1
2
3
4
5
7 National Drinking Water Advisory Council Water Security
s Working Group Final Report
9 Draft Report
10 Does Not Represent the Consensus of the WSWG
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28 March 21,2005
-------�
DRAFT ..... Doss. Not RaprosaHt th« Consensus of tha W
Table of Contents
Executive Summary i
I. Introduction 13
Chartering and the Mission of the Working Group 14
Working Group Composition 15
Security-Sensitive Information 16
The Deliberative Process and Consensus 17
Scope and Application of WSWG Recommendations 18
II. Security 20
Approach to Developing Recommendations on Security 20
Summary of Recommendations on Security 21
One Size Does Not Fit All 22
Security Program Scope 24
Significant System Failures and Key Threats 26
Security Program Principles 28
Security Program Features 29
Ongoing Improvement 32
Improve Connections with Public Health 33
Support Development of Contaminant Monitoring Technologies 33
Relationship to the Multibarrier Approach, or Security Layering 34
III. Incentives 36
Approach to Developing Recommendations on Incentives 36
Summary of Recommendations on Incentives 37
Understanding the Consequences of Failing to Address Security 38
Clear, Appropriate Expectations for Performance 39
Recognition 40
Peer Review 41
Technical Assistance 42
Access to Security-Related Support and Planning 44
Financial Support 45
Rate-Setting Organizations 46
Verification Programs 47
Draft WSWG Report—3/21/05
-------�
DRAFT Do-as Mot Raprasssnt th Consensus of the W8WC3
Regulation 48
IV. Measures 50
Approach to Developing Recommendations on Measures 50
Attributes of Good Measures 51
Types of Measures Considered 52
Summary of Recommendations on Measures 53
Minimum Measures Utilities Should Use 53
Measures for Utilities to Consider 56
National Aggregate Measures 56
Other Measures Considered 61
Reporting 62
Appendix A
Appendix B
Appendix C
Appendix D
Features and Measures of an Active and Effective Security Program
Chart Showing Features of an Active and Effective Security Program and
Corresponding Measure that Utilities Should Use
Measures Utilities Should Consider
Individual Comments of WSWG Members
Attachment 1
Attachment 2
Attachment 3
Attachment 4
Roster of WSWG Members, Federal Resource Personnel, and
Outside Experts
WSWG Operating Procedures
Annotated Bibliography of Security References
Acronym List
Draft WSWG Report—3/21/05
-------�
DRAFT Doss Not Rssoreses>t. f.h
-------�
DRAFT ..... Does Mot Rssprass-'-st the Consensus of ths W8WC3
developing findings and recommendations. In the few instances where the Group did not reach
consensus, the range of views on the Group with respect to that issue are described.
The WSWG makes nineteen recommendations dealing with security practices and programs,
incentives, and measures. Recommendations address the basic scope and principles for active
and effective security programs, establish significant system failures and key threats that
security programs should consider, identify fourteen features that all active and effective
security programs should address, advise steps that government and others can take to support
and encourage utility security efforts and create a better climate for security, and recommend a
framework for measuring utility security progress.
A number of themes cut across the WSWG's recommendations and serve as the organizing
structure for this executive summary. Readers are encouraged to go beyond the executive
summary to the discussion of each recommendation in the full report to understand the depth
and context of the WSWG's deliberations and recommendations.
Set minimum expectations for security program outcomes with substantial
flexibility for design of utility-specific implementation approaches and
tactics
The centerpiece of the WSWG's recommendations is identification of fourteen features that all
active and effective security programs should address, and a corresponding set of
recommended program measures. Recommendation 5 establishes the fourteen features,
each of which are described in detail in Appendix A. Recommendation 17 identifies measures
that correspond to the program features. The Group expects the measures recommended in
Recommendation 18 to be used by all utilities to form the basis for utility-specific security self-
assessment and measurement programs. Recommendation 18 encourages utilities to
consider a list of additional measures that could be used to round out security measurement
programs.
Recommendation 2 addresses the scope of active and effective security program, and
emphasizes the need for programs to address protection of public health, safety, and
confidence. Recommendation 3 describes the potential significant system failures and key
Draft WSWG Report—3/21/05
Page ii
-------�
DRAFT Doss Hot Replant th« Consensus of this WSWO
threats that utilities should consider
when developing active and effective
security programs, and
Recommendation 4 lists principles of
active and effective security programs.
Finally, Recommendation 10
acknowledges the importance of clear
expectations about utility security
outcomes as an important incentive to
utilities' voluntarily adopting active and
effective security programs.
As a complement to the identification
of consistent security program
outcomes through descriptions of
security program scope, principles,
features, and measures, the WSWG
also emphasizes the need for
significant flexibility to tailor security
approaches and tactics to utility-
specific circumstances and operating
conditions. Water and wastewater
utilities come in all shapes and sizes—
there are large urban utilities and
small rural utilities. There are utilities
that rely on ground water and those
that rely on surface water. There are
utilities with inherently higher risk
operations in higher risk locations or
circumstances, and utilities that
operate with a lower risk profile.
Some utilities have multiple sources of
source water and redundant treatment
capacity, others do not. Some utilities
Features of an Active and Effective Security Program
'5- Make an explicit and visible commitment of the senior leadership
to security.
-•> Promote security awareness throughout the organizations.
••$• Assess vulnerabilities and periodically review and update
vulnerability assessments to reflect changes in potential threats
and vulnerabilities.
'-•> Identify security priorities and, on an annual basis, identify the
resources dedicated to security programs and planned security
improvements, if any.
•£• Identify managers and employees who are responsible for security
and establish security expectations for all staff.
**£• Establish physical and procedural controls to restrict access to
utility infrastructure to only those conducting authorized, official
business and to detect unauthorized physical intrusions.
<•> Employ protocols for detection of contamination consistent with the
recognized limitations in current contaminant detection,
monitoring, and surveillance, technology.
~> Define security-sensitive information, establish physical and
procedural controls to restrict access to security-sensitive
information as appropriate, detect unauthorized access, and
ensure information and communications systems will function
during emergency response and recovery.
•> Incorporate security considerations into decisions about
acquisition, repair, major maintenance, and replacement of
physical infrastructure; this should include consideration of
opportunities to reduce risk through physical hardening and the
adoption of inherently lower risk design and technology options.
•••;• Monitor available threat-level information; escalate security
procedures in response to relevant threats.
•:?•• Incorporate security considerations into emergency response and
recovery plans, test and review plans regularly, and update plans
as necessary to reflect changes in potential threats, physical
infrastructure, utility operations, critical interdependencies, and
response protocols in partner organizations.
••> Develop and implement strategies for regular, ongoing security-
related communications with employees, response organizations,
and customers.
•* Forge reliable and collaborative partnerships with the communities
they serve, managers of critical interdependent infrastructure, and
response organizations.
•';> Develop utility-specific measures of security activities and
achievements and self assess against these measure to
understand and document program progress.
Draft WSWG Report—3/21/05
Page Hi
-------�
DRAFT ..... Doss Mot Rspros«»t th« Consensus of the
may have large security budgets, while others may face difficult decisions about setting priorities
between security spending and other necessary spending. Political and public support or
interest may affect a utility's ability to implement security improvements. Legal barriers,
especially for public utilities, might affect, for example, utilities' ability to carry out employee
background checks or to implement other security approaches. These and other utility-specific
circumstances and operating conditions must inform development of specific security tactics. A
rigid approach that requires a certain type of fence or other access control, or a prescribed
information technology protection system or a standard set of personnel security policies would,
automatically, over-address security needs for some utilities and under-address security needs
for other utilities. It would under-invest in some places, and over-spend in others.
Recommendation 1 establishes the expectation of consistent security outcomes with
significant flexibility to tailor security approaches and tactics to utility-specific circumstances and
operating conditions.
The WSWG sees recommendations on security program scope, principles, features, and
measures coming together to inform individual utilities' development of utility-specific security
approaches and tactics. That is, in developing security programs appropriate to their specific
circumstances and operating conditions, utilities will address each program feature in light of the
program scope, principles, and measures described by the WSWG. The figure below illustrates
this relationship.
Program Features
-> Explicit commitment to
security
•> Security culture
> VA up to date
•* Security resources and
implementation priorities
•> Defined security roles and
employee expectations
• Intrusion detection & access
control
• Contamination detection
v Information protection &
continuity
•> Design and construction
standards
v Threat-level based protocols
•> ERP tested and up to date
~ Communications
•> Partnerships
• Utility-specific measures and
self assessment
Utility-specific security
programs address
program features and
measures in
consideration of utility-
specific circumstances
and operating
conditions
Incentives
motivate
adoption of
active and
effective
security
programs
Draft WSWG Report—3/21/05
Page iv
-------�
DRAFT Doss Hot fcapresent the Consensus of the WSWG
Keep security programs fresh and up-to-date and emphasize inherently
more secure practices
Nothing stays the same, and security programs should be no different. The features and
measures of active and effective security programs identified by the WSWG in
Recommendations 5 and 17 emphasize the importance of keeping assessments of
vulnerabilities and emergency response plans up-to-date as "living" documents. They also
stress the need for ongoing attention to security in annual planning and budgeting, and the need
to update utility-specific security approaches and tactics to incorporate lessons learned from
table top and field exercises and from any actual responses. Security program features and
measures also emphasize the need for utilities to take advantage of opportunities to improve
security through use of plant designs and operating choices that are inherently more secure or
lower the likelihood or potential consequences of a successful attack. Application of inherently
safer designs and operating procedures during plant construction, upgrades, and major
maintenance activities, may be the most efficient way for utilities to, over time, improve security.
Finally, security program features and measures stress that as technological and other
advances that give utilities opportunities to improve security should be seized.
Recommendation 6 addresses this need directly, by calling on utilities to use a continual
improvement approach to learn from implementation of security programs and to enhance
security overtime.
Create awareness and support for water security
In some ways, the water and wastewater utility industry is the silent critical infrastructure. In
many communities, even after the terrorist attacks of September 11, 2001, there may be little
awareness of the need to protect critical water and wastewater assets. The WSWG believes
strongly that utilities need help creating awareness of the importance of water security, both
within the industry and in the communities they serve. Utilities, especially small systems with
limited resources, also need a support system to help identify and implement practical, cost-
effective security programs.
Recommendation 9 calls on EPA, DHS, state agencies, and water and wastewater utility
organizations to provide information on the importance of active and effective security programs
to utility owners and operations, and to make owners and operators more aware of the benefits
Draft WSWG Report—3/21/05
Page v
-------�
DRAFT Does Mot R&pfftse!>t. t.b« Consensus of the> W8WQ
of active and effective security programs and of the potential negative consequences of failing
to address security. Recommendation 11 addresses recognition of security programs.
Recommendation 12 calls on EPA and others to build on existing successful peer review and
assistance programs, such as the Rural Community Assistance Corporation program and the
Georgia/National Rural Water Association Small System Peer Assistance Team, to establish a
peer review system for utility security. Advice from a trusted peer often will be the most
practical, affordable, and relevant way to deliver much needed help and support for security
efforts, especially in small systems. Recommendations 13 and 14 address the need for
technical assistance, including technology verification programs, to support security efforts, and
the need to support utilities' access to security-related support systems and infrastructure and
participation in table top and field exercises.
Recommendation 19 addresses awareness and support for security in a slightly different way,
by recommending three potential national aggregate measures of security progress. It should
be noted that the Group saw these national aggregate measures, which focus on utility self-
assessment of security program activities, as only a starting point and cautions against using
them to create a false sense of program achievement.
Invest in water security
Security will not improve without investment of time, attention, and money on the part of all
partners. Recommendation 8 calls on government to support and facilitate development and
distribution of reliable, affordable contaminant monitoring technologies. This is critical to
improve the security of distribution systems and to move beyond current reliance on monitoring
of public health anomalies to identify potential water contamination. Recommendation 15 calls
for additional, direct financial support of utility security efforts, and Recommendation 16
stresses the importance of education and information for utility oversight boards and rate-setting
agencies, so reasonable costs of utility security can be included in utility rates in a timely way.
Form strong, durable partnerships
Finally, throughout their deliberations, the WSWG returned to the need to support security with
strong, durable partnerships. Utilities will not, and should not, accomplish security alone. They
Draft WSWG Report—3/21/05
Page vi
-------�
DRAFT Doss Not Rapressrtt the Consensus of th&
must work within the larger security and response communities, and with their customers, to
improve security. The features and measures of active and effective security programs
identified by the WSWG in Recommendations 5 and 17 describe the importance of utilities
forging connections with local law enforcement, first responders, public health, and with the
communities and consumers they serve. In particular, the WSWG emphasizes the importance
of partnerships with communities in enhancing public confidence in utilities, improving the
effectiveness of security by relying on communities to notice and report suspicious events, and
increasing public support for utility security efforts. The WSWG also was particularly interested
in improving partnerships between utilities and the public health community. Recommendation
7 addresses this issue specifically by calling for strengthening of the relationship between water
and wastewater utilities and public health.
Draft WSWG Report—3/21/05
Page vii
-------�
DRAFT Doss Not R&presa>>t the Consensus of the W8WC3
1 Recommendations in Chronological Order
2
3 Recommendation 1: Water and wastewater utility security programs should achieve
4 consistent outcomes using utility-specific strategies and implementation approaches that are
5 tailored to individual utilities' circumstances and operating conditions.
6
7 Recommendation 2: Active and effective security programs should address protection of
8 public health, public safety (including infrastructure), and public confidence.
9
10 Recommendation 3: Active and effective security programs should consider seven significant
11 system failures and four key threats, as described below.
12
13 Recommendation 4: Active and effective security programs should be built around ten
14 principles, as described below.
15
16 Recommendation 5: Active and effective security programs should include fourteen features,
17 described below.
18
19 -> Make an explicit and visible commitment of the senior leadership to security.
20 ^ Promote security awareness throughout the organizations.
21 -* Assess vulnerabilities and periodically review and update vulnerability assessments to
22 reflect changes in potential threats and vulnerabilities.
23 •* Identify security priorities and, on an annual basis, identify the resources dedicated to
24 security programs and planned security improvements, if any.
25 ~> Identify managers and employees who are responsible for security and establish security
26 expectations for all staff.
27 •* Establish physical and procedural controls to restrict access to utility infrastructure to only
28 those conducting authorized, official business and to detect unauthorized physical
29 intrusions.
30 -* Employ protocols for detection of contamination consistent with the recognized limitations in
31 current contaminant detection, monitoring, and surveillance, technology.
32 ~> Define security-sensitive information, establish physical and procedural controls to restrict
33 access to security-sensitive information as appropriate, detect unauthorized access, and
Draft WSWG Report—3/21/05
Page viii
-------�
DRAFT Doss Mot Represent the Consensus of t
1 ensure information and communications systems will function during emergency response
2 and recovery.
3 -» Incorporate security considerations into decisions about acquisition, repair, major
4 maintenance, and replacement of physical infrastructure; this should include consideration
5 of opportunities to reduce risk through physical hardening and the adoption of inherently
6 lower risk design and technology options.
7 -* Monitor available threat-level information; escalate security procedures in response to
8 relevant threats.
9 •* Incorporate security considerations into emergency response and recovery plans, test and
10 review plans regularly, and update plans as necessary to reflect changes in potential
11 threats, physical infrastructure, utility operations, critical interdependencies, and response
12 protocols in partner organizations.
13 •;• Develop and implement strategies for regular, ongoing security-related communications with
14 employees, response organizations, and customers.
15 ~> Forge reliable and collaborative partnerships with the communities they serve, managers of
16 critical interdependent infrastructure, and response organizations.
17 -» Develop utility-specific measures of security activities and achievements and self assess
18 against these measure to understand and document program progress.
19
20 Recommendation 6: Water and wastewater utilities should reassess and seek to improve their
21 security programs on an ongoing basis.
22
23 Recommendation 7: Relationships between the water and wastewater utility sector and the
24 public health sector should be strengthened.
25
26 Recommendation 8: Development and distribution of reliable, affordable contaminant
27 monitoring technologies is important to improving utility security and should be facilitated and
28 supported by government
29
30 Recommendation 9: EPA, DHS, state agencies, and water and wastewater utility
31 organizations should provide information on the importance of active and effective security
32 programs to utility owners and operators and should make owners and operators more aware of
33 the benefits of active and effective security programs and of the potential negative
34 consequences of failing to address security.
Draft WSWG Report—3/21/05
Page ix
-------�
DRAFT Doss hlot Raprese^t th« Consensus of ths W8WG
1
2 Recommendation 10: EPA, DHS, state agencies, and water and wastewater utility
3 organizations should emphasize clear expectations for active and effective security programs
4 and clear measures of program performance, while providing the flexibility utilities need to tailor
5 security tactics and approaches to utility-specific circumstances and operating conditions.
6
7 Recommendation 11: EPA, DHS, state agencies, and water and wastewater utility
8 organizations should develop programs and/or awards that recognize utilities that develop and
9 maintain active and effective security programs and that demonstrate superior security
10 performance.
11
12 Recommendation 12: EPA, DHS, state agencies, and water and wastewater utility
13 organizations should support development and implementation of a voluntary utility security
14 peer technical assistance and review program.
15
16 Recommendation 13: EPA, DHS, state agencies, and water and wastewater utility
17 organizations should help utility owners and operations develop active and effective security
18 programs by providing different types of technical assistance, including technology verification
19 information.
20
21 Recommendation 14: EPA, DHS, and other federal and state agencies should support utility
22 security programs by helping utilities obtain access to needed security-related support systems
23 and infrastructure, and by supporting inclusion of utilities in security exercises.
24
25 Recommendation 15: Congress, EPA, DHS and other federal agencies should support
26 security enhancements with grant and loan programs focused on security.
27
28 Recommendation 16: Utility governing bodies should recognize costs associated with
29 implementing active and effective security programs. EPA, DHS, state agencies, and utility
30 organizations should provide educational and other materials to boards and rate setting
31 organizations to help them understand security costs.
32
33 Recommendation 17: At a minimum, utility self assessment and measurement should include
34 thirteen measures, described below.
Draft WSWG Report—3/21/05
Page x
-------�
DRAFT Doss Not Rapf«s«nt th« Consensus of the WSWCS
1
2 -s> Does a written, enterprise-wide security policy exist, and is the policy reviewed regularly and
3 updated as needed?
4 -^ Are incidents reported in a timely way, and are lessons learned from incident responses
5 reviewed and, as appropriate, incorporated into future utility security efforts?
6 -5- Are re-assessments of vulnerabilities made after incidents, and are lessons learned and
7 other relevant information incorporated into security practices?
8 •& Are security priorities clearly identified, and to what extent do security priorities have
9 resources assigned to them?
10 •*. Are managers and employees who are responsible for security identified?
11 r> To what extent are methods to control access to sensitive assets in place?
12 ~s Is there a protocol/procedure in place to identify and respond to suspected contamination
13 events?
14 •* Is there a procedure to identify and control security-sensitive information, is information
15 correctly categorized, and how do control measures perform under testing?
16 ^ Is there a protocol/procedure for incorporation of security considerations into internal utility
17 design and construction standards for new facilities/infrastructure and major maintenance
18 projects?
19 •* Is there a protocol/procedure for responses to threat level changes?
20 <* Do exercises address the full range of threats—physical, cyber, and contamination— and is
21 there a protocol/procedure to incorporate lessons learned from exercises and actual
22 responses into updates to emergency response and recovery plans?
23 «* Is there a mechanism for utility employees, partners, and the community to notify the utility
24 of suspicious occurrences and other security concerns?
25 -f Have reliable and collaborative partnerships with customers, managers of independent
26 interrelated infrastructure, and response organizations been established?
27
28 Recommendation 18: In developing their self-assessment and measurement programs, water
29 and wastewater utilities should consider the security program measures listed in Appendix C.
30
31 Recommendation 19: In considering measurement of water sector security progress EPA
32 should consider three measures described below.
33
Draft WSWG Report—3/21/05
Page xi
-------�
DRAFT Does Mot Raprassnt th« Consensus of
1 ••» Amount and degree of implementation of the fourteen features of an active and effective
2 security program based on self assessment.
3 -* Progress addressing high security priorities
4 •* Amount of Clean Air Act Section 112(r) hazardous substances on site, container size, and
5 potentially effected residential population inside the off-site consequence analysis area of a
6 worst-case scenario release.
Draft WSWG Report—3/21/05
Page xii
-------�
DRAFT Doss Not Rsspresusi>t the Consensus of thfj> WSWG
1 I. Introduction
2
3 Nationwide, over 160,000 water systems provide drinking water to over 300 million people.
4 Wastewater treatment systems serve approximately 75 percent of the U.S. population. These
5 systems are critical to the security of the United States not only because they deliver needed
6 drinking water supplies and wastewater collection and treatment services, but also because
7 they support the many vital services, such as fire suppression, that rely on a stable supply of
8 water. An attack, or even a credible threat of an attack, on water infrastructure could seriously
9 jeopardize the public health and economic vitality of a community.
10
11 As with other critical infrastructure sectors, concern over security at water utilities increased
12 dramatically after the September 11, 2001 terrorist attacks on the World Trade Center and the
13 Pentagon. Immediately after the September 11, 2001 attacks, the Environmental Protection
14 Agency (EPA) and the drinking water and wastewater industries launched a number of
15 initiatives to develop training and guidance on water security. As part of this effort, support was
16 provided for development of methodologies and training on assessment of water system
17 vulnerabilities and development of emergency response plans. Ongoing efforts to create the
18 Water Information Sharing and Analysis Center (WaterlSAC), a secure system that water and
19 wastewater utilities can use to disseminate security alerts and exchange ideas about security
20 related issues, were accelerated. In June 2002, President Bush signed the Public Health
21 Security and Bioterrorism Preparedness and Response Act (Bioterrorism Act). Among other
22 things, the Bioterrorism Act requires each community water system that serves more than 3,300
23 individuals to conduct "an assessment of the vulnerability of its system to a terrorist attack or
24 other intentional acts intended to substantially disrupt the ability of the system to provide a safe
25 and reliable supply of drinking water." The Bioterrorism Act also requires preparation—or where
26 necessary, revision—of "an emergency response plan that incorporates the results of
27 vulnerability assessments."
28
29 Investment, both public and private, in water security efforts also increased after the September
30 11, 2001 terrorist attacks. In fiscal year 2002, EPA awarded approximately $51 million in grants
31 to help the largest water utilities, those serving populations greater than 100,000, complete
32 vulnerability assessments. In HHl EPA expects to award 11111111 in financial support. Other
33 federal agencies also are investing in water security, as are the utilities themselves. In mm
Draft WSWG Report—3/21/05
Page 13
-------�
DRAFT ..... Doss Not Rapreswnt th« Consftnsus of the WSWG
estimates that utilities have spent {ftprj^rj on security improvements. To complement
2 direct financial support and investment in security, EPA, other federal agencies, and the water
3 sector itself are investing in ongoing efforts to develop security-related guidance.
4
5 As of |datej Irtupb^rl of utilities covered by the Bioterrorism Act have completed vulnerability
6 assessments, and |Httm&eJl have completed emergency response plans. While this represents
7 real progress, much work remains to be done. Understanding vulnerability is only the first step
8 in improving security. Many water systems that have completed their vulnerability assessments
9 are now considering what steps to take to address vulnerabilities identified. In the proliferation
10 of security-related guidance, products, services, and consultants that has appeared since the
1 1 September 1 1 , 2001 terrorist attacks, water utilities are faced with a complex set of decisions
12 about how best to invest what will inevitably be limited security funding. In this context, the
13 National Drinking Water Advisory Council (NDWAC), in consultation with EPA, chartered the
14 Water Security Working Group (WSWG or "the Group") to provide a forum for the many diverse
15 security-related interests to provide much needed guidance for NDWAC and EPA security-
16 related efforts.
17
18 Chartering and the Mission of the Working Group
19
20 The WSWG was established and charged by the NDWAC, an independent federal advisory
21 council under the Federal Advisory Committee Act. NDWAC advises, consults with, and makes
22 recommendations to EPA on matters related to EPA's activities, function, and policies under the
23 Safe Drinking Water Act. From time to time, the Council forms working groups to deliberate on
24 a specific area of interest and report back to the Council. The WSWG is one such group. The
25 NDWAC directed the WSWG to:
26
27 1. Identify, compile, and characterize best security practices and policies for drinking water
28 and wastewater utilities, and provide an approach for considering and adopting these
29 practices and policies at a utility level.
30 2. Consider mechanisms to provide recognition and incentives that facilitate a broad and
31 receptive response among the water sector to implement these best security practices
32 and policies, and make recommendations as appropriate.
Draft WSWG Report—3/21/05
Page 14
-------�
DRAFT Doss hlot Rapresa->t the Consensus of th»
1 3. Consider mechanisms to measure the extent of implementation of these best security
2 practices and policies, identify the impediments to their implementation, and make
3 recommendations as appropriate.
4
5 Early in their deliberations, the WSWG rejected use of the term "best" to describe their work on
6 security practices. The Group was concerned that defining "best" security practices would seem
7 too much like a prescription of specific activities across the water and wastewater sector. Given
8 the variety of utility-specific circumstances and operating conditions that exist in the water and
9 wastewater sector, the WSWG rejected the notion that such a prescription could be developed,
10 or, if developed, fulfilled. Instead, the Group chose to make recommendations identifying and
11 describing the scope, principles, and features of "active and effective" security programs, and to
12 make related recommendations on improving the climate for water and wastewater security.
13 Otherwise, the Group did not amend or modify its charge from the NDWAC.
14
15 Working Group Composition
16
17 The WSWG was made up of sixteen members representing a broad range of water security
18 perspectives. WSWG membership included participants from: large and small drinking water
19 and waste water treatment providers; rate setting organizations; technical assistance providers;
20 the public health community at the state and local level; academia; and environmental interest
21 groups. Working Group members were selected by EPA from among more than 80 nominated
22 individuals. Selections were made considering the expertise and experience needed to provide
23 advice on best security practices, incentives, and measures, and the desire to provide balanced
24 representation across the water sector. To facilitate communication between the NDWAC and
25 the WSWG, three members of the NDWAC were appointed to the WSWG.
26
27 The WSWG was supported by a number of resource personnel from federal agencies with
28 interest and expertise in water security. These included representatives from EPA, the
29 Department of Homeland Security (DHS), the Department of Defense (DoD), and the Centers
30 for Disease Control and Prevention (CDC). The WSWG also was supported by outside experts,
31 including an expert in emergency preparedness and response nominated by the National
32 Emergency Management Association. Federal resource personnel and outside experts
33 participated in WSWG deliberations by providing background, context, or other information or
Draft WSWG Report—3/21/05
Page 15
-------�
DRAFT Do-as Mot Rapresssnt th« Consensus of tho WS
1 expert opinion, as called upon to do so by a member of the WSWG or the facilitation team.
2 Federal resource personnel and outside experts did not participate in WSWG decision making.
3
4 A roster of WSWG members, federal resource personnel, and outside experts is provided as
5 Attachment 1.
6
7 Security-Sensitive Information
8
9 The WSWG established special procedures for deliberations on security-sensitive information.
10 For purposes of their deliberations, the WSWG agreed that security-sensitive information would
11 be identified as:
12
13 -> Information on system-specific, attributable tactical security procedures; or
14 ^ Integrated or aggregated detail on security (e.g., by aggregating information from previously
15 un-aggregated sources) that creates a clear picture of a specific targeting or attack
16 opportunity.
17
18 Information already available in the public domain in the same form and at the same level of
19 detail as discussed by the WSWG was not considered security sensitive.
20
21 WSWG meetings were closed to the public as necessary to provide a forum for WSWG
22 members to discuss security-sensitive information. Protocols for closure of WSWG meetings to
23 the public and discussion of security-sensitive information are included in the WSWG Operating
24 Procedures, in Attachment 2. The WSWG agreed that, to maximize the usability of their report,
25 they would strive to limit inclusion of security-sensitive information in the written materials they
26 consider and produce. In practice, the WSWG found that closing deliberations to the public
27 generally was not necessary, and that open meetings did not prevent substantive deliberations
28 on the features and measures of active and effective security programs. In instances where the
29 WSWG needed to discuss specific, attributable security tactics or examples, they used closed
30 sessions. Over the course of their {hSMjrsj of deliberations the WSWG conducted only |J|pursl in
31 closed session.
32
Draft WSWG Report—3/21/05
Page 16
-------�
DRAFT Does Not Raprftssnt th« Cosisftnnus of th«* WSWO
1 The Deliberative Process and Consensus
2
3 The WSWG met in person five times between July 2004 and April 2005 and had two full Group
4 conference calls during that period. Notices of Group meetings and full Group conference calls
5 were published in the Federal Register. Except where security-sensitive information was
6 discussed, meetings were open to the public. Opportunities for public comment were provided
7 at each meeting. Agendas and summaries of WSWG meetings are available on the EPA
8 NDWAC website, at www.epa.gov/
9
10 The WSWG used a consensus-based, collaborative, problem-solving approach to developing
11 findings and recommendations. In cases where the Group did not reach consensus, the range
12 of views on the Group are described. At the end of the consensus-based process, WSWG
13 members also had an opportunity to submit up to 3 pages of individual comments. {Numb«f|
14 WSWG members chose to submit Individual comments, which can be found in Appendix D.
15
16 The WSWG was served by two co-chairs. To facilitate communication with the NDWAC, one of
17 the WSWG co-chairs was also a member of NDWAC. This individual was identified by EPA and
18 the facilitation team in consultation with the three NDWAC members who serve on the WSWG.
19 The second co-chair was identified by the Group using a weight of preferences selection
20 process.
