
      because they are very common and effective disinfectants, and residual
      concentrations of them can be maintained to guard against typical biological
      contamination in the water distribution system. In some places, fluoride is also
      added. Security concerns associated with chlorine will be discussed later in the text.
      Typically, disinfection is the last step in the treatment process and the water is
      referred to as finished water, water that is ready to drink.

   • Taste and odor control. Problems with taste and odors can originate in the source
      water, within the treatment plant, in distribution systems, and in consumers'
      plumbing. There are a variety of chemicals (e.g., potassium permanganate) and
      treatment processes (e.g., granular activated carbon) used by water utilities to
      overcome these problems.

Law enforcement should do a walk-through of their local water utility and learn the areas of
a treatment facility that may store hazardous materials.

Most water systems include facilities to store finished water. A clear well is a finished water
storage facility (tank) adjacent to the treatment plant. Water can be stored in ground-level
tanks, buried tanks, or elevated tanks out in the distribution system. Small water systems
often use very small, pressurized tanks to maintain pressure in the distribution system.

Adequate storage capacity is important because it ensures the positive water pressure
necessary to prevent contaminants from being drawn into the distribution system.

Storage tanks are a favorite target of vandals and are potentially vulnerable to
contamination. Storage tanks have an entry hatch on the roof, just above the ladder, to
allow entry into the tank for maintenance activities such as cleaning and inspection.

Many water systems now lock and alarm their storage tank hatches. They may use motion
detectors or video cameras to maintain surveillance around water tanks.

On the next page are photos of two different storage tanks. Elevated tanks are used where
the topography doesn't allow placement of a ground-level tank at an elevation that will
provide adequate pressure to the system.

-------
A vandalized ground water storage tank
An elevated storage tank
These tanks usually have a single pipe from the distribution system. Thus, they "ride on the
line" or float on the pressure of the system, and water can go into the tank or come out of
the tank through the same pipe, depending on system demand (pressure).
Elevated tanks can be entry points for contamination because they usually are not
inspected as often as ground-level tanks.

Law enforcement can provide some assistance working with water systems in
surveillance and in response to alarms at tanks. Working with water systems to reduce
incidents or false alarms will help maintain everyone's vigilance in securing these important
drinking water assets.

Water is transported from treatment and storage facilities through:

Water mains
   • Transmission lines (pipes), which carry raw water from its source to a water
      treatment plant. After treatment, water is usually pumped into pipelines (transmission
      lines) that are connected to a distribution grid.
   • Distribution pipes, which deliver water to customers.

Pumping facilities. Some water systems also have booster pumps that help keep the
distribution system pressurized. Structurally sound mains and pumping facilities are critical
to guard against public health risks. If pressure is lost or if negative pressure is induced,
contaminated water or sewage may be pulled back into the system through holes or cracks
in the mains.

-------
                                                          A fire hydrant
In a water system, many applications require a pump to
move water from one point to another. In addition to
transporting water through the system, pump applications
include chemical feed systems, sludge removal, air
compression, and sampling. It is important that water
suppliers have more than one pump serving critical areas;
otherwise it may be a vulnerability.

Hydrants are used for fire protection and by the water
department for operational purposes, such as flushing the
system. Any other user should have permission of the water
department before hooking up to a hydrant. Depending on
your locality, there may be a permit process for hydrant use,
or designated hydrants for use by other entities.

      Law enforcement may want to check whether their town has a hydrant-use policy that
      they can help enforce. Always check and see whether or not somebody hooked up to a
      hydrant should really be there.

      Remember - Tampering with a fire hydrant is tampering with a public water system, a
      federal offense.

      Service connections include meters and backflow preventers. These devices help reduce
      the risk of accidental contamination; however, they introduce significant headloss (loss of
      pressure in the system).

      Valves are critical for isolating portions of a water system. Improper use of valves can
      cause severe damage to a water system.

      The operation and maintenance of any water system ultimately depends on management
      and management's commitment to maintaining a structurally sound and safe system. The
-------
proper administration and operation of a water system depend on two important assets:
employees and computer systems.

A water utility's employees generally are its most valuable asset. They have knowledge of
the system and water quality, and they may also have experience dealing with previous
contamination threats. The importance of knowledgeable and experienced personnel is
highlighted by the complexity of most water treatment and distribution systems.

Do you know the people who operate your drinking water system? The importance of
knowing who runs your water system is a key point that cannot be emphasized enough.
The day-to-day experience of water system personnel is an invaluable tool to countering
any attack.

Law enforcement should get to know personnel at their water treatment facility and
become familiar with the operation:

   • Meet your water supply personnel face-to-face.
   • Know the key contacts and their telephone numbers.
   • Know their official vehicles and any identifying logos or insignias.
   • Know what type of identification card they have, if any.

Supervisory Control and Data Acquisition (SCADA) systems typically are defined as
computer-based monitoring and control systems that centrally collect, display, and store
information from remotely located data collection transducers and sensors in order to
support the supervised remote control of equipment, devices, and automated functions.
More and more water systems today rely on SCADA for their routine operations.
Unfortunately, these systems can be susceptible to hackers who can cause significant
damage.

Essentially every component of the water supply system—pumping and storage, treatment
operations, and distribution—depends on energy and could be highly automated. Although
these operations are backed up by manual controls, damage could be done if power were
disrupted or if the automated systems were temporarily lost due to cyber attack.


-------
   Water has a variety of uses and is connected to other infrastructures through dependencies
   and interdependencies. Water systems are dependent upon:

      • Electric power to run pumps, wells, treatment, operations, repairs, security
         systems, computers, common rights-of-way.
      • Diesel or propane fuel for back-up power generation, transportation, and utility
         vehicles.
      • Natural gas for heating/cooling systems and for back-up power generation.
      • Telecommunications for voice and data communications and for automated meter
         reading systems, general operations, remote monitoring, communications with
         emergency responders, common rights-of-way.
      • Transportation for the delivery of chemicals and other materials, for operations and
         maintenance, repair, and to transport emergency responders and equipment,
         common rights-of-way.
      • Chemicals such as chlorine and other treatment chemicals.
      • Banking and finance, which are important to company operations.
      • Postal and shipping, which are important to company operations.

   A number of other infrastructures depend on water:

      • Agriculture: irrigation, animal drinking, facility cleaning.
      • Food: food processing and restaurant operations.
      • Public Health: hospitals.
      • Emergency services: fire fighting, emergency water supplies, equipment
         maintenance.
      • Government: office operations.
      • IT and Telecomm: equipment cooling.
      • Energy: steam production, mining, refining, pollution control.
      • Transportation: office operations, equipment maintenance, common rights-of-way.
      • Chemical: manufacturing operations.

   It is important to consider how an incident in one sector can adversely affect a water utility.

   More information regarding interdependencies will be discussed in Module 3.
-------
 1.  Are the source(s) of your drinking water within your jurisdiction? If so, where are
    they?

 2.  What types of treatment are used by your local water system and where are the
    critical facilities located?

 3.  What chemicals, if any, are stored on site?

 4.  Can you name one person at the water treatment plant that you might use as a
    contact?

 5.  Have you visited your water treatment plant, met personnel, and done a walk
    through?

 6.  What other water systems may have facilities or drinking water sources in your
     jurisdiction?

7.  Does your water system have an emergency power source?

8.  Do you have a copy of the water system's emergency response plan?

9.  Does your town have a hydrant use policy and, if so, do you have a copy?

-------
 Module 3—Threats
After completing this module, participants will be able to:

   • Understand different threats to water systems.
   • Be familiar with potential types of contaminants.
   • Be familiar with different types of attackers.

The Bioterrorism Act of 2002 requires every water utility serving a population of more than
3,300 to conduct a vulnerability assessment of its system to a "terrorist attack or other
intentional acts intended to substantially disrupt the ability of the system to provide a safe
and reliable supply."

The Act requires water suppliers to look at the major components of their water systems,
identify the threats to each component, estimate the potential effects of those threats on
their systems and their operations, and develop prioritized plans for risk-reduction.

There are three general types of threats to water systems: physical, contamination, and cyber.

Water storage towers are a potential target of vandals aimed at disrupting water service.

-------
Physical threats can range from general vandalism to the use of explosives. Targeting specific
facilities within a water system, a perpetrator may wish to vandalize, break in, destroy,
or disrupt that facility's equipment and operations. There are a variety of ways to disrupt the
many different functions of a drinking water system. Physical destruction can occur through
the use of explosives, but is not limited to that. It could include the use of treatment
chemicals such as chlorine gas. A physical attack that destroys water system components
is generally considered more likely than an intentional contamination event. Explosive
materials may also be more readily available than chemical/biological contaminants.

Some possible targets are:

   • Intakes.
   • Reservoirs.
   • Wells.
   • Dams.
   • Pumping stations.
   • Exposed mains.
   • Treatment plants.
   • Power supplies.

Physical interdependences between the power and water sectors are one of the key
infrastructure interdependencies. The effects of the August 14, 2003, power failure on
drinking water and wastewater facilities varied from a momentary loss to days without
power and water and wastewater service. The lesson learned by these facilities was the
need to review their vulnerability assessments and emergency response plans to better
address power outages in their plans.

Interruption of transportation can also hinder the operations of a water treatment facility
if it is unable to get the chemicals or the fuel deliveries it needs to continue operations.

Obvious signs of tampering should be reported immediately to law enforcement.

For the fifth day in a row, Detroit Water and Sewerage
Department officials asked their 4.3 million customers to boil
all tap water before drinking it. Detroit sells water to 126
southeastern Michigan communities. They also say
residents should conserve water. Testing water in Michigan
takes at least 48 hours and requires two clear indications in
a row that water is clean.  If both test results show bacteria-
free water, the water is considered safe to drink. Thursday's
power outage stopped the pumps, dramatically lowering the
pressure and the amount  of water in the pipes. That meant
bacteria were able to enter the water supply. Detroit's water system has back-up generators
at three of its five plants that should kick in when the main power fails. But the power wasn't
nearly enough to get the water running at high  pressures.  It was basically there for
emergency reasons, such as fires. In 1995, it cost $2 million in equipment alone to provide
backup power for a plant that pumps 30 million gallons a day. Some of Detroit's plants
pump 600 million gallons a day. Victor Mercado, director of the water department, said his
department will closely examine what the department could have done differently
(http://www.freep.com).

At a water treatment plant in Florida, an unknown person or persons crossed a barbed-wire
fence, broke open an entry gate, and removed aerator screens. State officials reviewing the
case described it as a "professional job" that could have affected the water in more than
4,000 homes. The utility was fined by the state for violating a new law requiring notification
of the health department of such break-ins within 24 hours (http://www.heraldtribune.com).

Contamination threats are more difficult to discern  than physical threats. The event does
not have to actually result in contamination of the water to have an impact. Just the threat
of the contamination will alter a system's operation. Signs of a possible contamination
incident include dead or dying animals, fish, or vegetation; empty containers or drums near
a water system facility; discarded personal protection equipment such as gloves, goggles,
or suits; odors; discolored water; or large  numbers of individuals seeking medical help in
hospital emergency rooms. Most of these signs can happen for other reasons, so it is
important to use sound judgment and not cause undue panic when evaluating an incident.



Currently, there are several hundred contaminants that might be used to contaminate a
water supply. A few contaminants have the potential to produce widespread death or illness;
a larger group of contaminants could produce localized death or illness in a segment of the
population; hundreds of contaminants could disrupt service and undermine consumer
confidence.

Incident-Cyanide-1
A white supremacist group calling itself "The New Order" proposed the use of a 50-gallon
drum of cyanide to poison the water supplies of major cities. The plot was proposed to
divert attention from the group's other planned attacks, including bank robberies,
unspecified attacks on all capitol buildings around the country, post offices, etc. Several
members of the New Order were arrested in Illinois in 1998 ("Supremacists had hit list, FBI
agent says," the New York Times [7 March 1998]:A14 [http://www.nytimes.com]).

A letter containing the poison ricin was found in an airport postal office in Greenville, SC.
Law enforcement officials were said to view the incident as a case of criminal extortion
with no threat to public health or suspicion of terrorism. Quoted officials also said that the
enclosed note threatened that large quantities of ricin would be dumped into drinking
water reservoirs unless the government conceded to demands regarding working conditions
in the trucking industry (http://www.cdc.gov/nceh/hsb/chemicals/mmwr-ricin.pdf).


In the summer of 1984, members of the Rajneeshee cult contaminated salad bars in The
Dalles, Oregon, with the Salmonella bacterium. Cult members had discussed a plan to use
sewage and rodents to contaminate the area's water supply, but this  idea was never carried
out (http://www.cdc.gov/ncidod/EID/vol5no4/tucker.htm).

Cyber threats are a new category of concern. SCADA systems may be susceptible to
hacking, which could result in disclosure, theft, or corruption of sensitive information.
SCADA system hacking could affect the operation of the system, with potentially harmful
effects.

[Photo: Security patrols aren't limited to dry land.]

The consequences of a cyber attack may require local law enforcement to assist a water
system in notifying the public. And of course, any investigation following such an incident
will include local law enforcement.

A series of water main breaks occurred in Denver one night. Early indicators pointed to a
computer problem that may have resulted in too much pressure in water lines, breaking a
valve and causing subsequent water main failures around town. Three breaks reportedly
occurred between the hours of midnight and 1 a.m.

Early indicators point to a possible computer problem, which may have sent too much
pressure through water lines, breaking the valve and causing subsequent water main
failures around town.

Meanwhile, cleanup and repair costs resulting from a massive water main break Friday at
Denver Public Schools headquarters could reach $1 million and keep the building closed
until at least Thursday. The break in a high-pressure water main filled the building's sub-
basement with four feet of mud in spots.

According to officials, shifting earth most likely caused the 6-inch underground steel water
main to sever.

About 200 to 300 employees work in the seven-story building. Some were to report to work
today in other locations, while others were getting an unplanned day off. School
operations were not expected to  be affected, a district spokesman said.
(http://www.wwdmag.com/wwd/index.cfm/powergrid/rfah=|cfap=/CFID/1542911/CFTOKEN/34152703/fuseaction/showNewsItem/newsItemID/8780).

The consequences of one of the above attacks or threats on a water system are varied. We
shall offer some general thoughts on the subject here, but to find out the specific
consequences that would affect water systems in your jurisdiction, you need to meet with
your water system personnel.

One of the factors that affect the severity of the consequences of an attack is the amount of
redundancy built into a water system. A contaminated reservoir may not cause the shutdown
of a system with multiple sources and adequate storage. But if that reservoir is the
system's sole source of water, a "single point of failure," then losing that reservoir is a
much larger problem.

Law enforcement should work closely with their water system to learn what the system's
"single points of failure" are, and pay special attention to them, especially in times of
heightened threat levels.

The mission of a water system will also affect the consequences. If a water system puts a
high priority on providing fire protection, then a contaminated source may mean that a
water system does not shut down, but instead issues a "do not use order" or, that it
bypasses a damaged treatment plant or process in order to provide water for fire protection.
These issues are system specific, so again, you need to meet with the water systems in
your jurisdiction to discuss this with them.


Water systems must identify their critical  assets. They need to consider the following kinds
of questions:

   > What are the easiest targets?
   > What will affect the water system or its customers the most?
   > What are the terrorists' goals?
   > What are the terrorists' constraints?

