&EPA
   United States
   Environmental Protection
   Agency
Response Protocol Toolbox:
Planning for and Responding to
Drinking Water Contamination
Threats and Incidents

Interim Final - December 2003

Module 2:
Contamination Threat Management Guide

-------
             Response Protocol Tool box:
             Planning for and Responding to
  Drinking Water Contamination Threats and Incidents


Module 2: Contamination Threat Management Guide
                   Interm Final - December 2003
                   PLANNING AND PREPARATION
                        Threat Warning
                      Initial Threat Evaluation
                      Immediate Operational
                       Response Actions
                     Site Characterization and
                          Sampling
                      Public Health Response
                           Actions
                        Sample Analysis
                          Is Incident
                          Confirmed?
                     Remediation and Recovery

-------
                            MODULE 2: Contamination Threat Management Guide


      OTHER RESPONSE PROTOCOL TOOLBOX MODULES

Module 1: Water Utility Planning Guide (December 2003)
Module 1 provides a brief discussion of the nature of the contamination threat to the
public water supply.   The module also describes the planning activities that a utility
may undertake to prepare for response to contamination threats and incidents.

Module 2: Contamination Threat Management Guide (December 2003)
Module 2 presents the overarching framework for management of contamination
threats to the drinking water supply.  The threat management process involves two
parallel and interrelated activities: 1) evaluating the threat, and 2) making decisions
regarding appropriate actions to take in response to the threat.

Module 3: Site Characterization and Sampling Guide (December 2003)
Module 3 describes the site characterization process in which information is gathered
from the site of a suspected contamination incident at a drinking water system.  Site
characterization activities include the site investigation, field safety screening, rapid
field testing of the water, and sample collection.

Module 4: Analytical Guide (December 2003)
Module 4 presents an approach to the analysis of samples collected from the site of a
suspected contamination incident.  The purpose of the Analytical Guide is not to
provide a detailed protocol. Rather, it describes a framework for developing an
approach for the analysis of water samples that may contain an unknown contaminant.
The framework is flexible and will allow the approach to be crafted based on the
requirements of the specific situation. The framework is also designed to promote the
effective  and defensible performance of laboratory analysis.

Module 5: Public Health Response Guide (available March 2004)
Module 5 deals with the public health response measures that would potentially be
used to minimize public exposure to potentially contaminated water.  It discusses the
important issue of who is responsible for making the decision to initiate public health
response  actions, and considers the role of the water utility in this decision process.
Specifically, it examines the role of the utility during a public health response action,
as well as the interaction among the utility, the drinking water primacy agency, the
public health community, and other parties with a public health mission.

Module 6: Remediation and Recovery Guide (available March 2004)
Module 6 describes the planning and implementation of remediation and recovery
activities that would be necessary following a confirmed contamination incident. The
remediation process involves a sequence of activities including: system
characterization;  selection of remedy options; provision of an alternate drinking water
supply during remediation activities; and monitoring to demonstrate that the system
has been  remediated.  Module 6 describes the types of organizations that would likely
be involved in this stage of a response,  and the utility's role during remediation and
recovery.
                                                       Interim Final - December 2003

-------
                                  MODULE 2: Contamination Threat Management Guide


                             TABLE OF CONTENTS


1   INTRODUCTION                                                            10

2   OVERVIEW OF THE CONTAMINATION THREAT MANAGEMENT PROCESS            12

  2.1    ROLES AND RESPONSIBILITIES	13
  2.2    EVALUATION OF WATER CONTAMINATION THREATS	14
  2.3    CONSEQUENCE ANALYSIS	16
    2.3.1   NUMBER OF INDIVIDUALS AFFECTED                                     16
    2.3.2   HEALTH EFFECTS                                                      17
    2.3.3   IMPACTS OF RESPONSE ACTIONS ON CONSUMERS                           17
  2.4    PLANNING FOR RESPONSE DECISIONS	17

3   'POSSIBLE' STAGE OF THE THREAT MANAGEMENT PROCESS                      19

  3.1    INFORMATION FROM THE THREAT WARNING	19
    3.1.1   SECURITY BREACH                                                    20
    3.1.2   WITNESS ACCOUNT                                                    21
    3.1.3   DIRECT NOTIFICATION BY PERPETRATOR                                  22
    3.1.4   NOTIFICATION BY NEWS MEDIA                                          22
    3.1.5   NOTIFICATION BY LAW ENFORCEMENT AGENCIES                           23
    3.1.6   UNUSUAL WATER QUALITY                                             23
    3.1.7   CONSUMER COMPLAINTS                                               25
    3.1.8   NOTIFICATION BY PUBLIC HEALTH AGENCIES                              25
  3.2    ADDITIONAL INFORMATION CONSIDERED AT THE 'POSSIBLE' STAGE	26
    3.2.1   UTILITY INFORMATION AND STAFF KNOWLEDGE                            27
    3.2.2   VULNERABILITY ASSESSMENT                                           27
    3.2.3   REAL-TIME WATER QUALITY DATA AND CONSUMER COMPLAINTS              28
  3.3    RESPONSE ACTIONS CONSIDERED AT THE'POSSIBLE' STAGE	28
    3.3.1   SITE CHARACTERIZATION ACTIVITIES                                     29
    3.3.2   IMMEDIATE OPERATIONAL RESPONSE                                     32