21
22 The role of the WSWG co-chairs was to act as a sounding board for the facilitation team
23 between WSWG meetings, open and close the WSWG meetings, assist the facilitation team in
24 running the meetings, and approve WSWG meeting summaries. The co-chairs also participated
25 in deliberations and decision making as full members of the WSWG. The co-chairs did not
26 determine the WSWG agenda, findings, or recommendations any more or less than other
27 WSWG members.
28
29 Additional detail on the WSWG process is available in the WSWG Operating Procedures,
30 Attachment 2.
31
Draft WSWG Report—3/21/05
Page 17
-------�
DRAFT D««s Mot Rspma«nt the Consensus of the WSWG
1 Scope and Application of WSWG Recommendations
2
3 The WSWG recommendations address all three parts of the charge give to the Group by the
4 NDWAC: security practices or programs; incentives; and measures. The WSWG developed
5 their recommendations to apply to all water and wastewater utilities irrespective of size, location,
6 ownership, or regulatory status. The Group recognizes that the Bioterrorism Act requirements
7 for water security apply only to community water systems that serve 3,300 or more people;
8 however, it does not intend to limit its recommendations to such systems. While the
9 Bioterrorism Act encompasses approximately 91 percent of the population served by drinking
10 water systems, it addresses only 16 percent of systems. The vast majority of systems serve
11 populations of 3,300 or fewer. In total, approximately 9 percent of the population served by
12 drinking water systems is served by systems that serve 3,300 or fewer people.
13
14 The WSWG decided not to limit its recommendations to community water systems that serve
15 3,300 or more people for three reasons. First, the Group believes that all utilities, regardless of
16 type and size, need to take steps to address security. Although threats may be greater or lesser
17 depending on utility-specific circumstances and operating conditions, no utility is immune from
18 attack. Second, the fourteen elements of an active and effective security program contain
19 considerable flexibility to allow for utility-specific security tactics and approaches. This
20 encourages utilities to tailor security programs to the level of resources they can devote to
21 security and to nest security efforts in broader utility operations designed to safeguard water
22 quality and utility infrastructure. The WSWG believes that steps needed to address the features
23 of an active and effective security program are, in many cases, consistent with the steps needed
24 to maintain technical, management, and operational performance capacity related to overall
25 water quality, and that many small utilities may be able to craft active and effective security
26 programs with minimal, if any, capital investment.
27
28 Third, the WSWG's recommendations on active and effective security programs create
29 voluntary guidelines. While the Group encourages all utilities to consider these
30 recommendations and to develop active and effective security programs, there currently are not
31 federal regulations on water security and, the Group as a whole is not recommending federal
32 regulations. Without regulations, it is up to individual utilities and their communities to decide to
33 make the effort they determine is appropriate for their specific circumstances. (For additional
Draft WSWG Report—3/21/05
Page 18
-------�
DRAFT Doss h!ot Rapffts?s-nt. the Consensus of ihf* W &WG
1 information on the WSWG's diversity of views on the role that regulation should play in water
2 security, see discussion in Chapter II of this report.)
3
Draft WSWG Report—3/21/05
Page 19
-------�
DRAFT ..... Doss. hjot Raproasni the Consensus of t
1 II. Security
2
3 The first part of the WSWG charge was to "identify, compile, and characterize best security
4 practices and policies for drinking water and wastewater utilities and provide an approach for
5 considering and adopting these practices and policies at a utility level." Early in their
6 deliberations, the WSWG rejected use of the term "best" to describe their work on security
7 practices. The Group was concerned that defining "best" security practices would seem too
8 much like a prescription of specific activities across the water and wastewater utility sector.
9 Given the variety of utility-specific circumstances and operating conditions that exist in the water
10 and wastewater sector, the WSWG rejected the notion that such a prescription could be
11 developed, or, if developed, fulfilled. Instead, the Group chose to identify and describe the
12 scope, principles, and features of "active and effective" security programs, and to make a series
1 3 of related recommendations on improving the climate for water and wastewater security.
14
15 Approach to Developing Recommendations on Security
16
17 The WSWG began deliberations on security practices and programs by considering the current
18 body of security-related guidance. This included preparing a detailed annotated bibliography of
19 security-related references (Attachment 3), reviewing the security literature, and identifying and
20 considering common security-related themes. The WSWG also considered presentations on
21 security from Group members and outside experts. From these initial deliberations the WSWG
22 identified twelve principles to guide their recommendations on active and effective security
23 programs. The principles are a distillation of the common interests and values of WSWG
24 members and set the stage on which the Group's security-related recommendations should be
25 reviewed.
26
27 ••> Don't reinvent the wheel; understand and use existing information, adding new value.
28 ••* Limit inclusion of security-sensitive information to maximize the utility of the product and
29 ensure it can be distributed and used.
30 ••;> Seek to maximize benefits by emphasizing actions that have the potential to both improve
31 the quality or reliability of utility service, and to enhance security.
32 •!.•• Programs should have measurable goals and timelines.
Draft WSWG Report—3/21/05
Page 20
-------�
DRAFT DOSJS Not Rapraaisnt th« Consensus of the WSWG
1 --» Be attentive to concerns that more clearly defining security practices may create liability
2 concerns, especially for smaller utilities which may not have the resources to implement all
3 security enhancements immediately.
4 ~> Be aware that, in some jurisdictions, political or organizational interest in security may be
5 diminishing, making it more difficult for utility operators to gain the support and resources
6 needed for security enhancements.
7 <*• Recognize the need to tailor security programs and practices to utility-specific
8 characteristics, such as whether a utility is urban or rural, and whether it is small, medium, or
9 large in size.
10 •* Recognize constraints and barriers, but do not let them define security recommendations.
11 For example, where a practice is desirable, but implementation is constrained,
12 recommendations could call for the practice and recognize and recommend ways to
13 overcome constraints.
14 •* Address prevention as a key aspect of enhancing security.
15 •* Inherently safer practices, or practices that have a lower risk potential, also have potential to
16 enhance security.
17 <* The relationship between practices that increase safety and those that increase security
18 must be recognized and managed. Safety and security may complement each other, may
19 be neutral, or may conflict. For example, a SCADA system provides valuable operating
20 safety information but also may introduce a vulnerability that someone could use to cause
21 harm or mislead operators. Similarly, permanently locking a door for security reasons might
22 create a safety barrier to an emergency exit.
23 •-» Develop recommendations should be developed in a transparent way, and they should
24 encourage transparency in individual utilities' security-related decisions, so that the basis for
25 decisions is easily understood and communicated to utility staff, partners, customers and the
26 public.
27
28 Summary of Recommendations on Security
29
30 The WSWG developed eight recommendations on security. Recommendation 1 calls for
31 utilities to achieve consistent security outcomes with significant flexibility to tailor security
32 approaches and tactics to utility-specific circumstances and operating conditions.
33 Recommendations 2 through 4 address the scope of active and effective security programs,
34 significant system failures and key threats that should be considered, and program principles.
Draft WSWG Report—3/21/05
Page 21
-------�
DRAFT Doss Mot R&pressitt th« Consensus of the
1 Recommendation 5 identifies the features that should be present in all active and effective utility
2 security programs. Recommendation 6 calls on utilities to use a continual improvement
3 approach to learn from implementation of security programs and enhance security over time.
4 Recommendations 7 and 8 call for improving the climate for water and wastewater security by
5 improving connections between the utility and public health communities and improving the
6 reliability and affordability of physical and chemical contaminant monitoring technologies.
7
8 One Size Does Not Fit All
9
10 Recommendation 1: Water and wastewater utility security programs should achieve
11 consistent outcomes using utility-specific tactics and implementation approaches that
12 are tailored to individual utilities' circumstances and operating conditions.
13
14 The first thing the WSWG discussed and agreed upon was the need to provide individual
15 utilities the means to tailor security tactics and approaches to utility-specific circumstances and
16 operating conditions. At the same time the Group also recognized the need to create clear
17 expectations and promote consistency in security program outcomes. The Group struck this
18 balance using an approach that is centered around recommending that all utilities address
19 fourteen common features of active and effective security programs (detailed in
20 Recommendation 5) in the context of utility-specific circumstances and operating conditions.
21
22 All water and wastewater utilities should address security in an informed and systematic way;
23 consider their specific circumstances and operating conditions; and develop, implement,
24 monitor, and improve specific security tactics to create an active and effective security program
25 appropriate to utility-specific conditions. The WSWG discussed this as developing
26 recommendations that define "what to do" instead of "how to do it." Using this approach, the
27 Group makes recommendations that describe the scope of active and effective security
28 programs (Recommendation 2), the significant system failures and key threats utilities should
29 consider (Recommendation 3), security program principles (Recommendation 4) and security
30 program features (Recommendation 5). It is left to individual utilities to determine how best to
31 craft a security program that addresses these recommendations in a way that is appropriate to
32 their specific conditions.
33
Draft WSWG Report—3/21/05
Page 22
-------�
DRAFT Doss Not Raprft$ss>l th« Consensus of the* WS
1 Water and wastewater utilities come in all shapes and sizes—there are large urban utilities, and
2 small rural utilities. There are utilities that rely on ground water and those that rely on surface
3 water. There are utilities with inherently higher risk operations in higher risk locations or
4 circumstances and utilities that operate with a lower risk profile. Some utilities have multiple
5 sources of source water and redundant treatment capacity; others do not. Some utilities may
6 have large security budgets; others may face difficult decisions about setting priorities between
7 security spending and other necessary spending. Political and public support or interest may
8 affect a utility's ability to implement security measures. Legal barriers, especially for public
9 utilities, might affect, for example, utilities' ability to carry out employee background checks, or
10 to implement other security approaches. These and other utility-specific circumstances and
11 conditions must inform development of specific security tactics. A rigid approach that requires a
12 certain type of fence or other access control, or a prescribed information technology protection
13 system, or a standard set of personnel security policies would, automatically, over-address
14 security needs for some utilities and under-address security needs for other utilities. It would
15 under-invest in some places, and over-spend in others. The WSWG discussed this using the
16 catch phrase "one size does not fit all."
17
18 The WSWG recognizes that their approach will result in considerable variability in the specific
19 security tactics and approaches individual utilities implement. Some utilities may—and may
20 need to—create distinct security programs, with new security managers and security staff.
21 Other utilities may appropriately address the program features simply by ensuring existing
22 managers and staff addresses security concerns as part of their responsibilities. Some utilities
23 may—and may need to—invest heavily in physical hardening of infrastructure and access
24 control. (Physical hardening involves designing in the means to make a facility harder to attack
25 [or appear harder to attack] and to reduce the effect of any attack that may take place.) Other
26 utilities may rely more heavily on timely intrusion detection and response. This variability is to
27 be expected and is appropriate to the variability inherent in utility circumstances and operations.
28 The WSWG emphasizes that the important outcome is that all utilities, regardless of size or
29 circumstance, should address security in an informed and systematic way, should consider their
30 specific circumstances and operating conditions, and should develop, implement, monitor, and
31 improve specific security tactics to create an active and effective security program appropriate
32 to utility-specific conditions.
33
Draft WSWG Report—3/21/05
Page 23
-------�
DRAFT Do-as Not Rcspressnt the Consensus of the WSWG
1 Security Program Scope
2
3 Recommendation 2: Active and effective security programs should address protection
4 of public health, public safety (including infrastructure), and public confidence.
5
6 After agreeing on the importance of defining security outcomes that all utilities should achieve—
7 and at the same time agreeing on the need to tailor security tactics and approaches to utility-
8 specific circumstances and operating conditions—the WSWG turned to describing the scope of
9 an active and effective security program.
10
11 The main outcome of an active and effective security program is to ensure reliable operation of
12 water and wastewater infrastructure, and reliable drinking water and waste water collection and
13 treatment services. Reliable, clean water is needed for consumption and for the prevention of
14 disease and maintenance of public health; reliable water also is needed for operation of waste
15 water collection and treatment facilities and other facilities necessary to public health. Reliable
16 water at sufficient pressure is needed to fight fires, operate industrial facilities, and cool
17 industrial and other operations. Reliable water treatment is needed to prevent uncontrolled—or
18 untreated, or not fully treated—wastewater discharges from fouling beaches, water bodies, and
19 even drinking water supplies, with serious public health, environmental, and economic
20 consequences.
21
22 The WSWG discussed which of these adverse consequences active and effective security
23 programs should address and agreed that protection should be provided across the full range of
24 adverse consequences that might be brought about if a water or wastewater utility were to be
25 compromised. The WSWG defined these as: adverse consequences for public health; adverse
26 consequences for public safety; and adverse consequences for public confidence. The Group
27 agreed that active and effective security programs should protect against all these potential
28 adverse consequences, although they recognized some might be more of a concern than others
29 based on utility-specific conditions. For example, when a utility provides the only potential
30 source of water for firefighting, protection of public safety by ensuring the continued reliability of
31 a supply of firefighting water might need special attention. Similarly, interruption of wastewater
32 collection and treatment services for a large metropolitan area is different from interruption of
33 such services for a small town. The group also discussed the need to avoid adverse
34 consequences regardless of the means that might bring such consequences about. Whether a
Draft WSWG Report—3/21/05
Page 24
-------�
DRAFT Doss Mot Rapmssni the Consensus of th» WSWG
1 water supply is interrupted because of accident, vandalism, or terrorist attack matters less than
2 the actions needed to bring a system back on line. In addition to making water and wastewater
3 utilities safer from attack, active and effective security programs will have the collateral benefit
4 of improving responses to accidents and reducing the impact of natural disasters and successful
5 vandalism.
6
7 The WSWG discussed "protect against" as meaning the design and implementation of utility-
8 specific security tactics and approaches that seek to minimize adverse outcomes by preventing
9 or being well prepared to respond to and recover from an attack or other event such as
10 vandalism. Active and effective security programs, therefore, will include elements of
11 prevention (through access and intrusion detection and control, contaminant detection and
12 monitoring, physical hardening of systems, inherently safer design and construction choices,
13 and controlling access to security-sensitive information), preparedness (through having plans
14 and procedures in place and building the successful partnerships and communication
15 mechanisms needed to prevent and respond to an attack), and response, consequence
16 management, mitigation, and recovery. Each of these aspects of protection are addressed
17 more fully in the fourteen features of active and effective water security programs described in
18 Recommendations.
19
20 The WSWG believes that creating and sustaining public confidence deserves special
21 consideration. Many of the WSWG members who own or operate water and wastewater utilities
22 were particularly concerned about sustaining public confidence. Reliable, safe water is an
23 expectation in the United States. Any real or perceived threat to the safety of the water supply
24 could—even if no sickness or death occurs—have a significant adverse effect on public health
25 and safety and the economy by causing customers to mistrust water supplies. Utility operators
26 are very concerned about this potential outcome, and about the ability of a utility to effectively
27 recover from a loss of public confidence. Later recommendations on developing reliable
28 partnerships and on communication contemplate that all utilities will take steps to create and
29 sustain public confidence as part of an active and effective security program.
30
Draft WSWG Report—3/21/05
Page 25
-------�
DRAFT Doss hjof Rapressi>t the Consensus of tha WS
1 Significant System Failures and Key Threats
2
3 Recommendation 3: Active and effective security programs should consider six
4 significant system failures and four key threats, as described below.
5
6 After discussing the scope of active and effective security programs, the WSWG discussed the
7 specific potential significant system failures that should be guarded against and the types of
8 potential threats that might bring about significant system failures. Significant system failures
9 are those that, if they occur, are likely to disrupt or endanger public health, safety, or
10 confidence. The WSWG identified six significant system failures water and wastewater utilities
11 should consider when developing an active and effective security program.
12
13 ^ Loss of pressurized water for a significant part of the system.
14 •••* Long-term loss of water supply, treatment, or distribution.
15 -* Catastrophic release or theft of on-site hazardous chemicals affecting public health.
16 "j> Adverse impacts to public health or confidence resulting from a contamination threat or
17 incident.
18 -* Long-term loss of wastewater treatment or collection capacity.
19 »> Use of the collection system as a means of attack on other targets.
20
21 Key threats are actions that have the potential, individually or in combination, to cause a
22 significant system failure. The WSWG defined four key threats that water and wastewater
23 utilities should consider when developing an active and effective security program.
24
25 *£ Physical disruption of core facilities, such as chemical storage, or interdependent
26 infrastructure, such as power and transportation, either through direct physical targeting or
27 as a result of collateral damage.
28 -•> Chemical, biological, or radiological material used to contaminate water supplies or
29 infrastructure.
30 •& Cyber attack on information technology assets to disrupt service and/or obtain confidential
31 information.
32 -* Use of conveyance tunnels or storm, sanitary, or combined sewers to stage an attack
33 against utilities or other targets.
34
Draft WSWG Report—3/21/05
Page 26
-------�
DRAFT ..... Ooss ^ot Rspmssint th«? Consensus of ths VVS
1 The WSWG emphasizes that these significant system failures and key threats are meant only
2 as a standard set of possibilities a utility should consider when choosing security priorities and
3 tactics for its specific active and effective security program. Consideration of the significant
4 • system failures and key threats will inform how utilities set specific security priorities and choose
5 security tactics and approaches, but the lists of major system failures and key threats do not
6 prejudge or demand any particular set of security tactics or approaches.
7
8 The exact definition of significant system failure for any given utility also will depend on utility-
9 specific conditions. For instance, what constitutes a "significant" part of a water distribution
10 system may be different for a large urban utility than for a small rural utility. Similarly, what
1 1 constitutes a "long-term" loss of collection or treatment capacity may be different depending on
12 backup or redundant systems, viable temporary alternatives, amount of material collected, and
1 3 environmental or economic sensitivity of receiving waters.
14
15 Some significant system failures and key threats will be more relevant to some utilities than
16 others. For instance, some utilities may be particularly concerned about cyber attack or use of
17 conveyance tunnels or storm, sanitary, or combined sewers to attack utility or other targets.
18 Other utilities, because of the nature of their operating systems or the size or location of their
19 infrastructure, may be less concerned about these potential threats. It is important for utilities to
20 consider the significant system failures and key threats critically, in light of their specific
21 circumstances and operating conditions. For some utilities other potential significant system
22 failures or key threats may be more important than those mentioned here.
23
24 In the context of significant system failures and key threats the WSWG also discussed
25 transportation of hazardous chemicals, such as chlorine. The Group feels strongly that utility
26 owners and operators should be aware of the schedules for hazardous chemicals being
27 transported to their facilities, the amount of hazardous chemicals in transit, and the expected
28 arrival dates. This information should be used to coordinate and collaborate with individuals
29 responsible for hazardous chemical transportation to enhance the security of hazardous
30 chemicals in transit, even as the primary responsibility for security of chemicals in transit
31 remains with the owners/operators of the transportation service.
32
Draft WSWG Report—3/21/05
Page 27
-------�
DRAFT Doss Mot Rsprassnt th« Consensus of the WS
1 Security Program Principles
2
3 Recommendation 4: Active and effective security programs should be built around
4 eleven principles, as described below.
5
6 In their deliberations on the scope and features of active and effective security programs, the
7 WSWG identified eleven principles that apply across utility circumstances and operating
8 conditions. These principles should be used by utility owners and operators to guide
9 identification of utility-specific security tactics and approaches. They are meant to provide a
10 thematic sense of the types of security tactics and approaches the WSWG believes will be most
11 effective across the widest range of utilities.
12
13 1. Security should be part of organizational culture and the day-to-day thinking of front-line
14 employees, emergency responders, and management.
15 2. A strong commitment to security by organization leadership and by the supervising body
16 such as the utility board or rate-setting organization is critical to success.
17 3. There is always something that can be done to improve security. Even when resources
18 are limited, the simple act of increasing organizational attentiveness to security will
19 reduce threat potential and increase responsiveness. Preparedness itself can help deter
20 attacks.
21 4. Prevention is a key aspect of enhancing security.
22 5. Movement towards practices that are inherently safer (i.e., have a lower risk potential)
«
23 may enhance security.
24 6. Security programs require ongoing management and monitoring and an ongoing budget
25 commitment. A continual reassessment model, where changes are implemented over
26 time as experience with security increases, may be useful.
27 7. Consideration of security issues should begin as early as possible in facility construction
28 (i.e., it should be a factor in building plans and designs).
29 8. The relationship between practices that increase safety and those that increase security
30 must be recognized and managed. Safety and security may complement each other,
31 may be neutral, or may conflict. For example, a SCADA system provides valuable
32 operating safety information but also may introduce a vulnerability that someone could
33 use to cause harm or mislead operators. Similarly, permanently locking a door for
34 security reasons might create a safety barrier to an emergency exit.
Draft WSWG Report—3/21/05
Page 28
-------�
DRAFT ..... Doss Not Represent the Consensus of the W8WG
1 9. Strong relationships with response partners and the public strengthen security and
2 public confidence.
3 10. Investment in security should be reasonable considering utilities' specific circumstances.
4 Where threat potential or potential consequences are greater, greater investment likely
5 is warranted.
6 11. Products and deliberations should be developed in a transparent way and should
7 encourage transparency in individual utilities' security-related decisions, consistent with
8 the need to hold security sensitive information (i.e., attributable information about utility-
9 specific vulnerabilities and tactics) closely. $$wt& W$W® jtt$*$Nf$ ftftl*
1 0 cbocena a&o&f ##s bvSet Tfefe *ssw 'cmiimte® & 6* yucter scfcVe {fetfoerstwt m
12
13 The WSWG emphasizes that, as with the recommendations on program scope and features,
14 these principles for active and effective security programs do not prejudge or prescribe specific
15 security tactics or approaches. As discussed earlier in this report, there will be wide variability in
16 security tactics and approaches across utilities, and this variability is appropriate given the
17 range of utility-specific circumstances and operating conditions. Again, the important outcome is
18 that all utilities, regardless of size or circumstance, should address security in an informed and
19 systematic way, consider their specific circumstances and operating conditions, and develop,
20 implement, monitor, and improve specific security approaches and tactics to create an active
21 and effective security program appropriate to utility-specific conditions.
22
23 Security Program Features
24
25 Recommendation 5: Active and effective security programs should include fourteen
26 features, described below.
27
28 From their agreement on the scope and principles of active and effective security programs and
29 the need to tailor specific security tactics and approaches to utility-specific circumstances and
30 operating conditions, the WSWG turned to defining the common features of active and effective
31 security programs. The idea behind defining common features of active and effective security
32 programs is to provide for consistency in security program outcomes, guide utilities'
33 consideration and selection of specific security tactics and approaches, and create a foundation
34 from which improvements in security can, overtime, be measured and described.
Draft WSWG Report— 3/21/05
Page 29
-------�
DRAFT Doss Mot R&presant th« Consensus of the WSWG
1
2 The fourteen program features described by the WSWG purposefully define high-level security
3 program outcomes. They were selected from among many potential features of security
4 programs as those that, in the experience and view of the WSWG, are most important to
5 increasing security and most relevant across the broad range of utility circumstances and
6 operating conditions. The fourteen features are listed below.
7
8 1. Make an explicit and visible commitment of the senior leadership to security.
9 2. Promote security awareness throughout the organizations.
10 3. Assess vulnerabilities and periodically review and update vulnerability assessments to
11 reflect changes in potential threats and vulnerabilities.
12 4. Identify security priorities and, on an annual basis, identify the resources dedicated to
13 security programs and planned security improvements, if any.
14 5. Identify managers and employees who are responsible for security and establish
15 security expectations for all staff.
16 6. Establish physical and procedural controls to restrict access to utility infrastructure to
17 only those conducting authorized, official business and to detect unauthorized physical
18 intrusions.
19 7. Employ protocols for detection of contamination consistent with the recognized
20 limitations in current contaminant detection, monitoring, and surveillance, technology.
21 8. Define security-sensitive information, establish physical and procedural controls to
22 restrict access to security-sensitive information as appropriate, detect unauthorized
23 access, and ensure information and communications systems will function during
24 emergency response and recovery.
25 9. Incorporate security considerations into decisions about acquisition, repair, major
26 maintenance, and replacement of physical infrastructure; this should include
27 consideration of opportunities to reduce risk through physical hardening and the
28 adoption of inherently lower risk design and technology options.
29 10. Monitor available threat-level information; escalate security procedures in response to
30 relevant threats.
31 11. Incorporate security considerations into emergency response and recovery plans, test
32 and review plans regularly, and update plans as necessary to reflect changes in
33 potential threats, physical infrastructure, utility operations, critical interdependencies, and
34 response protocols in partner organizations.
Draft WSWG Report—3/21/05
Page 30
-------�
DRAFT Doss hJof Rapmsss^t t.b
-------�
DRAFT Doss Not fepressnt th« Consensus of the
1
2 Ongoing Improvement
3
4 Recommendation 6: Water and wastewater utilities should reassess and seek to improve
5 their security programs on an ongoing basis.
6
7 Ongoing reassessment and improvement of security programs is important to keep programs
8 "fresh" and effective, and take advantage of emerging approaches and new technologies.
9 Ongoing reassessment also will increase the effectiveness and efficiency of security programs
10 and organizations over time. In an ongoing reassessment and improvement system there is
11 regular, explicit evaluation of tactics and approaches and thoughtful assessment of how these
12 tactics and approaches might be improved. Utilities should undertake regular and explicit
13 evaluation and testing, or exercising, of their security programs; document program failures; and
14 identify program improvements. These evaluations are best undertaken by a team of
15 individuals that includes not only line and executive managers responsible for security, but also
16 line employees who have security-related duties. Implementation of security programs should
17 be thoroughly documented and monitored, so that progress in improving security programs can
18 be identified and evaluated and further changes and improvements made. At a fundamental
19 level, a system of continual reassessment and improvement is about the attitude a utility takes
20 towards security. Like developing a security-improvement culture (discussed in
21 Recommendation 5), successful reassessment and improvement approaches rely on
22 employees at all levels of an organization making a commitment to doing their part to improve
23 security.
24
25 A commitment to continual reassessment and improvement is critically enabled by clear,
26 measurable goals for security performance and timelines for achieving this performance. Later
27 in this report, the WSWG recommends a series of measures related to each of the fourteen
28 security program features. These measures form a starting point from which utilities can
29 develop security-related goals.
30
Draft WSWG Report—3/21/05
Page 32
-------�
DRAFT Doss Mot Raprftssint th« Coswmsus of 1h«* V^SWCS
1 Improve Connections with Public Health
2
3 Recommendation 7: Relationships between the water and wastewater utility sector and
4 the public health sector should be strengthened.
5
6 Historically, connections between water and wastewater utilities and the public health
7 community have tended to be ad hoc. Water and wastewater utilities and public health
8 organizations need to develop stronger working relationships so they are better prepared to
9 detect problems, and respond and recover in the event of an emergency. Opportunities for
10 collaboration between water and wastewater utilities and public health agencies should be
11 provided through commitment to regular communication, and ongoing joint training, planning,
12 and exercises. It also is important for utilities and public health organizations to plan together
13 for consistency of messages in a utility-related emergency. Coordination is important at all
14 levels of the public health community—national public health, county health agencies, and
15 health-care providers such as hospitals.
16
17 Information sharing between utilities and public health agencies can enhance detection and
18 response. For example, increased complaints to water utilities or public heath agencies could
19 indicate a problem when coupled with other public health surveillance data or routine water
20 quality monitoring data. Given current limitations on physical and chemical monitoring
21 technologies, attention to public health data may be the main form of contaminant detection and
22 monitoring for water-related health problems.
23
24 It may be helpful for utilities and public health organizations to establish formal agreements on
25 coordination. These agreements could ensure regular exchange of information between utilities
26 and public health organizations and outline roles and responsibilities during response to and
27 recovery from an emergency.
28
29 Support Development of Contaminant Monitoring Technologies
30
31 Recommendation 8: Development and distribution of reliable, affordable contaminant
32 monitoring technologies is important to improving utility security and should be
33 facilitated and supported by government
34
Draft WSWG Report—3/21/05
Page 33
-------�
DRAFT Doss. hJot Rsspfosusi>t tho Consensus of the WJ5WC3
1 In the feature of an active and effective security program, the WSWG calls on utilities to employ
2 protocols for detection of contamination consistent with the recognized limitations in current
3 contaminant monitoring technologies. Currently, utilities' ability to undertake chemical,
4 biological, and radiological monitoring of contamination is limited in large part by the lack of
5 reliable or affordable technology and the lack of guidance or experience to interpret monitoring
6 results. While development of instruments and methodologies for chemical, biological, and
7 radiological monitoring for contamination already is an evolving area with research underway,
8 more progress is needed to provide for more direct and real time methods for contaminant
9 monitoring and interpretation of monitoring data. The WSWG strongly encourages government
10 to continue and increase financial and other support for the development of chemical, biological,
11 and radiological monitoring technologies, and to assist utilities in creating protocols and
12 guidance for interpretation of contaminant monitoring data.
13
14 Relationship to the Multibarrier Approach, or Security Layering
15 [Some WSWG members have expressed concern about this discussion.
16 lt«s issue continues to be tmder active deliberation in the WSWG, and the
17 text below may change based on the Group's final deliberations.l
18
19 The WSWG sees its approach to security recommendations and the fourteen features of an
20 active and effective security program as consistent with the widely used multibarrier approach to
21 drinking water safety. In a multibarrier approach, multiple barriers covering the full scope of
22 utility infrastructure are chosen in consideration of utility-specific circumstances and operating
23 conditions and are implemented as an integrated, seamless system. In security, this approach
24 is called protection in depth, or security layering. A multibarrier or security layering r approach
25 calls on utilities to use a combination of public involvement and awareness, partnerships, and
26 physical, chemical, operational, and design controls to increase overall program performance.
27 Multibarrier or security layering approaches recognize that a combination of efforts throughout a
28 utility will be more robust than reliance on any single tactic or point of influence. By relying on
29 multiple, integrated barriers spanning the breadth of utility infrastructure, the protection offered
30 by a multibarrier or layering approach is greater than the sum of its individual parts.
31
32 The WSWG's recommendations on security also take a multibarrier or security layering
33 approach. They call on utilities to understand the specific, local circumstances and conditions
Draft WSWG Report—3/21/05
Page 34
-------�
DRAFT Doss ?tot Rapre*;s!>t the Consensus of the WSWG
1 under which they operate and to develop an enterprise-wide security program tailored to those
2 specific circumstances and operating conditions. The WSWG recommends an integrated
3 combination of utility-specific tactics that address:
4
5 ^ prevention through intrusion detection and access control, contaminant detection and
6 monitoring, physical hardening of systems, inherently safer design and construction choices,
7 and controlling access to security-sensitive information;
8 -:# preparedness through having plans and procedures in place and building the successful
9 partnerships and communication mechanisms needed to prevent and respond to an attack;
10 and
11 ~> response, consequence management, mitigation, and recovery in the event of an attack.