Asking and answering the right questions will help water system personnel determine the
nature of an attack.  Remember that many things must go as planned to result in casualties.
History says this isn't that easy. However, it is relatively easy to disrupt service or destroy
public confidence.

Law enforcement may be able to assist a water utility in identifying local and regional
threats and in determining what assets are vulnerable. Law enforcement also may be able
to assist the utility in becoming a less attractive target.

Law enforcement's role in assisting water utilities might focus on:

   > Surveillance.
   > Patrols.
   > Communications/24 hr. contacts.
   > Physical security.
   > Site control.
   > Public notification.
   > Investigations.
   > Threat warnings.
   > Liaison with state and federal law enforcement and intelligence resources.

It is vitally important that law enforcement take any threat to a water system very seriously
and notify water contacts.  If notified, a water supplier can then take action to minimize risk
to the public.

Threats can come about through:

   > Natural disasters.
   > Vandals.
   > Disgruntled employees.
   > Terrorists.
   > Computer hackers.

On June 11, during a routine facility check, utility staff discovered that one or more unknown
persons had cut the barbed wire on a newly installed security fence and removed the
padlock on a tank hatch on the city's 5 million-gallon elevated water storage reservoir.
Immediately acting to protect the city's 60,000 residents from a possibly contaminated
water supply, employees shut off water from the reservoir, isolating it from the distribution
system, and began the 48-hour process of draining it. After a thorough investigation and
water sampling analysis, the incident was believed to  have been caused by local youths.
The utility manager said, "Three strands of barb wire were cut at the corners and the
padlock was cut off. We assume it was kids using a bolt cutter; it was an impressive feat."
("Security Threat a 'Dress Rehearsal' for Janesville." Carpenter C., Opflow, September
2002, Vol. 28, No. 9.)

 It had a look that is common to weekend vandalism: the cut screen, the mess in the
 building, the spilled material. But the building was the control room of the water treatment
 plant, and the mysterious bright red substance was spilled into the town's water supply over
 the weekend. The substance was identified as a vinyl patching compound. The  problem
 was isolated and the residents were supplied with treated water from a neighboring district.
 Two 13-year-old boys were in custody and facing charges of contaminating a public water
 supply. (Cox J., Sacramento Bee, October 13, 1999.)

A letter sent in 1985 contained a threat to poison water with plutonium trichloride (PuCl3)
unless charges associated with a notorious criminal case in New York City were dropped.
The letter was judged to be a hoax, despite sampling analyses indicating potentially
elevated levels of plutonium. (Questions were raised regarding possible errors with the
sampling and analysis protocol.) The incident was announced publicly (4 months later) after
press inquiries.

In Queensland, Australia, on April 23, 2000, police stopped a car on the road to Deception
Bay and found a stolen computer and radio transmitter inside. Commercially available
technology had been used to turn this vehicle into a pirate command center for sewage
treatment along Australia's Sunshine Coast. The perpetrator's arrest solved a mystery that
had troubled the Maroochy Shire Wastewater System for 2 months. Somehow the system
was leaking hundreds of thousands of gallons of putrid sludge into parks and rivers and
onto the manicured grounds of a Hyatt Regency hotel. Janelle Bryant of the Australian
Environmental Protection Agency said, "Marine life died, the creek turned black, and the
stench was unbearable for residents." Until the suspect's capture, during his 46th successful
intrusion, the utility's managers did not know how the attacks were accomplished. To
sabotage the system, the suspect set the software on his laptop to identify itself as
"pumping station 4," then suppressed all alarms. He was the "central control system" during
his intrusions, with unlimited command of 300 SCADA nodes governing sewage and
drinking water alike. "He could have done anything he liked to the fresh water," said Paul
Chisholm, chief executive of Hunter Watertech.

1.  What are the potential threats to drinking water?

2.  Can you name a few contaminants that might be used in an attack against a water
   utility?

3.  Can you think of a few places in your jurisdiction that might make an attractive place to
   add contaminants to the water system?

4.  What can law enforcement do to assist a water utility in becoming a less attractive
   target?

5.  What can law enforcement do to assist a water utility in understanding potential threats?


-------

Module 4—Vulnerabilities

After completing this module, participants will be able to:

   > Understand vulnerabilities of water systems.
   > Understand some of the contaminant concerns at water systems.
   > Understand ways of working with water system personnel to protect their water
     systems.

Under the Bioterrorism Act of 2002, water suppliers are
required to look at the major components of their system,
identify the threats to each component, and estimate the
potential effects of those threats on their system and its
operations.

The following is a brief discussion of some of the vulnerabilities of water systems. This is
not intended to be a complete overview. Law enforcement should talk with the managers of
the local water system to understand its particular vulnerabilities and how they plan on
protecting them.

[Photo: Treatment processes such as sedimentation are vulnerable.]

Potentially vulnerable  components of the water system operation include:

   > Source water (reservoirs, wells, intake structures, dams, raw water pumps).
   > Treatment and chemical storage facilities (treatment plants, treatment processes,
     chemical storage, booster treatment, clear well).
   > Transmission and distribution system (pump stations, valves, hydrants, service
     connections).
   > Finished water storage (storage tanks).
   > Administration and operations (administration building, billing, maps and records,
     SCADA).
   > Supporting utilities (transportation, communication, electricity).

[Photo: Wellheads are a vulnerable component.]

When looking at reservoirs or wells, water suppliers should ask themselves, "Is it possible
for someone to dump or discharge a hazardous substance into the reservoir or well and go
unnoticed?"

   > Reservoirs:
      • Vulnerabilities: Natural and man-made contamination.
      • Means of protection: Dilution, treatment, watershed patrols, local residents
         (water watchers).
      • What to look for: Cars parked near reservoir access; discarded equipment
         around the reservoir; illegal entry onto water company lands; unknown persons
         taking photos or videos of reservoirs. Law enforcement should know any
         restrictions that are in place around the reservoir (Is it closed to hiking?
         swimming? boating? fishing?) and enforce those restrictions.

   > Wells:
      • Vulnerabilities: Natural and man-made contamination; physical damage to the
         well cap, pump, casing, or power supply.
      • Means of protection: Fencing, redundancy, well construction, patrols.
      • What to look for: Signs of intrusion or tampering with the well; illegally parked or
         abandoned cars in the area; people in the area when inappropriate; discarded
         equipment, containers or drums; and triggered alarms.

Law enforcement may be asked to increase patrols in the vicinity of reservoirs.
Protecting so many assets is challenging and may at times cross lines of jurisdictions and
require area-wide cooperation.

The key question that must be answered is: "How possible is it for someone to intentionally
contaminate a water source near the intake and go unseen?" The intake area is not
necessarily adjacent to the treatment plant and is therefore vulnerable to outside
intruders who may go undetected by water system personnel. Intakes can be critical
assets because contaminants may be introduced or delivered to the intake and pass into
the system in a concentrated form, thus challenging the treatment system.

      • Vulnerabilities: Natural and man-made contamination; physical damage to the pipe
         or the gate house structure or the valve mechanisms in the gate house.
      • Means of protection: For the gate house: fencing, locks, alarms, redundancy, proper
         lighting, patrols. For the intake: multiple physical barriers; if there is a walkway,
         barbed wire around fence, lock entrance to walkway.
      • What to look for: Signs of intrusion at the gatehouse such as cut fence, broken
         locks, doors, or windows; tampering with power or lighting; signs of contamination
         such as discarded equipment or containers; dead or dying fish; odors;
         discoloration of the water; boats or swimmers entering the restricted area around
         the intake; cars parked illegally or abandoned around the area.

[Photo: Pumps should be protected from unauthorized access.]

      • Vulnerabilities: Physical damage to the structure itself; damage to the gates,
         controls, or valves.
      • Means of protection: Area around the facility should be fenced and locked with
         tamper-proof locks; adequate lighting; area patrolled periodically; access
         restrictions on dam and roadways.
      • What to look for: Broken locks, cut fences, unknown vehicles parked in vicinity,
         unauthorized surveillance.
When looking at the treatment facilities, the water supplier will be looking at the physical
security of the facility and asking the following kinds of questions:

   > Is the area around the facility fenced and locked?
   > Are access roads gated and locked?
   > Are the facilities staffed? For how long?
   > Is there adequate lighting?
   > Are there tamper-proof locks?
   > Are there other types of access controls?
   > What types of alarms are in place and how are they monitored?
   > Are the buildings locked?
   > Is the area patrolled periodically?
   > Are the facilities inspected and, if so, how often?
   > Is a log kept?
   > What are the delivery procedures?

   > Treatment Plants:
      • Vulnerabilities: Physical damage to the structure itself; damage to pumps, filters,
         chemicals, storage tanks.
      • Means of protection: Adequate lighting, tamper-proof locks, alarm system, trimmed
         shrubbery, periodic patrol of area, limited access on roads into facility,
         appropriate warning signage in place (e.g., NO TRESPASSING, AUTHORIZED
         PERSONNEL ONLY).
      • What to look for: Signs of break-in such as broken locks, doors, or windows; cut
         fence; unexplained changes in water quality.

   > Chemical Storage:
      Chlorine is the most commonly used disinfectant in water treatment, but other
      chemicals are sometimes used which often have advantages over chlorine. The
      disinfection system can be tampered with to cause harm either by over- or
      under-feeding chlorine or turning it off completely. Chlorine gas is very dangerous if
      accidentally or intentionally released. Liquid chlorine (sodium hypochlorite) is
      dangerous if mixed with the wrong chemical, which can form chlorine gas. Powdered
      chlorine (calcium hypochlorite) is dangerous if stored with combustible material (e.g.,
      gasoline, diesel; a dangerous fire hazard). Other commonly used disinfectants are
      chloramines, chlorine dioxide, and ozone.

[Photo: Protecting storage tanks may require extra law enforcement patrols.]

      • Vulnerabilities: Physical damage to the storage facility, tampering with the
         chemical feed system, tampering with the chemicals, intentional release of
         chlorine from gas cylinder.
      • Means of protection: Tamper-proof locks, delivery standard operating
         procedures (e.g., require pre-notification from supplier for bulk deliveries,
         including driver identification and time of arrival); hazardous chemicals properly
         labeled and secured.
      • What to look for: Broken locks, doors, windows, discarded containers, deliveries
         at unusual times.

Law enforcement should be familiar with general chemical delivery procedures and
schedules. For example:

   > Does the water system in your jurisdiction accept deliveries 24 hours a day or only
     during business hours?
   > Are there multiple delivery points or one central location?
   > Do they receive large bulk deliveries from large tanker trucks or do they use smaller
     trucks with pallet deliveries?
   > Where do tanker trucks wait if they cannot make delivery upon arrival?

Law enforcement should be familiar with the chemicals used at their local water utility
and have personal protective equipment as needed. Law enforcement should know
emergency response procedures established by the water supplier and their community. If
a release is determined at the facility, work with your local HAZMAT team to determine the
nature and volume of the release.


Transmission lines are pipelines that transport raw water from its source to a water
treatment plant. After treatment, water is usually pumped into pipelines (transmission lines)
that are connected to a distribution grid. The distribution system is an underground network
of large and small pipes that transport water. The distribution system grid comes above the
ground through pipes and faucets in houses, hydrants on streets, and  storage tanks
throughout the system. The size of the pipes can vary from as little as  4 inches to 10 feet in
diameter.

      • Vulnerabilities: Various pumps, pump stations, valves, fire hydrants, service
         connections. These all make convenient entry ways into the distribution system.
         Abandoned buildings with water service connections may make especially easy
         targets.
      • Means of protection: Redundancy in the system, tamper-proof locks, caps and
         covers on valve boxes and fire hydrants.
      • What to look for: Unauthorized or unmarked truck hooking up to a fire hydrant,
         unusual activity around abandoned buildings.

   > Finished Water Storage (storage tanks):
      • Vulnerabilities: Contamination, entry hatches, vents, area around tanks.
      • Means of protection: Perimeter fences, access roads gated and locked, exterior
         lighting, vents adequately secured and/or filtered, tamper-proof locks on hatches,
         alarms monitored.
      • What to look for: Cut fences, broken locks, unauthorized vehicles in area
         around tank, triggered alarms.

Law enforcement can provide assistance in working with the water suppliers in
surveillance and in responding to alarms at tanks. Working with the water suppliers to limit
incidents and reduce false alarms would help maintain everyone's vigilance in securing
these important assets. Additionally, means of facility access for law enforcement should be
discussed.

Remember: If tampering is suspected because the water supply was actually accessed,
then the local JTTF should be notified as soon as possible. This will initiate a chain of
events to provide the local LEOs with federal investigative and intelligence support.

The proper operation and maintenance of any water system ultimately depends on
management.

The employees of a water utility are generally its most valuable asset. They have
knowledge of the system and water quality, and may also have experience in dealing with
previous contamination threats. The day-to-day experience of water system personnel is an
invaluable tool in countering any attack.

      •  Vulnerabilities:  Physical, biological, chemical, and psychological threats; theft of
         sensitive documents (e.g., VA, ERP, plans of distribution system, employee
         personal info); disgruntled employees or contractors.

      •  Means of protection: Security policy, background checks done on employees,
         access codes strictly controlled, ID badges  required, restricted access to keys for
         equipment or vehicles.

The above descriptions are just some of the vulnerabilities associated with drinking water
systems and are in no way a complete list. Law enforcement is strongly encouraged to
contact the water suppliers in their jurisdiction and meet with them to discuss the specific
vulnerabilities of those water systems.

Law enforcement might be called upon to help notify customers about water-related
issues in the event of a total electrical failure. There is always a need to have reliable
communications outside the utility with fire officials, emergency response teams, city
command centers, and others.

Law enforcement should know emergency response procedures established by the
water supplier and communities.

1.  Have you done a walk through of the water utilities in your jurisdiction with water system
   personnel?

2.  Are you familiar with the type of vulnerabilities particular to these systems?

3.  Do you know the critical contacts at the water utility? Do they know yours?

4.  Are there abandoned facilities in your community that someone could use to tap into the
   water system?

5.  Are you aware of the emergency response procedures of the water supplier and your
   community?

6.  Do you know who your local HAZMAT team is?

7.  Do you have access to distribution maps of the water system?

-------

Module 5—Incident Management

After completing this module, participants will be able to:

   > Understand the types of threat warnings.
   > Understand procedures for evaluating threat credibility.
   > Understand the Incident Command System.

EPA has developed a "Response Protocol Toolbox" that provides information on how to
work through the process of determining whether a threat is real or a hoax. This Toolbox will
help everyone investigate these incidents thoroughly, safely, and methodically so that the
health of the water system personnel, the first responders, and the general public will be
protected, and panic will be avoided.

The goal of terrorism is to instill fear in the population, not necessarily to cause damage
or casualties. This fear can be caused by the mere threat of contamination—if the threat is
not properly managed. For this reason, both threatened and actual contamination incidents
are a concern faced by the public at large and, in particular, drinking water professionals.

[Photo: The first step in threat management is evaluating the threat.]

An important distinction is the difference between a contamination threat and a
contamination incident.

A threat is an indication that something may have been done to the water system, and may
or may not prove to be true. (Maybe a hatch door is found open.)

-------
          An incident is a confirmed contamination event or attack on a water system that requires a
          response.