4   'CREDIBLE' STAGE OF THE THREAT MANAGEMENT PROCESS                     35

  4.1    INFORMATION CONSIDERED AT THE'CREDIBLE'STAGE	35
    4.1.1   SITE CHARACTERIZATION RESULTS                                       36
    4.1.2   PREVIOUS THREATS AND SECURITY INCIDENTS                             37
    4.1.3   INFORMATION FROM EXTERNAL SOURCES                                 38
  4.2    RESPONSE ACTIONS CONSIDERED AT THE 'CREDIBLE' STAGE	40
    4.2.1   SAMPLE ANALYSIS                                                    41
    4.2.2   CONTINUATION OF SITE CHARACTERIZATION ACTIVITIES                     43
    4.2.3   PUBLIC HEALTH RESPONSE                                              44

5   'CONFIRMATORY' STAGE OF THE THREAT MANAGEMENT PROCESS               47

  5.1    INFORMATION CONSIDERED AT THE 'CONFIRMATORY' STAGE	47
    5.1.1   ANALYTICAL RESULTS                                                 48
    5.1.2   ADDITIONAL SITE CHARACTERIZATION RESULTS                            49
    5.1.3   INFORMATION FROM EXTERNAL SOURCES                                 50
  5.2    RESPONSE ACTIONS CONSIDERED AT THE 'CONFIRMATORY' STAGE	51

6   CONTAMINATION THREAT MANAGEMENT MATRICES                            54

  6.1    SECURITY BREACH	55
  6.2    WITNESS ACCOUNT	57
  6.3    DIRECT NOTIFICATION BY PERPETRATOR	58
  6.4    NOTIFICATION BY LAW ENFORCEMENT	60
  6.5    NOTIFICATION BY NEWS MEDIA	62
                                                           Interim Final - December 2003

-------
                                 MODULE 2: Contamination Threat Management Guide


  6.6    UNUSUAL WATER QUALITY	64
  6.7    CONSUMER COMPLAINT	66
  6.8    PUBLIC HEALTH NOTIFICATION	68

7   REFERENCES AND RESOURCES                                              70

8   APPENDICES                                                             71

  8.1    RESPONSE PLANNING MATRIX	71
  8.2    THREAT EVALUATION WORKSHEET	72
  8.3    SECURITY INCIDENT REPORT FORM	77
  8.4    WITNESS ACCOUNT REPORT FORM	80
  8.5    PHONE THREAT REPORT FORM	84
  8.6    WRITTEN THREAT REPORT FORM	87
  8.7    WATER QUALITY/CONSUMER COMPLAINT REPORT FORM	90
  8.8    PUBLIC HEALTH INFORMATION REPORT FORM	92
  8.9    OVERVIEW OF THE "WATER CONTAMINANT INFORMATION TOOL"	94

LIST OF FIGURES

FIGURE 2-1: CONTAMINATION THREAT MANAGEMENT DECISION TREE	12
FIGURE 2-2: SUMMARY OF THREAT WARNINGS	20
FIGURE 2-3: OVERVIEW OF SITE CHARACTERIZATION AND SAMPLING PROCESS	31
FIGURE 2-4: DECISION PROCESS FOR CONTAINMENT AS AN OPERATIONAL RESPONSE TO A
          'POSSIBLE'CONTAMINATION THREAT	33
FIGURE 2-5: SUMMARY OF LABORATORY TYPES BY CONTAMINANT CLASS	41
FIGURE 2-6: DECISION PROCESS FOR THE DEVELOPMENT OF AN ANALYTICAL APPROACH FOR
          POTENTIALLY CONTAMINATED WATER SAMPLES	42
FIGURE 2-7: DECISION FOR ACTIONS TAKEN TO PROTECT PUBLIC HEALTH IN RESPONSE TO A
          'CREDIBLE'CONTAMINATION THREAT	47
FIGURE 2-8: OVERVIEW OF RESPONSE TO A CONFIRMED CONTAMINATION INCIDENT	52
                                                         Interim Final - December 2003

-------
                                    MODULE 2: Contamination Threat Management Guide
                                     ACRONYMS

AWWARF   American Water Works Association Research Foundation
CDC         Centers for Disease Control and Prevention
ERP         Emergency response plan
ETV         Environmental Technology Verification
FBI          Federal Bureau of Investigation
FEMA       Federal Emergency Management Agency
HazMat      Hazardous materials
ISAC        Information Sharing and Analysis Center
LRN         Laboratory Response Network
PPE          Personal protective  equipment
QA          Quality assurance
QC          Quality control
SCADA      Supervisory control and data acquisition
SDWA      Safe Drinking Water Act
TOC         Total organic carbon
URL         Uniform resource  locator
US EPA      United States Environmental Protection Agency
UV          Ultraviolet
WCIT       Water contaminant information tool
WUERM     Water utility emergency response manager
                                                               Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


                                      GLOSSARY

Definitions in this glossary are specific to the Response Protocol Tool Box but conform to
common usage as much as possible.