12
13 WSWG recommendations call on utilities to address security in all elements of utility
14 infrastructure: from source water to distribution, through collection and wastewater treatment,
15 and to consider the full scope of potential significant system failures and key threats that must
16 be protected against.
17
18 The performance of an enterprise-wide, integrated security program will be more robust than the
19 performance of the combination of un-integrated, individual security tactics. Utilities that have a
20 multibarrier approach to drinking water quality in place may be able to use that program as the
21 basis for a security layering program. The WSWG encourages utilities to apply security layering
22 thinking to security and to learn from multibarrier drinking water quality approaches when
23 establishing security layering programs.
Draft WSWG Report—3/21/05
Page 35
-------�
DRAFT Ooss hSot R&prsssnt the Consensus of the WS
1 III. Incentives
2
3 The second component of the mission given to the Water Security Working Group (WSWG or
4 Group) by the National Drinking Water Advisory Council (NDWAC) was to "consider
5 mechanisms to provide recognition and incentives that facilitate a broad and receptive response
6 among the water sector to implement best security practices and policies, and make
7 recommendations as appropriate."
8
9 Approach to Developing Recommendations on Incentives
10
11 The WSWG began deliberations on incentives by considering what an incentive is. The Group
12 discussed that incentives are created by identification of desired behaviors and desired benefits.
13 If the desired behavior is broad implementation of active and effective security programs,
14 incentives will come from identification of the benefits, or reasons that might motivate utility
15 owners/operators to implement and maintain active and effective security programs.
16
17 The WSWG emphasizes that because of the nature of the utility business and the
18 responsibilities of utility owners/operators relative to public health and safety, most utilities are
19 motivated to implement active and effective security programs as part of their commitment to
20 serving their customers and communities by providing clean, reliable water and reliable sanitary
21 services. Most utilities see themselves as implementing a public trust, and take these
22 responsibilities very seriously. Most utility owners/operators and their families live in the cities
23 and towns that they serve, and have a deep commitment to furthering safe, healthy
24 communities. At the same time, the WSWG recognized that even with this motivation,
25 resources in utilities are not unlimited, and time, attention, and capital investment in security
26 improvements must compete against other priorities. As more time elapses since the terrorist
27 attacks of September 11, 2001, and new, successful attacks are not mounted, attention to
28 security may wane.
29
30 The WSWG discussed incentives as a way to help security improvements remain of high
31 concern and compete more effectively for attention and funding against other utility priorities. In
32 this context, the WSWG identified several benefits to utilities that could flow from
33 implementation and maintenance of active and effective security programs as a direct result of
Draft WSWG Report—3/21/05
Page 36
-------�
DRAFT ..... Doss Not Rapmseni th« C»nse?ssus; of the
1 the use of security practices and/or the adoption of effective incentives that enhance the
2 attractiveness of adopting or improving security practices to utilities.
3
4 •* More efficient/effective operations through inherently more productive practices.
5 -* More safe and secure working environment and community.
6 •* More solid, comprehensive business plan.
7 -* Better understanding and support in the community may help rate payers tolerate higher
8 rates corresponding to safer operating conditions.
9 -* Potential reduction in liability, with resultant reductions in insurance costs or premiums by
10 demonstrating actions consistent with industry guidelines for active and effective security
1 1 programs (conversely, if an active and effective security program is not implemented, liability
12 may increase). $&m& WBWQ mm&b&r& haw &xpr&s$etf M»m$t in giving an mampte q?
13 r&f<8mnc& ,t& sosbsteftffeteif &mt mmrme& casts' may &e re&uceti «$fc improved secan^
1 4 MttftttttM? ftytw. #w *tiw$te'&M&itt*$ p&ass $wtt'1fom &MW&
15 •* Regulatory flexibility might be offered if, for example, a permit or regulatory violation is
16 caused as a consequence of a successful attack.
17 <* More reliable and trusted utility performance and products, increasing community approval
1 8 ratings and public trust.
19 ^ Financial support for implementation of security improvements.
20
21 Summary of Recommendations on Incentives
22
23 The WSWG developed a number of recommendations on incentives. Recommendation 9
24 addresses the need to reinforce the importance of active and effective security programs and
25 the potential for negative consequences if security is not addressed. Recommendation 10
26 addresses the need to establish clear expectations and measures for active and effective
27 security programs. Recommendation 11 addresses recognition of security programs.
28 Recommendation 12 calls on EPA and others to establish a peer review system for utility
29 security. Recommendations 13 and 14 address technical assistance and other support for utility
30 security efforts. Recommendations 15 and 16 address funding for security by calling for direct
31 financial support and for education for utility oversight boards and rate-setting agencies.
32
33
34
Draft WSWG Report— 3/21/05
Page 37
-------�
DRAFT ..... Doss hJol Represent: the Consensus of the WSWCS
2
3
4 Understanding the Consequences of Failing to Address Security
5
6 Recommendation 9: EPA, DHS, state agencies, and water and wastewater utility
7 organizations should provide information on the importance of active and effective
8 security programs to utility owners and operators and should make owners and
9 operators more aware of the benefits of active and effective security programs and of the
10 potential negative consequences of failing to address security.
11
12 Information is a powerful motivator for action. In the utility community, trusted information
13 comes largely from utility organizations such as the American Water Works Association, the
14 Water Environment Federation, the Association of Metropolitan Sewerage Agencies, the
15 Association of Metropolitan Water Agencies, and the National Rural Water Association. Federal
16 and state agencies and officials also have a role to play in providing information. Because
17 utilities have many priorities, and competition for resources may be great, it is important that
18 security remain a high-profile concern.
19
20 While positive reinforcement of the importance of active and effective security programs may
21 provide adequate motivation for many utilities that are already interested in improving security, it
22 is also necessary to ensure that utilities have information about the potential negative
23 consequences of failing to address security. For utilities that are not yet motivated to address
24 security, information on the potential negative consequences of failing to act may be the factor
25 that prompts them to begin to take action. The WSWG identified a number of potential negative
26 consequences of failing to address security; these include increasing the potential for attack,
27 vandalism, or other interruption to utility services by making the utility an "easy" target; reduced
28 response capabilities in the event of an emergency; and potential liability if an attack or other
29 event interrupted utility services, injured people or property, or otherwise caused harm.
30
31 Information on the benefits of an active and effective security program and the potential
32 negative consequences of failing to address security also will raise public awareness of utility
33 security issues and may thereby increase public support for utility security efforts. Utilities are
34 very interested in what the public — their customers — want, and are very concerned about
Draft WSWG Report— 3/21/05
Page 38
-------�
DRAFT Ocas hJot feprossnt th« Consensus of ths WSWG
1 maintaining high levels of public support. Public pressure and support for security
2 improvements will assist utilities that are already taking steps to address security by providing
3 another argument in support of security investments, and may serve as further motivation for
4 utilities that have not yet addressed security issues.
5
6 Clear, Appropriate Expectations for Performance
7
8 {Sam® W£W&M&mb8r&ti&v&expfe^eticoncern about iffxt.on dear eipad&ffes. This jssm
9
10
11
12 Recommendation 10: EPA, DHS, state agencies, and water and wastewater utility
13 organizations should emphasize clear expectations for active and effective security
14 programs and clear measures of program performance, while providing the flexibility
15 utilities need to tailor security tactics and approaches to utility-specific circumstances
16 and operating conditions.
17
18 One of the key benefits of the WSWG effort is that it establishes clear expectations (see
19 recommendations 1-8) and measures (see recommendations 17-20) for active and effective
20 security programs. Because the WSWG is made up of many stakeholders, these expectations
21 are endorsed by a wide range of interested parties, including small and large utilities, public
22 health advocates and regulators, first responders, and environmental and public health interest
23 organizations. Establishing clear expectations is, on its own, a powerful motivator for utilities. It
24 creates an industry benchmark that utilities recognize and establishes a potential basis against
25 which decision makers within utility organizations, oversight agencies, financial and insurance
26 markets, peers, customers, and the public can evaluate progress. It is important to continue to
27 emphasize clear expectations for outcomes of active and effective security programs—to create
28 a yardstick against which utilities can measure themselves and to establish expectations about
29 performance industry wide. The WSWG emphasizes that this may be a particularly important
30 role for water and wastewater utility organizations, given their trusted status in the water sector
31 and considering the constraints on EPA, DHS and state resources.
Draft WSWG Report—3/21/05
Page 39
-------�
DRAFT Doss Hot Represent the Consensus of the W8WG
1 Recognition
2
3 Recommendation 11: EPA, DHS, state agencies, and water and waste water utility
4 organizations should develop programs and/or awards that recognize utilities that
5 develop and maintain active and effective security programs and that demonstrate
6 superior security performance.
7
8 Peer pressure and peer recognition are important in any profession. In the utility community,
9 owners and operators tend to be highly aware of the accomplishments of their peers and
10 attuned to peer recognition. Programs like the Partnership for Safe Water, the National
11 Biosolids Partnership, the American Water Works Association Exemplary Source Water
12 Protection Award and Public Communications Achievement Award, the Association of
13 Metropolitan Sewerage Agencies Peak Performance Award, the National Rural Water
14 Association Excellence Awards, and the Association of Metropolitan Water Association's Gold
15 and Platinum awards for Competitiveness Achievement and Sustained Competitiveness serve
16 to motivate utility action and recognize high achievement. Awards such as these can improve
17 utilities' standing in their communities, and increase public support and trust.
18
19 By developing awards focused on security performance and improvement, EPA and water and
20 wastewater utility organizations will continue to raise the profile of security in the utility industry,
21 reinforce the importance of developing and maintaining active and effective security programs,
22 and motivate utilities to enhance and accelerate security improvements. As award and
23 recognition programs are developed it will be important to remain sensitive to potential risks
24 associated with calling attention to security performance—in particular, some members were
25 concerned that security awards could make award-winning utilities more attractive targets by
26 drawing attention to them. This concern might be mitigated by incorporating security
27 considerations as an additional element of existing award programs that recognize overall
28 superior performance rather than developing stand alone security awards. Recognition also
29 might be provided by inviting utilities to participate as peer reviewers or experts in a utility
30 security peer review program. Award and recognition programs also should recognize that in
31 some cases the changes to utility operations needed for active and effective security programs
32 are more extensive—and may be more difficult to bring about—than the types of operational
33 changes or performance addressed by existing utility award programs.
34
Draft WSWG Report—3/21/05
Page 40
-------�
DRAFT Doss Not Raproses^t th« Gen&fcrjsus of t
1 As discussed in recommendation 10 on development of clear expectations for water security,
2 development of award and recognition programs may be a particularly important role for water
3 and wastewater utility organizations, given their generally trusted status in the water sector and
4 considering the constraints on EPA, DHS and state resources.
5
6 Peer Review
7
8 Recommendation 12: EPA, DHS, state agencies, and water and wastewater utility
9 organizations should support development and implementation of a voluntary utility
10 security peer technical assistance and review program.
11
12 As discussed in recommendation 13 on technical assistance, forging connections between
13 peers is a highly effective means to deliver assistance. Technical assistance and circuit rider
14 programs such as those put in place by the Rural Community Assistance Partnership, and the
15 National Rural Water Association succeed because they rely on individuals with similar
16 backgrounds and responsibilities working together to learn from one another. For example, in
17 2000 the Dade County Water & Sewer Authority worked with other South Georgia utilities to
18 develop the Small System Peer Review Team. The Team matches experts from small, rural
19 water systems that have information or advice to share with small systems that need help.
20 What began in South Georgia has now spread to Kentucky, Mississippi, Virginia, and Tribal
21 Governments on the East Coast. Remarkable results have been achieved, in Georgia, Safe
22 Drinking Water compliance rates have climbed from 73% before the program to 96% today.
23
24 A utility security peer technical assistance and review program would motivate utilities to seek
25 help in developing active and effective security programs and, by delivering the help in a way
26 that is practical, easy-to-use, and respected, inspire utilities to take action. Programs such as
27 those put in place by the Rural Community Assistance Partnerships, the National Rural Water
28 Association, the Small System Peer Review Team, and the QualServe Self Assessment and
29 Peer Review Program can serve as models for successful peer approaches.
30
31 In addition to helping utilities put active and effective security programs in place, a successful
32 peer review program can increase confidence in utility security programs. Earlier in this report
33 (see feature #14) the WSWG recommended that active and effective security programs should
34 include utility-specific measures of program achievement and regular self assessment. Peer
Draft WSWG Report—3/21/05
Page 41
-------�
DRAFT Doss Mot Rapressnt the Consensus of the WSWCS
1 review could be an important complement to utility self assessment by offering confirmation of
2 self assessment findings or alternative views and advice on needed security improvements.
3
4 Technical Assistance
5
6 Recommendation 13: EPA, DHS, state agencies, and water and wastewater utility
7 organizations should help utility owners and operations develop active and effective
8 security programs by providing information on different types of technical assistance,
9 including technology verification information.
10
11 Where utilities already are motivated to address security issues, technical assistance programs
12 can provide critical added expertise or support that is needed to make good intentions towards
13 security a reality. Where a utility is not yet motivated to address security issues, technical
14 assistance can provide the support needed to make security approachable enough to overcome
15 resistance. Currently, there are many effective technical assistance programs and resources
16 designed to assist utility owners and operators in their efforts to comply with the requirements of
17 the Bioterrorism Act of 2002 and to improve water and wastewater security. These include EPA
18 guidance documents such as the Response Protocol Toolbox, ongoing training and assistance
19 efforts offered by states, EPA, and utility industry associations, circuit rider programs such as
20 those put in place by the National Rural Water Association and the Rural Community Assistance
21 Partnership, ongoing federally-funded research into security approaches and products and
22 comparative information on security products such as the EPA Security Product Guides, and
23 online, accessible libraries of information on contaminants and other security-related topics such
24 as the WaterlSAC. It is important that these efforts continue and be expanded.
25
26 In particular, utilities would be helped in their efforts to implement active and effective security
27 programs by reliable, practical information on the performance capabilities of various security
28 technologies. As security has become a higher-profile concern in the utility industry, a
29 proliferation of security vendors has come forward to market a vast array of security-related
30 tools and technologies. Independent verification of the performance of these tools and
31 technologies, such as that provided through EPA's Technology Testing and Evaluation Program
32 (TTEP) would be a valuable incentive to utilities and would help ensure that utilities get the most
33 benefit from their investments in security. The primary focus of the TTEP program is the testing
34 of commercially available technologies with a keen eye toward focusing on the end users'
Draft WSWG Report—3/21/05
Page 42
-------�
DRAFT Doss hJof Rapressnt. the Consensus of tho>
1 security needs. Homeland security technologies for detection, monitoring, treatment,
2 decontamination, computer modeling, and design tools will be tested against a wide range of
3 performance characteristics, requirements, and specifications. Performance results will be
4 reported in testing summaries and side-by-side comparisons between products.
5
6 In providing technical assistance, EPA and water and wastewater utility organizations should
7 keep in mind that different types of assistance may work better for different utilities, depending
8 on utility-specific circumstances and operating conditions. For example, smaller utilities without
9 staff specifically dedicated to security might be best helped through question and answer
10 hotlines, in-person assistance and training, or periodic workshops. Larger utilities with a
11 security staff may be able to make better use of studies, guidance documents, or other
12 approaches.
13
14 The WSWG emphasizes that regardless of the type of technical assistance, there are three
15 important elements of technical assistance that should be considered as this recommendation is
16 implemented.
17
18 First, assistance must be relevant to the receiver. EPA and others should reach out to the utility
19 community to ascertain what information, tools, and training they would find most valuable. This
20 should recognize that the needs of large utilities likely are different from the needs of small
21 utilities, and that tailored, or different, materials may be needed for different audiences.
22
23 Second, assistance is best received when it comes from a respected peer. Every effort should
24 be made to involve utility owners and operators and their peers in developing and providing
25 technical assistance to themselves. Circuit rider and technical assistance programs such as
26 those put in place by the Rural Community Assistance Partnership, the National Rural Water
27 Association, and peer review programs such as the Small System Peer Review Team, and the
28 QualServe Self Assessment and Peer Review Program succeed because they rely on
29 individuals with similar backgrounds and responsibilities working together to learn from one
30 another.
31
32 Third, assistance materials must be easy to use and accessible. The vast majority of utilities
33 are small systems that will not have staff specifically dedicated to security and will have limited
34 time, attention and resources to devote to security. It is critical that technical assistance
Draft WSWG Report—3/21/05
Page 43
-------�
DRAFT Doss Not Rspressnt th« (Consensus of the WSWO
1 information be well organized, clearly written, and focused on practical, implementation-oriented
2 steps that utility operators can take to improve security. Whenever possible, checklists, tables,
3 or other devices should be used to provide information in an easily accessible way. No one has
4 time to pour through a fifty-page document to find the information relevant to them. In particular,
5 utilities would be helped by easy-to-use information about effective security program
6 approaches and tactics, case studies, model and/or example policies, procedures, templates
7 and agreements, checklists, and other practical information. EPA and states should consult
8 further with utilities to understand what types of technical assistance programs and documents
9 are currently considered helpful and should build upon, support, or replicate successful models.
10
11 Access to Security-Related Support and Planning
12
13 Recommendation 14: EPA, DHS, and other federal and state agencies should support
14 utility security programs by helping utilities obtain access to needed security-related
15 support systems and infrastructure, and by supporting inclusion of utilities in security
16 exercises.
17
18 For utilities to succeed in improving security, they need to become an integral part of the web of
19 security-related improvements that have been put into place since the terrorist attacks of
20 September 11, 2001. Including utilities in this way will directly improve utility security, reinforce
21 the idea of security partnerships between utilities, law enforcement, and first responders, and
22 improve communication between utilities and their partners. In particular, utilities need access
23 to secure joint incident command communication technologies and related security
24 communication band-width, and they need to be part of law enforcement's planning for
25 communications in the event of an emergency. Utilities also should take an active role in
26 collaborative partnerships and mutual aid and mutual assistance agreements. An example of
27 the latter is the Water and Wastewater Agency Response Network, which provides
28 reimbursable mutual assistance and indemnification for water and wastewater agencies
29 throughout California. Similarly, representatives of Milwaukee Water Works, the Milwaukee
30 Health Department, the Department of Public Works, Milwaukee Metropolitan Sewerage District,
31 State of Wisconsin Division of Health, and Wisconsin Department of Natural Resources meet
32 monthly in a Water-Health Technical Committee to exchange information, review watershed
33 testing and epidemiological reports, and discussed shared water quality and health goals.
34 Finally, utilities should be part of local and regional disaster and emergency response planning
Draft WSWG Report—3/21/05
Page 44
-------�
DRAFT Doss fef Rapressi>t the Consensus of tha WSWG
1 and preparation, and should be included in joint table-top and other exercises such as the
2 TOPOFF3 exercise currently in progress. This inclusion will foster testing of utility security
3 approaches and tactics and encourage closer connections, and better communication and
4 partnership with law enforcement, public health, and other first responders.
5
6 Financial Support
7
8 Recommendation 15: Congress, EPA, DHS and other federal agencies should support
9 security enhancements with grant and loan programs focused on security.
10
11 Federal government spending on security has increased dramatically since the terrorist attacks
12 of September 11, 2001. The Federal government supports utility investments in security by
13 providing grant support to states public health, emergency preparedness and response, and
14 environmental agencies so that these organizations can provide support for utilities, making
15 some grants directly available to utilities, and providing grant and other support to utility industry
16 associations, research institutions, and others to support efforts to provide training, technical
17 assistance, and development of assistance tools for water security. It is important that this
18 financial support continue and expand, and that funds are focused on efforts that directly
19 support utility security improvements and made available to all utilities regardless of ownership
20 status. The WSWG particularly supports direct grants to utilities to assist with security
21 improvements.
22
23 As a complement to direct financial support dedicated specifically to security, EPA and other
24 federal agencies also should increase funding in existing financial assistance programs, such as
25 the Drinking Water State Revolving Fund and the Wastewater State Revolving Fund (loan funds
26 for improvements to drinking and wastewater infrastructure), so that funds are available for all
27 critically needed improvements, including security improvements. WSWG acknowledge that, as
28 a practical matter, given the current underfunding of the Drinking Water State Revolving Fund
29 and the Wastewater State Revolving Fund, it is difficult (if not impossible) to fund in a timely way
30 investments needed to improve water quality and meet new maximum contaminant limit
31 standards. The WSWG emphasizes that new, increased, directed funding for the Drinking
32 Water State Revolving Fund and the Wastewater State Revolving Fund is needed if they are to
33 be considered practical methods of security funding. The Group emphasizes the need for new
34 resources dedicated to security - it is not the Group's intention for federal agencies to simply
Draft WSWG Report—3/21/05
Page 45
-------�
DRAFT Doss Mot Rssprese^t th« Consensus of the W8WG
1 shift funding from existing water programs to water security, or to simply re-prioritize spending
2 from the Drinking Water State Revolving Fund or the Wastewater State Revolving Fund.
3
5
6
7
9
10 Rate-Setting Organizations
11
12 Recommendation 16: Utility governing bodies should recognize costs associated with
13 implementing active and effective security programs. EPA, DHS, state agencies, and
14 utility organizations should provide educational and other materials to boards and rate
15 setting organizations to help them understand security costs.
16
17 For most utilities, rates are set by or in consultation with a governing body. Public utilities
18 generally have boards or other oversight organizations that are responsible for rate setting.
19 Private utilities generally are overseen by state utility commissions or other rate-setting
20 organizations. These governing bodies must balance many considerations in determining
21 allowable utility rates, and must form opinions about how much money and other resources are
22 needed to operate a utility, when capital improvements are needed, and other issues. Because
23 security improvements can represent significant capital investments, and because development
24 of active and effective security programs, even where capital investments are not needed,
25 requires resources, it is important that utility oversight boards and rate-setting organizations are
26 aware of security costs and provide for timely, appropriate recovery of security costs. Although
27 rate-setting organizations need reasonable information to document security costs, for
28 information security reasons, the amount and nature of the information provided to rate-setting
29 organizations to support increases in rates due to security costs must be balanced and
30 managed.
31
Draft WSWG Report—3/21/05
Page 46
-------�
DR AK-T ..... Doss hSot Rapfessftt the Consensus of this
1 Verification Programs
2
3 The WSWG considered programs that would provide for independent, third-party verification of
4 active and effective security programs as a possible method of enabling other incentives by
5 verifying utilities' security performance and as a means to increase consumer confidence in
6 utility activities. Ultimately, except for verification of the performance of security technologies as
7 discussed in recommendation 13, the Group rejected the notion that independent, third-party
8 verification programs were the most effective way to provide incentives for utilities to develop
9 active and effective security programs. The Group rejected independent, third-party verification
1 0 programs for a number of reasons.
11
12 First water and wastewater utilities use different design basis threats in their vulnerability
13 assessments, work towards multiple outcomes of interest, and, in addressing the features of
14 active and effective security programs, will create many and varied utility-specific security
15 approaches and tactics corresponding to many and varied utility-specific circumstances and
16 operating conditions. This variability would make independent, third-party verification difficult
17 and potentially resource intensive, given the need for an independent third-party to become
18 familiar with utility-specific circumstances and operating conditions at a level that would allow
19 review of security decisions, and could limit the usefulness of third-party assessments. Other
20 concerns about third party certification include lack of independence of third party certifiers, lack
21 of standards to qualify third party certifiers, lack of transparency and oversight, and lack of
22 resources for some small utilities to engage third party certifiers. Ultimately, the WSWG was not
23 convinced the potential benefits relative to incentives or consumer/regulatory confidence
24 potentially associated with third-party verification were sufficient to justify the difficulties and
25 resources needed to establish a third-party verification program. Instead, the WSWG believes
26 that, at this time, self assessment and peer review are the best ways both to encourage utilities
27 to implement active and effective security programs and provide for an appropriate level of
28 review and confirmation of utilities' efforts.
29
30 fSome W$W& irfeffito&rs #fv©. $xpf$$s&d:,$Qnc@rrt £&o#? text on varfobftify. . Thisissm contrasts
3 1 m M wkftr'afeSt* fam&mtfo m m vqsw&t «& $*>, && *&&&, m&y '&tw§& JMOMT ito 8*
33
Draft WSWG Report—3/21/05
Page 47
-------�
DRAFT ..... Doss Mot Represent, the Consensus of the WSWG
1 Regulation
2
3
4
6
7
8 When EPA announced the formation of the WSWG, the Agency expressed its intention to
9 facilitate "the development of voluntary best security practices." In the Group's deliberations,
10 when the topic arose, EPA reiterated its intention to move towards voluntary standards or
1 1 guidelines for active and effective security programs. Nonetheless, WSWG members choose to
12 talk about the possibility of water security regulations.
13
14 WSWG members have a range of views about the use of regulations as a way to motivate
15 implementation and maintenance of active and effective security programs. Some members
16 believe that well-crafted regulations would be a powerful and appropriate motivator. Members
17 who support regulations believe that regulations could be developed that establish the broad
18 outlines and expectations of utility programs, but leave significant flexibility for individual utilities
19 to design programs and choose security tactics that are practical given utility-specific
20 circumstances and operating conditions. Members who support appropriate regulation observe
21 that, without regulation, it is increasingly difficult for security implementation priorities to
22 compete for attention and funding against priorities that do have a regulatory mandate.
23
24 Some other members are not supportive of regulation. Members who do not support regulation
25 believe that regulations are not necessary to prompt utilities to implement and maintain active
26 and effective security programs. They note the significant investments in security already made
27 by water and wastewater utilities, and further observe that, given this progress, any regulatory
28 effort would likely result in some utilities having to re-do security programs that are already in
29 place and functioning well. Members who do not support regulation believe that it would be
30 difficult to craft sufficiently flexible regulatory frameworks that could accommodate the types of
31 significant flexibility in utility-specific security approaches and tactics that utilities need, and that
32 regulations would tend to create a "one-size-fits-aH" approach.
33
Draft WSWG Report—3/21/05
Page 48
-------�
DRAFT Do-as. Moi Rapress^t tine Consensus of tm>> WSWG
1 Regardless of their views on regulation, WSWG members agree that it is important for utilities to
2 step up to the challenge of voluntarily implementing active and effective security programs. The
3 Group recognizes that in the absence of substantial progress by the industry, EPA or DHS may
4 decide that security regulations are needed. This potential for regulation in the future is a
5 powerful motivator for utilities to voluntarily design and implement active and effective security
6 programs.
Draft WSWG Report—3/21/05
Page 49
-------�
DRAFT Doss Mot Raprftssnt the Consensus of the-
1 IV. Measures
2
3 The third component of the mission given to the Water Security Working Group (WSWG or
4 Group) by the National Drinking Water Advisory Council (NDWAC) was to "consider
5 mechanisms to measure the extent of implementation of these best security practices and
6 policies, identify the impediments to their implementation, and make recommendations as
7 appropriate." WSWG deliberations about measures focused on mechanisms to measure the
8 extent of implementation of active and effective security programs at individual utilities and
9 throughout the water sector.
10
11 Approach to Developing Recommendations on Measures
12
13 In deliberations about measures, the WSWG was guided by a number of principles.
14
15 •* As a starting point, measures must help individual utilities to better understand their own
16 performance relative to the utility-specific active and effective security program efforts.
17 •* Walk before you run—in the beginning, simple, binary (e.g., yes/no) measures focused on
18 activities may be appropriate for some measures at some utilities; over time utilities should
19 strive for measures of program achievement and performance.
20 ••;:• Strict comparability across utilities is not supportable for all measures at this time.
21 -? You need to know what you plan to do before you can measure it—clear security policies,
22 plans, and priorities are important precursors to effective measurement.
23 -* Who will measure, who will use the measure, and how it will be used are important to the
24 acceptance of the measure by utilities and the ability of customers and the public to trust
25 measurement results.
26 -* A measure's baseline should not penalize proactive organizations.
27 -••f Developing and tracking a measure should not compromise security.
28
29 From these principles, the WSWG developed a three-part approach to measures. First, earlier
30 in this report (see Recommendation 5, feature #14) the Group recommends that water and
31 wastewater utilities should develop utility-specific security program measures as part of an
32 active and effective security program. Measures should be appropriate to utility-specific
33 circumstances and operating conditions and should reflect the specific security approaches and
Draft WSWG Re po rt—3/21 /05
Page 50
-------�
DRAFT Doss Not Rapros«;>t th« Consensus of tha WSWG
1 tactics a utility has chosen. In Appendix C, the Group lists a number of measures that utilities
2 should consider when developing utility-specific measurement programs. While they will not be
3 applicable to all utilities, measures listed in Appendix C represent the WSWG's best thinking on
4 a menu of good measures utilities might choose from.
5
6 Second, the WSWG identified a number of particular measures that address critical security
7 needs and apply regardless of utility size or circumstances. These measures are listed in
8 recommendation 18. They are related to particular features of an active and effective security
9 program, and represent the minimum necessary for credible self-assessment and
10 measurement.
11
12 Third, the WSWG identified three measures that, when reported by individual utilities and
13 aggregated nationally would provide a practical basis for understanding and evaluating sector-
14 wide security progress.
15
16 Attributes of Good Measures
17
18 As part of their deliberations, the WSWG discussed and identified eight attributes of a "good"
19 measure, as follows.
20
21 >* Objective. More objective items make better measures than subjective items.
22 <* Measurable. Items that can be measured by standard, accepted methods or devices, with
23 standard units of measure, are better than items that have less accepted or standard
24 methods or devices of measurement.
25 -& Defined. Items that use standard, well understood definitions of key terms make better
26 measures than items where key terms are less well defined.
27 •"? Trackable. Items that support tracking changes in performance over time against a stable
28 baseline make better measures than items that do not have a stable baseline or cannot be
29 tracked over time.
30 ~> Relevant/useful. Items that are relevant and useful to day-to-day utility operations, core
31 business functions, and the utility owners and operators who are expected to gather and use
32 measurement data make better measures than items that are less relevant to utility
33 operations. Measures that speak to program achievement or performance generally are
34 more relevant and useful than measures of program activities.
Draft WSWG Report—3/21/05
Page 51
-------�
DRAFT Does Hot Raprose»t the Consensus of the WSWC3
1 ••» Specific. The more specific the item being measured, the better.