          Water contamination threats and incidents may be of particular concern due to the range of
          potential consequences:

             > Creating an adverse impact on public health within a population.
             >• Disrupting system operations and interrupting the supply of safe water.
             > Causing physical damage to system infrastructure.
             > Reducing public confidence in the water supply.
             >• Long-term denial of water and the cost of remediation and replacement.

          The threat management process involves two parallel and interrelated activities:

             >• Evaluating the threat.
             > Making decisions regarding appropriate actions to take in response to the threat.

          Historical evidence suggests that the probability of intentional contamination of the drinking
          water supply is low; however, experts agree that it is possible to contaminate a drinking
          water system, resulting in adverse public health consequences. The probability of a
          contamination threat is relatively high.

          The first critical step in evaluating a contamination threat is recognition of a threat warning
          (i.e., an unusual situation that may have presented the opportunity for contamination of the
          drinking water). The utility will likely be in the best position to observe a threat warning and
          evaluate whether or not the activity is possible (i.e., first decision point in the "Threat
          Evaluation" process).

          Types of threat warnings include:

             > Security breaches.
             > Witness account.
             > Direct notification by perpetrator.
             > Public health notification.
             > Notification by law enforcement.
             > Notification by news media.

-------
   > Unusual water quality parameters.
   > Consumer complaint.

The following is a brief description of several types of threat warnings. To learn more, see
Module 1 of the EPA "Response Protocol Toolbox."

   > Security breaches. This may be the most common type of threat warning
      encountered by a utility. In most cases, the security breach is most likely related to
      lax operations or typical criminal activity such as trespassing, vandalism, and theft
      rather than intentional contamination of the water. However, it may be prudent to
      assess any security breach with respect to the possibility of contamination.

   > Witness account. Awareness of an incident may be triggered by a witness
      account of suspicious activity such as trespassing, breaking and entering, and
      other types of tampering. Utilities should be aware that individuals observing
      suspicious behavior near drinking water facilities will likely call 911 and not the water
      utility. In this case, the incident warning technically might come from law
      enforcement, as described below.

Law enforcement and water utilities must work together to preserve crime scenes.

   > Direct notification by perpetrator. A threat may be made directly to the water utility,
      either verbally or in writing. Historical incidents would indicate that verbal threats
      made over the phone occur more frequently than written threats. While the
      notification may be a hoax, threatening a drinking water system is a federal crime

-------
      under the Safe Drinking Water Act as amended by the Bioterrorism Act and
      should be taken seriously.

   > Notification by public health agency. Notification from a public health agency or
      health care providers regarding increased incidence of disease.

   > Notification by law enforcement. A utility may receive notification about a
      contamination threat direct from law enforcement, including local, county,
      state, or federal agencies. As discussed previously, such a threat could be a
      result of suspicious activity reported to law enforcement, either by a perpetrator,
      a witness, or the news media. Other information, gathered through intelligence or
      informants, could also lead law enforcement to conclude that there may be a threat
      to the water supply. While law enforcement will have the lead in the criminal
      investigation, the utility has primary responsibility for the safety of the water
      supply and public health. Thus the utility's role will likely be to help law
      enforcement understand the public health implications of a particular threat, as
      well as the technical feasibility of carrying out a particular threat.

   > Notification by news media. A threat to contaminate the water supply might be
      delivered to the news media, or the media may discover a threat. A conscientious
      reporter would immediately report such a threat to the police, and either the reporter
      or the police would immediately contact the water utility. This level of professionalism
      would provide an opportunity for the utility to work with the media and law
      enforcement to assess the credibility of the threat before any broader notification is
      made.

Law enforcement will have the lead in any criminal investigation.

-------
The goals of threat response and management for a water utility are to evaluate the threat,
take necessary steps to protect public health while the threat is being evaluated, confirm
the threat, remediate the water system, if necessary, and return the system to safe normal
operation as soon as possible.

The threat management process is considered in three successive stages: "possible,"
"credible," and "confirmed." It is important to stress that the response to an incident will be
based on incomplete information. Not everything about the incident can be known in the
timeframe in which response decisions must be made.

For example, decisions to isolate a portion of a water system, issue a boil order, or issue a
do-not-drink order may have to be made before water quality test results  are provided by a
laboratory to confirm a contamination incident.

Continued emergency response training allows water suppliers, state officials, and law
enforcement to gain an understanding of how to best make decisions without complete
information.

A threat is deemed "possible" if the circumstances indicate the opportunity for
contamination.

Example of a possible threat:

   > Opened fence to a water tank with the lock cut and lying on the ground, or a phone
      call to the utility telling the utility that the system has been harmed.

The evaluation to determine if a threat is "possible" should be conducted quickly, with a
1-hour goal to determine if additional actions are needed.

Once a threat is considered possible, additional information will be necessary to determine
if the threat is "credible." The threshold at the "credible" stage is higher than that at the
possible stage, and in general there must be information to corroborate the threat in order
for it to be considered "credible." Often this information is circumstantial but, if enough

-------
indicators suggest something has taken place, then additional response decisions need to
be made. Steps should be initiated to confirm the incident and positively identify the
contaminant.

The actions to decide if a threat is "credible" should proceed quickly, with a goal of making
this determination within 2 to 8 hours.

Preliminary site characterization information will help determine whether a threat is credible.
In addition, water suppliers and state drinking water officials should be in contact with other
supporting agencies, including law enforcement, to gather information to guide the
assessment.

Law enforcement and water utilities need to work together to preserve crime scenes
while at the same time allowing water personnel access to facilities as necessary. The
expertise of law enforcement agencies (local, state, and federal) will be critical in evaluating
the credibility of a contamination threat. They may have knowledge of recent criminal
activity in the area that might help establish credibility or support advanced stages of the
investigation. The Water Utility Emergency Response Manager (WUERM) should be
available to provide expertise on the drinking water system to law enforcement during the
threat evaluation.

A contamination incident is "confirmed" once conclusive evidence is obtained. Confirmation
implies that definitive evidence and information have been collected to establish the
presence of a harmful contaminant in the drinking water. Definitive evidence that a system
has been contaminated is sought to "confirm" a threat and classify it as an "incident." The
best information is reliable water quality testing data from a laboratory using known
analytical methods. This information may not be available right away, especially for
biological testing data, because it can take 24 to 48 hours to receive results. Other sources
of evidence such as eyewitness reports, physical evidence from a location in the water
system, or reports by the perpetrators themselves may be adequate to confirm an incident.

While many entities are involved in a threat evaluation, the Incident Command System
(ICS) is the accepted model for managing emergencies. This model allows its users to
adopt an organizational structure to fit any situation regardless of jurisdictional boundaries.

-------
The ICS is extremely flexible and can grow or shrink to meet the changing needs of an
incident. The organization that assumes responsibility for incident command will vary with
the nature and severity of the incident. During the course of managing a contamination
threat, the individual designated as incident commander may change as different
organizations assume  responsibility for managing the situation.

Among the various organizations that may assume incident command responsibility during
an intentional contamination situation are:

   > Water Utility will likely be responsible for incident command during the initial stages
      of a situation. The utility will retain this responsibility by default unless or until another
      organization (with proper authority) assumes command. The Water Utility
      Emergency Response Manager (WUERM) would probably serve as incident
      commander while the utility maintains overall responsibility for managing the crisis.

   > Drinking Water Primacy Agency may assume incident command when the utility
      lacks the resources to manage the threat.

   > Public Health Agency (state or local) may assume incident command if the
      situation is a public health crisis (without links to terrorism).

   > Local Law Enforcement may assume incident command when criminal activity
      (excluding federal crimes such as terrorism) is suspected. Law enforcement will
      have the lead in the criminal investigation and will determine whether or not a crime
      has been committed. EPA CID may assume incident command when the federal
      crime of tampering with a public water supply is suspected. EPA CID will have the
      lead in the criminal investigation and will determine whether or not an environmental
      crime has been committed.

   > FBI will assume incident command when a crime is suspected to have a nexus to
      terrorism.

If an organization other than the utility assumes incident command, the utility will play a
supporting role during the threat management process. Regardless of which organization is
in charge of managing  the overall situation, the water utility will maintain responsibility for
the water system.

-------
The National Response Plan (NRP) establishes a comprehensive all-hazards approach to
manage domestic incidents. The NRP includes the best practices and procedures from
several incident management disciplines (e.g., homeland security, emergency
management, law enforcement, firefighting, public works, public health, responder and
recovery worker health and safety, emergency medical services, and the private sector)
and combines them into one. It outlines how federal departments and agencies will work
together and how the federal government will coordinate with state, local, and tribal
governments and the private sector during incidents. For additional information on the
National Response Plan (NRP) go to
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0566.xml.

For more information on the threat management process, please see Module 2 of the
Response Protocol Toolbox, which can be obtained at EPA's Water Security Web site
(http://www.epa.gov/watersecurity).

Law enforcement will have the lead in the criminal investigation and will determine
whether or not a crime has been committed.

Law enforcement will assist in the evaluation of any possible threats posed by
secondary devices if a confirmed event has occurred.

Law enforcement and water utilities need to work together to preserve crime scenes,
while at the same time allowing water utility personnel access to facilities as necessary.

Local law enforcement may assume responsibility for incident command in situations in
which criminal activity is suspected. EPA CID may assume incident command when the
federal crime of tampering with a public water supply is suspected. EPA CID will have the
lead in the criminal investigation and will determine whether or not an environmental crime
has been committed.

-------
1.  What is the difference between a contamination threat and a contamination incident?

2.  What are some of the threat warnings you might encounter from a water utility?

3.  Is there a special notification form?

4.  Do you have a diagram of the building facilities of the water utility?

5.  Would you be able to access the water utility to respond if there was an incident?

6.  Do you have keys to any locks or access codes?

7.  Do you know the water utility's emergency response plan and have you practiced with
   them?

-------

-------
Module
After completing this module, participants will be able to:

   > Recognize the framework for evaluating a water contamination threat.
   > Describe some of the actions that might be implemented in response to a
      contamination threat.

Each water system is unique with respect to age, operation, and complexity. Distribution
systems are particularly unique in that many are complex and often an undocumented mix
of new and old components.

There are many ways to gain a better understanding of a particular water system, one of
which is through its vulnerability assessment.

Meet with your water utility managers and ask them to share what areas they identified as
key locations that are vulnerable to intentional contamination.

Law enforcement can assist a water utility in improving physical security around its
plant.

The employees of your water utility are generally its most valuable asset in preparing for
and responding to water contamination threats and incidents. They have knowledge of the
system and water quality, and may also have experience in dealing with previous
contamination threats. The day-to-day experience of water system personnel is an
invaluable tool in countering any attacks.

-------
Water systems were required to revise their emergency response plans to reflect the
findings of their vulnerability assessments and to address terrorist threats.

Law enforcement should have a copy of the utility's emergency response plan and
should practice with the utility. How can you practice with a water utility? EPA has
developed a Tabletop Exercise CD with several different scenarios involving a water utility.
This is a great training tool to bring together all the essential response personnel involved in
a water incident, allowing them to practice their roles and to revise any parts of their plan as
necessary (http://cfpub.epa.gov/safewater/watersecurity/tools.cfm#cd).

Law enforcement should also coordinate with their local EPA CID office.

Once a contamination threat has been deemed "possible," relatively low-level response
actions are appropriate. Two response actions that a water utility might consider at this
stage are:

   > Site characterization.
   > Immediate operational response.

Site characterization is one of the critical activities intended to gather information to support
the "credible" stage. Site characterization is defined as the process of collecting information
from an investigation site in order to support the evaluation of a drinking water
contamination threat. This process will normally take place within 2-8 hours of the initial
event. Site characterization activities include the site evaluation, field safety screening,
rapid field testing of the water, and sample collection. The investigation site is the focus of
site characterization activities, and if a suspected contamination site has been identified, it
will likely be designated as the primary investigation site. The results of site characterization
are of critical importance to the threat evaluation process. Law enforcement serves an
integral role in the site characterization process. Certain elements of the site
characterization process are to be considered law enforcement investigative functions.
These include the supervision of the preservation of the crime scene and the evaluation of
information and physical evidence that may be present at the investigation site. The law

-------
enforcement evaluation of any existing physical evidence, including forensic evidence, may
aid in the determination of the threat's credibility.

Immediate operational response actions are primarily intended to limit the potential for
exposure of the public to the suspect water while site characterization activities are
implemented. An example of an operational response is isolation of a tank by pumping
water into the tank or valving out a tank. These actions generally would not affect
consumers and thus generally would not require public notification.

Law enforcement can help by working with the water supplier on any threat or incident
that may occur. What you think is inconsequential may have an impact on the water
system, its operation, and public health.

The response actions considered at the "credible" stage may involve more effort and have a
greater impact than those considered at the "possible" stage. Three response actions that a
water utility might consider at this stage are:

   > Sample analysis.
   > Continuation of site characterization activities.
   > Public health response.

Sample analysis and continuation of site characterization are part of the ongoing threat
evaluation and are intended to gather information to "confirm" whether a contamination
incident did or did not occur. Public health response actions are intended to prevent or limit
exposure of the public to the suspect water and are more protective  and have a greater
impact on the public than the operational response action considered at the possible stage.
An example of a public health response action is issuance of a "Do Not Drink" notice.

Know the clearly established communications responsibilities. In an emergency, a water
supplier may need  to notify large numbers of residents quickly. In the past, local law
enforcement has been essential in assisting water supply personnel in notifying the public
of emergencies (e.g., "DO NOT DRINK" orders).

-------
Local law enforcement may be asked to participate in public notification strategies.
Know the clearly established communications responsibilities. In the past, local law
enforcement has been essential in assisting water utility personnel in notifying the public of
emergencies.

Once a contamination incident has been confirmed, it will be necessary to move into full
response mode. Organizations that may be actively engaged in the response include the
drinking water primacy agency, the public health agency, emergency response agencies,
and law enforcement. All of these participating organizations will likely be coordinated under
existing incident command structures designed to manage emergencies at the state or local
level. States and local entities likely have established their own response plans, which
would be in effect if the incident were managed at this level. In any case, the utility will still
have a role in the implementation of full response actions; however, it will generally act in a
technical support role.

The following is an example of a threat warning with a contamination management threat
matrix presented. This is a tabular summary that lists the following at each stage of the
threat evaluation:

   > Information considered during the threat evaluation.
   > Factors considered during the threat evaluation.
   > Potential notifications unique to a specific stage of a particular threat warning.
   > Potential response actions.

Security Breach

Threat Evaluation Stage: Possible

   Information considered:
      • Location of security breach.
      • Time of security breach.
      • Information from alarms.
      • Observations when security breach was discovered.
      • Additional details from the threat warning.

   Factors considered:
      • Was there an opportunity for contamination?
      • Has normal operational activity been ruled out?
      • Have other "harmless" causes been ruled out?

   Potential notifications:
      • Notifications within utility.
      • Local law enforcement agencies.
      • EPA CID

   Potential response actions:
      • Isolate affected area.
      • Initiate site characterization.
      • Estimate spread of suspected contaminant.
      • Consult external information sources.

Threat Evaluation Stage: Credible

   Information considered:
      • Results of site characterization at location of security breach.
      • Previous security incidents.
      • Real time water quality data from the location of security breach.
      • Input from local law enforcement.