Agency - a division of government with a specific function, or a non-governmental organization
(e.g., private contractor, business, etc.) that offers a particular kind of assistance. In the incident
command system, agencies are defined as jurisdictional (having statutory responsibility for
incident mitigation) or assisting and/or cooperating (providing resources and/or assistance).

Analytical Approach - a plan describing the specific analyses that are performed on the
samples collected in the event of a water contamination threat.  The analytical approach is based
on the specific information available about a contamination threat.

Analytical Confirmation - the process of determining an analyte in a defensible manner.

Causative Agent - the pathogen, chemical, or other substance that is the cause of disease or
death in an individual.

'Confirmed' - in the context of the threat evaluation process, a water contamination incident is
'confirmed' if the information collected over the course of the threat evaluation provides
definitive evidence that the water has been contaminated.

'Confirmatory' Stage - the third stage  of the threat evaluation process from the point at which
the threat is deemed 'credible' through the determination that a contamination incident either has
or has not occurred.

Consequence - the adverse outcome resulting from a drinking water contamination incident.  In
the context of the threat management process, the consequence considers both the number of
individuals potentially affected as well as the severity of the health effect experienced upon
exposure.

Contamination Site - the location where a contaminant is known or suspected to have been
introduced into a drinking water system. For example, a distribution system storage tank where
a security breach has occurred may be designated as a suspected contamination site. The
contamination site will likely be designated as an investigation site for the purpose of site
characterization.

'Credible' - in the context of the threat evaluation process, a water contamination threat is
characterized as 'credible'  if information collected during the threat evaluation process
corroborates information from the threat warning.

'Credible' Stage - the second stage of the threat management process from the point at which
the threat is deemed 'possible' through the determination as to whether or not the threat is
'credible'.
                                                                 Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


Drinking Water Primacy Agency - the agency that has primary enforcement responsibility for
national drinking water regulations, namely the Safe Drinking Water Act as amended.  Drinking
water primacy for a particular state may reside in one of a variety of agencies, such as health
departments, environmental quality departments, etc. The drinking water primacy agency is
typically the State Health Agency or the State Environmental Agency.  The drinking water
primacy agency may also play the role of technical assistance provider to drinking water
utilities.

Emergency Operations Center - a pre-designated facility established by an agency or
jurisdiction to coordinate the overall agency or jurisdictional response and support to an
emergency.

Emergency Response Plan - a document that describes the actions that a drinking water utility
would take in response to various emergencies, disasters, and other unexpected incidents.

Field Safety Screening - screening performed to detect any environmental hazards (i.e., in the
air and on surfaces) that might pose a threat to the site characterization team.  Monitoring for
radioactivity as the team approaches the site is an example of field safety screening.

Health Care Provider - any individual or organization involved in the care of patients. Health
care providers include physicians and hospitals.

Immediate  Operational Response - an action taken in response to a 'possible' contamination
threat in an attempt to minimize the potential for exposure to the potentially contaminated water.
Immediate operational response actions will generally have a negligible impact on consumers.

Impact - the consequence or effect on drinking water consumers, or the utility itself, resulting
from the implementation of response actions.  An impact could also be considered as the cost of
implementing a response action.

Incident - a confirmed occurrence that requires response  actions to prevent or minimize loss of
life or damage to property and/or natural resources. A drinking water contamination incident
occurs when the presence of a harmful contaminant has been confirmed.

Incident Command System - a standardized on-scene emergency management concept
specifically  designed to allow its user(s) to adopt an integrated organizational structure
appropriate for the complexity and demands of single or multiple incidents, without being
hindered by jurisdictional boundaries.

Incident Commander - the individual responsible for the management of all incident
operations.

Investigation Site - the location where site characterization activities are performed.  If a
suspected contamination site has been identified, it will likely be designated as a primary
investigation site. Additional or secondary investigation sites may also be identified due to the
potential spread of a contaminant.
                                                                Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
Latency Period - the period of time that elapses between exposure of an individual to a
causative agent and the appearance of signs or symptoms of disease.

'Possible' - in the context of the threat evaluation process, a water contamination threat is
characterized as 'possible' if the circumstances of the threat warning appear to have provided an
opportunity for contamination.

'Possible' Stage - the first stage of the threat management process from the point at which the
threat warning is received through the determination as to whether or not the threat is 'possible'.

Preponderance of Evidence - an overwhelming and convincing amount of information that is
sufficient to conclude that an incident has occurred even though definitive proof may not be
available.

Public Health - the health and well being of an entire population or community. Public health
does not specifically address the health of individuals.

Quality Assurance - an integrated system of management activities involving planning,
implementation, documentation, assessment, reporting, and quality improvement to ensure that a
process, item, or service is of the type and quality needed and expected by the client.

Quality Control - the overall system of technical activities that measures the attributes and
performance of a process, item, or service against defined standards to verify that they meet the
stated requirements established by the client; operational techniques and activities that are used
to fulfill requirements for quality.

Rapid Field Testing - analysis of water during site characterization using rapid field water
testing technology in an attempt to tentatively identify contaminants or unusual water quality.