2 •* Communicable/understandable. Items that can be easily communicated and understood
3 within a utility and to external partners and the public make better measures than items that
4 are more difficult to communicate to non-utility audiences.
5 •* Generalizable/comparable. Items that can be compared among utilities or aggregated to
6 describe sector-wide progress make better measures than items that cannot be compared
7 or generalized.
8
9 The WSWG discussed the attributes of good measures as broad indicators or preferences,
10 rather than strict criteria. The Group recognized and was comfortable that (1) there is
11 considerable overlap among attributes, and (2) not all measures described or recommended by
12 the Group will exhibit all attributes of good measures. The attributes of good measures are
13 considerations that the Group used in identifying, describing, and recommending measures;
14 however the Group may describe or recommend measures that do not exhibit all the attributes
15 of good measures.
16
17 Types of Measures Considered
18
19 The WSWG considered two types of measures: measures of activity and measures of
20 achievement. Measures of activity generally address inputs to a security program—that is, they
21 consider whether a utility has addressed each feature of an active and effective security
22 program by conducting program activities, such as establishing policies and procedures,
23 assigning responsibilities, and conducting activities (e.g., inspections, training, drills). The
24 WSWG believes a sense of security outcomes/achievement can be inferred from activity
25 measures, because activity measures assess the extent to which utilities are paying attention to
26 security issues and the extent to which utilities have addressed the features of active and
27 effective security programs.
28
29 Measures of achievement generally address the results of activities—that is, whether the way
30 utilities have addressed individual features of an active and effective security program actually
31 improves utility security. Achievement measures address whether and how activities are
32 working to achieve program goals or outcomes. The Group believes both measure types are
33 valuable and appropriate for water and wastewater security programs.
34
Draft WSWG Report—3/21/05
Page 52
-------�
DRAFT Doss Not Represent. th« OOHSMSOSUS of the WSWG
1 Summary of Recommendations on Measures
2
3 The WSWG makes three recommendations on measures. Recommendation 17 identifies
4 measures that apply regardless of utility-specific security tactics and approaches and
5 establishes the expectation that all utilities will include these measures in their utility-specific
6 measurement programs. Recommendation 18 encourages utilities to consider the list of good
7 measures that the WSWG developed when establishing utility-specific measurement programs.
8 Finally, Recommendation 19 addresses national, aggregate measures of sector-wide security
9 progress.
10
11 fT&xtvtt s&tett mmpambiitym&fGd &> ctfewssim '
-------�
DRAFT Doss Mot Rspresss>t the Consensus of tha WSWG
1 «3» Are security priorities clearly identified, and to what extent do security priorities have
2 resources assigned to them?
3 <* Are managers and employees who are responsible for security identified?
4 -* To what extent are methods to control access to sensitive assets in place?
5 ^ Is there a protocol/procedure in place to identify and respond to suspected contamination
6 events?
7 •*> Is there a procedure to identify and control security-sensitive information, is information
8 correctly categorized, and how do control measures perform under testing?
9 •* Is there a protocol/procedure for incorporation of security considerations into internal utility
10 design and construction standards for new facilities/infrastructure and major maintenance
11 projects?
12 ^ Is there a protocol/procedure for responses to threat level changes?
13 <•* Do exercises address the full range of threats—physical, cyber, and contamination—and is
14 there a protocol/procedure to incorporate lessons learned from exercises and actual
15 responses into updates to emergency response and recovery plans?
16 -•? Is there a mechanism for utility employees, partners, and the community to notify the utility
17 of suspicious occurrences and other security concerns?
18 •* Have reliable and collaborative partnerships with customers, managers of independent
19 interrelated infrastructure, and response organizations been established?
20
21 The measures identified here are not the only measures a utility might use in their self-
22 assessment and measurement program; rather, they are specific aspects of implementing the
23 features of an active and effective security program the WSWG believes are critically important
24 and apply regardless of utility size, circumstance, or operating conditions. In large part, they are
25 activity measures. They consider whether a utility has addressed each feature of an active and
26 effective security program by conducting program activities, such as establishing policies and
27 procedures, assigning responsibilities, and conducting inspections, training, and drills
28 associated with each feature. Over time, it may be desirable for water sector stakeholders to
29 work further with EPA and other federal agencies and stakeholders to develop supplemental
30 measures more specifically focused on program achievement.
31
32 The measures identified by Recommendation 18 are specifically tied to each feature of active
33 and effective security programs. They describe the minimum effort necessary for measurement
34 and self assessment. Each is phrased as a question. In some cases the answer may be a
Draft WSWG Report—3/21/05
Page 54
-------�
DRAFT Doss h)of Represent the Consensus of th& W8WG
1 simple yes/no; in others more information may be needed. The WSWG emphasizes it is
2 recommending these measures as part of utility-specific self-assessment programs. In other
3 words, the only audience for these measures is the utility doing the measuring and anyone with
4 whom the utility elects to share information. (For example, a utility might elect to share
5 measurement information with a peer reviewer in the context of a voluntary peer review.)
6 Utilities should use these measures to candidly and thoughtfully evaluate their security
7 performance and to identify opportunities to further improve their security posture.
8
9 Readers are encouraged to refer to Appendix A for a discussion of each feature and measure.
10 These discussions include information on the WSWG's views about how each feature might be
11 implemented, examples of successful implementation strategies, and identification of challenges
12 to overcome. Appendix B shows the recommended features of an active and effective security
13 program and the associated recommended measures.
14
15 Note that, consistent with their early agreement that "one size does not fit all" and recognition
16 that utilities will develop specific security approaches and tactics appropriate to individual utility
17 circumstances and operating conditions, the WSWG decided not to recommend strict
18 comparability of measurement results among utilities at this time. The Group discussed
19 examples of other industries that have developed strict comparability across installations, such
20 as the nuclear power industry, and recognized that the water utility sector does not now have
21 the types of commonalities of quantitative methodology for risks and benefits, standardized
22 analyses on assets to be evaluated, level of detail, and evaluation parameters, probability of
23 occurrence of design basis threats, and agreed-upon data on the reliabilities and failure
24 probabilities of security approaches and tactics that tend to support strict comparability. A
25 number of WSWG members were interested in taking steps to create these commonalities over
26 time, and to move toward measures that would support strict comparability among utilities while
27 preserving the necessary flexibility for utilities to choose security approaches and tactics that
28 are appropriate to their specific circumstances and operating conditions.
29
so
31 ft*u?300$Kttt« & a* wdtor ae&a* '&®iw®$m to ft* WSW& ma-fa*
32
33
Draft WSWG Report—3/21/05
Page 55
-------�
DRAFT Doss Mot Represent th« Consensus of the WSWC3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Measures for Utilities to Consider
Recommendation 19: In developing their self-assessment and measurement programs,
water and wastewater utilities should consider the security program measures listed in
Appendix C.
During their deliberations to identify measures that all utilities should use, the WSWG identified
numerous other potential measures of active and effective security programs. The measures
recommended above for all utilities to use are the minimum necessary to create a foundation for
a successful utility security self-assessment and measurement program. Utilities should
supplement the measures recommended above with additional measures that reflect the
specific security approaches and tactics they have chosen and that are appropriate to their
specific circumstances and operating conditions. In Appendix C, the WSWG lists measures
considered during its deliberations. Utilities should consider these measures when developing a
utility-specific self-assessment and measurement program. While all the measures listed in
Appendix C will not be applicable to every utility, they cover many of the elements of a
successful measurement program that the WSWG recommended earlier (existence of program
policies and procedures, training, testing/exercising, and implementing schedules and plans;
see feature #14) and represent the WSWG's best thinking on what would constitute good
measures.
National Aggregate Measures
Recommendation 20: In considering measurement of water sector security progress
EPA should consider three measures described below.
Draft WSWG Report—3/21/05
Page 56
-------�
DRAFT ..... Doss Mot R&pr«ss;>t the Consffosus of th» WSW
1 After exploring and identifying measures all utilities should use, the WSWG explored measures
2 of national, sector wide, aggregate progress. The Group considered a number of measurement
3 areas, focused on the potential to indicate:
4
5 •* Progress implementing "active and effective" security programs;
6 >* Progress reducing security-related risk, including reductions in the number of high risk
7 assets; and
8 •* Progress reducing the risk potential inherent in utility operations.
9
10 As discussed earlier in this report (see Recommendation 17), the WSWG recognizes difficulties
1 1 and limitations associated with the ability to establish strict comparability among utilities at this
12 time, and the inherently qualitative and subjective nature of measures currently available to the
13 sector. Members also were concerned about the potential for national aggregate measures that
14 could not be adequately confirmed or verified creating a false sense of security or an otherwise
15 inaccurate view of water sector progress. For these reasons, the Group approached
16 discussions of national, aggregate measures with caution. At the same time, the Group
17 acknowledges that EPA has been called upon to develop national aggregate measures, and
18 that the ability to credibly demonstrate security progress in the water sector is valuable to all
19 stakeholders. From these deliberations, the Group identified three potential measures of
20 national, sector-wide, aggregate security progress that it believes are supported by data that all
21 utilities with active and effective security programs will have. The three national, sector-wide,
22 aggregate measures identified by the WSWG are:
23
24 1. Amount and degree of implementation of the fourteen features of an active and effective
25 security program based on self assessment.
26 2. Progress addressing high security priorities.
27 3. Amount of Clean Air Act 112(r) hazardous substances present on site and potentially
28 affected residential population inside the off-site consequence analysis area of a
29 potential hazardous substance release.
30
31 Each measure is discussed in more detail below. As discussed later in this report (see the
32 section on Reporting), the WSWG chose not to address reporting of measures, believing that
33 choices about reporting are instead best addressed by EPA. At the same time, the Group
34 emphasizes that, particularly with respect to aggregate measures addressing progress
Draft WSWG Report— 3/21/05
Page 57
-------�
DRAFT Doss !\)ot Represent t.h« Consensus of th& W8WC3
1 implementing active and effective security programs and progress addressing high security
2 priorities, it must be acknowledged that if tracking of these measures is based only on voluntary
3 self-reporting by utilities it may be difficult to assess the completeness and accuracy of sector
4 progress, and there is high potential to create a false sense of progress or security.
5
6 Amount and degree of implementation of the fourteen features of an active and effective
7 security program based on self assessment
8
9 Earlier in this report (see Recommendation 5, feature #14), the WSWG identifies the features of
10 an active and effective security program, and recommends that utilities carry out self
11 assessment of their progress towards implementing active and effective security programs. The
12 WSWG also recommends a specific set of measures that tie to each of the program features
13 (see Recommendation 17). This national, aggregate measure would provide an indication of
14 the degree of implementation of each of the fourteen features of an active and effective security
15 program. Utilities would assess their degree of implementation of each of the fourteen features
16 based on evaluation of the feature-related measures, using a "high, medium, low" scale. A
17 "high" rating would indicate a utility has fully addressed a program feature; a "medium" rating
18 would indicate a utility is in the process of addressing a program feature (i.e., it has begun but
19 not completed work); and a "low" rating would indicate a utility has not begun, or cannot yet
20 begin, to address a program feature. The Group also discussed this as a stoplight concept,
21 where fully addressed program features are green, features that are in progress are yellow, and
22 features not yet begun are red. This measure will provide a sense of the number and percent of
23 utilities fully addressing each feature of an active and effective security program, and the
24 number and percent of utilities making progress towards fully addressing all program features.
25 Examining progress on a feature-by-feature basis using the feature-related measures should
26 indicate where additional attention is needed—features for which progress is limited or lacking
27 across the sector may benefit from additional assistance or guidance.
28
29 The WSWG initially considered this measure in a substantially simpler form where utilities would
30 use a simple yes or no to indicate whether they had addressed each feature of an active and
31 effective security program. The Group rejected this binary approach because it would not
32 recognize efforts underway and likely would misrepresent the water sector's progress and
33 continuing efforts to implement active and effective programs. The WSWG anticipates that
34 many utilities will address the fourteen features over several years, making more or less
Draft WSWG Report—3/21/05
Page 58
-------�
DRAFT Do-as Not Raprossnt th« Consensus of ths> WSWG
1 progress in each area depending on utility-specific circumstances and operating conditions.
2 The high/medium/low approach the Group ultimately decided to recommend is designed to
3 provide a more nuanced sense of utility security progress.
4
5 Progress addressing high security priorities
6
7 Under the Bioterrorism Act, community water systems serving over 3,300 people are required to
8 assess system vulnerabilities. Earlier in this report (see Recommendation 5, feature #3), the
9 WSWG recommended that all utilities (including utilities serving fewer than 3,300 people that
10 were not addressed by the Bioterrorism Act) maintain an assessment of vulnerabilities as a
11 living document. Utilities have available to them a number of standard publicly or commercially
12 available vulnerability assessment methodologies. Each of these methodologies is different,
13 and produces slightly different reports. Some methodologies, such as the RAM-W or VSAT
14 methodologies, are very quantitative, and produce quantitative vulnerability reports. Other
15 methodologies, such as the SEMS methodology, produce more narrative reports or checklists
16 and have been used by many smaller utilities.
17
18 Regardless of the methodology used, one of the outcomes of any robust assessment of
19 vulnerabilities is a sense of utility-specific situations that present a high-risk from a security
20 standpoint (i.e., a set of high-risk security vulnerabilities). As discussed earlier in this report
21 (see Recommendation 3, features #3 and #4), these high security risks should translate into a
22 clear set of utility-defined high-priority actions to improve security. This measure would track,
23 on a snapshot basis, the total number of high-priority security actions identified by each utility,
24 and the number and percent of utility-identified high-priority security actions fully addressed, in
25 progress, and yet to be started. The result of this measurement would be (1) a sense of the
26 total number of high-priority security actions in the water sector, and (2) a sense of the overall
27 progress of the water sector in making security improvements by addressing high-risk security
28 vulnerabilities, and the number of high-risk security vulnerabilities remaining.
29
30 In their deliberations on a measure of progress addressing high security priorities, the WSWG
31 discussed issues associated with the baseline against which progress would be measured. The
32 Group acknowledges that an initial baseline must be established and that this baseline may
33 change over time as utilities update their vulnerability assessments. For example, if a utility
34 changes its design basis threat assumptions, this may result in a change to the utility's baseline
Draft WSWG Re po rt—3/21 /OS
Page 59
-------�
DRAFT Oo«s Mot R&pfftssi>t th«? Consensus of the
1 list of high-priority security actions. Provided basic threat and operating conditions do not
2 change, a utility should expect the total number of high-risk vulnerabilities (and the related total
3 number of high-priority security actions) to decrease in reassessments of vulnerability over time
4 as security improves. Of course, the number of high-risk vulnerabilities also might increase over
5 time as a result of increased attention to security, greater funding, or lessons learned from
6 exercises and actual event responses. The WSWG emphasizes that the number of high
7 security priorities will, in all cases, be simply a snapshot of the current state of the industry and
8 an opportunity for the industry to demonstrate security progress by communicating the number
9 of high-priority vulnerabilities addressed.
10
11 The Group recognizes that the Bioterrorism Act applies only to larger systems, those that serve
12 populations of 3,300 or more, and that smaller systems may not yet have completed
13 vulnerability assessments. This will be an important feature of structuring the details of this
14 progress measure. For example, it may be that the baseline of total high-risk vulnerabilities
15 present in the water sector will appear to go up in initial years as smaller systems complete
16 assessments of vulnerability and put active and effective security programs in place.
17
18 Amount of Clean Air Act Section 112(r) hazardous substances on site, container size,
19 and potentially effected residential population inside the off-site consequence analysis
20 area of a worst-case scenario release
21
22 Under Section 112(r) of the Clean Air Act, facilities at which certain types of a hazardous
23 substance are stored or used must carry out modeling and other analysis to determine the
24 potential effects of a sudden, catastrophic air release of these substances and to determine the
25 potentially effected population. In 2004, approximately 1,900 drinking water and 1,200
26 wastewater utilities reported the results of internal assessments of potential chemical release
27 impacts. This measure would draw only on these already reported data to evaluate progress in
28 reducing the potential worst case consequences of a successful attack on chemical storage at
29 water utilities. As a complement, this measure also would assess the amount of Clean Air Act
30 112(r) hazardous substances maintained on site and the storage container size. (Both these
31 data are already part of Section 112(r) reporting.) In that way, the measure will recognize water
32 sector progress in taking steps towards inherently safer practices by reducing or eliminating
33 reliance on hazardous substances, and by transitioning to smaller containers.
34
Draft WSWG Report—3/21/05
Page 60
-------�
DRAFT Doss hlol Represent th« Corssonsus of tte WSWG
1 The WSWG notes a number of very important caveats to Section 112(r) data. Most importantly,
2 utilities do not control the number of people who choose to live near their infrastructure and,
3 therefore, cannot control the size of potentially effected populations in off-site consequence
4 analysis areas. Utilities might undertake aggressive hazardous substance reduction efforts that
5 are masked, at least in part, by population infill which they do not control. In addition, efforts to
6 reduce the inherent hazards associated with water and wastewater treatment cannot be
7 simplified to a recommendation to totally eliminate use of hazardous substances. While
8 reduction in the use of hazardous substances is important, total elimination may not be feasible
9 or desirable, particularly in the wastewater treatment industry, due to concerns in some
10 situations about the robustness of treatment approaches that rely on other disinfection methods.
11
12 Other Measures Considered
13
14 The WSWG considered, but ultimately decided not to recommend, a national, sector wide,
15 aggregate measure of progress related to improvement in utility contaminant detection efforts.
16 Earlier in this report (see Recommendation 5, feature #7), the WSWG called on utilities to
17 employ protocols for detection of contamination consistent with the recognized limitations in
18 current contaminant monitoring technologies. The Group also recognized and expressed
19 concern that utilities' abilities to undertake chemical, biological, and radiological monitoring of
20 contamination are limited in large part by the lack of reliable or affordable technology and the
21 lack of guidance or experience with how to interpret monitoring results. (See Recommendation
22 8.) At the same time, the Group is keenly interested in rapid development of practical
23 contaminant detection approaches and in improving contaminant detection in the water sector,
24 and was interested in the role a national, sector wide, aggregate measure of progress in
25 contamination detection could play in creating pressure on EPA and other government agencies
26 to promote and support rapid development of practical contaminant detection approaches.
27
28 Because current limitations in contaminant detection technologies create a barrier to meaningful
29 measurement of progress, ultimately, the WSWG decided to place a national, sector wide,
30 aggregate measure related to contaminant detection in a "wait and see" category. The Group
31 reiterates its concern that utilities' abilities to undertake chemical, biological, and radiological
32 monitoring of contamination are limited in large part by the lack of reliable or affordable
33 technology and the lack of guidance or experience with how to interpret monitoring results, and
34 again strongly encourages government to continue and increase financial and other support for
Draft WSWG Report—3/21/05
Page 61
-------�
DRAFT Doss Hot Represent th Consensus of the WS
1 the development of chemical, biological, and radiological monitoring technologies, and to assist
2 utilities in creating protocols and guidance for interpretation of contaminant monitoring data. As
3 progress in developing practical contaminant detection approaches is made, the Group
4 encourages EPA and other government agencies to continue to explore a national, sector wide,
5 aggregate measure of contaminate detection performance.
6
7 Reporting
8
9 The WSWG is not making a specific recommendation on reporting methods or frequency for
10 national, sector wide, aggregate measures. To the extent EPA determines national reporting is
11 needed, the Agency should address reporting methodologies and frequencies in collaboration
12 with the water sector at that time.
Draft WSWG Report—3/21/05
Page 62
-------�
DRAFT Does Ufit Rapras«s>t the Consensus; of the
1 Appendix A: Features and Measures of an Active and
2 Effective Security Program
3
4 In Recommendation 5, the WSWG identified fourteen features of active and effective security
5 programs to provide for consistency in security outcomes across utilities, guide utilities'
6 consideration and selection of specific security approaches and tactics, and create a foundation
7 from which improvements in security can, overtime, be measured and described.
8
9 The fourteen program features define high-level security program outcomes, rather than specific
10 security approaches or tactics. They were selected from among many potential features of
11 security programs as those that, in the experience and view of the WSWG, are most important
12 to increasing security and most relevant across the broad range of utility circumstances and
13 operating conditions. The features are broadly drawn to allow individual utilities to tailor security
14 approaches and tactics to utility-specific circumstances and operating conditions. At the same
15 time, they are sufficiently important and relevant that they apply across the full range of utility
16 conditions and should be addressed by all utilities. The WSWG emphasizes that significant
17 variability in implementation of the program features is to be expected and is appropriate;
18 however, to have an active and effective security program, utilities should address each feature
19 and develop specific implementation approaches and tactics tailored to their circumstances.
20
21 In Recommendation 17 the WSWG identified security program measures that relate to each
22 feature. Like the program features, these measures are sufficiently broad to apply across the
23 range of utility circumstances and operating conditions, and sufficiently important that they are
24 recommended for all utilities as the basis of a utility-specific security measurement program.
25 Each feature and measure is described in detail below.
26
Draft WSWG Report—3/21/05
Page 63
-------�
DRAFT Doss Mot R&pressnt the Con&unsus of ths WS
1 1. Explicit commitment to security
2 f.t Feature—Water and wastewater utilities should make an explicit and visible
3 commitment of the senior leadership to security.
4
5 Active and effective security programs do not exist in a vacuum—they are integral parts of the
6 organizations they serve. To reinforce this idea, utilities should create an explicit, visible, easily
7 communicated, enterprise-wide commitment to security.
8
9 Many water and wastewater utilities might make an explicit and visible commitment to security
10 by incorporating security into a utility-wide mission or vision statement. Mission or vision
11 statements, if used, should be simple, but complete. They should address the full scope of an
12 active and effective security program—that is, protection of human health and the environment,
13 protection of human safety (including infrastructure protection), and protection of economic
14 vitality and public confidence. They also should place security in the context of water and
15 wastewater utilities' overall core operations, and recognize utilities' commitments to serving the
16 public trust.
17
18 As with any enterprise-wide commitment, the process of development of an explicit and visible
19 commitment to security may be just as important as the actual language of the statement that
20 emerges from the process. Utilities should use this process as an opportunity to raise
21 awareness of security throughout the organization, and to help every facet of the enterprise to
22 recognize the contribution they can make to enhancing security.
23
24 Utilities also might make an explicit and visible commitment by promulgating an enterprise-wide
25 security policy, or set of policies. If used, these policies, like a mission or vision statement,
26 should address the full scope of an active and effective security program and should be
27 developed using a process that raises awareness of security throughout the organization.
28
29 No matter the approach used, the important outcome is that a utility make an explicit
30 commitment to incorporating security into day-to-day operations, and that this commitment be
31 visible to all employees and customers.
32
Draft WSWG Report—3/21/05
Page 64
-------�
DRAFT Doss i\>ot Rapr«se;>t the Consensus of th» WSWG
1 1.2 Measure #1—Does a written, enterprise-wide security policy exist, and is the policy
2 reviewed regularly and updated as needed?
3
4 As discussed earlier in this report (see feature #1), to be successful, active and effective
5 security programs cannot exist in a vacuum—they should be integral parts of the organizations
6 they serve. Recommended measure #1 establishes the expectation that, as part of their self
7 assessment and measurement efforts, utilities will ask themselves whether they have an
8 enterprise-wide security policy and whether the policy is being appropriately maintained. Note
9 that recommended measure #1 contemplates that, as part of an active and effective security
10 program a utility will develop a written, enterprise-wide security policy, establish a schedule for
11 regular review of the policy, and update the policy as needed. The Group debated whether it is
12 necessary for an enterprise-wide policy on security to be written and ultimately determined
13 written policies are needed to help make a utility's commitment to security visible and tangible
14 throughout the organization. The Group has chosen not to specify a timeframe for what
15 constitutes "regular" review of an enterprise-wide security policy; utilities should establish
16 timeframes appropriate to their specific circumstances and operating conditions. Many WSWG
17 members believe review of an enterprise-wide security policy should be carried out at least once
18 every year, as part of a yearly review of security performance, and that yearly security reviews
19 should be incorporated into yearly enterprise-wide planning and budgeting activities. Integrating
20 security into wider organization planning and budgeting in this way has the potential to highlight
21 instances where a security improvement may also create operational improvement (or vice
22 versa) and will reinforce security as part of the overall organization culture.
23
24 2. Security culture
25 2.2 Feature—Water and wastewater utilities should promote security awareness
26 throughout their organizations.
27
28 Every person in a utility organization has something to contribute to enhancing security, and
29 every person should be expected to make their contribution. The objective of a security culture
30 should be to increase security by making security awareness a normal, accepted, and routine
31 part of day-to-day operations. The importance of a security culture cannot be overstated. The
32 best security plans and procedures in the world will not work if they are not implemented—and
33 implementation relies on line staff and managers. Workers on the front lines of an organization
Draft WSWG Report—3/21/05
Page 65
-------�
DRAFT Doss Mot Rspressnt the Consensus of the
1 are the people most likely to have occasion to notice something out of the ordinary that may
2 signal a threat to security. Attentiveness on the parts of these individuals, and willingness to
3 bring potential security issues to the attention of others, is something a utility can implement to
4 improve security regardless of size or location.
5
6 Creating a security culture involves efforts that are easily described and very tangible, and
7 efforts that are less easy to describe and less tangible. Examples of tangible efforts include:
8 employee training; incorporating security into job descriptions, performance standards, and
9 evaluations; creating and maintaining a security tip line and suggestion box for employees;
10 making security a routine part of staff meetings and organization planning; making security
11 visible in day-to-day operations through use of badges and signs; and creating and
12 implementing measures of security activities and progress.
13
14 Some utilities have created a security management team or oversight committee, a group of
15 department heads and other leaders in the organization that meets regularly to establish
16 security procedures, set security priorities, and ensure cross-organization coordination. A
17 security oversight committee creates a solid, lasting foundation on which a security program and
18 a security culture can be built. At some utilities, the security oversight committee is also
19 responsible for responding in real-time to threats and security events. This combination of
20 oversight and response duties keeps security policy connected to the practical side of security
21 implementation.
22
23 Less tangible efforts to instill a culture of security throughout an organization are fully as
24 important as the more tangible efforts, but are difficult to describe. In general, they have to do
25 with those in positions of authority in an organization rewarding attentiveness to security,
26 creating a culture where reporting of problems or suspicious events is the norm, and leading by
27 example. For example, those in leadership positions might make a point of following security
28 procedures visibly; if badges are required, they would wear security badges. Employees who
29 raise security concerns and who demonstrate attentiveness to security would be acknowledged
30 and rewarded, and awareness programs would give employees timely and useful information
31 about current threats and what to look for. All employees would be given an opportunity to
32 contribute to security, not just by wearing identification and following procedures but also by
33 reporting suspicious or threatening events and making suggestions for furthering security
Draft WSWG Report—3/21/05
Page 66
-------�
DRAFT Doss Mot Rapros«s>t the Consensus of the WSW8
1 improvements, for which they would receive timely acknowledgement or feedback to reinforce
2 the value of reports and suggestions.
3
4 2.2 Measure—Are incidents reported in a timely way, and are lessons learned from
5 incident responses reviewed and, as appropriate, incorporated into future utility security
6 efforts?
7
8 Feature #2 establishes the expectation that as part of an active and effective security program a
9 utility will promote security awareness throughout its organization. This measure highlights a
10 key element of security awareness—the ability of an organization to quickly identify security
11 incidents and to incorporate lessons learned into future security efforts. As part of implementing
12 this measure, the WSWG believes utilities should pay particular attention to circumstances, if
13 any, where it becomes clear that a security incident was not reported in a timely way. This
14 might be the case, for example, where employees are aware a lock or other security barrier is
15 damaged but do not report it, so the damage is instead discovered by an internal utility audit or
16 other security check. These circumstances are important indications of the extent to which
17 security tactics and approaches are working on the "front lines" of an organization and are a key
18 measure of the presence (or absence) of a security culture. Measure #2 also recommends
19 utilities explicitly review responses to security incidents and incorporate lessons learned into
20 future security efforts as appropriate. This ongoing learning and adapting as utilities gain
21 experience with security is key to increasing the protectiveness of a security program and to
22 creating a security culture. Note that the Group chose not to establish a standard timeframe for
23 what constitutes 'timely" reporting of incidents. Instead, utilities should establish incident
24 reporting expectations appropriate to their specific circumstances and operating conditions.
25
26 3. Up-to-date assessment of vulnerability
27 3.1 Feature—Water and wastewater utilities should assess vulnerabilities and
28 periodically review and update vulnerability assessments to reflect changes in potential
29 threats and vulnerabilities.
30
31 A utility understands and assessment of their vulnerabilities is a key building block of an active
32 and effective security program. Understanding and assessment of vulnerabilities establishes
33 critical security needs, evaluates and describes utility-specific circumstances and operating
Draft WSWG Report—3/21/05
Page 67
-------�
DRAFT Doss Not R&pmasnt the Consensus of the WSWG
1 conditions that define vulnerability, and identifies the security enhancement priorities that will
2 drive security planning. Over time, utilities should expect that the conditions that defined their
3 initial assessments of vulnerability will change—they may become less vulnerable because of
4 changes to circumstances, infrastructure, or operating conditions, or they may become more
5 vulnerable because of changing threat or attack probabilities. Threats will change over time and
6 security improvements will change a utility's susceptibility to ongoing and new threats. Because
7 circumstances change, utilities should continually adjust their security enhancement and
8 maintenance priorities so they remain responsive to vulnerabilities.
9
10 This recommendation establishes the expectation that utilities should maintain their
11 understanding and assessment of vulnerabilities as a "living document" that reflects current
12 security-related conditions. To accomplish this objective, utilities should periodically review and
13 update their assessment of vulnerabilities and risks, including the design basis threat used as
14 the foundation of the vulnerability assessment. The timing for review will vary across utilities,
15 depending on the degree to which security-related conditions are changing and resources are
16 available. Utilities should consider their individual circumstances and establish and implement a
17 schedule for review of their vulnerabilities. At a minimum, the WSWG believes all utilities
18 should reassess their vulnerabilities and risks at least once every three to five years. Conditions
19 that might prompt more frequent review of vulnerabilities include major facility construction
20 projects, adding new facility infrastructure (by construction or acquisition), new information
21 about specific threats, and significant attacks or other events that would cause reconsideration
22 of utility vulnerability. Many WSWG members believe utilities would be well served by reviewing
23 their assessments of vulnerability annually, and believe an annual review should take place.