   Factors considered:
      • Do site characterization results reveal signs of contamination?
      • Is this security breach similar to previous security incidents?
      • Does other information (e.g., water quality) corroborate threat?
      • Does law enforcement consider this a credible threat? EPA CID, FBI, JTTF

   Potential notifications:
      • Drinking water primacy agency.
      • State/local public health agency.
      • EPA CID, FBI

   Potential response actions:
      • Implement appropriate public health protection measures.
      • Plan for alternate water supply.
      • Analyze samples.
      • Perform site characterization at additional investigation sites.

Threat Evaluation Stage: Confirmatory

   Information considered:
      • Results of sample analysis.
      • Contaminant information.
      • Results of site characterization at other investigation sites.
      • Input from primacy agency and public health agency.

   Factors considered:
      • Were unusual contaminants detected during analysis? Do they pose a risk to the public?
      • Do site characterization results reveal signs of contamination?
      • Is contamination indicated by a "preponderance of evidence?"

   Potential notifications:
      • Emergency response agencies.
      • National Response Center.
      • Other state and federal assistance providers.

   Potential response actions:
      • Characterize affected area.
      • Revise public health protection measures as necessary.
      • Provide alternate water supply.
      • Plan remediation activities.

-------
Law enforcement should meet water supply personnel face-to-face and should know
officials' vehicles and identification badges or card type.

Water suppliers and law enforcement should share critical contact lists.

Law enforcement can share information with police dispatchers on drinking water
sources and critical facilities as well as the water utility's critical contact list.

Before an incident, law enforcement should work with the water utility on how to protect
the crime scene.

Law enforcement can work with the water utility and Neighborhood Watch groups to
build awareness around suspicious activities near critical water sources and structures.

-------
EPA provides guidance to water utilities at each threat alert level of the Homeland Security
Advisory System. Work with your water supplier to see what assistance law enforcement
can offer at various threat levels. Also know what operational changes may take place at
different threat levels. The following is a brief review of the Homeland Security Advisory
System and examples of suggested preventative measures. For more detailed information
see the EPA document Guarding Against Terrorist and Security Threats: Suggested
Measures for Drinking Water Utilities (August 2004).

Water utilities focus on the continuing assessment of their facilities and developing, testing,
and implementing their emergency response plans. Water utilities should post emergency
evacuation plans in an accessible, secure location near the entrance for immediate access
by law enforcement.

Intruders, trespassers, and those detained for tampering should be prosecuted to the
fullest extent possible.

Blue
General Risk of Terrorist Attacks
Protective measures by the water utility focus on activating employee and public
information plans, exercising communication channels with response teams and local
agencies, and reviewing and exercising emergency plans.

The water utility will reaffirm communication and coordination protocols (embedded in the
utility's emergency response plan) with local authorities such as police and fire
departments, HAZMAT teams, hospitals, and other first responders.

Access to mission-critical facilities should be controlled.

The water utility is also encouraged to develop intelligence contacts with state and local law
enforcement, EPA CID field offices, FBI field offices, and the Water Information Sharing and
Analysis Center (WaterISAC).

-------
Protective measures should focus on increasing surveillance of critical facilities;
coordinating response plans with allied utilities, response teams, and local agencies; and
implementing emergency plans, as appropriate.

The water utility may ask law enforcement to increase surveillance activities in source water
and finished water areas.

Law enforcement should also have the critical contact lists available for all water utility
personnel.

Protective measures by the water utility should focus on limiting facility access to essential
staff and contractors, and coordinating security efforts with local law enforcement officials
and the armed forces, as appropriate.

Red
Severe Risk of Terrorist Attack
Protective measures should focus on the decision to close specific facilities and the
redirection of staff resources to critical operations. As appropriate, water utilities will request
increased law enforcement and/or security agency surveillance, particularly of critical
assets and otherwise unprotected areas.

-------
1.  Do you know what threats are of concern to the water systems in your jurisdiction?

2.  Do you know the key utility personnel contacts for the water systems in your
   jurisdiction?

3.  Do you have a copy of the water utility emergency response plans for the utilities in your
   jurisdiction, and have you conducted any exercises with the utilities to test the plan?

4.  Are you familiar with the response actions your utilities might take to possible, credible,
   or confirmed incidents?

5.  Have you worked with the water utility personnel to explain how they should protect a
   potential crime scene?

6.  Do you work with the utilities in your jurisdiction to provide appropriate assistance for
   changing National and local threat levels?

-------
Summary
The following law enforcement actions are suggested throughout Part 1: Drinking Water
Security.

Note: Utilities consider their Vulnerability Assessment a "sensitive" document.

During heightened alerts, law enforcement might be asked to increase patrols of these
areas.

Law enforcement can provide some assistance working with water systems in
surveillance and in response to alarms at tanks. Working with water systems to reduce
incidents or false alarms will help maintain everyone's vigilance in securing these important
drinking water assets.

Law enforcement should learn the areas of a treatment facility that may store hazardous
materials.

Law enforcement may want to check whether their town has a hydrant-use policy that
they can help enforce. Always check and see whether or not somebody hooked up to a
hydrant should really be there. Remember: Tampering with a fire hydrant is tampering with
a public water system - a federal offense.

Law enforcement should get to know personnel at their water treatment facility and
become familiar with the operation:

   > Meet your water supply personnel face-to-face.
   > Know the key contacts and their telephone numbers.
   > Know their official vehicles and any identifying logos or insignias.
   > Know what type of identification card they have, if any.

Law enforcement should be aware of a water system's "single points of failure" and
pay special attention to them, especially in times of heightened threat levels.

-------
Law enforcement may be able to assist a water utility in identifying local and regional
threats and in determining what assets are vulnerable. Law enforcement also may be able
to assist the utility in becoming a less attractive target.

Law enforcement's role in assisting water utilities might focus on:

   > Surveillance.
   > Patrols.
   > Communications/24 hr. contacts.
   > Physical security.
   > Site control.
   > Public notification.
   > Investigations.
   > Threat warnings.
   > Liaison with state and federal law enforcement and intelligence resources.

Law enforcement may be asked to increase patrols in the vicinity of reservoirs.
Protecting so many assets is challenging and may at times cross lines of jurisdictions and
require area-wide cooperation.

Law enforcement should be familiar with general chemical delivery procedures and
schedules. For example:

   > Does the water system in your jurisdiction accept deliveries 24 hours a day or only
      during business hours?
   > Are there multiple delivery points or one central location?
   > Do they receive large bulk deliveries from large tanker trucks or do they use smaller
      trucks with pallet deliveries?
   > Where do tanker trucks wait if they cannot make delivery upon arrival?

Law enforcement should be familiar with the chemicals used at their local water utility
and have personal protective equipment as needed. If a release is determined at the facility,
work with a local HAZMAT team to determine the nature and volume of the release.

-------
Law enforcement can provide assistance in working with the water suppliers in
surveillance and in responding to alarms at tanks. Working with the water suppliers to limit
incidents and reduce false alarms would help maintain everyone's vigilance in securing
these important assets. Additionally, means of facility access for law enforcement should be
discussed. Should an alarm sound, local law enforcement are encouraged to coordinate
with their local EPA CID office or their local FBI office.

Law enforcement might be called upon to help notify customers about water-related
issues in the event of a total electrical failure. There is always a need to have reliable
communications outside the utility with fire officials, emergency response teams, city
command centers, and others.

Law enforcement should know emergency response procedures established by the
water supplier and communities.

Law enforcement and water utilities need to work together to preserve crime scenes
while at the same time allowing water personnel access to facilities as necessary. The
expertise of law enforcement agencies (local and state) might be particularly helpful in
evaluating the credibility of a contamination threat. They may have knowledge of recent
criminal activity in the area that might help establish credibility or support advanced stages
of the investigation. The Water Utility Emergency Response Manager (WUERM) should be
available to provide expertise on the drinking water system to law enforcement during the
threat evaluation.

Law enforcement can assist a water utility in improving physical security around its
plant.

Law enforcement should have a copy of the utility's emergency response plan and
should practice with the utility. How can you practice with a water utility? EPA has
developed a Tabletop Exercise CD with several different scenarios involving a water utility.
This is a great training tool to bring together all the essential response personnel involved in
a water incident, allowing them to practice their roles and to revise any parts of their plan as
necessary (http://cfpub.epa.gov/safewater/watersecurity/tools.cfm#cd). Law enforcement
should also coordinate with their local EPA CID office.

-------
Law enforcement can help by working with the water supplier on any threat or incident
that may occur. What you think is inconsequential may have an impact on the water
system, its operation, and public health.

Local law enforcement may be asked to participate in public notification strategies.

Law enforcement should meet water supply personnel face-to-face and should know
officials' vehicles and identification badges or card type.

Water suppliers and law enforcement should share critical contact lists.

Law enforcement can share information with police dispatchers on drinking water
sources and critical facilities as well as the water utility's critical contact list.

Before an incident, law enforcement should work with the water utility on how to protect
the crime scene.

Law enforcement can work with the water utility and Neighborhood Watch groups to
build awareness around suspicious activities near critical water sources and structures.

Law enforcement should also have the critical contact lists available for all water utility
personnel.

-------
Module 1—Background
           law             be
Like safe drinking water, properly treated wastewater is critical to public health. While the
public is much less sensitive to wastewater than it is to drinking water, wastewater
treatment systems are important to everyday life.

Wastewater systems provide essential services to residential, commercial, and industrial
customers by collecting and treating wastewater and discharging it into receiving waters. We
don't realize that the quality of the water in our nation's lakes, rivers, and streams
depends on properly treated wastewater. We also take for granted the proper functioning of
the collection system. For example, what would happen if we weren't able to flush our
toilets due to a disturbance in the sewer line?

[Figure caption: Wastewater treatment systems may be subject to a growing number of threats.]

-------
In today's uncertain times, there are a growing number of threats that could undermine a
wastewater system. The focus of this training workbook is to increase the awareness of
local law enforcement personnel to some of those threats and other security issues
surrounding wastewater treatment facilities and the collection system.

Wastewater treatment is the "last line of defense" against water pollution. Our community's
wastewater treatment plant is a vital part of the nation's effort to protect water resources.

Actual disruptions of collection systems and wastewater treatments occur infrequently, and
typically not at levels posing near-term health concerns. Nonetheless, with the threats of
such events increasing, greater vigilance by law enforcement, wastewater facilities, and
government is vital to ensure that such events do not occur in the wastewater systems of
this country.

      do you      to
To assist wastewater utilities with the job of protecting our wastewater systems, law
enforcement should understand the potential threats to a wastewater system. You also
need to understand how a wastewater system operates, how each component functions,
where they are located, and what they look like.

Understanding your local wastewater system operations, critical resources, and
vulnerabilities, and knowing the utilities' contacts will help law enforcement better respond
to potential threats and incidents.

Sabotaging a publicly owned treatment works by introducing a hazardous substance is
covered by a number of federal Clean Water Act (CWA) criminal provisions.

In general, a knowing violation of a regulatory requirement of the CWA by a person who
knows at the time that another person was thereby placed in imminent danger of death or
serious bodily injury is a federal environmental crime for which up to a 15-year prison term
is authorized. (33 U.S.C. § 1319 (c) (3)).

More specifically, the knowing introduction of any pollutant or hazardous substance into a
sewer system or publicly owned treatment works which a person knew or reasonably
should have known could cause personal injury or property damage is a federal
environmental crime for which up to a 3-year prison term is authorized. (33 U.S.C. § 1319

And, the knowing tampering with or rendering inaccurate any monitoring device or method
used pursuant to the CWA is a federal environmental crime for which up to a 2-year prison
term is authorized. (33 U.S.C. § 1319 (c) (4)). (For more information:
http://www.epa.gov/r5water/cwa.htm).

Whist has            iiiittofistily1?
Although the Public Health Security and Bioterrorism Preparedness and Response Act of
2002 (Bioterrorism Act) was directed specifically at public drinking water facilities, EPA
strongly encourages wastewater facilities to look at their facilities in the same way. Below is
a brief description of the requirements of the Act.

[Figure caption: Law enforcement should be familiar with how components of a wastewater treatment system work.]

-------
                  and                      and         Act of
Title IV of the Public Health Security and Bioterrorism Preparedness and Response Act of
2002 (Bioterrorism Act) requires drinking water utilities serving more than 3,300 people to:

   • Develop vulnerability assessments (VAs).
   • Develop emergency response plans (ERPs).
   • Enhance security inside and outside facilities.
   • Coordinate with existing Local Emergency Planning Committees (LEPCs).

The Bioterrorism Act also:

   • Expands EPA emergency powers to include "a threatened or potential terrorist
      attack...."
   • Increases penalties for persons who tamper or threaten to tamper with public water
      systems.

EPA has developed a number of guidance materials relating to wastewater security. See
the Resources section of this workbook and visit
http://www.epa.gov/safewater/watersecurity.

-------
Module 2—Wastewater Treatment Systems

After completing this module, participants will be able to:

   • Identify the wastewater treatment facilities in their community.
   • List and describe critical components of a wastewater system.
   • Identify other wastewater systems' assets in their jurisdiction.

     Is a
Wastewater is any source of water that enters the sewer system. It includes substances
such as human waste, food scraps, oils, soaps, and chemicals. Wastewater is derived from
residential, commercial, and industrial activities. Commercial and industrial activities (such
as acid cleaning from plating shops) also produce wastewater that must be treated prior to
release to the environment. Industrial activities are more prone to discharge toxic
pollutants. In addition to home and business production, wastewater can also be generated
by storm runoff (referred to as inflow) and interception of ground water (infiltration).
Because of potentially harmful substances that wash off roads, parking lots, and rooftops,
this water also must be treated.

[Figure caption: Wastewater treatment removes organic matter and other pollutants to improve the quality of wastewater so it can be discharged to a stream, river, lake, or coastal waters.]

-------
Wastewater is treated in a wastewater treatment facility prior to being discharged to a
receiving water (i.e., river, lake, stream, or ocean). In 2002, the nation's wastewater
infrastructure consisted of approximately 16,000 publicly owned wastewater treatment
plants; 100,000 major pumping stations; 600,000 miles of sanitary sewers; and 200,000
miles of storm sewers. The per capita volume of wastewater produced by a community
ranges from about 50 to 250 gallons per day, depending on sewer uses.

                            of a
All wastewater treatment systems consist of two basic components: a collection system
(which includes sanitary sewer, pump station, and collection basin) and a treatment
facility.

[Figure caption: The collection system conveys wastewater to the treatment plant.]

Sewers are underground, watertight conduits that convey wastewater from its source of
generation to a treatment facility. Flow through the system can be driven by gravity or it
can be pumped. A main sewer line carries the liquid from large areas to the treatment
plant. Manholes are located at regular intervals (about every 300 feet) to allow access to
the pipes for inspection and cleaning. Every manhole is a point of entry into the
collection system. The sewer/stormwater collection lines may be running along or directly
under critical/sensitive buildings and structures. Lift stations are included in the
collection system when gravity flow is not possible. A pumping station can be installed to
lift the wastewater to an intercepting sewer at a higher level, or it can discharge to a
force main that conveys the wastewater to the treatment plant. Unlike drinking water
distribution systems, a wastewater collection system does not act under pressure.
Therefore, access to the system through manholes and catch basins is not only a
possibility, it is a serious concern. In the event of a hazardous material entering the
system, the potential for a disaster (e.g., an explosion) and disruption to basic services
is immense.