Response Decisions - part of the threat management process in which decisions are made
regarding appropriate response actions that consider: 1) the conclusions of the threat evaluation,
2) the consequences of the suspected contamination incident, and 3) the impacts of the response
actions on drinking water customers and the utility.

Response Guidelines - a manual designed to be used during the response to a water
contamination threat. Response Guidelines should be easy to use and contain forms, flow charts,
and simple instructions to support staff in the field or decision officials in the Emergency
Operations Center during management of a crisis.

Security Breach - an unauthorized intrusion into a secured facility that may be discovered
through direct observation, an alarm trigger, or signs of intrusion (e.g., cut locks, open doors, cut
fences). A security breach is a type of threat warning.

Site Characterization - the process of collecting information from an investigation site in order
to support the evaluation of a drinking water contamination threat.  Site characterization
                                                                Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


activities include the site investigation, field safety screening, rapid field testing of the water, and
sample collection.

Technical Assistance Provider - any organization or individual that provides assistance to
drinking water utilities in meeting their mission to provide an adequate and safe supply of water
to their customers.  The drinking water primacy agency may serve in this capacity.

Threat - an indication that a harmful incident, such as contamination of the drinking water
supply, may have occurred. The threat may be direct, such as a verbal or written threat, or
circumstantial, such as a security breach or unusual water quality.

Threat Evaluation - part of the threat management process in which all available and relevant
information about the threat is evaluated to determine if the threat is 'possible' or 'credible', or if
a contamination incident has been 'confirmed.'  This is an iterative process in which the threat
evaluation is revised as additional  information becomes available. The conclusions from the
threat evaluation are considered when making response decisions.

Threat Management - the process of evaluating a contamination threat and making decisions
about appropriate response actions. The threat management process includes the parallel
activities of the threat evaluation and making response decisions. The threat management
process is considered in three stages:  'possible', 'credible', and 'confirmatory.' The severity of
the threat and the magnitude of the response decisions escalate as a threat progresses through
these stages.

Threat Warning - an unusual occurrence, observation, or discovery that indicates a potential
contamination incident and initiates actions to address this concern.

Vulnerability Assessment - a systematic process for evaluating the susceptibility of critical
facilities to potential threats and identifying corrective actions that can reduce or mitigate the risk
of serious consequences associated with these threats.

Water Contamination Incident - a situation in which a contaminant has been successfully
introduced into the system.  A water contamination incident may or may not be preceded by a
water contamination threat

Water Contamination Threat - a situation in which the introduction of a contaminant into the
water system is threatened, claimed, or suggested by evidence. Compare water contamination
threat with water contamination incident.  Note that tampering with a water system is a crime
under the Safe Drinking Water Act as amended by the Bioterrorism Act.

Water Utility Emergency Response Manager (WUERM) - the individual(s) within the
drinking water utility management structure that has the responsibility and authority for
managing certain aspects of the utility's response to an emergency (e.g., a contamination threat)
particularly  during the initial stages of the response.  The responsibilities and authority of the
WUERM are defined by utility management and will likely vary based on the circumstances of a
specific utility.
                                                                 Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
1   Introduction
The goal of terrorism is to instill fear in the population, not necessarily to cause damage or
casualty. This fear can be caused by the mere threat of contamination if the threat is not
properly managed. For this reason, both threatened and actual contamination incidents are a
concern faced by the public at large and, in particular, drinking water treatment professionals.
Historic evidence suggests that the probability of intentional contamination of the drinking water
supply is relatively low; however, experts agree that it is possible to contaminate a portion of a
drinking water system, resulting in adverse public health consequences. Furthermore, as
discussed in Module 1, the probability of a contamination threat (the mere indication that
contamination of the drinking water supply may have occurred) is relatively high. Given that it
is possible to contaminate drinking water at levels of public health concern, and the  probable
occurrence of contamination threats in the water sector, there is a need to evaluate the credibility
of any contamination threat and identify appropriate response actions in a very short period of
time.

While it is desirable to have complete information prior to making important decisions, the
reality is that decisions typically must be made with incomplete information.  This will often be
the case when responding to contamination threats to drinking water systems since there will not
be time to definitively determine whether or not the water has been contaminated with a harmful
substance prior to making decisions to protect public health.  However, it is also necessary to
avoid false alarms that would result in undue panic and stress on the public.  Thus a balance must
be achieved between actions taken to protect public health and limiting false alarms and
overreaction to a perceived threat. FEMA offers an on-line course in decision making and
problem solving in emergency situations that may be of interest to the reader (FEMA, 2002)

This module, the "Contamination Threat Management Guide," provides a framework for making
decisions based on available, yet incomplete, information in response to a contamination threat.
It represents the hub of the "Response Protocol Toolbox," and is supported by the other modules
that present procedures for collecting additional information to assist  in evaluating the threat or
describe various actions that might be taken in response to a contamination threat. Based on this
overarching relationship among the modules, the objectives of this module are to:
      Present a framework for evaluating a water contamination threat and making decisions at
       key decision points in the process.
      Describe the type  of information that may be useful for conducting a threat evaluation.
      Describe the actions that might be implemented in response to a contamination threat,
       giving consideration to the potential consequences of an incident and the impacts
       resulting from  various response actions.