24
25 Reviews of vulnerabilities should be carried out by those involved in the security program and
26 knowledgeable of utility operations. An executive should be included to provide an ongoing
27 conduit of information to and from management, and so that management's awareness of
28 security continues to grow. The information considered during the review should be
29 documented, and any changes to the understanding or assessment of vulnerabilities also
30 should be documented, so utilities can form a long-term basis for decision making, and track
31 their progress over time.
32
33 The WSWG notes that there are a number of publicly or commercially available methodologies
34 utilities can use to help them understand and assess vulnerabilities, and new methodologies are
Draft WSWG Report—3/21/05
Page 68
-------�
DRAFT Doss hjot Represent the Consensus of the WSW6
1 being developed. These methodologies may be very helpful to utilities in that they create a
2 standard process for vulnerability assessment that can be replicated so changes in vulnerability
3 can be measured over time. The WSWG is not recommending use of any particular
4 vulnerability assessment methodology. Rather, utilities should use the methodology that best
5 suits their particular circumstances, taking care to ensure consideration of the significant system
6 failures and key threats or methods of attack recommended for consideration earlier in this
7 report (see Recommendation 3).
8
9 3.2 Measure—Are re-assessments of vulnerabilities made after incidents, and are
10 lessons learned and other relevant information incorporated into security practices?
11
12 Feature #3 establishes the expectation that utilities should maintain their assessments of
13 vulnerabilities as living documents that reflect current threats and utility-specific security tactics
14 and approaches. This measure recommends utilities re-assess vulnerabilities after incidents
15 and incorporate lessons learned and other relevant information into security practices. For
16 example, lessons learned in re-assessing vulnerabilities after incidents might help a utility
17 improve its practices for access detection and control. Or, lessons learned might help a utility
18 identify new security priorities and change the way it invests security resources. As discussed
19 throughout this report, the WSWG believes strongly in the importance of ongoing, thoughtful
20 reassessment and adaptation as a way to keep security programs "fresh" and effective, take
21 advantage of emerging approaches and new technologies, and perpetuate a security culture
22 throughout an organization.
23
24 4. Resources dedicated to security and security implementation
25 priorities
26 4.1 Feature—Water and wastewater utilities should identify security priorities and, on an
27 annual basis, identify the resources dedicated to security programs and planned security
28 improvements, if any.
29
30 No organization can sustain focus on a priority in the absence of dedicated resources. Utility
31 security is no different. To ensure utilities sustain focus on their ongoing security programs and
32 on security improvement priorities, this recommendation establishes the expectation that
Draft WSWG Report—3/21/05
Page 69
-------�
DRAFT Doss hJot Represent th« Consensus of thft WSWG
1 utilities, through their annual capital, operations and maintenance, and staff resources plans,
2 should identify and set aside resources consistent with their specific identified security needs.
3
4 The WSWG highlights three ways that utilities might invest resources in security.
5
6 First, and perhaps most importantly, utilities can and should "invest" in security by increasing the
7 amount of time and attention that executive and line managers give to security. It is important
8 not to underestimate the value of these contributions—just increasing attentiveness will improve
9 security even if no other changes or investments are made. Utilities might ensure this extra
10 attentiveness by including security in semi-annual performance reviews and progress reports, or
11 by making security a standing item on executive management agendas.
12
13 Second, utilities will invest staff time and resources in security by including security
14 considerations in budgets for personnel and training. For some larger utilities, this might include
15 adding new staff dedicated to security. For others, particularly smaller utilities, it may mean
16 specific acknowledgment that existing staff are taking on new security-related responsibilities.
17 In both cases, utilities should account and plan for the staff costs associated with security
18 responsibilities. Utilities also might dedicate resources to security by including security training
19 and exercises in their annual operations plans. Even when training and exercises are absorbed
20 by regular operating budget categories, it should be acknowledged that these expenses will
21 occur, and that covering these security-related expenses may represent a decision to do less of
22 something else.
23
24 Third, and perhaps most obviously, many utilities will make ongoing capital investments in
25 security. Capital investments might include physical hardening of structures, investment in
26 monitoring devices, purchase of emergency response equipment, and design and construction
27 of new facilities and infrastructure.
28
29 The WSWG recognizes that utilities always must balance resource allocations among a number
30 of important obligations. To reflect their ongoing commitment to security and to, over time,
31 balance resource allocations among security improvements and other organizational priorities,
32 utilities should establish clear security improvement priorities.
33
Draft WSWG Report—3/21/05
Page 70
-------�
DRAFT Doss Not Raprossnt the Consensus of tho WSW0
1 One way that utilities might record their security improvement priorities is in a security
2 improvement plan. Security improvement plans create a clear sense of security priorities and
3 place those priorities in the context of other organizational priorities. Successful security
4 improvement plans address what a water or wastewater utility will do relative to all features of
5 an active and effective security program, not only those associated with physical hardening or
6 access control, and not only those that require significant capital investment. So, for example, a
7 successful security improvement plan will address activities that help to build a security culture
8 in an organization and activities associated with building community partnerships, just as much
9 as it addresses investments an organization will make in new equipment to improve security.
10
11 Whatever means utilities use to document their security improvement priorities, these priorities
12 should be clearly recorded in a living document that change over time. Security improvement
13 priorities should be reviewed, along with other annual plans and investments, with top utility
14 executives at least once a year. This review might include an update/status report on security
15 enhancements undertaken to date, a high-level review of remaining vulnerabilities and risks,
16 and a description/identification of priorities for the upcoming and future years. Over time, this
17 type of annual review will give utilities the information they need to carry out trend analysis,
18 document progress, and form opinions on whether the level of resource investment in security is
19 appropriate.
20
21 To the extent appropriate, utilities might integrate a security improvement plan with other annual
22 operating plans. Such integration may provide a valuable opportunity for utilities to continue to
23 integrate security into day-to-day management, operations, and tracking. It also may serve to
24 highlight areas where a potential security improvement would also create value for another part
25 of the organization; for example, where a monitoring protocol that improves security also
26 improves operations by allowing operators to fine-tune treatment systems more efficiently and
27 effectively. In general, the WSWG believes that utilities are best served by incorporating
28 security considerations into the enterprise-wide capital and operating budgets and plans that are
29 already prepared.
30
31 It is important to note that the WSWG is not recommending a standard dollar amount of security
32 investment that would be appropriate for all utilities. As discussed earlier in this report (see
33 Recommendation 1), each individual utility must tailor their security approaches and tactics to
34 their specific circumstances. For some utilities, it may be necessary and practical to make large
Draft WSWG Report—3/21/05
Page 71
-------�
DRAFT Does Mo! R&fyresant th« Consensus of th
1 capital investments in security, or to invest in dedicated security staff. For other utilities,
2 especially smaller utilities, the potential for capital investment may be much less—and much
3 less needed—and new security-related responsibilities and attentiveness will be absorbed into
4 existing staff responsibilities. The key is that utilities make some investment and that whatever
5 the level of investment of a particular utility, the investment is made consciously and in light of a
6 thoughtful assessment of vulnerabilities and related security improvement priorities.
7
8 4.2 Measure—Are security priorities clearly identified, and to what extent do security
9 priorities have resources assigned to them?
10
11 Some WSWG members believe informed identification of security priorities and corresponding
12 resource decisions are the keys to an active and effective security program. Feature #4
13 establishes the expectation that utilities will identify and set aside resources consistent with their
14 specific identified security needs in their annual capital, operations, and maintenance budgets,
15 and staff resources plans. This measure establishes the expectation that utilities will monitor the
16 extent to which priorities are identified and resourced. Note that the WSWG does not assume
17 all security priorities will have resources assigned to them. The Group recognizes that utilities
18 may have security priorities in which they cannot afford to invest. This measure reflects the
19 Group's belief in the importance of utilities recognizing and monitoring these situations, and
20 understanding utilities' ability to invest in security over time.
21
22 5. Defined security roles and employee expectations
23 5.1 Feature—Water and wastewater utilities should identify managers and employees
24 who are responsible for security and establish security expectations for all staff.
25
26 While all utility employees likely have a contribution to make to security, establishing overall
27 responsibility for ensuring a utility's security plans are implemented and maintained is important
28 to creating a sense of accountability for security and providing for security-related leadership.
29 Explicit identification of security responsibilities also is important for development of a security
30 culture. Accountability for security should be clearly fixed with an individual or individuals, and
31 established at a high enough level to ensure that security is given management attention and to
32 make security a priority for line supervisors and staff.
33
Draft WSWG Report—3/21/05
Page 72
-------�
DRAFT Doss Not Raprasent th« Consensus of th
1 WSWG members defined a number of crucial security-related roles and responsibilities utilities
2 might consider, including security program implementation management, physical intrusion and
3 contamination detection, and incident command roles during emergency response and
4 recovery. At a minimum, utilities should identify a single, designated individual responsible
5 overall for security, even if other security roles and responsibilities will likely be dispersed
6 throughout the organization. In addition, security expectations should be included in job
7 descriptions and annual performance reviews for all employees with security responsibilities.
8 Even when security is not a full-time duty, there should be an assigned manager in the utility
9 who is responsible for operating a meaningful security program.
10
11 The WSWG emphasizes that implementation of this recommendation will differ, potentially
12 substantially, depending on a utility's specific circumstances. For example, large, urban utilities
13 might create a security department with a director and staff fully dedicated to security program
14 implementation. Alternatively, a small, rural utility might assign all security program
15 implementation responsibilities as part of one individual's job.
16
17 5.2 Measure #5—Are managers and employees who are responsible for security
18 identified?
19
20 Feature #5 reflects the WSWG belief that accountability for security should be clearly fixed with
21 an individual or individuals, and established at a high enough level within the organization to
22 ensure security is given management attention and to make security a priority for line
23 supervisors and staff. This measure recommends that utilities should assess whether they have
24 clearly fixed responsibility for security by evaluating whether they have identified managers and
25 employees with security responsibilities. As described earlier in this report, it is important to
26 recognize that the WSWG is not recommending a specific security staffing or management
27 structure. Large, urban utilities may create a security department with a director and staff.
28 Smaller utilities may assign all security responsibilities to an existing employee or to a general
29 manager. Both approaches are consistent with the WSWG's recommendation, provided the
30 responsibility for security is clearly understood and there is accountability for security with
31 organization leadership.
32
Draft WSWG Report—3/21/05
Page 73
-------�
DRAFT Doss Not Rapfosss>t. the Consensus of the WSWG
1 6. Access control and intrusion detection
2 6.7 Feature—Water and wastewater utilities should establish physical and procedural
3 controls to restrict access to utility infrastructure to only those conducting authorized.
4 official business and to detect unauthorized physical intrusions.
5
6 Intrusion detection and access control is a cornerstone of all active and effective security
7 programs. Utilities should implement measures to deter unauthorized intrusions to facilities and
8 operations, and to detect unauthorized access to utility assets in a manner that is timely and
9 enables the utility to respond effectively.
10
11 Access control will involve both physical and procedural means to restrict access to treatment
12 facilities and to the supply/distribution/collection networks for the purposes of deterring physical
13 harm and/or the introduction of harmful chemical, biological, or other substances into the water
14 supply/treatment/distribution and wastewater collection/treatment systems. Examples of
15 physical access controls include fencing critical areas, locking gates and doors, installing
16 barriers at site access points, and installing tamperproof devices at key distribution points.
17 Procedural examples include inventorying keys, changing access codes regularly, requiring
18 security passes to pass gates and access sensitive areas, establishing a security presence at
19 facility gates, requiring all visitors to have scheduled appointments, requiring visitors to sign in at
20 a front desk and display identification at all times, implementing chemical delivery and testing
21 procedures including chain of custody control, limiting delivery hours, and checking all deliveries
22 to ascertain nature of material.
23
24 Monitoring for physical intrusion can include such physical enhancements as maintaining well-
25 lighted facility perimeters, monitoring with closed caption TV, installing motion detectors, and
26 utilizing intrusion alarms. Procedurally, the use of neighborhood watches, regular employee
27 rounds, and arrangements with local police and fire departments can support identifying unusual
28 activity in the vicinity of facilities.
29
30 All employees, including contractors and temporary workers, with unescorted access to facilities
31 should have their identity verified through background checks to reduce the possibility that ill-
32 intentioned individuals are present in an organization. WSWG members believe effective
33 background checks are a very useful way to verify employee identity, establish citizenship,
34 criminal activity, and work eligibility, and to confirm the individual is not on a current terrorist
Draft WSWG Report—3/21/05
Page 74
-------�
DRAFT Doss h)c>1 Represent the Oan&ft-nsus of the WSWG
1 watch list. Group members support using background checks for these purposes even as they
2 recognize that some publicly-funded utilities may face legal barriers or constraints on their ability
3 to use background checks, particularly for existing employees. The Group encourages public
4 agencies to work to overcome these barriers so that they can use background checks to
5 enhance security.
6
7 Utilities also should establish the means to readily identify all employees. Many utilities find that
8 use of identification badges or other photo identification is an efficient way to identify
9 employees. Photo identification badges can be displayed by all employees at all times, in plain
10 sight. For some utilities, it has been helpful to tie identification badges into systems of access
11 control, allowing only certain employees access to security-sensitive or other critical areas;
12 these systems also can be used to quickly deny access to any individual in the event of an
13 emergency or a security-related concern.
14
15 The WSWG notes that individual utilities may choose to place more or less emphasis on access
16 control versus intrusion detection. For example, some small utilities have recognized that, as a
17 practical matter, it may be very difficult to control access to remote, unguarded infrastructure
18 and have chosen, therefore, to invest more heavily in systems or procedures that detect
19 unauthorized access (intrusion) and enable the utility to respond appropriately.
20
21 6.2 Measure—To what extent are methods to control access to sensitive assets in place?
22
23 Feature #6 calls on utilities to establish physical and procedural controls to detect unauthorized
24 intrusions and restrict access to utility infrastructure to only those conducting authorized, official
25 business. This measure highlights a key subset of efforts to detect intrusions and control
26 access by focusing on sensitive assets. The Group is not describing a standard list of sensitive
27 utility assets or a particular set of approaches or tactics that should be used to detect and
28 control access. Rather, utilities should identify sensitive assets based on their specific
29 circumstances and operating conditions and should develop and implement utility-specific
30 access control approaches and tactics. There are a number of ways that utilities might assess
31 the "extent" to which methods to detect intrusions and control access are in place. For example,
32 utilities just beginning to develop a security program might measure the number and percent of
33 sensitive assets protected by access control methods. Utilities with more experience might test
34 intrusion detection and access control methods at sensitive assets and measure their
Draft WSWG Report—3/21/05
Page 75
-------�
DRAFT Does Mot Rapffiss»t the Consensus; of the WS
1 performance. Over time, measure #6 contemplates that utilities will have well functioning
2 intrusion detection and access control methods in place for all sensitive assets.
3
4 7. Contamination detection, monitoring, and surveillance
5 7.1 Feature—Water and wastewater utilities should employ protocols for detection of
6 contamination consistent with the recognized limitations in current contaminant
7 detection, monitoring, and surveillance, technology.
8
9 Contamination detection, contaminant monitoring, and surveillance are different but related
10 elements of a contamination warning system. The WSWG discussed three points with respect
11 to contamination detection, monitoring, and surveillance: physical monitoring or surveillance for
12 contaminants; monitoring or surveillance of contamination surrogates; and connections with
13 customers and public health providers.
14
15 Physical monitoring or surveillance for chemical, biological, and radiological contamination is an
16 evolving area, with research underway to provide for more direct and real time methods.
17 Currently, physical monitoring and surveillance for contamination is limited in large part by the
18 lack of reliable or affordable technology and the lack of guidance or experience with how to
19 interpret monitoring or surveillance results. In later recommendations (see Recommendation 8),
20 the WSWG addresses the need to support development of practical, real-time contaminant
21 monitoring and surveillance systems and protocols to help utilities evaluate and respond to
22 contaminant monitoring and surveillance data. The American Society of Civil Engineers in
23 conjunction with the American Water Works Association, and the Water Environment
24 Federation, with a grant from EPA, recently issued Guidelines for Designing an Online
25 Contaminant Monitoring system. These Guidelines provide information on assessing the need
26 for a contaminant monitoring system, locating instruments and sensors, and responding to
27 suspected contamination events. While encouraging use of online contaminant monitoring or
28 surveillance systems where they can be put into place, this document also recognizes that
29 much of the basic scientific and engineering knowledge needed is not yet available and that the
30 instrumentation needed to accomplish the job directly also is not available in the marketplace.
31 Until progress can be made in development of practical and affordable online contaminant
32 monitoring and surveillance systems, most utilities must use other approaches to contaminant
33 monitoring and surveillance.
Draft WSWG Report—3/21/05
Page 76
-------�
DRAFT Doss Not Raprassnt the Oosi&sosus of th* WS
1
2 In the absence of practical technologies for contaminant monitoring and surveillance, routinely
3 monitored physical and chemical parameters hold some potential to act as contamination
4 surrogates (signaling possible contamination problems), but this potential is limited. Until new
5 technologies are reliable and affordable, some utilities are trying to use careful monitoring of
6 physical and chemical contamination surrogates, and use surrogate data as an indicator of
7 possible contamination problems. Physical and chemical contamination surrogates include
8 pressure change abnormalities, free and total chlorine residual, heterotrophic plate count, high
9 volume total fecal coliform analysis, temperature, dissolved oxygen, conductivity, total dissolved
10 solids; turbidity; pH, color, odor, and taste. Many utilities already measure these parameters on
11 a regular basis to control plant operations and confirm water quality; more closely monitoring
12 these parameters may create operational benefits for utilities that extend far beyond security.
13 For example, by more closely monitoring water quality parameters, one utility was able to more
14 effectively target chlorination, thereby reducing operating costs, and chlorine usage. At the
15 same time, there are limited data and experience correlating changes in routinely collected
16 physical or chemical monitoring data with actual contamination events. Often, the relevance of
17 changes in these data to security can be difficult to interpret and, therefore, is difficult for utilities
18 to act upon from a security perspective.
19
20 Finally, utilities also should thoughtfully monitor customer complaints and improve connections
21 with local public health networks to detect public health anomalies. While the WSWG
22 emphasizes that using customers as indicators of potential contamination problems is far less
23 than ideal, at a practical level, until contaminant monitoring technologies are improved, attention
24 to customer complaints and public health anomalies are an important way to detect potential
25 contamination problems and other water quality concerns. Utilities should consider customer
26 complaints from a security-related perspective and should forge closer connections and
27 partnerships with their local public health communities so that public health anomalies can be
28 evaluated for water security implications. (The need to strengthen connections with public
29 health also is addressed in Recommendation 7.)
30
31 7.2 Measure—Is there a protocol/procedure in place to identify and respond to suspected
32 contamination events?
33
Draft WSWG Report—3/21/05
Page 77
-------�
DRAFT Doss Mot Rsprassni th« Consensus of the WSWG
1 Feature #7 calls on utilities to employ protocols for detection of contamination consistent with
2 the recognized limitations in current contaminant detection technologies. As discussed earlier in
3 this report, the WSWG recognizes and is concerned that utilities' abilities to undertake chemical,
4 biological, and radiological monitoring of contamination are limited in large part by the lack of
5 reliable or affordable technology and the lack of guidance or experience with how to interpret
6 monitoring results. Earlier recommendations call for aggressive financial and technical support
7 for development of cost-effective, reliable contamination monitoring devices. At the same time,
8 the WSWG believes that, as part of an active and effective security program, utilities should
9 employ protocols for detection of contamination consistent with current recognized limitations.
10 Efforts might begin with a close monitoring of routine water quality testing for anomalies that
11 could signal a contamination event, monitoring public health anomalies, and monitoring
12 customer complaints. Over time, contaminant detection efforts might be expanded to include
13 periodic regular testing for contamination, or event-based contamination testing (i.e., testing in
14 the event of a specific threat, or identified security breach). In the future, practical, in-line, real-
15 time parameter-specific contaminant detection approaches may become available.
16
17 Regardless of the approach to contaminant detection a utility uses, recommended measure #7
18 highlights a crucial aspect of the success of contaminant detection: the existence of a protocol
19 to identify and respond to suspected contamination events.
20
21 8. Information protection and continuity
22 8.1 Feature—Water and wastewater utilities should define security-sensitive information.
23 establish physical and procedural controls to restrict access to security-sensitive
24 information as appropriate, detect unauthorized access, and ensure information and
25 communications systems will function during emergency response and recovery.
26
27 Information technology (IT) systems are critical to the smooth and consistent operation of water
28 and wastewater utilities, and maintaining access to information and telecommunications
29 systems during an emergency is critical to effective response. This recommendation
30 establishes the expectation that utilities should protect IT systems, including SCADA systems,
31 define and protect security-sensitive and vital information, and plan for effective communications
32 during and after emergency responses.
33
Draft WSWG Report—3/21/05
Page 78
-------�
DRAFT Doss Mot R&present th« Consensus of thi> WSWG
1 With respect to protecting IT systems, the WSWG discussed two areas of emphasis: (1)
2 restricting access to critical IT systems (such as SCADA) to authorized personnel conducting
3 official utility business, and (2) maintenance of an uninterruptible power supply.
4
5 Protecting IT systems largely involves using physical hardening and procedural steps to limit the
6 number of individuals authorized to access critical IT systems and to prevent access by
7 unauthorized individuals. Procedural steps might include restricting remote access to data
8 networks; safeguarding critical data through backups and storage in safe places; establishing
9 procedures to restrict network access; and implementing policies to ensure that IT contractors
10 and their products will not negatively affect IT systems. Examples of physical steps to harden
11 SCADA and IT networks include installing and maintaining firewalls; screening the network for
12 viruses; separating business systems from operational systems; installing a system for virus
13 protection; ensuring security and location of SCADA system components; encrypting access via
14 modem to utility networks—including wireless networks; conducting regular penetration
15 evaluations; avoiding connecting modems to desktop systems on the secure network; allowing
16 remote access only from utility computers; and establishing and regularly changing computer
17 system access codes.
18
19 Utilities also should strive for continuous operation of IT systems, even in the event of an attack,
20 by providing for an uninterruptible power supply and the use of back up power generators or
21 other back up power means.
22
23 It is also important to control access to security-sensitive information on utility operations or
24 technical details that could aid terrorist planning and operations. The first step in this process is
25 to review information sources to identify those containing security-sensitive information. This
26 review will need to consider facility maps and blueprints, operations details, hazardous material
27 utilization, tactical level security program details, and any other information that may contain
28 information on utility operations or technical details that could aid in planning or execution of an
29 attack. Identification of security-sensitive information should consider all ways that utilities might
30 use and make public information: for example, many utilities may at times engage in competitive
31 bidding processes for construction of new facilities or infrastructure. While there is an interest in
32 ensuring that such bidding processes are in fact competitive, care also should be taken to
33 safeguard security-sensitive information. Some utilities use bid pre-qualification systems to
34 screen potential bidders for security purposes and then restrict access to security-sensitive
Draft WSWG Report—3/21/05
Page 79
-------�
DRAFT Doss hJof Represent th« Consensus of the WSW8
1 information to screened bidders. Because many utilities are public or quasi-public agencies and
2 all utilities operate to serve the public trust, typically this review also will include developing an
3 understanding of local freedom of information or sunshine act requirements to ensure access
4 procedures fully comply with such requirements.
5
6 When security-sensitive information is identified, utilities should develop access restrictions and
7 procedures to safeguard the information. At the same time, utilities also should develop
8 procedures that make security-sensitive information available to employees and others who
9 need it. If access restrictions are so severe as to limit practical use of information by
10 employees, the restrictions likely will not be followed and security could be compromised. The
11 WSWG is not recommending a standard definition of security-sensitive information or a
12 standard set of protocols to control access to such information. The water sector may wish to
13 continue to work with federal agencies and with community and public interest stakeholders to
14 create guidelines for identification of security-sensitive information and for providing appropriate
15 access to such information. In the absence of such guidelines, utilities should develop protocols
16 to identify and provide appropriate access to security-sensitive information based on their
17 specific circumstances and operating conditions.
18
19 In addition to controlling access to security sensitive information, utilities should take steps to
20 ensure the preservation of information critical to the continuity of operations. These steps could
21 include the identification of information needed to sustain day-to-day operations and
22 arrangements for the back up and safe keeping of such information.
23
24 With respect to telecommunications, utilities should take steps to ensure the maintenance of
25 critical internal and external communications in the event of an attack. In the event of an
26 emergency, conventional telecommunications networks will come under severe pressure and
27 may fail. Utilities should plan for this possibility and should evaluate the need and means for
28 providing back up systems that will maintain contact with police, fire, and other first response
29 organizations and maintain internal communication with employees to ensure safety and to
30 coordinate response activities.
31
Draft WSWG Report—3/21/05
Page 80
-------�
DRAFT Does hioi &apres«nt the Consensus; of the WSWG
1 8.2 Measure—Is there a procedure to identify and control security-sensitive information,
2 is information correctly categorized, and how do control measures perform under
3 testing?
4
5 Feature #8 calls on utilities to establish physical and procedural controls to define security-
6 sensitive information, restrict access to such information as appropriate, and detect
7 unauthorized access. This measure recommends that utilities should assess whether they have
8 the tools in place to define and restrict access to security-sensitive information and evaluate
9 their performance by reviewing whether information is correctly categorized and determining
10 how access control methods perform under testing. Testing of access control methods might
11 take a number of forms. For example, a utility might test paper document protection methods
12 by submitting and monitoring response to inappropriate document requests. Testing of
13 electronic information protection methods might involve monitoring the performance of firewalls
14 or other cyber protection devices. The WSWG is not recommending specific testing protocols
15 or frequency; instead, utilities should determine the testing that is most appropriate to their
16 specific security tactics and approaches. The WSWG emphasizes that it does believe some
17 testing of information access control measures is necessary to maintain an active and effective
18 security program.
19
20 The WSWG also is not recommending a standard definition of security-sensitive information or
21 a standard set of protocols to control access to such information. As discussed earlier in this
22 report, the water sector may wish to continue to work with federal agencies and with community
23 and public interest stakeholders to create guidelines for identification of security-sensitive
24 information and for providing appropriate access to such information. In the absence of such
25 guidelines, utilities should develop protocols to identify and provide appropriate access to
26 security-sensitive information based on their specific circumstances and operating conditions.
27
Draft WSWG Report—3/21 /05
Page 81
-------�
DRAFT Doss Not Rssprossnt the Consensus of the W8WC3
1 9. Design and construction
2 9.f Feature—Wafer and wastewater utilities should incorporate security considerations
3 into decisions about acquisition, repair, major maintenance, and replacement of physical
4 infrastructure: this should include consideration of opportunities to reduce risk through
5 physical hardening and the adoption of inherently lower risk design and technology
6 options.
7
8 Over the long term, utilities have the opportunity to reduce their vulnerability and risk, in part by
9 redefining the physical context in which they operate. This occurs as utilities make investments
10 in new real estate, infrastructure assets and repair and/or replace existing infrastructure assets.
11 All such activities at utilities are guided by design and construction standards that direct and
12 constrain the choices the organization will make. Utilities should incorporate security-related
13 considerations into these standards, with the intent to reduce their inherent security risk over
14 time.
15
16 To be effective, design and construction standards should address two dimensions of security
17 risk: physical hardening of critical assets; and the adoption of inherently lower security risk
18 technologies and approaches. Physical hardening of critical assets is designed to deter and/or
19 help mitigate physical damage, service disruption, or other serious consequences in the event
20 of attack. Physical hardening involves designing in the means to make a facility harder to attack
21 (or appear harder to attack) and to reduce the effect of any attack that may take place. This
22 typically involves considerations such as the location of critical infrastructure relative to
23 perimeter areas and the natural shielding provided to infrastructure by the choice of building
24 materials (e.g., concrete reinforced walls versus structural glass).
25
26 The adoption of inherently lower security risk technologies and approaches involves considering
27 how design and technology choices reduce the likelihood or extent of the consequences of
28 concern. Such choices should further consider opportunities for reducing safety risk in addition
29 to security risk. For example, certain treatment technologies may be less dependent upon the
30 storage and utilization of hazardous chemicals, reducing both security and safety risks. Another
31 example might be the purchase of additional buffer real estate which can serve both to increase
32 the stand-off and detection distance of a water supply or critical facility and provide source water
33 protection potential.
34
Draft WSWG Report—3/21/05
Page 82
-------�
DRAFT Doss Not Rspressnt the 0»rs&ftm;us of the WS
1 It is important to recognize that to incorporate security considerations into design choices,
2 utilities need information about the types of security design approaches and equipment that are
3 available and the performance of these designs and equipment in multiple dimensions. For
4 example, utilities would want to evaluate not just the way that a particular design might
5 contribute to security, but would also look at how that design would affect the efficiency of day-
6 to-day plant operations, and worker safety. The recently issued American Water Works
7 Association Security Guidelines for Water Utilities and the Water Environment Federation's
8 Security Guidance for Wastewater/Stormwater Utilities provide information for designers and
9 owners/operators of water and wastewater utilities on design approaches and upgrades that
10 improve security and reduce vulnerability. Other documents, such as the EPA Security Product
11 Guides, provide information that can help utility owners and operators evaluate design options
12 to optimize design choices.
13
14 9.2 Measure—Is there a protocol/procedure for incorporation of security considerations
15 into internal utility design and construction standards for new facilities/infrastructure
16 and major maintenance projects?