[Figure caption: Manholes provide access to sewer mains.]
           a
Wastewater treatment combines chemical and biological processes that are designed to
remove organic matter and other pollutants from solution. The processes are usually
arranged in a "treatment train" to improve the quality of the wastewater to a degree to which
it can be discharged to the environment.

A wastewater treatment plant is typically composed of primary and secondary treatment
processes, as described below.

Primary treatment removes 40-50 percent of the solids.

   • Sanitary sewers. Carry wastewater from homes and businesses to the treatment
      plant.

   • Bar screens. Let water pass, but not trash (such as rags or sticks). The trash is
      collected and properly disposed of, usually in a landfill.

   • Grit chamber. A large tank that slows down the flow of water. This allows sand, grit,
      and other heavy solids to settle at the bottom. Later, they are removed and disposed
      of, usually in a landfill.

   • Primary sedimentation tank. Lets smaller particles settle. Scrapers or other devices
      collect the solid matter that remains (called "primary sludge") plus scum or grease
      floating on top of the tank.

Secondary treatment completes the process, so that 85-90 percent of the pollutants are
removed.

   • Aeration tank. Supplies large amounts of air to a mixture of wastewater, bacteria,
      and other microorganisms. Oxygen in the air speeds the growth of helpful
      microorganisms, which consume harmful organic matter in the wastewater.

   • Secondary sedimentation tank. Allows the microorganisms and solid wastes to form
      clumps and settle. Some of this mixture, called "activated sludge," can be mixed with
      air again and reused in the aeration tank.

   • Disinfectant. Chlorine or another disinfectant is usually added to the wastewater
      before it leaves the treatment plant. The disinfectant kills disease-causing
      organisms in the water.

-------
The treated water is usually discharged to a nearby waterway such as a stream, lake, river,
or coastal water source. It can also be used on land for agriculture and other purposes and
may undergo further tertiary treatment depending on the use.

Electricity is used to operate pumps in the collection system and process the wastewater
within the treatment facility. This is important when considering how an impact to one
sector, such as energy, can adversely impact the water sector, including wastewater
collection and treatment.

In recent years, wastewater treatment systems have increased their reliance on supervisory
control and data acquisition (SCADA) systems and distributed control systems (DCSs) for
remote command and control of system components. Use of SCADA/DCS technologies
allows tighter control of the treatment process, improved system efficiency, and decreased
costs.

The operation and maintenance of any wastewater system ultimately depends on
management and its commitment to maintaining a structurally sound and safe system. The
proper administration and operation of a wastewater system depend on two important
assets: employees and computer systems.

The employees of a wastewater facility are generally its most valuable asset. They have
knowledge of the system, and may also have experience in dealing with previous
contamination threats or incidents. The importance of knowledgeable and experienced
personnel is highlighted by the complexity of most wastewater treatment systems.

Do you know the people who operate your wastewater system? This is a key point that
cannot be emphasized enough.

[Figure caption: Among a wastewater treatment system's most valuable assets are its employees.]

-------
Law enforcement should get to know personnel at their wastewater treatment facility and
become familiar with the operation:

   • Meet your wastewater personnel face-to-face.

   • Know the key contacts and their telephone numbers.

   • Know their official vehicles and any identifying logos or insignias.

   • Know what type of identification card they have, if any.

[Figure caption: Law enforcement should be able to recognize treatment system vehicles.]

The day-to-day experience of wastewater system personnel is an invaluable tool for
countering any attacks.

(SCADA)
A SCADA system is typically defined as a computer-based monitoring and control system
that centrally collects, displays, and stores information from remotely located data collection
transducers and sensors in order to  support the supervised remote control of equipment,
devices, and automated functions.

Every component of the wastewater system pumping and treatment operation depends on
energy and is highly automated. Although these operations are backed up by manual
controls, damage could be done if power were disrupted or if the automated systems were
temporarily lost due to cyber attack.

[Figure caption: Wastewater utilities operate interdependently with other utilities.]

Wastewater systems are connected to other infrastructures through dependencies and
interdependencies. They may depend upon:

   • Electric power for pumps, treatment, operations, repairs, security systems,
      computers, common rights-of-way.

   • Diesel or propane fuel for backup power generation, transportation and utility
      vehicles.

   • Natural gas for heating and cooling systems and for back-up power generation.

   • Telecommunications for voice and data communications and automated meter
      reading systems, general operations, remote monitoring, communications with
      emergency responders, common rights-of-way.

   • Transportation for delivery of chemicals and materials, for operations, maintenance,
      and repair, for transport of emergency responders and equipment, and for common
      rights-of-way.

   • Chemicals such as chlorine and other treatment chemicals.

   • Banking and finance, which are important for company operations.

   • Postal and shipping, which are important to company operations.

It is important to consider how an incident in one sector can adversely affect the wastewater
utility.

-------
1.  Where are the wastewater treatment systems in your jurisdiction?

2.  Have you visited your wastewater treatment facilities, met personnel, and done
    walk-throughs?

3.  Where does the treated wastewater go after it leaves the facilities?

4.  Where are key manholes or access points in the collection systems?

5.  Does the wastewater system have chlorine gas on site?

6.  What are the chemicals at the treatment facility?

7.  Are you aware of the chemical delivery procedures?

8.  Where are the pump stations?

9.  Does the wastewater utility have an emergency power source?

10. Do you have copies of the wastewater facility's emergency response plans?

-------

-------
Module 3—Threats

      Ing
After completing this module, participants will be able to:

   • Understand different threats to wastewater systems.
   • Be familiar with potential types of contamination.

Contamination threats. Threats may come from chemicals stored or used on site for
treatment, or they may come from flammable and explosive substances introduced into the
collection system. Threats against chemicals stored and used on site for treatment are
intended to create acute releases and expose large populations. Top targets at wastewater
treatment plants are likely to be chlorine and sulfur dioxide.

Damage or destruction to the physical infrastructure. Physical threats can range from
general vandalism to the use of explosives. Targeting specific facilities within a
wastewater system, a perpetrator may wish to vandalize, break in, destroy, or disrupt that
facility's equipment and operations. There are many ways to disrupt the different
functions of a wastewater treatment facility. They include threats to destroy or disable
collection or treatment processes. Tactics may include destruction with hand tools,
explosive devices, or weapons fired from a distance. A trained and determined adversary can
be expected to launch an attack against the asset most likely to maximize damage or mission
failure, often referred to as a "single point of failure." Included in this category are
main lift pumps, large-diameter conveyances, unique pieces of equipment, electrical
switchgear, and process controls.

[Figure caption: Equipment located outside a treatment plant may be vulnerable.]

Disruption to computer systems. Wastewater systems increasingly depend on electronic
controls for operation. Cyber threats are intended to disrupt or disable operations or result
in data or identity theft. In addition, a cyber threat applied to a customer information
management system could be a very damaging event requiring a great deal of time and
effort to rectify.

Disruption to other utilities (e.g., electricity, transportation). The tie between the
power and the water sectors is one of the key infrastructure interdependencies. The effects
of the power failure of August 14, 2003, on drinking water and wastewater facilities varied
from a momentary loss of power to days without power and water services. The lesson learned
by these facilities was the need to review their vulnerability assessments and emergency
response plans in order to address power outages in their plans. They also recognized the
need to review and update their plans on how to notify or recall needed employees in
emergencies.

[Figure caption: Computer systems may be subject to direct attack or to disruptions in electrical service to a wastewater treatment plant.]
                              of ai
The consequences of one of the above threats on a wastewater system are varied. We
shall offer some general thoughts on the subject here, but to find out the specific
consequences that would affect the wastewater system in your jurisdiction, you need to
meet with your wastewater system personnel.

One factor that affects the severity of the consequences of an attack is the amount of
redundancy built into a wastewater system. If the wastewater system's main lift pump is the
only pump it has for the conveyance of wastewater to the treatment plant, that pump is
"a single point of failure," and losing it is a much larger problem.


-------
Part 2: Wastewater Security, Module 3 — Threats
Law enforcement should work closely with their wastewater system to learn what the
system's "single points of failure" are and pay special attention to them, especially in
times of heightened threat levels.

Wastewater systems must identify their critical assets and consider questions such as:

   • What is the easiest target?
   • What will affect the system or its customers the most?
   • What are the terrorists' goals?
   • What are the terrorists' constraints?

Asking and answering the right questions will help wastewater system personnel determine
the nature of an attack. Remember that many things must go as planned to result in
casualties. History says this isn't that easy; however, it is relatively easy to disrupt service
or destroy public confidence.

Law enforcement may be able to assist a wastewater utility in determining what assets
are vulnerable, and law enforcement may be able to assist the utility in becoming a less
attractive target.

Law enforcement can provide some assistance in working with wastewater personnel in
surveillance and in responding to alarms. Working with wastewater personnel to reduce
incidents or false alarms will help maintain everyone's vigilance in securing these important
assets.

Law enforcement's role in assisting wastewater utilities might focus on:

   • Surveillance.
   • Patrols.
   • Communications/24hr. contacts.
   • Physical security.
   • Site control.
   • Public Notification.
   • Investigations.
   • Threat warnings.
   • Liaison with state and federal law enforcement and intelligence resources.

-------

It is vitally important that law enforcement take very seriously any threat to a wastewater
system and notify wastewater contacts. If notified, wastewater treatment personnel can
then take action to minimize risk to the public.

1.  What are the potential threats to wastewater?

2.  Can you name a few contaminants that might be used in an attack against a
    wastewater utility?

3.  Can you think of a few places in your jurisdiction that might make an attractive place to
    add contaminants to the wastewater system?

4.  What can law enforcement do to assist a wastewater utility in becoming a less attractive
    target?


-------

Module 4—Vulnerabilities
                      se
After completing this module, participants will be able to:

   • Understand vulnerable areas of wastewater systems.
   • Understand some of the chemical concerns at wastewater systems.
   • Understand ways of working with wastewater system personnel to protect their
      wastewater systems.

Wastewater treatment personnel are encouraged to look at their system, identify the
threats to each component, and estimate the potential effects of those threats on their
system and its operations. The following is a brief description of some of the
vulnerabilities of wastewater systems. This is not intended to be a complete overview. Law
enforcement should talk with wastewater personnel to understand their system's specific
vulnerabilities and how they plan on protecting them.


            ef a.
Physical damage to or the destruction of key components of the wastewater treatment
system is considered to be the most likely threat against a wastewater treatment
system. Because of the large size of most wastewater collection systems, security is an
issue. Access to trunk lines is readily available through regularly spaced manholes that are
mostly unprotected. Similarly, lift stations and pumps are readily accessible to the terrorist.
Physical damage to a treatment plant could potentially disrupt operations for several days
to months, depending on the type and amount of damage done. For example, a flammable
substance could be placed into the collection system to use the collection system as a pipe
bomb to damage or destroy targets in and around the system, recognizing that the sewer
system may provide access to targets (such as government buildings, military installations,
stadiums, or convention centers where publicized events are occurring).

[Figure caption: Physical damage to equipment and infrastructure is the biggest threat to a wastewater system.]

Shortly after 5:15 a.m. on Friday, February 13, 1981, two women going to work drove under
a railroad overpass. There was a gigantic blast, and their car was hurled into the air and
landed on its side. More than 2 miles of 12-foot diameter sewer line had been destroyed.
No one was seriously hurt. Thousands of gallons of hexane had spilled into the sewer lines.
A spark from the women's car apparently ignited the hexane.

The two miles of sewer was turned into an open trench and remained that way until the end
of the summer. It took 20 months to repair the sewer lines and several more months to
complete work on the street.

In 1992 there were at least 9 separate explosions in the sanitary sewage system. The
cause of the explosions was gasoline leaking from the state-run pipeline into a sanitary
sewer collection line. The explosions killed at least 215 people and caused 15 blasts that
created a 20-foot-deep trench along sewer mains in a 20-block area.

Most wastewater systems are located close to major economic activity, including high-risk
government facilities. Chlorine storage and its distribution system, located outside, can
make them a visible and vulnerable target. Chemical deliveries can create access issues
and potential for "contamination" of wastewater treatment and the surrounding
neighborhood if not properly delivered.

An ammonia leak at an East Baton Rouge, Louisiana, wastewater treatment facility was
determined to be caused by criminals who sought to steal the plant's process ammonia,
which is also a key ingredient in the manufacture of illegal drugs such as
methamphetamine.

A corrosive gas that formed in the sewage treatment plant when a chemical was delivered
through the wrong pipe forced the evacuation of homes and businesses more than a third
of a mile away. No injuries were reported. The plant remained in operation, its
effectiveness reduced. It was about 2 1/2 hours after a crew from the bulk transport company
erroneously pumped what is believed to be 100 gallons of ferric chloride from a
stainless-steel 20-foot truck through the wrong fill pipe into a tank containing 4,200
gallons of sodium hypochlorite. Separately, the chemicals are benign but make a toxic acid
when mixed. The resulting chemical reaction produced a rumbling at the bottom of the plant
from the creation of the invisible hydrogen chloride gas. The gas began expanding in the
plastic sodium hypochlorite tank. It forced its way through vents in the holding tank and
the plant's doors and windows into the air, and began drifting up the street. The plant
could not be shut down since there was no way to stop the flow of sewage, estimated at
close to 4 million gallons a day. The evacuation zone was set at one-third of a mile.
Detectives began conducting interviews even as firefighters were blocked by high chlorine
levels from entering the basement holding room where the chemicals continued to stew. The
area would not be safe until the following morning.

Increased reliance on Supervisory Control and Data Acquisition (SCADA) technologies
makes the wastewater treatment process more susceptible to cyber attack. Although most
industry officials believe that firewalls provide adequate protection, a relatively proficient
hacker with some basic knowledge about the wastewater treatment system could exploit
this vulnerability.

On April 23, 2000, police stopped a car on the road to Deception Bay and found a stolen
computer and radio transmitter inside. Using commercially available technology, someone
had turned his vehicle into a pirate command center for sewage treatment along Australia's
Sunshine Coast. The perpetrator's arrest solved a mystery that had troubled the Maroochy
Shire Wastewater System for 2 months. Somehow the system was leaking hundreds of
thousands of gallons of putrid sludge into parks, rivers, and the manicured grounds of a
Hyatt Regency hotel. Janelle Bryant of the Australian Environmental Protection Agency
said, "Marine life died, the creek turned black, and the stench was unbearable for
residents." Until the suspect's capture, during his 46th successful intrusion, the utility's
managers did not know how the attacks were accomplished. To sabotage the system, the
suspect set the software on his laptop to identify itself as "pumping station 4," then
suppressed all alarms. He was the "central control system" during his intrusions with
unlimited command of 300 SCADA nodes governing sewage and drinking water alike. "He
could have done anything he liked to the fresh water," said Paul Chisholm, chief executive
of Hunter Watertech.


In this case, the threat is the use of one infrastructure to damage other forms of
infrastructure. While there are few examples of such a threat, the blackout in the Northeast
and Midwest United States in August 2003 demonstrated the interdependences among
multiple infrastructures and that such a threat is possible.


A lack of emergency back-up power at several regional wastewater treatment plants during
the Northeast blackout of 2003 caused the release of millions of gallons of raw sewage.
Several sewage plants lost back-up power on August 14, 2003, including one unable to
start its stand-by generators when New York's Con Edison went dark. More than 423 million
gallons of waste from 9 treatment plants or pumping stations in New York and New Jersey
was dumped into the Hudson River, New York Harbor, and other area waterways before
power was restored.