Based on these objectives, Module 2 is organized into eight sections that deal with the following
topics:

       Section 1:      Introduction: Describes the objectives and overall organization  of this
                     module.
                                        10                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


       Section 2:    Overview of the Contamination Threat Management Process: Provides an
                    overview of the process for evaluating a contamination threat and making
                    decisions about appropriate response actions based on the conclusions
                    drawn from the threat evaluation and an analysis of potential
                    consequences.

       Section 3:    'Possible' Stage of the Threat Management Process: Describes the general
                    approach for determining whether or not a water contamination threat is
                    'possible,' as well as the information sources and response actions that
                    might be considered at this initial stage of the threat evaluation.

       Section 4:    'Credible' Stage of the  Threat Management Process: Describes the general
                    approach for determining whether or not a water contamination threat is
                    'credible,' as well as the information sources and response actions that
                    might be considered at this advanced stage of the threat evaluation.

       Section 5:    'Confirmatory' Stage of the Threat Management Process: Describes the
                    general approach for determining whether or not a water contamination
                    incident has been 'confirmed.'  Discusses the information that might be
                    used to confirm an incident as well as the response actions that might be
                    implemented once an incident has been confirmed.

       Section 6:    Contamination Threat Management Matrices: Presents  eight matrices that
                    describe the three stages of a threat evaluation ('possible,'  'credible,'  and
                    'confirmed') for each type of threat warning presented  in this module.

       Section 7:    References and Resources: Lists the references used in  the development of
                    this module as well  as additional information resources.

       Section 8:    Appendices: provides a number of forms that support this module and that
                    may be used in the development of a utility's site-specific Emergency
                    Response Plan (ERP) or Response Guidelines (RGs).

The target audience for this module includes any individuals that might be involved in evaluating
the possibility or credibility of a water contamination threat, providing information to support the
evaluation, or deciding on appropriate response  actions based on the results of the threat
evaluation. This will likely include water utility management and staff, drinking water primacy
agency staff, public health officials, technical assistance providers, and law enforcement
officers.  This module is intended to be a planning tool, and it is recommended that individuals
responsible for managing a contamination threat (including an evaluation of the credibility of the
threat and response actions to the threat) review this module in its entirety and integrate the
concepts presented herein into their own response guidelines.
                                        11
Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide


2   Overview of the Contamination Threat Management Process

This section provides an overview of the entire threat management process and serves as a
roadmap to the remaining sections of this module. This overview is intended to familiarize the
reader with the entire process such that details of the methodology provided in the subsequent
sections can be understood in the context of the overall framework. Figure 2-1 is a flow chart
depicting the threat management process, which is comprised of two parallel activities: the threat
evaluation and response decisions.  While these two activities are interdependent and are
performed concurrently during the threat management process, each is presented separately to
facilitate the discussion.
               Review existing information
               (see Sections 3.1 and 3.2)
                                               -NO-
                       YES
              Perform site characterization
                  (see Section 3.3.1)
     Consider operational response
         (see Section 3.3.2)
              Review additional information
                   (see Section 4.1)
\
/
                                          NO-
                       YES
                    Close investigation, return\
                    to normal operation, and   ]
                      document the threat.  J
\
nple analysis
tion 4.2. 1)



Consider public health response
(see Section 4.2.3)
              Review additional information
                   (seeSecf/on5.7)
                     results confirm
                   contamination?
              Revise operational and public
              health response as necessary
               (see Sections 3.3.2 & 4.2.3)
      Revise sampling and
    analysis plans and continue
        threat evaluation
                 Develop remediation
                  and recovery plan
                   (see Section 5.2)
Figure 2-1. Contamination Threat Management Decision Tree
                                         12
                               Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
The general decision tree for managing a contamination threat presented in Figure 2-1 is a model
that should be applied according to the circumstances of a specific situation. There are numerous
discoveries at water facilities that might be interpreted as potential contamination threats, and the
decision tree presented in Figure 2-1 is intended to reduce the thousands of potential discoveries
to hundreds of possible contamination threats to tens of credible contamination threats.  This will
in turn allow a utility to respond appropriately to contamination threats that do occur and provide
reasonable consideration to the threat without overreacting and triggering harmful false alarms.
2.1  Roles and Responsibilities
Module 1 presented the Incident Command System as a model of the organizational structure for
managing a contamination threat or incident.  Under this structure, the individual with overall
responsibility is the incident commander.  The organization that assumes responsibility for
incident command will depend on the nature and severity of the threat or incident. By default, if
no other organization with the proper authority assumes responsibility for incident command, it
becomes the water utility's responsibility. The water utility emergency response manager
(WUERM) would assume the role of incident commander in this case.

During the course of managing a contamination threat, the individual designated as incident
commander may change as different organizations assume responsibility for managing the
situation. For example, during the initial stages of a situation, the WUERM will likely be in the
role of incident commander.  As more information about the threat becomes available and the
situation evolves, different organizations may step in and take command. For example, if
terrorist activity is suspected, the FBI will likely assume incident command. On the other hand,
if the situation were a potential public health crisis (without links to terrorism), the state or local
public health agency would likely assume incident command.  In cases where another
organization has assumed responsibility for incident command, the utility will play a supporting
role during the threat management process and maintain responsibility for the system.