17
18 As discussed earlier in this report, utilities have the opportunity to reduce their vulnerability and
19 risk over the long term, in part by better incorporating security into utility design. Consistent with
20 its principle of emphasizing prevention and encouraging use of inherently safer (i.e., lower risk)
21 practices, the WSWG emphasizes the opportunity that design choices create to improve
22 security. Feature #9 establishes the expectation that utilities will incorporate security
23 considerations into decisions about acquisition, repair, and replacement of physical
24 infrastructure and consider opportunities to reduce risk potential through physical hardening and
25 the adoption of inherently lower risk design and technology options. This measure recommends
26 that utilities verify they are bringing security considerations forward as early in the design
27 process as practicable by incorporating security into internal utility design and construction
28 standards, planning, and budgeting. Recommended measure #9 also emphasizes the
29 importance of considering security during design and construction both of new facilities and
30 infrastructure and major maintenance activities, as these activities likely are more common than
31 new construction.
32
Draft WSWG Report—3/21/05
Page 83
-------�
DRAFT Doss Mot R&pressnt th
-------�
DRAFT Doss Not Rapr8sss>t ifc« Consensus of th>i WSWO
1 Monitoring threat information should be a regular part of the security-program manager's job,
2 and utility-, facility- and region-specific threat levels and information should be shared with those
3 responsible for security and other key security staff. As part of security planning, utilities should
4 develop systems to access threat information, procedures that will be followed in the event of
5 increased industry or facility threat levels, and should be prepared to put these procedures in
6 place immediately, so that adjustments are seamless. Enhanced security procedures might
7 include, for example: notification to first responders that threat levels have increased, posting
8 signs or otherwise notifying line staff and managers, further reducing/controlling access to the
9 utility or increasing contaminant monitoring.
10
11 10.2 Measure—Is there a protocol/procedure for responses to threat level changes?
12
13 By altering security practices in response to specific threats, utilities are better prepared to
14 respond to events and reinforce security as a regular part of day-to-day utility operations.
15 Feature #10 calls on utilities to monitor threat-level information with an emphasis on information
16 related to utility- and water-sector specific, and to escalate security procedures in response to
17 increased threats as part of an active and effective security program. This measure
18 emphasizes the importance of the planning element associated with feature #10, by
19 recommending utilities evaluate whether they are prepared to take appropriate action in
20 response to changing threat information. The WSWG is not recommending a specific threat
21 threshold for action, or specific actions to take. Utilities should identify the types of threat levels
22 and information they will respond to, and the specific responses they will take, based on their
23 specific circumstances and operating conditions.
24
25 Note that there was a range of views among WSWG members about the relative utility of the
26 national threat levels published by the Department of Homeland Security. The Group does not
27 assume utilities need to implement special security procedures in response to changes in the
28 National threat level. The Group is more concerned about attentiveness to threats that are
29 specific to a region, utility, or the water sector more generally. The WSWG also notes that
30 threats need not be of a terrorist nature to prompt utilities to implement special security or other
31 procedures. Many utilities already have developed special operational procedures that can be
32 put in place in response to storms or other natural disasters threats. These procedures might
33 be used as the basis for special security procedures.
34
Draft WSWG Report—3/21/05
Page 85
-------�
DRAFT ..... Doss hJof Rapress^t the Consensus of the
1 11. Emergency response and recovery plans
2 •/?.•/ Feature — Emergency response and recovery plans should incorporate security
3 considerations, be tested and reviewed regularly, and updated as necessary to reflect
4 changes in potential threats, physical infrastructure, utility operations, critical
5 interdependencies, and response protocols in partner organizations.
6
7 Emergency response and recovery plans describe who will do what in the event of an
8 emergency. They are the critical document for establishing emergency response and recovery
9 roles and priorities, and for assuring the continued safety of utility operations during and
10 immediately after an emergency response. Over time, the conditions that defined utilities' initial
11 emergency response and recovery plans will change; their plans and priorities should be
12 changed and updated accordingly.
13
14 This recommendation establishes the expectation that utilities should incorporate security
15 considerations into their emergency response and recovery plans, and should maintain these
16 plans as "living documents." In incorporating security considerations into their emergency
17 response and recovery plans, utilities also should be aware of the National Incident
18 Management System guidelines, established by the Department of Homeland Security, and of
19 regional and local incident management commands and systems, which tend to flow from the
20 national guidelines. In addition to describing many of the parameters of incident command
21 (such as which agencies will command responses to which types of incidents), documents
22 developed in support of the National Incident Management System guidelines define the types
23 of equipment and other activities that can be funded with Homeland Security Grants. These
24 documents are available
25
26 The timing for review and updating of emergency response and recovery plans will vary across
27 utilities, depending on the degree to which security-related conditions are changing and any
28 applicable state-level planning requirements. Utilities should consider their individual
29 circumstances and establish, develop, and implement a schedule for review and update of
30 emergency response and recovery plans that are appropriate to their circumstances. At a
31 minimum, the WSWG believes that all utilities should review and (as needed) update their
32 emergency response and recovery plan at least once every year. Conditions that might prompt
33 more frequent review of emergency response and recovery plans include major facility
34 construction projects, adding new facility infrastructure (by construction or acquisition), new
Draft WSWG Report— 3/21/05
Page 86
-------�
DRAFT' Do«s Mot Rapr«ss»t. the Consensus of the W8WG
1 response protocols in related critical infrastructure (such as the electric power sector), changes
2 in response protocols or capabilities of emergency response organizations, and new information
3 about specific threats. Utilities also might find it useful to review emergency response and
4 recovery plans after any event that causes the plan to be implemented—so that lessons from
5 the event response can be incorporated into the plan and used in the future. Many utilities have
6 found it useful to update their emergency response and recovery plans on a "page basis" to
7 ensure strict tracking of versions and to ensure that all responders have up-to-date information.
8 Using this approach, replacement plan pages would be sent to all responders at least once per
9 year when plans are reviewed and updated.
10
11 The WSWG emphasizes that emergency response and recovery plans and planning should
12 include not just the details of response activities, but also a discussion of the circumstances that
13 would prompt implementation of the plan and who will make decisions about plan
14 implementation. Utility plans should be thoroughly coordinated with emergency response and
15 recovery planning in the larger community. Coordination is important not just with response
16 organizations, but also with other critical infrastructure sectors such as electric power, and with
17 public health providers. Coordination and education related to emergency response and
18 recovery planning are also important for utility customers. Some utilities have found it helpful for
19 customers to be aware that their utility has an emergency response and recovery plan in place
20 and to have information on what, if anything, the plan might call for them to do. For example, if
21 plans call for customers to be asked to boil water under certain circumstances, they will be more
22 likely to correctly carry out this precaution if they have advance information preparing them for
23 the possibility. Some utilities have formed relationships with local public health providers and
24 the Red Cross to prepare public service announcements and other education information about
25 response to utility emergencies.
26
27 This recommendation also establishes the expectation that utilities should test or exercise their
28 emergency response and recovery plans regularly. Plans might be tested through training and
29 table-top drills and exercises or through real-time simulated responses. The WSWG believes it
30 is particularly helpful to carry out these tests in concert with representatives of critical
31 interdependent infrastructure sectors, and with first responders. Some utilities have found it
32 useful to participate in routine meetings of individuals with security, response, or law
33 enforcement responsibilities. Establishing these collaborative partnerships helps in developing
34 and facilitating implementation of emergency response and recovery plans. It also provides a
Draft WSWG Report—3/21/05
Page 87
-------�
DRAFT Doss Mot Raprosss>t the Consensus of ths
1 routine, relatively informal mechanism to trade up-to-date information on threats and potential
2 threats, security approaches, and response plans and capabilities. Utilities may wish to refer to
3 the EPA "Tabletop Exercise Planning guide for Public Drinking Water Systems" (January 2005)
4 for additional information on planning and implementing tabletop exercises.
5
6 11.2 Measure—Do exercises address the full range of threats—physical, cyber, and
7 contamination— and is there a protocol/procedure to incorporate lessons learned from
8 exercises and actual responses into updates to emergency response and recovery
9 plans?
10
11 Feature #11 establishes the expectation that utilities will incorporate security considerations into
12 their emergency response and recovery plans, that plans will be tested and reviewed regularly,
13 and that plans will be updated as needed to reflect changes in potential threats, physical
14 infrastructure, utility operations, critical interdependencies, and response protocols in partner
15 organizations. This measure emphasizes the importance of testing and exercising of
16 emergency response plans by recommending utilities evaluate whether exercises address the
17 full range of physical, cyber, and contamination threats. It also reinforces the need for
18 emergency response and recovery plans to be maintained as "living documents" by
19 recommending utilities evaluate whether they are prepared to incorporate lessons learned from
20 exercises and response into plan updates. Consistent with its focus on ongoing improvement in
21 security programs (see Recommendation 6), the WSWG believes strongly in the importance of
22 ongoing, thoughtful reassessment as a way to keep security programs "fresh" and effective,
23 take advantage of emerging approaches and new technologies, and perpetuate a security
24 culture throughout an organization.
25
26 12. Internal and external communications
27 12.1 Feature—Water and wastewater utilities should develop and implement strategies
28 for regular, ongoing security-related communications with employees, response
29 organizations, and customers.
30
31 This recommendation establishes the expectation that utilities should develop and implement
32 communication strategies with key partners to increase security and be better prepared to
33 respond to an emergency, whether caused by an accident, natural disaster, vandalism, or
Draft WSWG Report—3/21/05
Page 88
-------�
DRAFT ..... Doss Not Raprftsssnt. the Conserjsus of the
1 terrorist attack. Training utility workers and inviting community members to recognize and
2 report unusual or suspicious events or activities is one of the best ways that utilities can improve
3 their security posture. During an emergency, rapid, confident response may be critical to
4 safeguarding public and environmental health. One of the keys to both these outcomes is
5 communication.
6
7 The WSWG believes that effective communication strategies consider key messages; who is
8 best equipped/trusted to deliver the key messages; the need for message consistency,
9 particularly during an emergency; and the best mechanisms for delivering messages and for
10 receiving information and feedback from key partners. These elements likely will vary
1 1 depending on the audience with whom a utility is trying to communicate. The WSWG highlights
12 three key audiences for communication strategies: utility employees, response organizations,
13 and customers.
14
15 With respect to utility employees, reliable, ongoing communication strategies are a key part of
16 creating an active and effective security culture. Communications strategies should maintain
17 employee security awareness, motivate staff to take security seriously, provide ways for staff to
18 notify appropriate security or other personnel about unusual or suspicious events or activities,
19 ensure employee safety during an event, and enable effective employee participation during
20 event response. This might be accomplished through regular security awareness briefings and
21 the incorporation of security considerations into regular training activities. Efforts need to
22 ensure that staff can distinguish between normal and unusual activity (both on and off site and
23 in their professional and personal lives), understand how to notify management of suspicious
24 activity, understand the nature of and restrictions on access to sensitive information and
25 facilities, understand event-related safety procedures, and participate effectively in event
26 response activities.
27
28 With respect to response organizations, communication strategies should focus on ensuring
29 clarity and reliability in the event of an emergency. As discussed under feature #8, in the event
30 of an emergency, conventional telecommunications networks will come under severe pressure
31 and may fail. In this context, utilities should evaluate the need and means for providing back up
32 systems that will enable maintaining contact with police, fire, and other first response
33 organizations, as well as maintaining internal communication with employees to ensure safety
34 and to coordinate response activities.
Draft WSWG Re po rt— 3/2 1 105
Page 89
-------�
DRAFT Doss Not Rapressnt the Consensus of the
1
2 With respect to customers, communication strategies should especially consider the most
3 effective ways to reach consumers with information, both in terms of delivery mechanism and
4 source, and of providing a mechanism for customers to communicate with appropriate security
5 or other personnel about unusual or suspicious events or activities. For example, some
6 customers may be more inclined to pay attention to information that comes from the public
7 health community than information that comes from a utility. Some delivery mechanisms might
8 work well for customers who are at home during the day, but other mechanisms might be
9 needed for customers who work during the day, or travel frequently. In the event of an
10 emergency, plans should be in place to reliably get information out to people who need it, even
11 if normal communication mechanisms are compromised. Some utilities have found it useful to
12 invest in ongoing outreach and communication with customers to build trust, partnership, and
13 open lines of communication well in advance of any service-related problem or security
14 emergency.
15
16 Communication strategies also should address who is authorized to speak for a utility in the
17 event of an emergency and ensure that person has pre-prepared communication materials and
18 messages that can be tailored to the specifics of an event. It may be helpful to practice
19 communication strategies and messages with local political leaders who will have a role in
20 public communication during an actual public health emergency before an emergency occurs.
21 This will ensure that local political leaders have accurate expectations about how an actual
22 public health emergency will be handled, and will reduce the likelihood that the public could
23 receive mixed or conflicting messages.
24
25 12.2 Measure—Is there a mechanism for utility employees, partners, and the community
26 to notify the utility of suspicious occurrences and other security concerns?
27
28 The WSWG believes strongly that effective two-way communication within utilities and between
29 utilities and their partners and customers in surrounding communities is one of the most
30 important assets of an active and effective security program. Feature #12 describes in detail
31 the WSWG's thoughts on the importance of internal and external communication and
32 expectations for communication efforts in active and effective security programs. Measure #12
33 highlights one of the main reasons the WSWG believes communication is important: effective
34 communication strategies can dramatically increase a utility's ability to identify utility-specific
Draft WSWG Report—3/21/05
Page 90
-------�
DRAFT ..... Doss Mot RapresKivt: th« Corss-ensus of th(* WS
1 security threats. Training utility workers and inviting community members to recognize and
2 report unusual or suspicious events and other security concerns is one of the best ways utilities
3 can improve their security posture. Residents who live near utility infrastructure and observe
4 comings and goings on a daily basis are often the best able to notice changes that may signal
5 an increasing threat. The WSWG is not prescribing a specific method utilities should use to
6 provide for notification; utilities should develop notification strategies best suiting their particular
7 circumstances, communities, and operating conditions. Over time, it also will be important for
8 utilities to evaluate the effectiveness of communication mechanisms - this could be done by
9 surveying or incorporation of testing of communication mechanisms in tabletop or field
10 exercises.
11
12 Note that by highlighting this element of internal and external communications, the WSWG is
13 not intending to minimize other elements of this feature described earlier. In particular, the
14 Group expects that as part of developing active and effective security programs, utilities also will
15 develop and implement strategies to ensure reliable and clear communication during
16 emergencies.
17
18 13. Partnerships
19 13.1 Feature — Water and wastewater utilities should forge reliable and collaborative
20 partnerships with the communities they serve, managers of critical interdependent
21 infrastructure, and response organizations.
22
23 During an actual response is not the opportune time to begin to develop good working
24 relationships with managers of interdependent infrastructure, such as power supply, or first
25 responders. Utilities should identify and reach out to'key partners. This should include reaching
26 out to communities, managers of interdependent infrastructure, and first responders in advance
27 of an emergency so that they are better prepared to work together if an emergency were to
28 occur. The objective of developing reliable, collaborative partnerships with these individuals is
29 to improve security across interdependent infrastructures, improve vigilance towards security
30 concerns, and improve responsiveness in the event of an attack.
31
32 Effective partnerships not only build collaborative working relationships, they also clearly define
33 roles and responsibilities so that people can work together seamlessly if an emergency were to
Draft WSWG Report—3/21/05
Page 91
-------�
DRAFT Doss Mot Rsspmssnt th« Consensus of the W8WC3
1 occur. These partnerships are essential to a utility's ability to enhance security and to respond
2 effectively to emergencies. Developing reliable and collaborative partnerships involves reaching
3 out to managers and key staff in other organizations to build understanding of their security
4 concerns and planning and to share information about the utility's security concerns and
5 planning. It is important to emphasize the need for reciprocity in these relationships—it is just
6 as important for the utility to understand and be able to work with the power sector as it is for the
7 power sector to understand and be able to work with the utility.
8
9 In many cases, reaching out to interdependent infrastructure and response organizations may
10 have unforeseen benefits to daily operations. For example, one utility has worked with the local
11 police and fire departments to enter information on their critical infrastructure into the police and
12 fire secure global positioning system, so that police and fire responders are automatically
13 notified of the presence of water utility infrastructure within 1000 yards of a response call. This
14 day-to-day interaction has increased awareness of, and attentiveness to, water infrastructure in
15 a way that will automatically increase security. In another case, arrangements were made for a
16 24-hour on-call utility worker to stay at a local firehouse with the 24-hour on-call fire personnel.
17 This enabled the city to dispatch the utility worker for hydrant vandalism, rather than sending a
18 fire truck, which saved the fire department time and money. The utility benefited from better
19 accommodations for their worker and a closer, more collaborative relationship with the fire
20 department.
21
22 It is also important for utilities to develop partnerships with the communities and customers they
23 serve. Partnerships help to build credibility within communities and establish public confidence
24 in utility operations. In the event of an emergency, these relationships likely will provide a
25 foundation of common understanding and trust upon which confidence can be restored.
26 Partnerships with communities also can provide real-time security enhancements, particularly
27 for rural and ex-urban utilities. People who live near utility infrastructure can be the eyes and
28 ears of the utility, and can be encouraged to notice and report changes in operating procedures
29 or other suspicious behaviors. Neighborhood watches and other programs can help customers
30 feel connected to the utility, make them aware of security considerations, and enhance both
31 community partnership and security at little cost. Effective community partnerships can have
32 the important collateral benefit of increasing public support for security improvements and
33 security-related spending and any associated inconveniences (such as construction sites) or
34 rate increases.
Draft WSWG Report—3/21/05
Page 92
-------�
DRAFT Doss hJot Rspressnt th« Consensus of the WSWG
1
2 f 3.2 Measure—Have reliable and collaborative partnerships with customers, managers of
3 independent interrelated infrastructure, and response organizations been established?
4
5 Partnerships are a natural outgrowth of effective communications; effective partnerships will
6 improve security across interdependent infrastructure, improve vigilance towards security
7 concerns, and improve the speed and quality of emergency response. Feature #13 establishes
8 the expectation that utilities will forge reliable and collaborative partnerships with the
9 communities and customers they serve, managers of critical interdependent infrastructure, and
10 response organizations as part of establishing active and effective security programs. This
11 measure recommends utilities evaluate the quality of these partnerships.
12
13 The WSWG emphasizes the importance of utilities undertaking a critical and thoughtful
14 evaluation of partnerships as part of this measure. The Group is not recommending a specific
15 method to evaluate partnerships; however, it strongly encourages utilities to engage partners in
16 a dialogue as part of evaluation and to provide a forum in which partners can offer informed and
17 candid observations and suggestions for improvement. As discussed earlier in this report, the
18 WSWG is recommending these measures as part of utility-specific self-assessment programs.
19 Utilities should use the opportunity that self assessment provides to be realistic and thoughtful
20 about their performance and opportunities to further improve their security posture.
21
22 14. Measures and Self Assessment
23 14.1 Feature—Water and wastewater utilities should develop utility-specific measures of
24 security activities and achievements and should self assess against these measure to
25 understand and document program progress.
26
27 It is an axiom of modern organizations that what gets measured gets done. As part of an active
28 and effective security program, water and wastewater utilities should develop utility-specific
29 measures that they can use to understand and track progress, activities, and achievement.
30 Measures should be appropriate to utility-specific circumstances and operating conditions and
31 should reflect the specific security approaches and tactics a utility has chosen. Measures help a
32 utility verify that an active and effective security program is in place and help to document
33 program outcomes. Although each utility's measures will be different, just as each utility's
Draft WSWG Report—3/21/05
Page 93
-------�
DRAFT Doss Mot Represent tho Consensus of ths
1 specific security approaches and tactics will be different, the WSWG recommends that utilities
2 consider measures of a number of common types of activities and achievements, including the
3 following.
4
5 ^ Existence of program policies and procedures. The WSWG anticipates that, as part of their
6 specific security approaches and tactics, most, if not all, utilities will choose to develop some
7 policies and procedures related to security. For example, as part of developing an explicit,
8 visible commitment to security (feature #1), many utilities may choose to develop an
9 overarching security policy. As part of intrusion detection and access controls (feature #6),
10 many utilities may choose to develop employee identification procedures and visitor
11 identification procedures and access limitations. Where utilities have chosen to develop
12 policies and procedures as part of their specific security program approaches or tactics, the
13 existence of these policies and procedures should be documented as part of implementing
14 an active and effective security program.
15 •-:» -Training. The WSWG anticipates training on security approaches and tactics will be part of
16 most, if not all, utility security programs. Where security-related training is planned, utilities
17 should measure whether the training has been carried out as planned and the effectiveness
18 of training as part of implementing an active and effective security program.
19 •* Testing. As a complement to documenting where security-related policies and procedures
20 are in place, utilities that choose to develop policies and procedures as part of their specific
21 security approaches and tactics should test and measure whether staff (including
22 contractors) are operating consistently with established security-related policies and
23 procedures. These tests can take a variety of forms including observing staff activity,
24 retroactive review of security related activities, table top and field exercises, and after action
25 reviews of lessons learned security activities and emergency responses.
26 ^ Implementing schedules and plans. As part of developing an active and effective security
27 program, individual utilities will develop utility-specific schedules and plans. For example,
28 utilities will develop schedules and plans for carrying out regular updates to assessments of
29 vulnerabilities (feature #3) and emergency response plans (feature #11). Where these
30 schedules and plans are in place, utilities should measure whether they carry out updates in
31 accordance with schedules and plans.
32
33 In addition to recommending that utilities establish utility-specific measurement and self-
34 assessment programs, the WSWG recommends a number of specific security measures that
Draft WSWG Report—3/21/05
Page 94
-------�
DRAFT Dosss. hioi Rspfftss»t the Consensus of the WS
1 apply across the full range of utility circumstances and operating conditions (see
2 recommendation 18). The Group emphasizes that the measures recommended later in this
3 document are intended to form the basis of a utility-specific measurement program, not replace
4 utility-specific measures.
5
6 Once security measures are in place, utilities should regularly conduct self assessments of their
7 security programs and track progress against their measures. At a minimum, the WSWG
8 believes self assessments should be done annually, as part of an annual security program
9 review. The WSWG reiterates that self assessment should be based on consideration of the
10 specific measures a utility has put in place. The Group does not assume that self assessment
11 will include annual conduct of a full assessment of vulnerabilities, although some utilities may
12 choose to update their assessments of vulnerabilities annually. The WSWG also recommends
13 establishing a voluntary, utility security peer technical assistance and review process to
14 complement, as individual utilities deem desirable, utility self assessments (see
15 recommendation 12).
Draft WSWG Report—3/21 /OS
Page 95
-------�
DRAFT—Doss Not Represent the Consensus o? the WSWG
1 Appendix B: Chart Showing Features of an Active and Effective Security Program and
2 Corresponding Measure that Utilities Should Use
Feature
Explicit commitment to
security
Security culture
Up-to-date assessment
of vulnerability
Resources dedicated to
security and security
implementation
priorities.
Defined security roles
and employee
expectations
Access control and
detection
Contamination
detection, monitoring
and surveillance
Information protection
and continuity
Feature
Water and wastewater utilities should make an explicit
and visible commitment to security.
Water and wastewater utilities should promote security
awareness throughout their organizations.
Water and wastewater utilities should assess
vulnerabilities and periodically review and update
vulnerability assessments to reflect changes in potential
threats and vulnerabilities.
Water and wastewater utilities should identify security
priorities and, on an annual basis, identify the resources
dedicated to security programs and planned security
improvements, if any.
Water and wastewater utilities should identify managers
and employees who are responsible for security and
establish security expectations for all staff.
Water and wastewater utilities should establish physical
and procedural controls to restrict access to utility
infrastructure to only those conducting authorized, official
business and to detect unauthorized physical intrusions.
Water and wastewater utilities should employ protocols
for detection of contamination consistent with the
recognized limitations in current contaminant detection,
monitoring, and surveillance, technology.
Water and wastewater utilities should define security-
sensitive information, establish physical and procedural
Measure
Does a written, enterprise-wide security policy exist,
and is the policy reviewed regularly and updated as
needed?
Are incidents reported in a timely way, and are
lessons learned from incident responses reviewed
and, as appropriate, incorporated into future utility
security efforts?
Are re-assessments of vulnerabilities made after
incidents, and are lessons learned and other relevant
information incorporated into security practices?
Are security priorities clearly identified, and to what
extent do security priorities have resources assigned
to them?
Are managers and employees who are responsible
for security identified?
To what extent are methods to control access to
sensitive assets in place?
Is there a protocol/procedure in place to identify and
respond to suspected contamination events?
Is there a procedure to identify and control security-
sensitive information, is information correctly
Draft WSWG Report—3/21/05
Page 96
-------�
DRAFT—Does Not Represent the Consensus of the WSWG
Feature
Feature
Measure
controls to restrict access to security-sensitive
information as appropriate, detect unauthorized access,
and ensure information and communications systems will
function during emergency response and recovery.
categorized, and how do control measures perform
under testing?
Design and
construction
Water and wastewater utilities should incorporate
security considerations into decisions about acquisition,
repair, major maintenance, and replacement of physical
infrastructure; this should include consideration of
opportunities to reduce risk through physical hardening
and the adoption of inherently lower risk design and
technology options.
Are security considerations incorporated into internal
utility design and construction standards for new
facilities/infrastructure and major maintenance
projects?
Threat level-based
protocols
Water and wastewater utilities should monitor available
threat-level information, escalate security procedures in
response to relevant threats.
Is there a protocol/procedure of responses that will
be made if threat levels change?
Emergency response
and recovery plans are
tested and up-to-date
Emergency response and recovery plans should
incorporate security considerations, be tested and
reviewed regularly, and updated as necessary to reflect
changes in potential threats, physical infrastructure, utility
operations, critical interdependencies, and response
protocols in partner organizations.
Do exercises address the full range of threats—
physical, cyber, and contamination— and is there a
protocol/procedure to incorporate lessons learned
from exercises and actual responses into updates to
emergency response and recovery plans?
Internal and external
communications
Water and wastewater utilities should develop and
implement strategies for regular, ongoing security-related
communications with employees, response
organizations, and customers.
Is there a mechanism for utility employees, partners,
and the community to notify the utility of suspicious
occurrences and other security concerns?
Partnerships
Water and wastewater utilities should forge reliable and
collaborative partnerships with the communities they
serve, managers of critical interdependent infrastructure,
and response organizations.
Have reliable and collaborative partnerships with
customers, managers of independent interrelated
infrastructure, and response organizations been
established?
Measures and Self
Assessment
Water and wastewater utilities should develop utility-
specific measures of security activities and achievements
and should self assess against these measure to
understand and document program progress.
NA—Not applicable.
Draft WSWG Report—3/21/05
Page 97
-------�
DRAFT Doss. Not Rqsprassnt the Consensus of tha WSWG
1 Appendix C: Measures Utilities Should Consider
2
3 During their deliberations to identify measure that all utilities should use, the WSWG identified
4 numerous other potential measures of active and effective security programs. The measures
5 recommended above for all utilities to use are the minimum necessary to create a foundation for
6 a successful utility security self-assessment and measurement program. Utilities should
7 supplement the measures recommended above with additional measures that reflect the
8 specific security approaches and tactics they have chosen and that are appropriate to their
9 specific circumstances and operating conditions.
10
11 This Appendix lists measures that the WSWG considered during its deliberations, and that it
12 recommends utilities should consider when developing a utility-specific self-assessment and
13 measurement program. While all the measures listed here will not be applicable to every utility,
14 they cover many of the elements of a successful measurement program that the WSWG
15 recommended earlier (existence of program policies and procedures, training,
16 testing/exercising, and implementing schedules and plans; see feature #14) and represent the
17 WSWG's best thinking on what would constitute good measures.
18
19 Feature 1: Explicit Commitment to Security
20
21 ^ Are written security policies and procedures established? (y/n)
22 * Are procedures/protocols updated routinely? (y/n)
23 -* Is there a public education program for customers and public officials? (y/n)
24 •?> Are agreements with emergency response partners in place? (y/n)
25 «* Is there an explicit commitment to security? (y/n)
26 ^ Does the commitment to security address the full scope of the security program? (y/n)
27
28 Feature 2: Security Culture
29
30 -* Are all management and staff security trained? (y/n)
31 -> Is there documentation of incidents and associated responses? (y/n)
Draft WSWG Report—3/21/05
Page 98
-------�
DRAFT Doss htof Raprassni t.h« Consensus of th» WJJWG
1 ••> How many incidents/suspicious incidents are reported? (Measure raw number of incidents
2 and changes in the number of incidents over time.)
3 -* Are incidents and responses reviewed with staff? (y/n)
4 ~s> Are lessons learned from incidents and incident response incorporated into future planning?
5 (y/n)
6 -» Are there incidents that were not reported or not reported in a timely way? (y/n)
7 <* Were responses to incidents consistent with established policies and procedures? (y/n)
8 -s> Are there efforts to promote security awareness throughout the utility? (y/n)
9 -* Are security policies and procedures followed? (y/n)
10 -* Is there a process/protocol by which suggestions for security improvements can be made by
11 employees and the public? (y/n) How many suggestions are made? Are suggestions
12 followed up on in a timely way? (y/n)
13 •* Is there a way to keep up to date on security improvements and good security
14 practices/models from other utilities? (y/n)
15
16 Feature3: Up-to-Date Assessment of Vulnerability
17
18 -*> Is there a procedure or protocol that establishes an internal periodic re-assessment of
19 vulnerability (including design basis threat) and a schedule for this re-assessment? (y/n)
20 * Is the periodic re-assessment done? (y/n)
21 -* Is it done on schedule? (y/n)
22 -* Is a re-assessment of vulnerabilities conducted after incidents? (y/n)
23 •••?• Is follow-up conducted after each re-assessment to incorporate changes, lessons learned,
24 and security improvements into security practices? (y/n)
25 -* Are conditions that drive changes in vulnerability identified and tracked? (y/n)
26 •>> Are reviews of vulnerability carried out by a team of employees from both security and
27 operations? (y/n)
28
Draft WSWG Report—3/21/05
Page 99
-------�
DRAFT Doss No! R&presant th« Consensus of the W8WG
1 Feature 4: Dedicated Security Resources and Security Implementation
2 Priorities
3
4 •* Are solutions to vulnerabilities (steps to take to reduce vulnerabilities or reduce potential
5 consequences) identified and built into security plan (y/n), prioritized (y/n), and given a time
6 frame to complete (y/n)?