All of these threats may come about through:

   • A natural disaster.
   • Vandalism.
   • Employee sabotage.
   • Terrorist sabotage.
   • Computer hacking.
   • Illicit dumping of chemicals into the sewer.

Law enforcement's role in assisting wastewater systems might focus on:

   • Communications/contacts.
   • Surveillance.
   • Patrols.
   • Site control.
   • Investigations.
   • Liaison with state and federal law enforcement and intelligence resources.

1.  Have you done a walk through of the wastewater utilities in your jurisdiction with
    wastewater system personnel?

2.  Are you familiar with the type of vulnerabilities particular to these systems?

3.  Do you know the wastewater plant's critical contacts? Do they know yours?

4.  Are there abandoned facilities in your community that someone could use to tap into the
    wastewater system?

5.  Are you aware of treatment plant personnel or "unofficial" personnel entering
    manholes?


-------

-------
                      5
After completing this module, participants will be able to:

   • Understand the types of threat warnings.
   • Understand procedures for evaluating threat credibility.
   • Understand the Incident Command System.

One goal of terrorism can be simply to instill fear in a population, not necessarily to cause
damage or casualties. This fear can be caused by the mere threat of contamination if the
threat is not properly managed. For this reason, both threatened and actual contamination
incidents are a concern faced by the public at large and, in particular, wastewater system
professionals. In the past, wastewater systems have focused on protecting against
vandalism, theft, and natural disasters. Now, they must consider terrorist threats.

A threat is an indication that something may have been done to the wastewater system,
and may or may not prove to be true.

An incident is a confirmed contamination event or disruption of a wastewater system and
requires a response.

[Photo: Managing an incident may require familiar tools.]

Contamination threats and incidents may be of particular concern due to the range of
potential consequences:

   • Adverse impacts on public health or the environment if untreated wastewater is
      discharged to a receiving water.

-------
   • The disruption of system operations and the interruption of wastewater treatment.
   • Physical damage to system infrastructure.
   • Long-term denial of wastewater services and the cost of remediation and
      replacement.

The threat-management process involves two parallel and interrelated activities:

   • Evaluating the threat.
   • Making decisions regarding appropriate actions to take in response to the threat.

Historical evidence suggests that the probability of intentional disruption of the wastewater
treatment process is low; however, experts agree that it is possible to disrupt wastewater
treatment or use the infrastructure as a conduit for other activities that could result in
adverse public health and environmental consequences. The probability of a disruption
threat does exist.

The first critical step in evaluating a threat is the recognition of a threat warning. The utility
likely will be in the best position to observe a threat warning and evaluate whether or not
the activity is possible (i.e., first decision point in the "Threat Evaluation" process).

Types of threat warnings include:

   • Security breaches.
   • Witness account.
   • Direct notification by perpetrator.
   • Public health or environmental notification.
   • Notification by law enforcement.
   • Notification by news media.
   • Unusual water quality parameters.
   • Consumer complaint.

The following is a brief description of several types of threat warnings. To learn more, see
Module 1 of the EPA "Response Protocol Toolbox."

   • Security breaches. A security breach is an unauthorized intrusion into a secured
      facility that may be discovered through direct observation, an alarm trigger, or signs
      of intrusion. Security breaches are probably the most common threat warnings, but
      in most cases are related to day-to-day operation and maintenance in the
      wastewater system. Other security breaches may be due to criminal activity such as
      trespassing, vandalism, or theft.

-------
   • Witness account. A threat warning may come from an individual who directly
      witnesses suspicious activity, such as trespassing, breaking and entering, or some
      other form of tampering. The witness could be either a utility employee or a
      bystander. As a result, the witness report may come directly to the utility, or it may
      be directed to a 911 operator or law enforcement agency. If the witness reports the
      incident to a law enforcement agency, a written or verbal report from the police may
      provide some insight into the event. It is important for the utility to have a
      relationship with local law enforcement agents, since individuals observing
      suspicious behavior near wastewater facilities will likely call 911 or law enforcement
      rather than the wastewater utility.

[Photo: Eyewitnesses may report potential threats.]

   • Direct notification by perpetrator. A threat may be made to the wastewater utility,
      either verbally or in writing. Verbal threats made over the phone are historically the
      most common type of direct threats from perpetrators; however, written threats have
      also been delivered to utilities. A direct notification should be evaluated with respect
      to both the nature of the threat and the specificity of information provided in the
      threat. In the case of a phone threat, the caller should be questioned about the
      specifics of the threat: time and location of the incident, name and amount of the
      contaminant, reason for the attack, the name and location of the caller, etc.

   • Notification by public health agency. This warning may be a notification from a public
      health agency or health care providers regarding increased incidence of disease, or a
      notification from an environmental agency about fish kills or other environmental
      impacts.

   • Notification by law enforcement. A utility may receive notification about a
      contamination threat directly from law enforcement, including local, county, state, or
      federal agencies. As discussed previously, such a threat could be a result of
      suspicious activity reported to law enforcement either by a perpetrator, a witness, or
      the news media. Other information, gathered through intelligence or informants,
      could also lead law enforcement to conclude that there may be a threat to the
      wastewater system. While law enforcement will have the lead in the criminal
      investigation, the utility has primary responsibility for the safety of the wastewater
      facility and environmental and public health. Thus the utility's role will likely be to
      help law enforcement to appreciate the public health and environmental implications
      of a particular threat as well as the technical feasibility of carrying out a particular
      threat.

-------
   • Notification by news media. A threat to contaminate the wastewater treatment
      process might be delivered to the news media, or the media may discover a threat.
      A conscientious reporter would immediately report such a threat to the police, and
      either the reporter or the police would immediately contact the wastewater utility.
      This level of professionalism would provide an opportunity for the utility to work with
      the media and law enforcement to assess the credibility of the threat before any
      broader notification is made.

The goals of threat response and management for a wastewater utility are to evaluate the
threat, take necessary steps to protect public health and the environment while the threat is
being evaluated, confirm the threat, remediate the wastewater system, if necessary, and
return the system to safe normal operation as soon as possible.

The threat-management process is considered in three successive stages: "possible,"
"credible," and "confirmed." It is important to stress that the response to an incident will
be based on incomplete information. Not everything about the incident can be known in the
timeframe in which response decisions must be made.

Continued emergency response training allows wastewater suppliers, state officials, and law
enforcement to gain an understanding of how to best make decisions without complete
information.

[Photo: Evaluating a threat begins with the wastewater system.]

-------
A threat is deemed "possible" if the circumstances indicate the opportunity for
contamination.

Example of a possible threat:

   • A phone call to the utility telling the utility that the system has been harmed.

The evaluation to determine if a threat is "possible" should be conducted quickly, with a
1-hour goal to determine if additional actions are needed.

Once a threat is considered possible, additional information will be necessary to determine
if the threat is "credible." The threshold at the "credible" stage is higher than that at the
possible stage, and in general there must be information to corroborate the threat in order
for it to be considered "credible." Often this information is circumstantial but, if enough
indicators suggest something has taken place, then additional response decisions need to
be made. Steps should be initiated to confirm the incident.

The actions to decide if a threat is "credible" should proceed quickly, with a goal of making
this determination within 2 to 8 hours.

Preliminary site characterization information will help determine if a threat is credible. In
addition, wastewater suppliers and state wastewater officials should be in contact with
other supporting agencies, including law enforcement, to gather information to guide the
assessment.

The expertise of law enforcement agencies (local, state, and federal) will be critical in
evaluating the credibility of a threat. They may have knowledge of recent criminal activity in
the area that might help establish credibility or support advanced stages of the
investigation.

A contamination incident is "confirmed" once conclusive evidence is obtained.
Confirmation implies that definitive evidence and information have been collected to
establish the validity of the threat and classify it as an "incident." Laboratory analyses or
other sources of evidence such as eyewitness reports, physical evidence from a location in
the wastewater system, or reports by the perpetrators themselves may be adequate to
confirm an incident.

-------
While many entities are involved in a threat evaluation, the Incident Command System
(ICS) is the accepted model for managing emergencies. It allows its users to adopt an
organizational structure to fit any situation regardless of jurisdictional boundaries. The ICS
is extremely flexible and can grow or shrink to meet the changing needs of an incident. The
organization that assumes responsibility for incident command will vary with the nature and
severity of the incident. During the course of managing a contamination threat, the
individual designated as incident commander may change as different organizations
assume responsibility for managing the situation.

The various organizations that may assume incident command responsibility during an
intentional contamination situation include:

   • Wastewater Utility will likely be responsible for incident command during the initial
      stages of a situation. The utility will retain this responsibility by default, unless or until
      another organization (with proper authority) assumes command.

   • Wastewater Primacy Agency may assume incident command when the utility lacks
      the resources to manage the threat.

   • Public Health Agency (state or local) may assume incident command if the
      situation is a public health crisis (without links to terrorism).

   • Local Law Enforcement may assume incident command when criminal activity
      (excluding federal crimes such as terrorism) is suspected. Law enforcement will
      have the lead in the criminal investigation and will determine whether or not a crime
      has been committed.

   • EPA CID may assume incident command when the federal crime of tampering with
      a public water supply is suspected. EPA CID will have the lead in the criminal
      investigation and will determine whether or not an environmental crime has been
      committed.

-------
   • FBI will assume incident command when a crime is suspected to have a nexus to
      terrorism.

If an organization other than the utility assumes incident command, the utility will play a
supporting role during the threat-management process. Regardless of which organization is
in charge of managing the overall situation, the wastewater utility will maintain responsibility
for the wastewater system.

The National Response Plan (NRP) establishes a comprehensive all-hazards approach to
managing domestic incidents. The NRP includes the best practices and procedures from
several incident management disciplines (e.g., homeland security, emergency
management, law enforcement, firefighting, public works, public health, responder and
recovery worker health and safety, emergency medical services, and the private sector)
and combines them into one. The NRP outlines how federal departments and agencies will
work together and how the federal government will coordinate with state, local, and tribal
governments and the private sector during incidents. For additional information on the
National Response Plan (NRP), go to
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0566.xml.

For more information on the threat management process, please see Module 2 of the
Response Protocol Toolbox, which can be obtained at EPA's Water Security Web site
(http://www.epa.gov/watersecurity).

Law enforcement will have the lead in the criminal investigation and will determine
whether or not a crime has been committed.

Law enforcement and wastewater utilities need to work together to preserve crime
scenes, while at the same time allowing wastewater personnel access to facilities as
necessary.

Local law enforcement may assume responsibility for incident command in situations in
which criminal activity is suspected.

-------

1.  What is the difference between a threat and an incident?

2.  What are some of the threat warnings you might encounter from a wastewater facility?

3.  Do you have a diagram of the building facilities and a map of the pump stations within
   the collection system of the wastewater system?

4.  Would you be able to access the wastewater treatment plant to respond if there were an
   incident?

5.  Do you have access codes or keys to any locks?

6.  Do you know the wastewater treatment plant's emergency response plan and have you
   practiced with plant personnel?

-------
Module 6—Response

After completing this module, participants will be able to:

   • Recognize the framework for evaluating a wastewater threat.
   • Describe some of the actions that might be implemented in response to a
      contamination threat.

Each wastewater system is unique with respect to age, operation, and complexity.
Wastewater systems are particularly unique in that many are complex and often an
undocumented mix of new and old components.

[Photo: Each wastewater system's physical plant and infrastructure are unique.]

There are many ways to gain a better understanding of a particular wastewater system, one
of which is through its vulnerability assessment, if one has been conducted.

Meet with your wastewater personnel and ask them to share what areas they identified as
key locations that are vulnerable to threats. Law enforcement can assist a wastewater plant
in improving its physical security.

The employees of your wastewater facility are generally its most valuable asset in preparing
for and responding to wastewater threats and incidents. They have knowledge of the system
and may also have experience in dealing with previous threats.

[Photo: Law enforcement should get to know the employees of their local system.]

-------

Wastewater systems should revise their emergency response plans to reflect the findings
of any vulnerability assessment performed in order to address terrorist threats.

Law enforcement should have a copy of the utility's emergency response plan and
should practice with utility personnel. How can you practice with a wastewater facility? EPA
has developed a Tabletop Exercise CD with several different scenarios involving a
wastewater utility. This is a great training tool to bring together all the essential response
personnel involved in a water incident, allowing them to practice their roles and to revise
any parts of their plan as necessary
(http://cfpub.epa.gov/safewater/watersecurity/tools.cfm#cd).

Law enforcement should coordinate with their local EPA CID office.

A sewer use ordinance sets forth uniform requirements for users of the Publicly Owned
Treatment Works. It is essential to have knowledge of local laws regarding manhole
tampering, unlawful entry, etc.

Once a threat has been deemed "possible," relatively low-level response actions are
appropriate. Two response actions that might be considered at this stage are:

   • Site characterization.
   • Immediate operational response.

Site characterization is one of the critical activities intended to gather critical information to
support the "credible" stage. Site characterization is defined as the process of collecting
information from an investigation site in order to support the evaluation of a wastewater
threat. This process will normally take place within 2-8 hours of the initial event. Site
characterization activities include the site evaluation, field safety screening, rapid field
testing of the water, and sample collection. The investigation site is the focus of site
characterization activities, and if a suspected contamination site has been identified, it will
likely be designated as the primary investigation site. The results of site characterization are
of critical importance to the threat evaluation process. Law enforcement serves an integral
role in the site characterization process. Certain elements of the site characterization
process are to be considered law enforcement investigative functions. These include the
supervision of the preservation of the crime scene and the evaluation of information and
physical evidence that may be present at the investigation site. The law enforcement
evaluation of any existing physical evidence, including forensic evidence, may aid in the
determination of the threat's credibility.

-------

Immediate operational response actions are primarily intended to limit the potential for
exposure of the public to the suspect contaminant while site characterization activities are
implemented. For example, if the wastewater utility believes someone has tampered with its
chemical feed system, shutting down the chemical feed system would be an operational
response.


The response actions considered at the "credible" stage may involve more effort and have
a greater impact than those considered at the "possible" stage.

Three response actions that might be considered at this stage are:

   • Sample analysis.
   • Continuation of site characterization activities.
   • Public health response.

Sample analysis and continuation of site characterization are part of the ongoing threat
evaluation and are intended to gather information to "confirm" whether a contamination
incident did or did not occur.

Public health response actions are intended to prevent or limit exposure of the public to the
suspect contaminant; they are more protective and have a greater impact on the public than
the operational response considered at the possible stage.

Local law enforcement may be asked to participate in public notification strategies.
Know the clearly established communications responsibilities. In the past, local law
enforcement has been essential in assisting wastewater personnel in notifying the public of
emergencies.

-------
Once a contamination incident has been confirmed, it will be necessary to move into full-
response mode. Organizations that may be actively engaged in the response include the
wastewater primacy agency, the public health agency, emergency response agencies, and
law enforcement. All of these participating organizations likely will be coordinated under
existing incident command structures designed to manage emergencies at the state or local
level. States and local entities likely have established their own response plans that would
be in effect if the incident were managed at this level. In any case, the wastewater system
will still have a role in the implementation of full response actions; however, it will generally
act in a technical support role.

-------
The following is an example of a threat warning with a contamination management threat
matrix presented. This is a tabular summary that lists the following at each stage of the
threat evaluation:

   • Information considered during the threat evaluation.
   • Factors considered during the threat evaluation.
   • Potential notifications unique to a specific stage of a particular threat warning.
   • Potential response actions.