The following is a brief discussion of roles and responsibilities during the threat management
process. This listing is not intended to be comprehensive for all situations, but to highlight the
key players that might be involved in the threat evaluation or in making  response decisions.

   Drinking Water Utility - The utility will be responsible for incident command, and the
   WUERM would be designated as the incident commander, unless another organization takes
   over the  situation.  As incident commander, the WUERM would  be responsible for
   conducting the threat evaluation and making response decisions.  Regardless of the
   organization responsible for incident command, the utility  has an ongoing responsibility as a
   technical advisor to the incident commander for issues related to  the operation of the water
   system and water quality.

   Drinking Water Primacy Agency - This agency may assume responsibility for incident
   command in cases in which the water utility lacks the resources to manage the threat.  The
   primacy  agency may also coordinate some aspects of response and reporting throughout its
   jurisdiction. Furthermore, the primacy agency may serve as a technical resource to water
                                        13                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


   utilities and serve as a link to federal resources such as the United State Environmental
   Protection Agency (U.S. EPA) and the Federal Emergency Management Agency (FEMA).

   Public Health Agency (State or Local) - This agency may assume responsibility for
   incident command in situations in which there is a potential threat to public health. The
   public health agency will have the lead in coordinating the public health response to a
   contamination threat or incident, possibly including public notification. They would also
   have the lead in the public health investigation, including identification of the source of
   unusual disease or death in the population. The public health agency would also serve as the
   link to federal resources such as the Centers for Disease Control and Prevention (CDC) and
   the Laboratory Response Network (LRN). Note: in some states, the state public health
   agency is  also the drinking water primacy agency.

   Local Law Enforcement Agency- This agency may assume responsibility for incident
   command in situations in which criminal activity, excluding federal crimes, is suspected.
   Law enforcement will have the lead in the criminal investigation and will determine whether
   or not a crime has been committed. The criminal investigation (i.e., has a crime been
   committed?) is related to the threat evaluation process, which addresses the more  specific
   question regarding whether or not the water has been contaminated.

   Federal Bureau of Investigation (FBI) - This agency will assume responsibility for
   incident command when a federal crime, including terrorism, is suspected.  Furthermore, FBI
   will make the determination regarding the credibility of a terrorist threat based on the
   information available and their experience in criminal investigations.  If FBI determines the
   terrorist threat to be credible, they will assume command of the situation, and the  utility will
   play a technical advisory role.

The roles of federal organizations during the response to an incident are defined in the Federal
Response Plan, which is described in Module 1, Appendix 6.2.
2.2  Evaluation of Water Contamination Threats
The process begins with a threat warning, which is an unusual event, observation, or discovery
that indicates a potential contamination incident and which initiates actions to address this
concern.  For example, a security breach at a distribution system storage tank might be
considered a threat warning.  A threat warning will typically result in a threat evaluation, a
process in which all available and relevant information is evaluated to determine the credibility
of a contamination threat. The following simple model described the threat evaluation in terms
of input, evaluation, and output:
      Input = all available information relevant to the contamination threat.
      Evaluation = systematic evaluation of the collective information to determine whether or
       not the water supply could have been contaminated. It is important to consider all
       available information as a whole such that any one individual piece of information does
       not drive the entire decision process.
      Output = conclusions of the threat evaluation (i.e., has something actually happened?).
                                        14                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


The threat evaluation is a progressive process that is considered in three stages (or decision
points) depicted in Figure 2-1: 'possible,' 'credible,'' and 'confirmed.' These stages are briefly
described below and discussed more fully in Sections 3, 4, and 5. It is also an iterative process in
which the threat evaluation is revised as additional information becomes available. The
conclusions from the threat evaluation are considered when making response decisions.

The primary focus of the threat evaluation is public health (i.e., has the water been contaminated
at levels of public health concern?).  However, the threat evaluation should also consider other
potential consequences of a contamination incident such as infrastructure damage, adverse
impacts on the aesthetic qualities of the drinking water, and reduced consumer confidence.

Management of a contamination threat begins with an evaluation of information about the threat
warning. The outcome of this initial evaluation leads to the first decision point in Figure 2-1 -
"is the threat possible?"  This initial evaluation represents a relatively low threshold that is
intended to discriminate between those threats that warrant further investigation and those that
can be dismissed as impossible. If the threat is deemed possible, immediate operational
responses may be implemented to contain the suspect water while the investigation is continued
through activities such as site characterization to support the next stage of the threat evaluation.
If the threat is not considered 'possible,'  the investigation is closed, the threat documented, and
the system returned to normal operation.

The results of site characterization and investigation of other sources will yield additional
information that will inform the second decision point in Figure 2-1 - "is the threat credible?"
This decision represents a higher threshold than that at the 'possible' stage.  In order for a threat
to be considered 'credible,' there must be sufficient information and corroborating evidence to
indicate that the water may have been compromised. If the threat is determined to be 'credible,'
response actions may be necessary to limit the potential for human exposure to the suspect water
and law enforcement should be notified due to the potential for criminal activity.  The
investigation will  continue concurrently with these response actions in an effort to confirm the
contamination incident.  Actions taken to confirm an incident may include the analysis of
samples collected during site characterization and/or additional sampling and rapid field testing.
If the threat is not considered 'credible,' the investigation is closed, the incident documented, and
the system returned to normal operation.