7 •••> Have solutions to vulnerabilities and measures to mitigate potential consequences been
8 considered and evaluated for importance and ability to fund, and funding decisions been
9 made? (y/n)
10 ~» Do solutions to vulnerabilities and measures to mitigate potential consequences have
11 resources assigned to them? (Measure number and type with assigned resources and total
12 percentage with resources assigned.)
13 ~> What number of high-priority security improvements (solutions to vulnerabilities) has been
14 addressed? (Measure raw number of vulnerabilities addressed.)
15 •* How many milestones have been accomplished from the security plan? (Measure raw
16 number of accomplishments.)
17 •••? How many capital improvement dollars have been spent on security? (Measure raw dollar
18 amount.)
19 <* How many operational improvements have been made? (Measure raw number of
20 improvements.)
21 v?> How many changes have been made in maintenance activities? (Measure raw number of
22 activities.)
23 -* Are the skills needed to implement security improvements identified and available? (y/n)
24 -> Are resources dedicated to security identified on an annual basis? (y/n)
25 ** Are planned security improvements, if any, identified? (y/n)
26
27 Feature 5: Defined Security Roles and Employee Expectations
28
29 ™s Does management/utility board support adoption of security policies? (y/n)
30 * Are security roles/responsibilities included in job descriptions, employee evaluations, or
31 other documentation of responsibilities? (y/n)
32 »$ Does staff receive training relative to their security roles/responsibilities (y/n) and is the
33 training ongoing (y/n)?
34 -* Is performance of security roles/responsibilities part of performance evaluations? (y/n)
Draft WSWG Report—3/21/05
Page 100
-------�
DRAFT Doss Not Rapffts«»t th« Consensus of th» WSWG
1 ~» Have managers and employees who are responsible for security been identified? (y/n)
2 -* Are background checks performed for current and new employees, including contractors?
3 (y/n)
4 -* Are there means to readily identify all employees, contractors, and visitors? (y/n)
5
6 Feature 6: Intrusion Detection and Access Control for the Physical Plant
7
8 -*• Is there a procedure/protocol on intrusion detection and access control? (y/n)
9 -> Are the procedures/protocols tested regularly? (y/n)
10 -> Are non-public spaces protected from casual trespass? (y/n)
11 -* Is there a way to control access to sensitive assets? (y/n)
12 ~> Is a security perimeter established (y/n) and is there technology to monitor the established
13 security perimeter (y/n)?
14 * Are all utility employees and contractors identified? (y/n)
15 -*• Are visitors to the utility checked in and escorted? (y/n)
16 »> Is access denied to persons who no longer qualify for access? (y/n)
17 * Can individuals who are not eligible for access talk their way in to restricted areas? (y/n)
18 -» Is there a means to control vehicular access? (y/n)
19 <* Are intrusions detected and responded to in a timely way? (y/n)
20 ^ Are there policies and/or procedures for monitoring chemical delivery schedules and
21 safeguarding chemical deliveries? (y/n)
22 •* Are the chemical delivery policies/procedures tested regularly? (y/n)
23
24 Feature 7: Contamination Detection
25
26 -» Is there a system of monitoring for contaminant detection? (y/n)
27 •*• What type of monitoring is being used?
28 •* Is there a system to keep up-to-date on emerging technologies for contamination detection
29 and monitoring?
30 ~> Have connections been established with public health networks to detect, interpret, and act
31 upon public health anomalies? (y/n)
32 -? Are customer complaints monitored and evaluated for possible indications of contamination
33 events? (y/n)
Draft WSWG Re po rt—3/21105
Page 101
-------�
DRAFT Doss hjof R&pfO8es>t the Consensus of th» WSWG
1 ••-> Have protocols been established for interpreting and responding to indications of public
2 health anomalies? (y/n)
3
4 Feature 8: Information Protection and Continuity
5
6 ~> Are there policies and procedures in place that categorize and control security information?
7 (y/n)
8 -* Are these policies used/followed? (y/n)?
9 -> Is there a training program for information security policies/procedures? (y/n)
10 -3- Is there regular testing of information security policies/procedures? (y/n)
11 -*• How does implementation of the policies and procedures perform under testing—is
12 information secure? (Measure performance against testing benchmarks.)
13 ~> Are documents correctly categorized relative to security content? (y/n and measure number
14 and percentage correctly categorized.)
15 •* Is there a dedicated lead information officer for both paper and electronic information? (y/n)
16 »> Is there an employee training program for information security? (y/n)
17 -a- Is security incorporated into design standards for new information systems? (y/n)
18 -*• Can the IT firewall be breached? (Measure number of total attempts and number and
19 percentage of attempts that are wholly or partially successful.)
20 ••* Are information security considerations incorporated into decisions about design and
21 acquisition of new systems or updates to current systems? (y/n)
22
23 Feature 9: Design and Construction
24
25 •* Is there a protocol in place for examining the potential multiple benefits of design choices,
26 with an emphasis of designs that more fully address security? (y/n)
27 -> Have security considerations been incorporated into internal utility design and construction
28 standards? (y/n)
29 -* Do these standards include consideration of opportunities to reduce both security and safety
30 risk through the adoption of inherently lower risk design and technology options? (y/n)
31 -> Are there policies/procedures in place to ensure that facilities remain secure during
32 construction? (y/n)
33 -* Is there a training program on these policies/procedures? (y/n)
Draft WSWG Report—3/21/05
Page 102
-------�
DRAFT ..... Dosss hjot Rapr«ss»t th« Oarssansus of th» WSW
1 ••» Are these policies/procedures tested regularly? (y/n)
2 -;> Is security considered in both design of new facilities/infrastructure and in major
3 maintenance projects? (y/n)
4
5 Feature 10: Threat-Level Based Protocols
6
7 ^> Is an active system in place to identify and assess threat level changes, with an emphasis
8 on geographic- and industry-specific threats? (y/n)
9 ~» Is a list of sources of threat level information created/updated? (y/n)
10 •»/ Has utility developed procedure/protocol of responses that will be made if threat levels
1 1 change? (y/n)
12 ~> Are responses undertaken when needed? (y/n and measure the percent of times correct
13 response undertaken.)
14 -^ How much time does it take to make change relative to established objective? (Measure
1 5 time and change in time over time.)
16
17 Feature 11: Emergency Response and Recovery Plans Tested and Up-to-
18 Date
19
20 •* Does the ERP incorporate security-related threats and responses consistent with the
21 assessment of vulnerabilities? (y/n)
22 •'* Is response staff identified and trained? (y/n)
23 ^ What were the results of planned and unplanned drills/exercises? (Measure quality of
24 response.)
25 ••>> Do exercises set specific objectives and test them? (y/n)
26 ^ How long does it take for full organization to fully mobilize relative to established objective?
27 (Measure time and change in time over time.)
28 •"> How long does it take for individuals to mobilize relative to established objective? (Measure
29 time and change in time over time.)
30 >* Is there a high, medium or low rating of coordination with other responders during an
31 exercise? (Measure with survey results.)
32 -> How well do exercises test performance?
Draft WSWG Report—3/21/05
Page 103
-------�
DRAFT Doss Mot Rsspfs«si>t th« Consensus of tho WSWG
1 -•» Are there protocols/procedures to incorporate lessons learned from exercises and actual
2 responses into updates to the ERP? (y/n)
3 -» Do exercises address the full range of threats—physical, cyber, contamination? (y/n)
4 •* Are security considerations incorporated into emergency response plans? (y/n)
5 •* Are emergency response plans updated in response to changes in security considerations?
6 (y/n)
7 -*• Do emergency response plans reflect an awareness of the National Incident Management
8 System Guidelines? (y/n)
9 ^ Has a schedule for review, reflective of individual utility security-related conditions, been
10 established? (y/n)
11 ~> Has the emergency response plan been reviewed at least once per year? (y/n)
12 ^ Were emergency response plans reviewed and updated as needed in response to such
13 changes as major facility construction projects, new facility infrastructure, and/or new
14 information regarding threats? (y/n)
15 •* Is the emergency response plan thoroughly coordinated with emergency response planning
16 in the larger community? (y/n)
17 •* Has the emergency response plan been tested regularly? (y/n)
18 * Are there contingency plans in place in case of failure of primary response systems or
19 partnerships? (y/n)
20
21 Feature 12: Internal and External Communication
22
23 •* Has a list of organizations/individuals to communicate with established? (y/n)
24 * Has a schedule/cycle of contact established? (y/n)
25 -* Has that schedule of contacts been met or exceeded? (y/n and measure percent of contacts
26 met or exceeded on schedule)
27 -» Do partner organizations know what utility thinks they should know? (Measure with survey
28 data.)
29 -> Is the community aware of its role in improving security and what to watch for? (y/n)
30 »-> Is there a mechanism for employees to make suggestions for security improvements? (y/n)
31 ^ Is there a mechanism for employees to get information about security practices? (y/n)
32 <* Are security issues included as part of routine employee briefings and staff meetings? (y/n)
33 ••> Is information disseminated to employees, as appropriate, when security practices change?
34 (y/n)
Draft WSWG Report—3/21/05
Page 104
-------�
DRAFT Doss Mot Rapf88Si>t th« Consensus of tha VVS'A'G
4
1 ~> Is information disseminated to employees, as appropriate, when threat levels change? (y/n)
2 •* Is there redundancy in communication technologies? (y/n)
3 -*> Is there a way for partners and the community to make suggestions for security
4 improvements? (y/n)
5 -* Is there a way for partners and the community to notify the utilities of suspicious occurrences
6 or other security concerns? (y/n)
7
8 Feature 13: Partnerships
9
10 •% Are key partners identified? (y/n)
11 <* Has a joint communications plan been established? (y/n)
12 <* Have communications been undertaken consistent with the plan? (y/n)
13 »» How many meetings with responders have taken place per year? (Measure raw number.)
14 -* Have the needs of partners been met in joint exercises? (Measure with survey data.)
15 ^ Have reliable and collaborative partnerships with served communities, managers of
16 interdependent infrastructure, and response organizations been established? (y/n)
17
Draft WSWG Report—3/21/05
Page 105
-------�
DRAFT Doss Mot Rspresssit t.h« Consensus of the WSWG
1 Appendix D: Individual Comments of WSWG Members
2
3
4
DrattWSWG Report—3/21/05
Page 106
-------�
DRAFT ..... Does Mot Raprossnt the Consensus of the WSWO
Attachment 1: Roster of WSWG Members, Federal Resource
Personnel, and Outside Experts
lona! unn
Contact Information
Co-Chairs
Mr. David Binning
Director
Planning & Engineering
Fairfax Water
8560 Arlington Boulevard
Fairfax, Virginia 22031
Phone: (O) 703-289-6325
dbinning@fairfaxwater.org
Dr. Rebecca Head*
Health Officer/Director
Monroe County Health Department
2353 Ouster Road
Monroe, Ml 48161-9769
Phone: 734-240-7800
rebecca_head@monroemi.org
Members
Mr. Doug Anderton
General Manager
Dade County Water & Sewer Authority
P.O. Box 1047
250 Bond Street
Trenton, Georgia 30752
Phone: (O) 706-657-4341
Phone: (C) 423-991-0096
danderton5@aol.com or danderton@tvn.net
Mr. Paul Bennett
New York City Department of Environmental
Protection, Director of Security Planning
465 Columbus Ave
Valhalla, NY 10595
Phone: (0)914-773-4512
pbennett@dep.nyc.gov
Honorable John W. Betkoski, III*
Commissioner
Connecticut Department of Public Utility
Control
10 Franklin Square
New Britain, Connecticut 06501
Phone: 860-827-2803
john.betkoski@po.state.ct.us or assistant
melissa.lupacchino@po.state, ct. us
Mr. Nick Catrantzos
Security & Emergency Manager
Metropolitan Water District of Southern
California
700 N. Alameda Street
Los Angeles, California 90012
Phone: (0)213-217-7134
ncatrantzos@mwdh2o.com
Mr. Jeff Cooley
Alabama State Coordinator
Community Resource Group, Inc.
Rural Community Assistance Program
1110HillcrestRoad#2D
Mobile, Alabama 36695
Phone: (O) 251-776-6635
Phone: (C) 251-454-2978
jcooley@crg.org or crg-al@msn.com
Mr. Michael Gritzuk
Director
City of Phoenix Water Services Department
200 W. Washington Street, 9th Floor
Phoenix, Arizona 85003-1611
Phone: (O) 602-262-6627
michael.gritzuk@phoenix.gov
Draft WSWG Report—3/21/05
Page 107
-------�
DRAFT Doss Mo! Raprasant th« Consensus of the VVSWC3
Mr. Gregg Grunenfelder
Chief Administrator
Environmental Health Division
Washington State Department of Health
P.O. Box 47820
Olympia, Washington 98504-7820
Phone: (O) 360-236-3053
gregg.grunenfelder@doh.wa.gov
Mr. H. J. "Bud" Schardein
Executive Director
Louisville & Jefferson County Metropolitan
Sewer District
700 West Liberty Street
Louisville, KY 40203
Phone: (O) 502-540-6346
Email: bennett@msdlouky.org or assistant
schardei@msdlouky.org
Ms. Jennifer Nuzzo
Center for Biosecurity
University of Pittsburgh Medical Center
The Pier IV Building
621 E. Pratt Street, Suite 210
Baltimore, Maryland 21202
Phone: (0)443-573-3315
jnuzzo@upmc-biosecurity.org
Mr. Paul Drum
Senior Advisor
Working Group on Community Right-to-
Know
POBox 15465
Washington, DC 20003
Phone: (O) 202-548-4020
orum@crtk.org
Mr. Roger Selburg
Manager
Division of Public Water Supplies
Illinois Environmental Protection Agency
P.O. Box 19276
Springfield, Illinois 62794-9276
Phone: (0)217-785-8653
roger.selburg@epa.state.il.us
Mr. David Siburg
General Manager
Kitsap Public Utility District
PUD#1 of Kitsap County
1431 Finn Hill Road
P.O. Box 1989
Poulsbo, Washington 98370-0933
Phone: (O) 360-779-9163, ext. 703
Phone: (C) 360-620-7680
dave@kpud.org
Ms. Diane VanDe Hei
Executive Director, Association of
Metropolitan Water Agencies
1620 I Street, NW, Suite 500
Washington, DC 20006
Phone: (O) 202-331-2820
vandehei@amwa.net
Mr. John S. Young, Jr.*
Vice President
Operations and Investment Performance
American Water Works Service Co., Inc.
1025 Laurel Oak Road
Voorhees, New Jersey 08043
Phone: 856-346-8250
jyoung@amwater.com
Designated Federal Official
Mr. Marc Santora
Environmental Protection Agency
Office of Ground Water and Drinking Water
Water Security Division, Security Assistance
Branch
1200 Pennsylvania Avenue, NW
Room 2368J / Mail Code (4608 M)
Washington, DC 20460
Phone: (O) 202-564-1597
Fax: 202-564-8513
santora.marc@epa.gov
US EPA Federal partners
Ms. Janet Pawlukiewicz
Environmental Protection Agency
pawlukiewicz.janet@epa.gov
202-564-3779
Mr. David Travers
Environmental Protection Agency
travers.david@epa.gov
202-564-4638
Ms. Debbie Newberry
Environmental Protection Agency
newberry.debbie@epa.gov
202-564-1415
Draft WSWG Report—3/21/05
Page 108
-------�
DRAFT Doss Not Rapressnt the Consensus of tha
Other Federal Partners
Dr. Richard Getting
Centers for Disease Control and Prevention
Environmental Engineer
Environmental Health Services Branch
National Center for Environmental Health
4770 Buford Highway, Mail Stop F28
Atlanta, GA 30341
Phone: (770) 488-7067
Fax: (770) 488-7310
richard.gelting@cdc.hhs.gov
Mr. Mark D. Miller, R.S., M.P.H.
Alternate for Mr. Richard Getting
Commander, U.S. Public Health Service
Senior Environmental Health Officer
Center for Disease Control and Prevention
National Center for Environmental Health
Environmental Health Services Branch
4770 Buford Highway, NE (F28)
Atlanta, Ga 30341-3724
Phone: 770-488-7652
Fax: 770-488-7310
mdmiller@cdc.gov
Mr. John Laws
Coordinator-Water / Wastewater-Dams Sector
specialist, U.S. Department of Homeland
Security, Information Analysis & Infrastructure
Protection (IAIP), Infrastructure Coordination
Division (ICD), Infrastructure Coordination
Analysis Office (ICAO)
703-235-5404 New Office
703-883-7651 Office
887-205-6674 pager
703-883-4589 fax
John. Iaws2@dhs.gov
jlaws@mitre.org
Ms. Nancy Wong
Department of Homeland Security
Infrastructure Coordination Division
c/o Department of Commerce
1401 Constitution Avenue, NW
Suite 6095
Washington, DC 20230
Phone: 202-482-9055
Fax: 202-482-7499
nancy.wong1@dhs.gov
Mr. Timothy J. Mukoda, Maj, USAF, BSC
Chief, Environmental Operations
AFMSA/SGPE
110 Luke Ave, Room 405
Boiling AFB, DC 20032
Phone: (202) 767-4327
Fax: (202) 767-5053 (fax)
timothy.mukoda@pentagon.af.mil
Mr. Jasper Welsch,
Mississippi Emergency Management Agency
P.O Box 4501
Jackson, MS 39296-4501
Phone:601-360-0055
Fax: 601-352-8314
jwelsch@msema.org
Facilitation Support Team
Mr. Rob Greenwood
Ross & Associates Environmental
Consulting, Ltd.
Suite 1207
1218 Third Avenue
Seattle, WA 98101
Phone:206-447-1805
Fax: 206-447-0956
rob.greenwood@ross-assoc.com
Ms. Elizabeth McManus
Ross & Associates Environmental
Consulting, Ltd.
Suite 1207
1218 Third Avenue
Seattle, WA 98101
Phone:206-447-1805
Fax: 206-447-0956
elizabeth.mcmanus@ross-assoc.com
Mr. Elijah Levitt
Ross & Associates Environmental
Consulting, Ltd.
Suite 1207
1218 Third Avenue
Seattle, WA 98101
Phone:206-447-1805
Fax: 206-447-0956
elijah.levitt@ross-assoc.com
Draft WSWG Report—3/21/05
Page 109
-------�
DRAFT Doss Not Raprftsss>t th« Consensus of the W8WG
Mr. Ryan Orth
Ross & Associates Environmental
Consulting, Ltd.
Suite 1207
1218 Third Avenue
Seattle, WA 98101
Phone: 206-447-1805
Fax: 206-447-0956
ryan.orth@ross-assoc.com
Draft WSWG Report—3/21/05
Page 110
-------�
DRAFT Doss hlot Rasrosant the Consensus of the
Attachment 2: WSWG Operating Procedures
Final Operating Procedures
Establishment and Mission
The Water Security Working Group (WSWG) is established and charged by the National
Drinking Water Advisory Council (NDWAC). The Mission of the WSWG is to provide findings
and recommendations to the NDWAC that:
(1) identify, compile, and characterize best security practices and policies for drinking
water and wastewater utilities and provide an approach for considering and adopting
these practices and policies at a utility level;
(2) consider mechanisms to provide recognition and incentives that facilitate a broad and
receptive response among the water sector to implement these best security practices
and policies, and make recommendations as appropriate; and
(3) consider mechanisms to measure the extent of implementation of these best security
practices and policies, identify the impediments to their implementation, and make
recommendations as appropriate.
The WSWG rejected use of the term "best" to describe their work on security practices; instead,
the group will identify and describe the components of "active and effective" security programs
for water and wastewater utilities. In addition, the WSWG interprets the scope of its
deliberations to include all water and wastewater operations, from source water to tap and from
collection system to discharge.
WSWG findings and recommendations will be presented to the NDWAC for the Council's
consideration. The WSWG will not issue findings or make recommendations directly to EPA or
any other agency or entity, although, of course, individual members are not restricted from
discussing their views as they so choose. Upon receipt of the WSWG findings and
recommendations, the NDWAC will consider the findings and recommendations and may pass
them to EPA unchanged, or may amend them to reflect their own views, or may choose not to
forward findings and recommendations to EPA.
Participants and Participation
Working Group members were selected by EPA from among more than 80 nominated
individuals. Selections were made considering the expertise and experience needed to provide
advice to the NDWAC (and, through the NDWAC, to EPA) on best security practices, incentives,
and measures, and were based on the need to provide balanced and complete representation
Draft WSWG Report-3/21/05
Page 111
-------�
DRAFT Does Hot Represent the Consensus; of t
across the water sector. To facilitate communication between the NDWAC and the WSWG,
three members of the NDWAC are also members of the WSWG.
Direct participation of all WSWG members is essential to the success of the Working Group. For
that reason members are asked to make every effort to attend Working Group meetings and
participate in Working Group conference calls. Members who are not able to attend a particular
meeting or conference call may send an alternate. The alternate must be a peer of the WSWG
member. In an emergency situation, an association staff member may serve as an alternative;
however, in accordance with the ground rules for NDWAC working groups, this will be allowed
only once in the duration of the WSWG. Alternates may be asked to contribute to WSWG
deliberations by offering their opinion and expertise; however, they will not participate in WSWG
decision making.
WSWG members are encouraged to frame observations in terms of needs and interests, not in
terms of positions; opportunities for finding solutions increase dramatically when discussion
focuses on needs and interests. Collaborative problem solving depends on mutual respect and
careful listening among members. Meetings and conference calls will be structured to support a
respectful atmosphere, encourage the development of trust and understanding, and provide for
participation of all WSWG members. WSWG members agree to act in good faith in all aspects
of their deliberations and consensus building. Members agree to refrain from characterizing the
views of other parties in general, and particularly in any discussions that they may choose to
have with the press.
WSWG members are welcome to be accompanied to the meetings by staff or other personnel,
who may observe the WSWG meeting and offer comments or observations consistent with the
operating procedures for public observation and comment.
It is the expectation that all WSWG members will participate through the entire process and that
the Working Group's final report will reflect the consensus or the range of views that exist within
the group relative to best security practices, incentives, and measures. However, any party may
withdraw from the Working Group at any time without prejudice. In the event a member decides
to withdraw from the process, he or she will be respectfully requested to communicate the
reasons for the withdrawal, and may be replaced by another representative of similar expertise
and interest.
Co-Chairs
The WSWG will be served by two co-chairs. One of the co-chairs will be a member of the
WSWG who is also a member of NDWAC. This individual will be identified by EPA and the
facilitation team in consultation with all three of the NDWAC members who serve on the
WSWG. The second co-chair will be a member of the WSWG who is identified by the group
using a weight of preferences model.
The role of the WSWG co-chairs is to act as a sounding board for the facilitation team between
WSWG meetings, open and close the WSWG meetings, assist the facilitation team in running
the meetings, and approve WSWG meeting summaries after the facilitation team has addressed
comments by WSWG members. The co-chairs also participate in deliberations and decision
making as full members of the WSWG. The co-chairs do not determine the WSWG agenda,
findings, or recommendations any more or less than any other WSWG member.
Draft WSWG Report --3/21/05
Page 112
-------�
DRAFT' Doss ifcf 8apf88«s>t th« Consensus of ths> WSWG
Reporting to the NDWAC
The WSWG will identify which members of the working group will report to the NDWAC on the
group's findings and recommendations. It is not assumed that the co-chairs will be the members
of the WSWG who report to the NDWAC. WSWG members who are also members of the
NDWAC may, in the course of discussions with the NDWAC, provide informal updates on
WSWG deliberations and progress based on the final meeting summaries, speaking for
themselves as members of the WSWG not representing the full Group. For the winter 2004
NDWAC meeting, the WSWG agrees that the three WSWG members who also are NDWAC
members will provide an update to the NDWAC on WSWG activities and progress.
Facilitation
The Working Group will be supported by a neutral, third-party facilitation team. The facilitation
role includes: developing draft agendas, meeting summaries, report documents, and other
materials; running the WSWG meetings; focusing and facilitating Working Group discussions to
ensure that the perspectives of all WSWG members come forward; working with Working Group
members and EPA between meetings and conference calls to support understanding and
consensus building; working with Working Group members and EPA to identify, organize,
synthesize, and provide information and other material needed to support Working Group
deliberations; and, in general, coordinating Working Group activities.
Federal Resource Personnel and Outside Experts
In addition to the facilitation team, the WSWG will be supported by a number of resource
personnel from Federal Agencies with interest and expertise in water security. This will include
representatives from the Environmental Protection Agency (EPA), Department of Homeland
Security (DHS), Department of Defense (DoD), and the Centers for Disease Control and
Prevention (CDC). As needed, and as resources allow, the Working Group also may choose to
consult with, or the facilitation support team may identify, additional outside experts or
individuals on specific subject matters. To date, one outside expert, an individual with technical
expertise in emergency response, has been identified.
Federal resource personnel and outside experts may sit at the table during WSWG meetings so
as to be easily accessible to Working Group members and may make presentations to the
WSWG; however, their support of Working Group discussions is strictly to provide background,
context, or other information or expert opinion, as called upon to do so by a member of the
WSWG or the facilitation team. Federal resource personnel and outside experts will not
participate in WSWG decision making. Federal resource personnel and outside experts will be
copied on all WSWG materials, including draft documents.
WSWG Members' Staff and Supporting Organizations
WSWG members may be staffed by individuals from their organizations or by individuals from
sponsoring/nominating organizations. Every effort will be made to facilitate WSWG members'
participation in the WSWG process by ensuring that staff has access to WSWG materials,
including internal draft documents. However, staff are not members of the Working Group. To
the extent that staff prepares draft comments or other responses for the WSWG member they
support, staff must do so in coordination with and as a representative of the WSWG member;
actual comments or responses must be submitted by the WSWG member, not by staff.
Draft WSWG Report--3/21/05
Page 113
-------�
DRAFT Doss hJoi R&pressnt the Consensus of ths
Decision Making and Consensus
The WSWG will use a collaborative, problem-solving approach, and strive to reach consensus.
Consensus is defined as findings and recommendations that all can "live with." If the Working
Group does not reach consensus on a particular issue, the range of views on the Working
Group with respect to that issue will be described. Ranges of views, if necessary, will be
described in the text of the Working Group's report and will not be attributed to individual
members or interests unless the WSWG reaches consensus on an approach to attribution.
Working Group members also will have an opportunity to submit up to three pages of individual,
attributed comments. Individual comments will be appended to the Working Group report
without modification.
Task Team*
The WSWG may choose to establish Task Teams to work on information gathering and analysis
related to specific elements of best security practices, incentives, and measures between
meetings of the full WSWG. Task Team members must be WSWG members and Task Team
meetings are not open to the public.
Meeting Materials and Summaries and Electronic Communication
As much as possible, meeting agendas and supporting materials will be distributed by the
facilitation team at least one week before WSWG meetings and conference calls. After WSWG
meetings and conference calls, summaries of key discussion points, tentative areas of
agreement and action items will be prepared by the facilitation team and provided to Working
Group members for review. As much as possible, these summaries will be distributed within
two weeks of the meeting or conference call.
All WSWG documentation and correspondence will be distributed to all WSWG members.
Electronic communication mechanisms (largely email) will be used to the greatest extent
possible to distribute WSWG meeting materials, summaries, and references.
Draft Documents
The WSWG will work with two types of draft documents: (1) WSWG internal drafts and (2)
public drafts. It is important to understand that, in general, both types of drafts are public
documents, available for public review upon request to the extent provided for under the
Freedom of Information Act and other applicable public disclosure laws. The distinction
between the two types of drafts documents has to do with when and how they are distributed.
WSWG internal draft documents will be marked "Internal Draft Working Document—Does Not
Represent the Consensus of the WSWG." In general, WSWG internal draft documents are draft
meeting summaries and discussion materials prepared by the facilitation team for WSWG
consideration.
To encourage a full and candid exchange of views among WSWG members, internal draft
documents will not be distributed beyond WSWG members and staff, federal partners, identified
outside experts, and the facilitation team. Note that internal draft documents are likely subject
to further distribution, including distribution to the press, based on requests under the Freedom
of Information Act or other applicable public disclosure laws. If such a request is made, the
WSWG will be notified.
Draft WSWG Report--3/21/05
Page 114
-------�
DRAFT Doss htoi Raprossnt the Consensus of tha WSWG
Public draft documents will be marked "Public Draft Working Document—Does Not Represent
the Consensus of the WSWG." Public drafts are draft documents that are discussed during the
open sessions of full WSWG meetings and are therefore available to the public at the meeting.
Meeting agendas, final meeting summaries, and presentations made to the WSWG by non-
WSWG members are not draft documents.
WSWG Copy List for WSWG internal Draft Documents
A copy list will be maintained for distribution of WSWG internal draft documents. The list will
include WSWG members' staff, federal partners, identified outside experts, and the facilitation
team. As described earlier in this document, staff may include individuals from
sponsoring/nominating organizations who are specifically identified by a WSWG member as
staff to the member. To the extent that staff prepares draft comments or other responses for the
WSWG member they support, staff must do so in coordination with and as a representative of
the WSWG member; actual comments or responses must be submitted by the WSWG member,
not by staff.
The copy list for internal draft documents will be provided to WSWG members, and if individuals
are added to or subtracted from the list, the WSWG will be notified.
WSWG Copy List for Non-Draft Documents
A copy list will be maintained for the WSWG for distribution of non-draft documents. This list will
include individuals who have requested that they be kept up to date on the WSWG process, and
may include members of the press. The copy list for non-draft documents will be provided to
WSWG members, and if individuals are added to or subtracted from the list, the WSWG will be
notified.
FACA, Of*en and cte»*d Meetings, am* Public comment
The WSWG chartering entity, the NDWAC, is a Federal advisory committee established and
operating under the requirements of the Federal Advisory Committee Act (FACA). The WSWG
is a working group to the NDWAC and is not a Federal advisory committee.
Consistent with the ground rules for Working Groups established by the NDWAC, WSWG
meetings will be announced in the Federal Register.
In general WSWG meetings will be open to the public for observation and will include an
opportunity for members of the public to offer oral and written comments. Meetings and
conference calls of the full WSWG that are open to the public will be taped.
The WSWG may decide to close portions of their meetings to the public to provide a forum for
discussion of security-sensitive information, as described below.