Security Breach

Threat Evaluation Stage: Possible

   Information considered:
      • Location of security breach.
      • Time of security breach.
      • Information from alarms.
      • Observations when security breach was discovered.
      • Additional details from the threat warning.

   Factors considered:
      • Was there an opportunity for contamination?
      • Has normal operational activity been ruled out?
      • Have other "harmless" causes been ruled out?

   Potential notifications:
      • Notifications within utility.
      • Local law enforcement agencies.
      • EPA CID.

   Potential response actions:
      • Isolate affected area.
      • Initiate site characterization.
      • Estimate spread of suspected contaminant.
      • Consult external information sources.

Threat Evaluation Stage: Credible

   Information considered:
      • Results of site characterization at location of security breach.
      • Previous security incidents.
      • Input from local law enforcement.

   Factors considered:
      • Do site characterization results reveal signs of contamination?
      • Is this security breach similar to previous security incidents?
      • Does other information (e.g., water quality) corroborate threat?
      • Does law enforcement consider this a credible threat? EPA CID, FBI, JTTF

   Potential notifications:
      • State agency.
      • State/local public health agency.
      • EPA CID, FBI.

   Potential response actions:
      • Implement appropriate public health protection measures.
      • Analyze samples.
      • Perform site characterization at additional investigation sites.

Threat Evaluation Stage: Confirmatory

   Information considered:
      • Results of site characterization at other investigation sites.
      • Input from primacy agency and public health agency.

   Factors considered:
      • Were unusual contaminants detected during analysis? Do they pose a risk to the
         public?
      • Do site characterization results reveal signs of contamination?
      • Is contamination indicated by a "preponderance of evidence?"

   Potential notifications:
      • Emergency response agencies.
      • National Response Center.
      • Other state and federal assistance providers.

   Potential response actions:
      • Characterize affected area.
      • Revise public health protection measures as necessary.
      • Plan remediation activities.

Law enforcement should meet wastewater personnel face-to-face and should know
officials' vehicles and identification badge or card type.

Wastewater systems and law enforcement should share critical contact lists.

Law enforcement can share information with police dispatchers on critical wastewater
facilities as well as the wastewater system critical contact list.

Before an incident, law enforcement should work with the wastewater system on how to
protect the crime scene.

Law enforcement can work with the wastewater system and Neighborhood Watch
groups to build awareness around suspicious activities near critical wastewater structures.

Law enforcement should be aware of a wastewater system's "Single Points of Failure"
and pay special attention to them, especially in times of heightened threat levels.

-------
EPA provides guidance to water-sector utilities at each threat alert level. Work with your
wastewater facility to see what assistance law enforcement can offer at various threat
levels. Also know what operational changes may take place at different threat levels. The
following is a brief review of the Homeland Security Advisory System. For more detailed
information see the EPA document Guarding Against Terrorist and Security Threats:
Suggested Measures for Wastewater Utilities (August 2004).

Protective measures for the wastewater utility should focus on ongoing facility assessments
and the development, testing, and implementation of emergency response plans.
Wastewater utilities should post emergency evacuation plans in an accessible, secure
location near the entrance for immediate access by law enforcement, fire response, and
other first responders.

Blue
General Risk of Terrorist Attack
Protective measures should focus on activating employee and public information plans,
exercising communication channels with response teams and local agencies, and
reviewing and exercising emergency plans.

The wastewater utility will reaffirm communication and coordination protocols (embedded in
the utility's emergency response plan) with local authorities such as police and fire
departments, HAZMAT teams, hospital, and other first responders. The wastewater utility is
also encouraged to develop intelligence contacts with state and local law enforcement, EPA
CID field offices, FBI field offices, and Water Information Sharing and Analysis Center
(Water ISAC).

Protective measures should focus on increasing surveillance of critical facilities;
coordinating and practicing emergency response plans with allied utilities and response
teams and local agencies; and implementing emergency plans, as appropriate.

-------
The wastewater utility may ask law enforcement to increase surveillance activities in
remote or isolated reaches of the service area where illicit dumping might occur.

Law enforcement should also have the critical contact lists available for all wastewater
utility personnel.

Protective measures by the wastewater utility should focus on limiting facility access to
essential staff and contractors and coordinating security efforts with local law enforcement
officials and the armed forces, as appropriate.

Law enforcement may be asked to increase surveillance, particularly of critical assets
and otherwise unprotected areas.

Red
Severe Risk of Terrorist Attack
Protective measures should focus on the decision to close specific facilities and the
redirection of staff resources to critical operations. As appropriate, wastewater utilities will
request increased law enforcement or security agency surveillance, particularly of critical
assets and otherwise unprotected areas.

-------
1.  Do you know what threats are of concern to the wastewater systems in your
   jurisdiction?

2.  Do you know the key utility personnel contacts for the wastewater systems in your
   jurisdiction?

3.  Do you have a copy of the wastewater utility emergency response plans for the utilities
   in your jurisdiction and have you conducted any exercises with the utilities to test the
   plan?

4.  Are you familiar with the response actions your utilities might take to possible, credible,
   or confirmed incidents?

5.  Have you worked with wastewater utility personnel to explain how they should protect a
   potential crime scene?

6.  Do you work with the utilities in your jurisdiction to provide appropriate assistance for
   changing national and local threat levels?

-------
Summary
The following lists all the law enforcement actions suggested throughout Part II:
Wastewater Security.

Law enforcement should get to know personnel at their wastewater treatment facility
and become familiar with the operation:

   • Meet your wastewater personnel face-to-face.
   • Know the key contacts and their telephone numbers.
   • Know their official vehicles and any identifying logos or insignias.
   • Know what type of identification card they have, if any.

Law enforcement should be aware of a wastewater system's "single points of failure"
and pay special attention to them, especially in times of heightened threat levels.

Law enforcement may be able to assist a wastewater utility in determining what assets
are vulnerable, and law enforcement may be able to assist the utility in becoming a less
attractive target.

Law enforcement can provide some assistance in working with wastewater personnel in
surveillance and in responding to alarms. Working with wastewater personnel to reduce
incidents or false alarms will help maintain everyone's vigilance in securing these important
assets.

Law enforcement's role in assisting wastewater utilities might focus on:

   • Surveillance.
   • Patrols.
   • Communications/24hr. contacts.
   • Physical security.
   • Site control.
   • Public Notification.
   • Investigations.
-------
   • Threat warnings.
   • Liaison with state and federal law enforcement and intelligence resources.

Law enforcement's role in assisting wastewater systems might focus on:

   • Communications/contacts.
   • Surveillance.
   • Patrols.
   • Site control.
   • Investigations.
   • Liaison with state and federal law enforcement and intelligence resources.

Law enforcement will have the lead in the criminal investigation and will determine
whether or not a crime has been committed.

Law enforcement and wastewater utilities need to work together to preserve crime
scenes, while at the same time allowing wastewater personnel access to facilities as
necessary.

Local law enforcement may assume responsibility for incident command in situations in
which criminal activity is suspected.

Meet with your wastewater personnel and ask them to share what areas they identified
as key locations that are vulnerable to threats. Law enforcement can assist a wastewater
plant in improving its physical security.

Law enforcement should have a copy of the utility's emergency response plan and
should practice with utility personnel. How can you practice with a wastewater facility? EPA
has developed a Tabletop Exercise CD with several different scenarios involving a
wastewater utility. This is a great training tool to bring together all the essential response
personnel involved in a water incident, allowing them to practice their roles and to revise
any parts of their plan as necessary
(http://cfpub.epa.gov/safewater/watersecurity/tools.cfm#cd).

-------
Local law enforcement may be asked to participate in public notification strategies.
Know the clearly established communications responsibilities. In the past, local law
enforcement has been essential in assisting wastewater personnel in notifying the public of
emergencies.

Law enforcement should meet wastewater personnel face-to-face and should know
officials' vehicles and identification badge or card type.

Wastewater systems and law enforcement should share critical contact lists.

Law enforcement can share information with police dispatchers on critical wastewater
facilities as well as the wastewater system critical contact list.

Before an incident, law enforcement should work with the wastewater system on how to
protect the crime scene.

Law enforcement can work with the wastewater system and Neighborhood Watch
groups to build awareness around suspicious activities near critical wastewater structures.

Law enforcement should be aware of a wastewater system's "Single Points of Failure"
and pay special attention to them, especially in times of heightened threat levels.

The wastewater utility may ask law enforcement to increase surveillance activities in
remote or isolated reaches of the service area where illicit dumping might occur.

Law enforcement should also have the critical contact lists available for all wastewater
utility personnel.

Law enforcement may be asked to increase surveillance, particularly of critical assets
and otherwise unprotected areas.

-------

-------
Resources
U.S. Environmental Protection Agency (EPA) Security Initiatives
http://cfpub.epa.gov/safewater/watersecurity/index.cfm

Response Protocol Toolbox: Planning for and Responding to Drinking Water Contamination
Threats and Incidents (RPTB), Interim Final; December 2003. The RPTB is composed of
six interrelated modules that focus on different aspects of planning a response to
contamination threats and incidents long before they occur. The RPTB is a planning tool,
and it should be integrated into a user's specific emergency response planning activities in
order to effectively manage an actual threat.
http://cfpub.epa.gov/safewater/watersecurity/home.cfm?program_id=8#response_toolbox

Response Protocol Toolbox: Planning for and Responding to Drinking Water Contamination
Threats and Incidents, Interim Final; August 2004; Response Guidelines.
http://www.epa.gov/safewater/watersecurity/pubs/rptb_response_guidelines.pdf

Guarding Against Terrorist and Security Threats: Suggested Measures for Water Utilities,
revised August 2004.

Guarding Against Terrorist and Security Threats: Suggested Measures for Wastewater
Utilities, revised August 2004.

The Top Ten List for Water Supply Emergency Preparedness and Security for Law
Enforcement.
http://www.epa.gov/safewater/watersecurity/pubs/brochure_security_top10.pdf

Water Sector-Specific Plan.
http://www.epa.gov/safewater/watersecurity/pubs/plan_security_watersectorspecificplan.pdf

Water Watchers — Helping to Protect Your Local Water System - a brochure for citizens.
http://www.epa.gov/safewater/watersecurity/pubs/brochure_security_waterwatchers.pdf

CDC Emergency Preparedness and Response: http://www.bt.cdc.gov/

-------

U.S. EPA's List of Drinking Water Contaminants & Maximum Contaminant Levels (MCLs):
http://www.epa.gov/safewater/mcl.html#mcl

U.S. Coast Guard. 2001 "Chemical Hazards Response Information System"
http://www.chrismanual.com

U.S. Army. 2002 "Toxic Chemical Agent Safety Standards"
http://www.usapa.army.mil/pdffiles/p385_61.pdf

Water Security Product Guide
http://cfpub.epa.gov/safewater/watersecurity/tools.cfm

Center for Nonproliferation Studies, Monterey Institute of International Studies
http://www.cns.miis.edu

American Water Works Association: http://www.awwa.org

Water Environment Research Foundation: http://www.werf.org

Department of Homeland Security (DHS): http://www.dhs.gov

National Response Center (NRC) and National Response Team (NRT): http://www.nrt.org

National Incident Management Training
http://www.fema.gov/emergency/nims/index.shtm

National Infrastructure Protection Plan: http://www.dhs.gov/nipp

EPA's Safe Drinking Water Hotline
(800) 426-4791

-------
Appendix A: Forms


These forms are mainly for water utilities, but may prove useful to law enforcement.

Threat Evaluation Worksheet

INSTRUCTIONS
The purpose of this worksheet is to help organize information about a contamination threat warning that would
be used during the Threat Evaluation Process. The individual responsible for conducting the Threat
Evaluation (e.g., the Water Utility Emergency Response Manager [WUERM]) should complete this worksheet.
The worksheet is generic to accommodate information from different types of threat warnings; thus, there will
likely be information that is unavailable or not immediately available. Other forms in the Appendices are
provided to augment the information in this worksheet.

THREAT WARNING INFORMATION

    Date/Time threat warning discovered:
    Utility Name and Address:
    Name/Number of person who discovered threat warning:
    Type of threat warning:
       [ ] Security breach              [ ] Witness account          [ ] Phone threat
       [ ] Written threat               [ ] Unusual water quality    [ ] Consumer complaints
       [ ] Public health notification   [ ] Other ________

    Identity of the contaminant:   [ ] Known   [ ] Suspected   [ ] Unknown
       If known or suspected, provide additional detail below
       [ ] Chemical   [ ] Biological   [ ] Radiological
       Describe:

    Time of contamination:   [ ] Known   [ ] Estimated   [ ] Unknown
       If known or estimated, provide additional detail below
       Date and time of contamination:
       Additional Information:

    Mode of contamination:   [ ] Known   [ ] Suspected   [ ] Unknown
       If known or suspected, provide additional detail below
       Method of addition:   [ ] Single dose   [ ] Over time   [ ] Other ________
-------
       Amount of material:
       Additional Information:

    Site of contamination:   [ ] Known   [ ] Suspected   [ ] Unknown
       If known or suspected, provide additional detail below
       Number of sites:
       Provide the following information for each site.

       Site #1
       Site Name:
       Type of facility
           [ ] Source water          [ ] Treatment plant         [ ] Pump station
           [ ] Ground storage tank   [ ] Elevated storage tank   [ ] Finished water reservoir
           [ ] Distribution main     [ ] Hydrant                 [ ] Service connection
           [ ] Other ________
       Address:
       Additional Site Information:

       Site #2
       Site Name:
       Type of facility
           [ ] Source water          [ ] Treatment plant         [ ] Pump station
           [ ] Ground storage tank   [ ] Elevated storage tank   [ ] Finished water reservoir
           [ ] Distribution main     [ ] Hydrant                 [ ] Service connection
           [ ] Other ________
       Address:
       Additional Site Information:

       Site #3
       Site Name:
       Type of facility
           [ ] Source water          [ ] Treatment plant         [ ] Pump station
           [ ] Ground storage tank   [ ] Elevated storage tank   [ ] Finished water reservoir
           [ ] Distribution main     [ ] Hydrant                 [ ] Service connection
           [ ] Other ________
       Address:
       Additional Site Information:

-------
ADDITIONAL INFORMATION

    Has there been a breach of security at the suspected site?   [ ] Yes   [ ] No
       If "Yes", review the completed 'Security Incident Report' (Appendix A, page 7)

    Are there any witness accounts of the suspected incident?   [ ] Yes   [ ] No
       If "Yes", review the completed 'Witness Account Report' (Appendix A, page 11)

    Was the threat made verbally over the phone?   [ ] Yes   [ ] No
       If "Yes", review the completed 'Phone Threat Report' (Appendix A, page 15)

    Was a written threat received?   [ ] Yes   [ ] No

    Are there unusual water quality data or consumer complaints?   [ ] Yes   [ ] No

    Are there unusual symptoms or disease in the population?   [ ] Yes   [ ] No

    Is a 'Site Characterization Report' available?   [ ] Yes   [ ] No

    Are results of sample analysis available?   [ ] Yes   [ ] No

    Is a 'Contaminant Identification Report' available?   [ ] Yes   [ ] No

    Is there relevant information available from external sources?   [ ] Yes   [ ] No
       Check all that apply
       [ ] Local law enforcement   [ ] FBI                           [ ] DW primacy agency
       [ ] Public health agency    [ ] Hospitals / 911 call centers  [ ] US EPA / Water ISAC
       [ ] Media reports           [ ] Homeland security alerts      [ ] Neighboring utilities
       [ ] Other ________

       Point of Contact:
       Summary of key information from external sources (provide detail in attachments as necessary):

-------
THREAT EVALUATION

     Has normal activity been investigated as the cause of the threat warning?   [ ] Yes   [ ] No
       Normal activities to consider
           [ ] Utility staff inspections       [ ] Routine water quality sampling
           [ ] Construction or maintenance     [ ] Contractor activity
           [ ] Operational changes             [ ] Water quality changes with a known cause
           [ ] Other ________

     Is the threat 'possible'?   [ ] Yes   [ ] No
       Summarize the basis for this determination:
       Response to a 'possible' threat:
         [ ] None                           [ ] Site characterization   [ ] Isolation/containment
         [ ] Increased monitoring/security  [ ] Other ________

     Is the threat 'credible'?   [ ] Yes   [ ] No
       Summarize the basis for this determination:
       Response to a 'credible' threat:
         [ ] Sample analysis          [ ] Site characterization   [ ] Isolation/containment
         [ ] Partial EOC activation   [ ] Public notification     [ ] Provide alternate water supply
         [ ] Other ________

     Has a contamination incident been confirmed?   [ ] Yes   [ ] No
       Summarize the basis for this determination:
       Response to a confirmed incident:
         [ ] Sample analysis          [ ] Site characterization   [ ] Isolation/containment
         [ ] Full EOC activation      [ ] Public notification     [ ] Provide alternate water supply
         [ ] Initiate remediation and recovery
         [ ] Other ________

     How do other organizations characterize the threat?