The next and final decision point in Figure 2-1 is confirmation of a contamination incident,
which will typically be achieved in one of two ways. The preferred approach for confirmation of
a contamination incident is through an evaluation of analytical results from samples collected
during site characterization.  However, this may not always be possible due to the limitations of
both sampling and analysis (e.g.,  sampling may fail to capture an aliquot of the contaminated
water). Thus, a contamination incident may also be confirmed through & preponderance of
evidence indicating that the water has been contaminated. As an example, a contamination
incident might be confirmed if there is a  security breach with obvious signs of contamination and
there are reports of unusual health symptoms in residents near the site of the security breach.

Once a contamination incident is confirmed, it may be necessary to revise protective measures
previously implemented in order to ensure that the public will not be exposed to the
                                        15                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


contaminated water. Furthermore, it will be necessary to prepare for remediation and recovery
activities following confirmation. If the analytical results do not confirm the contamination
incident, the credibility of the threat should be reassessed.  Upon reassessment, if the threat is
still deemed credible, it may be necessary to revise the sampling and/or analysis approach since
it is possible that the first round of sampling and analysis missed the contaminant. On the other
hand, if the threat is no longer considered 'credible' due to negative analytical results and a lack
of other evidence, the investigation can be closed, the incident documented, and the  system
returned to normal operation. However, under such circumstances, it will likely be necessary to
collect and analyze a number of samples in the suspect area to provide additional assurance that
the water has not been contaminated and is safe to use.
2.3   Consequence Analysis
Effective management of a contamination threat lies in the ability to make appropriate decisions
and take appropriate actions in response to the threat.  As previously discussed, the credibility of
a contamination threat is one consideration in making these response decisions. An equally
important consideration is the potential consequence to public health.  Thus, an analysis of
potential consequences associated with a particular contamination threat is a complementary
effort to the threat evaluation. Like the threat evaluation, consequence analysis should be viewed
as an iterative process since the potential consequences of a particular threat may be better
understood as additional information is collected from the ongoing investigation. In conducting
a consequence analysis, one should consider the number of individuals potentially affected, the
severity of the health effects, and the impact of an interruption in the drinking water supply on
consumers.
2.3.1  Number of Individuals Affected
The number of individuals potentially affected by a contamination incident is a function of the
spread of the contaminant and the population within the contaminated area. This may be
difficult to determine with a great deal of accuracy within the short time period necessary to
make response decisions; however, it may be possible to quickly develop a rough estimate using
existing information and/or tools. A simple approach is to utilize operational knowledge of the
system to approximate the spread of the potentially contaminated water from the point of
suspected contaminant introduction. One might also develop a list of typical travel times from
key nodes or facilities within the system to large population centers or critical customers.

A more rigorous evaluation approach involves the application of a hydraulic model designed to
estimate the spread of a contaminant from a point of introduction through the distribution
system. Examples of models that could be applied in this manner include EPA Net, PipelineNet,
MWHSoft, Stoner, and Haestad.  The capabilities of PipelineNet are described in more detail in
Module 5, Appendix 8.7. These models are sophisticated and require a certain level of skill and
a significant amount of time to run; thus, it may not be practical to use such models during the
early stages of a response to a contamination threat. Furthermore, the successful application of
these models depends on knowledge of the location and time of contaminant introduction,
information that may not be available in many cases. It may be more useful to run several
                                        16                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


scenarios using a hydraulic model as a planning exercise in order to understand how a
contaminant might move through a system.

Once the area impacted by the spread of the contaminant has been estimated, the number of
individuals potentially affected can be approximated using the population within that area. The
population might be estimated from knowledge of the population centers, neighborhoods, and
institutions within the bounds of the affected area.  Consideration must also be given to the
dilution that would occur as a contaminant moves through the system and the relatively small
percentage of treated water that is used for consumption.  Both of these factors will reduce the
number of individuals potentially affected, but not necessarily to levels acceptable to the public.
2.3.2  Health Effects
The severity of the health effects is directly related to the properties and concentration of the
contaminant.  In cases where the identity of a contaminant is known or assumed, information
about its toxicity/infectivity, fate and transport, and resistance to chlorine or chloramines will
help in the assessment of potential public health impacts. Health effects might be minor (e.g.,
minor skin irritation), moderate (e.g., short-term gastrointestinal disease), or severe (e.g.,
debilitating disease or death).  Situations in which there may be sufficient information to make a
reasonable assessment of potential health effects include those in which a contaminant is named
in a threat, detected through monitoring or analysis, or inferred from clinical data. Information
regarding contaminant properties related to public health effects may be obtained from local
health authorities, U.S. EPA, and CDC, among others. Unfortunately, in most cases there will
not be sufficient information about the suspected contaminant to make an assessment regarding
potential health effects. In these instances, it may be appropriate to make the conservative
assumption that severe health effects are possible.
2.3.3  Impacts of Response Actions on Consumers
While public health protection is the primary objective during management of a contamination
threat, it is also important to consider the overall mission of the water utility - to provide a safe
supply of drinking water for consumption, sanitation, fire protection, and other consumer needs.
Response actions can be taken to minimize possible impacts on public health that could result
from an actual contamination incident, but many of these actions will impact the ability of the
water system to meet various aspects of its overall mission. For example, if a decision is made to
issue a "do not drink" notice, the day-to-day life of citizens will be severely impacted due to the
loss of a convenient supply of potable water for consumption and food preparation.
Furthermore, if the water is deemed unsafe for fire fighting, an alternate source must be quickly
mobilized to maintain fire protection.
2.4   Planning for Response Decisions
Three factors should be considered when planning for decisions regarding actions taken in
response to a contamination threat: 1) the credibility of the threat; 2) the potential consequences
of the contamination incident; and 3) the impact of the response action on consumers.  A
"Response Planning Matrix" is a tool that may help decision officials to consider these three
                                        17                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