Security Sensitive Information
The WSWG may have occasion to discuss security-sensitive information. For purposes of
WSWG deliberations, the group agrees that security-sensitive information is:
Draft WSWG Report-3/21/05
Page 115
-------�
DRAFT Doss Not Rapres«nt the Consensus of t
• Information on system-specific, attributable tactical security procedures; or
• Integrated or aggregated detail on security (e.g., by aggregating information from previous
un-aggregated sources) that creates a clear picture of a specific strike opportunity.
Information that is already available in the public domain in the same form and at the same level
of detail discussed by the WSWG is not security sensitive.
WSWG meetings will be closed to the public as necessary to provide a forum in which WSWG
members can discuss potentially sensitive information related to specific security tactics used by
individual utilities. As much as possible, closed meeting sessions will be scheduled to be
convenient for those attending the portions of WSWG meetings that are open to the public (e.g.,
they will be at the beginning or end of meetings). During closed meetings, the following
protocols will be used.
• The meeting will be open only to WSWG members, federal resource personnel, facilitation
support contractors, and identified outside experts.
• The general topics of discussion covered during the closed portion of the meeting will be
documented in the meeting summary; discussion details will not be summarized.
• Any meeting materials that are distributed during the closed portion of the meeting will be
collected at the end of the meeting unless they are deemed suitable for public disclosure.
• The WSWG will evaluate discussions that occur during a closed meeting at the end of the
meeting and determine if any security-sensitive information was discussed that requires
protection going forward. The Group agrees that a low threshold for identification of
security-sensitive information is appropriate, and that any individual member can distinguish
information as security sensitive.
• Members who choose to raise or discuss tactical level security-sensitive information or other
integrated security-sensitive information will indicate that they consider the information they
are sharing security sensitive. Unless permission is given by the person who shared the
security-sensitive information, members will not attribute any information that a fellow
member asserts is security sensitive; furthermore, members will not discuss such
information outside closed WSWG meetings, provided such information is not already
available in the public domain in the same form and at the same level of detail.
• The closed portion of the meeting will not be taped.
The WSWG agrees that to maximize the usability of their Report, they will strive to limit inclusion
of security sensitive information in the written materials they consider and produce.
Communications with the Press
Recognizing that the way in which Working Group deliberations are publicly characterized will
affect the group's ability to reach consensus, WSWG members and other parties involved in the
WSWG process are encouraged to refer inquiries from the press to the facilitation team or to
final meeting summaries or other final WSWG materials. Individuals who choose to speak with
the press agree to limit remarks to personal views and to refrain from characterizing the views
of, or attributing comments to, the full WSWG, other individual members, or the NDWAC.
Draft WSWG Report--3/21/05
Page 116
-------�
DRAFT Doas h)ot R»pr«s«i>t: t.h« Consensus of the WSWG
Schedule
The WSWG will provide a final report of their findings and recommendations to the NDWAC in
time for the Council's spring 2005 meeting. It is anticipated that the Council will meet in May
2005, and that the final WSWG report will be completed and provided to the Council in April
2005. The WSWG will commence with its first conference call on July 6, 2004. It is anticipated
that the group will meet in person five times and will meet by conference call four to six times.
Draft WSWG Report-3/21/05
Page 117
-------�
DRAFT Doss Not Repressnt th« Consensus of the WSWG
Attachment 3: Annotated Bibliography of Security
Resources
American Chemistry Council. Responsible Care Security Code of Management Practices.
Washington, DC: American Chemistry Council, accessed on-line October 2004. URL:
http;//www.americancMmJ^
3b3af1da8685256ccd005946c8/$FILE/ResponsibleCareSecu^
The ACC outlines the key elements of a security program under the Responsible Care
management system. Members of Responsible Care use the code as a set of
guidelines as they start implementing and reviewing their own security programs.
American Chemistry Council. Implementation Guide for Responsible Care Security Code of
Management Practices. Washington, DC: American Chemistry Council, July 2002. URL:
httpV/www.americanchemistry.com^
3b3af1da8685256ccd005946c8/$FILBResponsible%20Care%20Site%20Security%20G
uidance.pdf
This guide provides detailed strategies and examples for implementing the Responsible
Care Security Code of Management Practices. It is a resource guide for the Responsible
Care companies who are interested in improving the development, management, and
planning of their new security programs.
American Chemistry Council. Responsible Care Management System. Washington, D.C.:
American Chemistry Council, August 15, 2003, accessed on-line October 2004. URL:
http://www.americanchemistry.com/rc.nsf/2febeebd340dda4a8525680b004b7f4a/baa1c
Od054bf7539852569fc005747c9/$FILE/RCMS%20Technical%20Specification%20-
%2008-15-03.pdf
This document is a full explanation of Responsible Care's management systems and
guiding principles. It explains the elements of the management system in detail and
covers topics that include planning, operations, corrective action, preventative action,
management review for chemical companies that are taking part in the program.
American Chemistry Council. Site Security for the U.S. Chemical Industry. American Chemical
Council, Chlorine Institute, and the Synthetic Organic Chemical Manufactures
Association. October 2001. URL: http://www.cl2.com/SecurityguidanceACC.pdf
http_://w_ww.accnewsmedia.com/docs/100/89.pdf
This document serves as a general guide for the chemical industry to review general
laws concerning security. The American Chemistry Council, the Synthetic Organic
Chemical Manufacturers Association, and The Chlorine Institute, Inc discuss the benefits
and steps needed to be taken to develop improved security programs.
American Chemistry Council, Chemtrec, The Chlorine Institute, et al. Transportation Security
Guidelines for the U.S. Chemical Industry. Additional authors: Compressed Gas
Association & the National Association of Chemical Distributors. Washington, DC: 2001.
URL: http://www.accnewsmedia.com/docs/300/250.doc?DocTvpelD=4&TrackiD=
Draft WSWG Report--3/21/05
Page 118
-------�
DRAFT (30555 Mot Raprsssnt th« Consensus of the WSWG
This set of guidelines covers the benefits of developing a transportation security
program, risk-based security assessments, and helpful resources. It targets
transportation officials, business managers, plant managers, and others who are
responsible for the secure transportation of their chemical supplies and other business
materials.
American Water Works Association (AWWA). Emergency Planning for Water Utilities. Denver,
CO: AWWA Manual M-19 (Fourth Edition), ISBN: 1-58321-135-7, 2001.
URL (to order on-line): http.://www.awwa.org/bQokstore/producicfm?jd=30Q 19
This planning guide for water utilities presents principles and practices for emergency
planning. The approach focuses on how to apply organizational knowledge and
experience within a specific system, determine the system vulnerabilities, address
deficiencies, and plan for alternate strategies when needed. It includes sections on
hazard summary; vulnerability assessment; mitigation actions; preparedness planning,
and emergency response, recovery, and training.
American Water Works Association (AWWA). New Horizons: Critical Infrastructure Protection.
Denver, CO: AWWA DVD or VMS Tape, 2001. URL (to order on-line):
http://www.awwa.org/bookstore/product.cfm7ids64226
The goal of this 26 minute video is to generate conversations among water utility
managers and selected community leaders about water utility security. It seeks to
address the question: 'How ready or safe is your water supply to hostile acts of
aggression?' The video also discusses infrastructure vulnerability, emergency response
plans, contamination, cyber attack, and other intentional acts of destruction.
American Water Works Association Research Foundation & the United States Environmental
Protection Agency. Security Practices Primer for Water Utilities. Subject Area: Efficient
and Customer Responsive Organization, Denver, CO and Washington, DC, 2004. (DFO)
URL (to order): http://www.awwarf.org/research/TopicsAndProiects/execSum/2925.aspx
This primer is an initial assessment of water security for utilities that wish to address
pressing security concerns. It covers several topic areas including employee
background checks and security training, mail screening, coordination with local medical
care providers, and information and communications security.
Association of Drinking Water Administrators & National Rural Water Association. Security
Vulnerability Self-Assessment Guide for Small Drinking Water Systems Serving
Populations between 3,300 and 10,000. November 13, 2002. URL (on-line download is
free): www.asdwa.org/docs/2002/FINAL1 OKSvstemVAtpoll 11302.pdf
This guide was designed to help drinking water systems serving populations of between
3,300 and 10,000 persons to identify critical components of vulnerability assessments,
complete assessments required under the Bioterrorism Act, and identify security
measures to be implemented.
Association of Metropolitan Sewage Agencies. Asset Based Vulnerability Checklist for
Wastewater Utilities. Washington, DC: 2002. URL (on-line download is free):
http://www,arnsa-cleanwater.org/pubs/2002avcheck.pdf
Draft WSWG Report--3/21/05
Page 119
-------�
DRAFT Doss Hot Raproseot the Consensus of tha
The Asset Based Checklist is intended for wastewater managers as a means to evaluate
their overall assets, and to subsequently secure and protect their organization based on
the evaluation. The checklist breaks assets into five categories: the physical plant, the
people (i.e. staff), the knowledge base, the information technology, and the customers.
It provides a system for prioritizing risk and includes steps to improve risk management.
Association of Metropolitan Sewage Agencies. Legal Issues in a Time of Crisis Checklist.
Washington D.C: 2002. URL (to order on-line):
The Checklist is designed to assist wastewater utilities with assessing the legal issues
that arise from bioterrorist acts or other crisis situations. It targets public utility attorneys
and utility managers who are concerned about crisis management, emergency planning,
and response mechanisms, and layouts out the possible and detailed steps needed in
planning to avoid legal complications.
Bernowsky, Joseph, P.E. Water System Security: A Field Guide. Washington, DC: American
Water Works Association (AWWA), ISBN 1-58321-193-4, 2002. URL (to order on-line):
http://www,aww
This field guide provides tools for small and medium sized water utilities to assess
vulnerabilities, write emergency plans, review threats, examine mitigation measures,
implement new security policies, select and install new technology, and carry-out
recovery & response from an emergency event. It includes a computer disk with
documents and a list of information sources included in the appendix.
Burns, Nicolas L., et al. Security Analysis and Response for Water Utilities. Washington, DC:
AWWA, 2001 . (Available as a supplement to AWWA Manual M-1 9).
This concise 20-page guide written in 2001 is now a supplement to Manual M-19:
Emergency Planning for Water Utilities. M-19 focuses mainly on natural disasters such
as earthquakes and severe storms. This guide reviews international acts of terrorism,
hazard assessment, vulnerability assessment, crisis communications, mitigation, and
development of a response plan in a post 9/1 1 world.
Blaha, Frank J. Small system security-there is help and hope. American Water Works
Association Journal. Denver, CO: Vol.95, Iss. 7; pg. 31, July 2003. Available through
Proquest's ABI/INFORM Trade & Industry database.
This article focuses on small and medium sized water utilities that are looking to use the
Security Vulnerability Self-assessment Guide for Small Drinking Water Systems Serving
Populations between 3,300 and 10,000. The tools addressed were developed as a
partnership between NRWA, ASDWA, and the EPA. The article reviews each of the six
technical issues or elements outlined by the US EPA.
Booth, Ron, Chuck: Hewell, and Dan Ryan. Technical Security and Countermeasures White
Paper for Water Utilities. The National Council for Public-Private Partnerships,
Washington, DC: December 12, 2001.
URL: http://ncppp.org/inthenews/waterwhitepaper.htmi
Draft WSWG Report -3/21/05
Page 120
-------�
DRAFT Doss htof Rapreasnt !*)« Consensus of the
This is a general analysis of measures and damages that water utilities may expect from
terrorist threats. The types of threats and damages are analyzed briefly and categorized
into four areas: physical damage, damage to chemical storage areas,
biological/chemical attack indicators, and cyber terrorism. The paper includes a "Facility
Security Survey," which is a detailed checklist of questions for a vulnerability
assessment (Appendix A).
Bramwell, Moses J. Champlin Water Works Seeks Right Level of Security Against Terror
Threats. Journal of the American Water Works Association (AWWA). Vol. 94(4):54-56.
Denver, CO: AWWA, April 2002. Available through Proquest's ABI/INFORM Trade &
Industry database.
This article is a case study that examines how a water utility in Champlin, Minnesota
worked to improve their security. It reports on the benefits of having a wireless security
system, customizing security systems to fit needs and objectives, and educating alarm
and security companies as well staff on new security procedures or designs.
Cody, Betsy & Opeland, Claudia. Terrorism and Security Issues Facing the Water Infrastructure
Sector. Washington, DC: Congressional Research Service (CRS), Updated May 2003.
URL: http://www.ncseon!ine.orq/NLE/CRS/abstract.cfm?NLEid=39364
This brief report is a legislative analysis of Federal responses to the call for improved
security in critical water related infrastructure. It reviews the details of legislation
focusing on wastewater utilities (H.R. 866 and S. 1039) and details the various budget
proposals for water security improvements until May 2003.
Denileon, Gay Porter. The who, what, why, and how of counter terrorism issues. American
Water Works Association Journal. Denver, CO: Vol. 93, Iss. 5; pg. 78, 8 pgs, May
2001. Available through Proquest's ABI/INFORM Trade & Industry database.
This white paper provides a history of water sector security issues in the late 1990's and
before September 11th, 2001. It analyzes the Presidential Decision Directive 63 which
established the National Infrastructure Protection Center and looks at how the US EPA
became the lead agency on "critical water infrastructure protection issues for the water
supply sector." It also includes a checklist of security measures for utilities to consider.
Dyches, Kim. Drinking Water System Emergency Response Guidebook. Utah Department of
Environmental Quality, Salt Lake City, UT: November 2002.
URL:http://drinkinQwater.utah.gov/documents/compiiance/emerqencvresponseQuide.pdf
This guidebook's goal is to help private and public utilities design or prepare a disaster/
emergency response plan. It covers several key areas including organizational
structure, implementation, how to prioritize needed repairs, dispatching personnel and
equipment, requests for emergency response or aid, and the notification of the public/
how to prepare press releases. It also includes a "Recovery Checklist," which includes
steps to recover from a water-related emergency.
Garcia, Mary Lynn. The Design and Evaluation of Physical Protection Systems. Sandia
National Laboratories. Butterworth-Heinemann, ISBN: 0750673672, February 2001.
URL: (to order) http://www-campusi.com
Draft WSWG Report--3/21/05
Page 121
-------�
DRAFT Doss Mel Rspmasnt the Consensus of tha W8WG
This book is a guide to determine the objectives of a security system or program, design
the security system in detail, and evaluate the components and performance of the
security system. It is targeted towards security students and professionals in the field.
The book includes a sample model for performance analysis of security systems to
estimate or evaluate performance against threats.
Gelting, Richard J, PhD, & Miller, Mark D. Linking Public Health and Water Utilities to Improve
Emergency Response. Southern Illinois University - Carbondale, IL: Journal of
Contemporary Water Research & Education, Issue 129 - Water and Homeland Security,
October 2004. URL: http://www.ucowr.siu.edu/updates/129/gelting.pdf
This article reviews the necessary connections between medical service providers, water
utilities, and public health officials in the case of a bioterrorist water contamination event.
The authors state that the link between emergency responder and water utility managers
will directly influence the speed and success of a community's response.
Hebert, Robert E., A Brief Discussion of Water Security Issues Following the September 11,
2001 Terrorist Attacks. Washington, DC: The National Council for Public and Private
Partnerships, December 12, 2001.
URL: http://ncppp.org/inthenews/waterdiscussion.html
This article discusses threats to the nation's water systems on a general level. It is
targeted for an audience of elected officials, city managers, and private utility owners.
The author organizes his discussion of security into three categories or "pillars":
prevention, detection, and response.
Hickman, Major Donald C. Chemical and Biological Warfare Threat: USAF Water Systems at
Risk. Air University, Maxwell Air Force Base, AL: September 1999.
URL: http://www.au,af,mil/au/awc/awcgate/cpc-pubs/hickm
The strategy paper examines systems and ideas to identify critical infrastructure points
that may be vulnerable to chemical or biological weapons attack. The author reviews
four areas to improve security and protection of the USAF water systems: vulnerability
assessments, re-evaluation of conventional wisdom on chemical and biological
weapons, and a review of how engineering and management of water systems are
outsourced by the USAF.
The Homeland Security Council. Planning Scenarios: Executive Summaries (Created for Use in
National, Federal, State, and Local Homeland Security Planning Activities). The
Homeland Security Council: David Howe, Senior Director for Response and Planning.
Washington, DC: July 2004.
URL: http://www.altheim.com/lit/planning_scenarios_exec_summary.html
The Homeland Security Council has developed a list of 15 scenarios that all national,
state level, and local planning officials should use in security and safety program
development.
Lancaster-Brooks Khafra, Engineering Consultant. Water Terrorism: An Overview of Water &
Wastewater Security Problems and Solutions, Journal of Homeland Security, Northern
Virginia: February 2002.
URL: http:/Avww.homelandsecuritv.org/iournal/articles/dispiayArticle.asp?article=:31
Draft WSWG Report--3/21/05
Page 122
-------�
DRAFT D«as Mot Rapffissmt the Consensus of the WS
In this article, the author reviews measures to defend water utilities from malevolent
threats of vandalism and terrorism. The article lists different types of infrastructure that
need protection and examines some measures that utilities have adopted for securing
them. It also includes a practical list of questions to review in the "Generic Basic Water
System Evaluation."
Landers, Jay. Safeguarding Water Utilities. Civil Engineering: The Magazine of the American
Society of Civil Engineers. Vol. 72, No. 6, June 2002.
The article draws a basic map of where the thinking on water security is going through
mid-2002. The article includes interviews with experts throughout the sector and
touches on several key areas of concern including: redundancy in security systems,
determining infrastructure needs, and looking at cost considerations of new
methodologies. The article also touches on the differences between a performance-
based approach and one based more on compliance.
Mayes Larry W., PhD, PE, PH. (Ed.) Water Supply Systems Security. McGraw-Hill, New York,
NY: 2004. URL (to order): http^Mww,campysj.corn
This book is written by a team of security experts and provides broad coverage of
security systems for the water sector. Topics include a review of reliability
methodologies, modeling methods for early warning systems, frameworks to improve the
security of a water system over time, case studies taken from the field, analysis systems
for contamination response, safeguards against cyber threats, and specialized systems
for remote monitoring and networks.
National Biosolids Partnership. Elements of an Environmental Management System for
Biosolids. Excerpted chapter (pp.8-15): Element by Element Requirements.
Alexandria, VA: Final Interim Draft, May 1, 2002.
This chapter excerpted from an NBP guidance document addresses 17 elements which
are prudent in developing an effective Environmental Management System.
Schlegel, Julie. Automated distribution system monitoring supports water quality, streamlines
systems management, and fortifies security. American Water Works Association
Journal. Denver, CO: Vol. 96, Iss.. 1; pg. 44, 3 pgs, January 2004.
In this article, the author discusses the benefits of real time water quality monitoring and
its management applications for water utility management. The article briefly reviews
how multiple water quality parameters are monitored simultaneously, the ways in which
real-time data can improve water utility management, and how distribution monitoring
may ameliorate security.
Tiemann, Mary. Safeguarding the Nation's Drinking Water: EPA and Congressional Actions.
Washington, DC: Congressional Research Service (CRS), Updated March, 2003.
URL: http://www,ncseonline.org/NLE/CRS/abstract,cfrn?NLEjd==34419
This CRS report is a general analysis of Federal legislation including the Homeland
Security Act of 2002 (the creation of the Department of Homeland Security), the Public
Draft WSWG Report-3/21/05
Page 123
-------�
DRAFT Doas hJot Repressnt the Consensus of
Health and Bioterrorism Preparedness Act of 2002, and appropriations for water security
activities through March of 2003.
US EPA. Drinking Water Security website. New England Office, Boston, MA: July 2004.
URL: http://www.epa.gov/ne/eco/drinkwater/dw-security.htrnl
The introductory article and collection of links provides sources of information on
vulnerability assessment for water utilities. The article summarizes current work and
progress on water security in the Northeast EPA Region.
US EPA. Emergency Response Plan Guidance for Small and Medium Community Water
Systems to Comply with the Public Health Security and Bioterrorism Preparedness and
Response Act of 2002. Washington DC: US EPA Office of Water, EPA 816-R-04-002,
April 2004.
URL: http://www.epa.gov/safewater/security/pdfs/quide_smajl_mediurn_erp.pdf
EPA published this guide for small and medium community water systems (serving
populations between 3,301 and 99,999) to assist them in their effort to develop and
revise Emergency Response Plans (ERPs). The document is target audience includes
"key authorities with critical roles during emergency response or remediation actions
from a drinking water contamination threat or incident."
US EPA. Guarding Against Terrorist and Security Threats: Suggested Measures for Drinking
Water Utilities, Washington DC: Revised August 2004. URL:
http://www.dhs.ca.gov/ps/ddwem/homeland/Appendix/Appendixl %2QUSEPAthreatlevei
qucemarch %2031 .pdf
This threat guide uses the Green, Blue, Yellow, Orange, Red threat levels developed by
DHS. It also outlines measures that water utilities should consider at each given threat
level.
US EPA. Guidance for Water Utility Response, Recovery, and Remediation Actions for Man-
Made and/or Technological Emergencies. Washington, DC: US EPA Office of Water,
EPA 810-R-02-001, April 2002. URL: http://www.epa.gov/safewater/securitv/er-
quidance.pdf
This guide is purely reactive in nature as it focuses on the steps water utilities must take
in response to man-made or technological problems. It includes information on incident
types, guidance development, response planning, notification considerations, sample
collection, identification, chain of custody (of samples), SCADA intrusions, structural
damage resulting from an international act, and notification from health officials.
US EPA. Instructions to Assist Community Water Systems in Complying with the Public Health
Security and Bioterrorism Preparedness and Response Act of 2002. Washington, DC:
US EPA Office of Water, EPA 810-B-02-001, January 2003.
URL: http://www.epa.gov/safewater/security/util-inst.pdf
This document is aimed at water utility managers who have questions about complying
with the Public Health Security and Bioterrorism Preparedness and Response Act of
2002. It answers questions as to instructions at a glance, determining the size of the
Draft WSWG Re port--3/21/05
Page 124
-------�
DRAFT Doss hJof. RapfO8«t>t the Consensus of the WSWG
utility, compliance requirements, key dates, and ways in which to submit the information
back to EPA.
US EPA. Large Water System Emergency Response Plan Outline: Guidance to Assist
Community Water Systems in Complying with the Public Health Security and
Bioterrorism Preparedness and Response Act of 2002. Washington DC: US EPA Office
of Water (4601M), EPA 810-F-03-007, July 2003.
URL: http://www.epa.gov/safewater/securitv/pdfs/erp-iong-outline.pdf
This document is similar intent to the previous, but targeted at larger community water
systems (CWS). It covers different topics that include emergency planning processes,
emergency response plans, identification of alternative water sources, chain of
command charts, communications procedures, personnel safety, equipment, property
protection, training exercises (or drills), emergency action procedures, incident specific
emergency action procedures, next steps, and other references.
US EPA's Drinking Water Academy. Learner's Guide to Security Considerations for Small
Drinking Water Systems: Major Security Considerations When Performing a Sanitary
Survey of a Small Water System. Washington, DC: US EPA Office of Water, publication
EPA 816-R-03-013, August 2003. (DFO)
URL (to order a hard copy): http://www.epa.gov/OGWDW/dwa/resources.html
The Learner's Guide is a tool to be used by community water systems serving fewer
than 10,000 people. It was developed as part of a partnership with the Association of
State Drinking Water Administrators (ASDWA) and the EPA Drinking Water Academy's
Sanitary Survey Workgroup. It examines a multiple barrier approach to security, utility
management, water sources, water pumps, the water treatment process, storage
facilities, and distribution systems at small water utilities.
US EPA. Response Protocol Toolbox: Planning for and Responding to Contamination Threats
to Drinking Water Systems. Washington, D.C.: December 2003 to April 2004. (DFO).
URL: http://www.epa.gQv/safewater/securjtv/ertgQis.htrnl#tooibox
The goal of this EPA Toolbox is to assist water utilities to "effectively and appropriately
respond to intentional contamination threats and incidents." It was written and revised
by the EPA in partnership with the Metropolitan Water District of Southern California. It
targets water utilities, laboratories, emergency responders, state drinking water
programs, technical assistance providers, public health and law enforcement officials. It
includes an overview and six separate modules (or tools) that can be used
independently.
US EPA's Drinking Water Academy, & the National Environmental Training Association. DVD
Video- Security Considerations: Small Water Systems. Are We Ready? Can We
Respond? Can We Recover? Washington, D.C.: 2003. (DFO)
A video produced for state and local water systems interested in improving their security
programs. The video focuses on key topics in water security. The video is based on
EPA's "Learner's Guide to Security Considerations for Small Drinking Water Systems:
Major Security Considerations When Performing a Sanitary Survey of a Small Water
System."
Draft WSWG Report--3/21/05
Page 125
-------�
DRAFT Doss Mot R«;pres«s>t. th« Consensus of the WSWG
US EPA. Security Product Guide: Water and Wastewater Security Program Guide. Washington
D.C: US EPA website, 2004.
Overview— URL: http://www.epa.gov/safewater/securitv/quide/index.html
Table of Contents—
URL:http://www.epa.gov/safewater/security/guide/tableofc^
The web-based guide provides information on products that may help utilities improve
physical and cyber security measures. The guide evaluates products that are applicable
to improving distribution systems, wastewater collection systems, pumping stations,
treatment processes, main plant and remote sites, personnel entry, chemical delivery
and storage, SCADA, and control systems for water and wastewater treatment systems.
US EPA. Survey Results on Information Used by Water Utilities to Conduct Vulnerability
Assessments. Washington DC: US EPA Office of the Inspector General, Report No.
2004-M-001, January 20, 2004.
URL: http://www.epa.qov/oiQ/reports/2004/20040120-2004-M-0001.pdf
The survey evaluates the information that some utilities used in the process of writing
their vulnerability assessments. It examines the "usefulness of information provided to
water utilities by the EPA and others, to discuss other security concerns that water
utilities have expressed, and to look at performance indicators that may measure
improvements in water security levels or programs."
US EPA. Table Top Exercise CD ROM: Train-the-Trainer Materials Description (from trainings
organized by the US EPA for the Response Protocol Toolbox). Washington DC: US EPA
Office of Water Security, August 2004.
The target audience for this CD ROM is water utility managers and staff as well as their
partners in the response community. The goal of the CD is to improve and strengthen
the relationships between water utilities and emergency response groups before an
incident occurs. The CD includes an introduction, tabletop exercises, and train-the-
trainer materials for training workshops (based on the RPTB modules) for printing and
distribution.
US EPA. Top Ten List for Small Ground Water Suppliers. Boston, MA: US EPA Northeast
Office website, 2004.
URL: http://www.epa.gQv/ne/eco/drinkwater/pdfs/drinkjngH2Ofactsheet.Mf
This top ten list is a "how to" fact sheet prepared by the EPA's Northeast Office. It
allows small water utilities to quickly examine a short list of tasks and actions which will
indicate their preparedness for a water related emergency.
US EPA. Water Security Website. Washington, DC Office of US E: accessed August 2004.
URL: http://cfpub.epa.gov/safewater/watersecuritv/
This official US EPA water security page provides information on VA's, emergency
planning, security enhancements, legislation and directives, trainings, grants, other tools,
publications, and related links. It is an important source of materials and information for
a water utility manager and interested officials.
Draft WSWG Report--3/21/05
Page 126
-------�
DRAFT Does Mot Rapmsant th« Consensus; of the W8WG
US GAO. Report to the Committee on Environment and Public Works, US Senate—Drinking
Water: Expert Views on How Future Federal Funding Can Best Be Spent to Improve
Security. Washington, DC: GAO-04-29 Drinking Water Security, October 2003. (DFO)
URL: http://www.gao.qov/new.items/d0429.pcjf
The GAO report reviews the state of water security in a broad manner. The U.S. Senate
Environment and Public Works committee commissioned the systematic web based
research to discuss water security matters with 43 selected experts. The GAO
recommends that the EPA use the report as a guide to allocating funding or resources to
water utilities. It outlines the methods it recommends to distribute Federal funding, and a
compilation of security-enhancing activities that utilities may undertake.
US GAO. Testimony Before the Subcommittee on Environment and Hazardous Materials,
Committee on Energy and Commerce, House of Representatives—Drinking Water:
Experts' Views on How Federal Funding Can Best Be Spent To Improve Security.
Washington, DC: GAO-04-1098T Drinking Water Security, September 30, 2004.
URL: http://www.gao.gov/new.items/d041098t.pdf
US GAO Testimony to follow up on the Report Senate—Drinking Water: Expert Views
on How Future Federal Funding Can Best Be Spent to Improve Security. This is the
most recent discussion of the report before the US Congress (House of Representatives.
Draft WSWG Re port--3/21/05
Page 127
-------�
DRAFT Oosss. hjof Represent th« Consensus of the
Attachment 4: Acronym List
ACC - American Chemistry Council
ADWA - Association of Drinking Water Administrators
ASCE - American Society of Civil Engineers
AMSA - Association of Metropolitan Sewerage Agencies
AMWA - Association of Metropolitan Water Agencies
AWWA - American Water Works Association
AWWARF - American Water Works Association Research Foundation
Bioterrorism Preparedness and Response Act - Bioterrorism Act
Cl - American Chlorine Institute
EPA - The Environmental Protection Agency
ERP - Emergency Response/ Recovery Plan
GAO - Government Accountability Office
HSC - Homeland Security Council
HSIN - Homeland Security Information Network
IT - Information Technology
CDC - Centers for Disease Control and Prevention
DHS - Department of Homeland Security
DoD - Department of Defense
NBP - National Biosolid Partnership
NDWAC - National Drinking Water Advisory Council
NRWA - National Rural Water Association
NW WARN - Northwest Warning and Alert Response Network
RAM-W - Risk Assessment Methodology for Water
SCADA - Secure Supervisory Control and Data Acquisition
SEMS - Standardized Emergency Management System
V-SAT - Vulnerability Self-Assessment Tool
WaterlSAC - The Water Information Sharing and Analysis Center
WEF - Water Environment Federation
WSWG - The Water Security Working Group
WSCC - Water Security Coordination Council
Draft WSWG Re port--3/21/05
Page 128
-------� |