       Organization                         Evaluation                                  Comment
       [ ] Local Law Enforcement            [ ] Possible  [ ] Credible  [ ] Confirmed
       [ ] FBI                              [ ] Possible  [ ] Credible  [ ] Confirmed
       [ ] Public Health Agency             [ ] Possible  [ ] Credible  [ ] Confirmed
       [ ] Drinking Water Primacy Agency    [ ] Possible  [ ] Credible  [ ] Confirmed
       [ ] Other ________                   [ ] Possible  [ ] Credible  [ ] Confirmed
       [ ] Other ________                   [ ] Possible  [ ] Credible  [ ] Confirmed

SIGNOFF
  Name of person completing this form:
     Print name:
     Signature:
     Phone Number:
     Date/Time:

-------

-------
Security Incident Report Form


INSTRUCTIONS
The purpose of this form is to help organize information about a security incident, typically a security breach,
which may be related to a water contamination threat.  The individual who discovered the security incident,
such as a security supervisor, the Water Utility Emergency Response Manager (WUERM), or another
designated individual may complete this form.  This form is intended to summarize information about a
security breach that may be relevant to the threat evaluation process. This form should be completed for
each location where a security incident was discovered.

DISCOVERY OF SECURITY INCIDENT
     Date/Time security incident discovered:
     Name of person who discovered security incident:
     Mode of discovery:
       [ ] Alarm (building)      [ ] Alarm (gate/fence)          [ ] Alarm (access hatch)
       [ ] Video surveillance    [ ] Utility staff discovery     [ ] Citizen discovery
       [ ] Suspect confession    [ ] Law enforcement discovery
       [ ] Other ________
     Did anyone observe the security incident as it occurred?   [ ] Yes   [ ] No
       If "Yes", complete the 'Witness Account Report' (Appendix A, page 11)

SITE DESCRIPTION
     Site Name:
     Type of facility
       [ ] Source water          [ ] Treatment plant         [ ] Pump station
       [ ] Ground storage tank   [ ] Elevated storage tank   [ ] Finished water reservoir
       [ ] Distribution main     [ ] Hydrant                 [ ] Service connection
       [ ] Other ________
     Address:
     Additional Site Information:

BACKGROUND INFORMATION
     Have the following "normal activities" been investigated as potential causes of the security incident?
       [ ] Alarms with known and harmless causes      [ ] Utility staff inspections
       [ ] Routine water quality sampling             [ ] Construction or maintenance
       [ ] Contractor activity                        [ ] Other ________
     Was this site recently visited prior to the security incident?   [ ] Yes   [ ] No
       If "Yes," provide additional detail below
       Date and time of previous visit:
       Name of individual who visited the site:

-------
       Additional Information:
     Has this location been the site of previous security incidents?   [ ] Yes   [ ] No
       If "Yes," provide additional detail below
       Date and time of most recent security incident:
       Description of incident:
       What were the results of the threat evaluation for this incident?
            [ ] 'Possible'   [ ] 'Credible'   [ ] 'Confirmed'
     Have security incidents occurred at other locations recently?   [ ] Yes   [ ] No
       If "Yes", complete additional 'Security Incident Reports' for each site
       Name of 1st additional site:
       Name of 2nd additional site:
       Name of 3rd additional site:

SECURITY INCIDENT DETAILS

     Was there an alarm(s) associated with the security incident?   [ ] Yes   [ ] No
       If "Yes," provide additional detail below
       Are there sequential alarms (e.g., alarm on a gate and a hatch)?   [ ] Yes   [ ] No
       Date and time of alarm(s):
       Describe alarm(s):
     Is video surveillance available from the site of the security incident?   [ ] Yes   [ ] No
       If "Yes," provide additional detail below
       Date and time of video surveillance:
       Describe surveillance:
     Unusual equipment found at the site and time of discovery of the security incident:
       [ ] Discarded PPE (e.g., gloves, masks)          [ ] Empty containers (e.g., bottles, drums)
       [ ] Tools (e.g., wrenches, bolt cutters)         [ ] Hardware (e.g., valves, pipe)
       [ ] Lab equipment (e.g., beakers, tubing)        [ ] Pumps or hoses
       [ ] None                                         [ ] Other ________
       Describe equipment:

-------
     Unusual vehicles found at the site and time of discovery of the security incident:
       [ ] Car/sedan        [ ] SUV                    [ ] Pickup truck
       [ ] Flatbed truck    [ ] Construction vehicle   [ ] None
       [ ] Other ________
       Describe vehicles (including make/model/year/color, license plate #, and logos or markings):
     Signs of tampering at the site and time of discovery of the security incident:
       [ ] Cut locks/fences                 [ ] Open/damaged gates, doors, or windows
       [ ] Open/damaged access hatches      [ ] Missing/damaged equipment
       [ ] Facility in disarray             [ ] None
       [ ] Other ________
       Are there signs of sequential intrusion (e.g., locks removed from a gate and hatch)?   [ ] Yes   [ ] No
       Describe signs of tampering:
     Signs of hazard at the site and time of discovery of the security incident:
       [ ] Unexplained or unusual odors              [ ] Unexplained dead animals
       [ ] Unexplained dead or stressed vegetation   [ ] Unexplained liquids
       [ ] Unexplained clouds or vapors              [ ] None
       [ ] Other ________
       Describe signs of hazard:

SIGNOFF
  Name of person responsible for documenting the security incident:
     Print name:
     Signature:
     Date/Time:

-------

-------
 Witness Account Report Form

INSTRUCTIONS
 The purpose of this form is to document the observations of a witness to activities that might be considered
an incident warning. The individual interviewing the witness, or potentially the witness, should complete this
form.  This may be the Water Utility Emergency Response Manager (WUERM) or an individual designated by
incident command to perform the interview. If law enforcement is conducting the interview (which may often
be the case), then this form may serve as a prompt for "utility relevant information" that should be pursued
during the interview. This form is intended to consolidate the details of the witness account that may be
relevant to the threat evaluation process.  This form should be completed for each witness that is interviewed.
BASIC INFORMATION
     Date/Time of interview:
     Name of person interviewing the witness:

     Witness contact information
        Full Name:
        Address:
        Day-time phone:
        Evening phone:
        E-mail address:
     Reason the witness was in the vicinity of the suspicious activity:

WITNESS ACCOUNT
     Date/Time of activity:

     Location of activity:
       Site Name:
       Type of facility
           [ ] Source water          [ ] Treatment plant         [ ] Pump station
           [ ] Ground storage tank   [ ] Elevated storage tank   [ ] Finished water reservoir
           [ ] Distribution main     [ ] Hydrant                 [ ] Service connection
           [ ] Other ________
       Address:
       Additional Site Information:
     Type of activity
       [ ] Trespassing   [ ] Vandalism   [ ] Breaking and entering
       [ ] Theft         [ ] Tampering   [ ] Surveillance
       [ ] Other ________


-------
       Additional description of the activity:
     Description of suspects
       Were suspects present at the site?   [ ] Yes   [ ] No
       How many suspects were present?
       Describe each suspect's appearance:

       Suspect #   Sex        Race       Hair color   Clothing     Voice
       1
       2
       3
       4
       5
       6

       Were any of the suspects wearing uniforms?   [ ] Yes   [ ] No
       If "Yes," describe the uniform(s):
       Describe any other unusual characteristics of the suspects:
       Did any of the suspects notice the witness?   [ ] Yes   [ ] No
       If "Yes," how did they respond:
     Vehicles at the site
       Were vehicles present at the site?   [ ] Yes   [ ] No
       Did the vehicles appear to belong to the suspects?   [ ] Yes   [ ] No
       How many vehicles were present?
       Describe each vehicle:

       Vehicle #   Type       Color      Make         Model        License plate
       1
       2
       3
       4
       5
       6

       Were there any logos or distinguishing markings on the vehicles?   [ ] Yes   [ ] No
       If "Yes," describe:

-------
       Provide any additional detail about the vehicles and how they were used (if at all):
     Equipment at the site
       Was any unusual equipment present at the site?   [ ] Yes   [ ] No
       [ ] Explosive or incendiary devices           [ ] Firearms
       [ ] PPE (e.g., gloves, masks)                 [ ] Containers (e.g., bottles, drums)
       [ ] Tools (e.g., wrenches, bolt cutters)      [ ] Hardware (e.g., valves, pipe, hoses)
       [ ] Lab equipment (e.g., beakers, tubing)     [ ] Pumps and related equipment
       [ ] Other ________
       Describe the equipment and how it was being used by the suspects (if at all):
     Unusual conditions at the site
       Were there any unusual conditions at the site?   [ ] Yes   [ ] No
       [ ] Explosions or fires        [ ] Fogs or vapors   [ ] Unusual odors
       [ ] Dead/stressed vegetation   [ ] Dead animals     [ ] Unusual noises
       [ ] Other ________
       Describe the site conditions:
     Additional observations
       Describe any additional details from the witness account:

SIGNOFF
  Name of interviewer:
      Print name:
      Signature:
      Date/Time:

  Name of witness:
      Print name:
      Signature:
      Date/Time:


-------

-------
Phone Threat Report Form

INSTRUCTIONS
This form is intended to be used by utility staff that regularly answer phone calls from the public (e.g., call
center operators).  The purpose of this form is to help these staff capture as much information from a
threatening phone call while the caller is on the line.  It is important that the operator keep the caller on the
line as long as possible in order to collect additional information. Since this form will be used during the call, it
is important that operators become familiar with the content of the form. The sections of the form are
organized with the information that should be collected during the call at the front of the form (i.e., Basic Call
Information and Details of Threat) and information that can be completed immediately following the call at the
end of the form (i.e., the description of the caller).  The information collected on this form will be critical to the
threat evaluation process.

Remember, tampering with a drinking water system is a crime under the SDWA Amendments!

THREAT NOTIFICATION
    Name of person receiving the call:
    Date phone call received:          Time phone call received:
    Time phone call ended:             Duration of phone call:
    Originating number:                Originating name:
        If the number/name is not displayed on the caller ID, press *57 (or call trace) at the end of the call
        and inform law enforcement that the phone company may have trace information.
    Is the connection clear?   [ ] Yes   [ ] No
    Could call be from a wireless phone?   [ ] Yes   [ ] No

DETAILS OF THREAT
    Has the water already been contaminated?   [ ] Yes   [ ] No

    Date and time of contaminant introduction known?   [ ] Yes   [ ] No
       Date and time if known:

    Location of contaminant introduction known?   [ ] Yes   [ ] No
       Site Name:
       Type of facility
           [ ] Source water          [ ] Treatment plant         [ ] Pump station
           [ ] Ground storage tank   [ ] Elevated storage tank   [ ] Finished water reservoir
           [ ] Distribution main     [ ] Hydrant                 [ ] Service connection
           [ ] Other ________
       Address:
       Additional Site Information:


-------
    Name or type of contaminant known?   [ ] Yes   [ ] No
       Type of contaminant
           [ ] Chemical   [ ] Biological   [ ] Radiological
       Specific contaminant name/description:

    Mode of contaminant introduction known?   [ ] Yes   [ ] No
       Method of addition:   [ ] Single dose   [ ] Over time   [ ] Other ________
       Amount of material:
       Additional Information:

    Motive for contamination known?   [ ] Yes   [ ] No
           [ ] Retaliation/revenge   [ ] Political cause   [ ] Religious doctrine
           [ ] Other ________
       Describe motivation:

CALLER INFORMATION
    Basic Information:
       Stated name:
       Affiliation:
       Phone number:
       Location/address:
    Caller's Voice:
       Did the voice sound disguised or altered?   [ ] Yes   [ ] No

       Did the call sound like a recording?   [ ] Yes   [ ] No

       Did the voice sound?   [ ] Male / [ ] Female   [ ] Young / [ ] Old

       Did the voice sound familiar?   [ ] Yes   [ ] No
          If 'Yes,' who did it sound like?
       Did the caller have an accent?   [ ] Yes   [ ] No
          If 'Yes,' what nationality?
       How did the caller sound or speak?
          [ ] Educated           [ ] Well spoken   [ ] Illiterate
          [ ] Irrational         [ ] Obscene       [ ] Incoherent
          [ ] Reading a script   [ ] Other ________

-------
       What was the caller's tone of voice?
          [ ] Calm       [ ] Angry     [ ] Lisping   [ ] Stuttering/broken
          [ ] Excited    [ ] Nervous   [ ] Sincere   [ ] Insincere
          [ ] Slow       [ ] Rapid     [ ] Normal    [ ] Slurred
          [ ] Soft       [ ] Loud      [ ] Nasal     [ ] Clearing throat
          [ ] Laughing   [ ] Crying    [ ] Clear     [ ] Deep breathing
          [ ] Deep       [ ] High      [ ] Raspy     [ ] Cracking
          [ ] Other ________
       Were there background noises coming from the caller's end?
          [ ] Silence
          [ ] Voices                    describe:
          [ ] Children                  describe:
          [ ] Animals                   describe:
          [ ] Factory sounds            describe:
          [ ] Office sounds             describe:
          [ ] Music                     describe:
          [ ] Traffic/street sounds     describe:
          [ ] Airplanes                 describe:
          [ ] Trains                    describe:
          [ ] Ships or large boats      describe:
          [ ] Other: ________

SIGNOFF
  Name of call recipient:
      Print name:
      Signature:
      Date/Time:

  Name of person completing form (if different from call recipient):
      Print name:
      Signature:
      Date/Time:

-------

-------

-------
Recycled/Recyclable • Printed on 100% Postconsumer, Process Chlorine Free Recycled Paper

-------