factors when planning for response decisions and might serve as a quick reference guide during
an actual crisis. The matrix is a simple tabular summary that lists the three levels of a threat
evaluation, the potential consequences of a threat (both the number of people affected and health
effects), and potential response actions along with their impacts on consumers.  A blank
"Response Planning Matrix" is included in Appendix 8.1.

By planning for threats with different levels of credibility and potential consequences, the utility
will be better able to make appropriate response decisions quickly.  The Response Planning
Matrix will also make it clear when response decisions need to be elevated to a higher level
within the utility chain of command or coordinated with an external organization, such as the
public health agency.  Furthermore, an understanding of the potential impacts of various
response actions will provide an opportunity to develop strategies for managing and minimizing
adverse impacts. For example, the impact associated with issuing a "do not drink" notice might
be mitigated through a public awareness program.  This outreach approach could educate the
public to the possibility of short duration water outages and encourage them to store a supply of
emergency drinking water.  Such practice is common in areas prone to natural disasters such as
earthquakes and hurricanes.

The blank matrix provided in the appendix can be used as an aid during emergency response
planning.  By working through scenarios with different combinations of credibility,
consequences, and impacts, it is possible to gage the relative importance of various factors.  For
example, it may be determined that the response decisions are influenced more by 'the number of
people affected' than the 'health effects.'  Since there are a limited  number of response actions
available to any utility, it is likely that the number of combinations in the matrix will reduce to
just a few,  and the factors that have the greatest impact on response decisions will become
apparent.

Once the planning process is complete, the "Response Planning Matrix" can be completed as
necessary to serve as a quick reference guide that could be incorporated in a set of "Response
Guidelines"  The tool may also need to be modified from its current form in Appendix 8.1 to be
consistent with a utility's planning process (for example, the "number of people affected" might
be changed to "area affected"). During a crisis, such a tool can efficiently guide the WUERM
toward appropriate planned response actions under various conditions or scenarios.
                                        18                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


3   'Possible' Stage of the Threat Management Process

A water contamination threat is characterized as 'possible' if the circumstances of the threat
warning indicate that there was an opportunity for contamination.  This is the lowest threshold in
the threat evaluation process and is the point at which a decision is made regarding whether or
not to proceed with the investigation.  If the threat is determined to be impossible, there is no
need to continue the threat evaluation or consider any response actions. However, it is likely that
many contamination threats will meet this relatively low threshold and thus warrant further
investigation.

The target time period for determining whether or not a contamination threat is 'possible' is
within one hour from the time the threat warning is received by the utility. Given the potentially
severe consequences of failing to  respond to an actual contamination incident in a timely and
appropriate manner, it is important to determine whether or not a threat is 'possible' in this
relatively short time frame.  The one-hour target, however, should be treated as a flexible goal
since the circumstances of a particular threat may dictate a shorter or longer time

As with all stages of the threat management process, the incident commander is responsible for
determining whether or not contamination threat is 'possible.'  In  most cases, this determination
will be made by the WUERM, although others may become involved in this initial evaluation as
appropriate.  For example, if the threat warning is reported by a law enforcement agency, they
would likely play a role in determining whether or not a threat is 'possible.' Also, the drinking
water primacy agency may wish to be informed about all threat warnings and may participate in
this initial stage of the threat evaluation. However, given the short target time frame for this
initial evaluation, it is generally recommended that the WUERM have the authority to make this
determination and the decision to  continue the investigation.

Relevant and timely information is key to determining whether or not a threat is 'possible' in the
target time period. In most cases, the information  considered at this stage will be derived
directly from the threat warning (e.g., type of warning, location, time of discovery, suspected
time of incident, and other details).  Under some circumstances, additional information beyond
the threat warning may be considered. However, there may  not be sufficient time to do so in
most cases, and the determination regarding whether or not the threat is 'possible' will be based
primarily on the details of the threat warning.
3.1  Information from the Threat Warning
A threat warning is an unusual event, observation, or discovery that indicates the potential for
contamination and initiates actions to address the concern.  Threat warnings may come from
several sources from both within and outside of the water utilities as shown in Figure 2-2.

Information extracted from details of the threat warning is critical to determining whether or not
a contamination threat is possible, and different types of warnings will have different levels of
initial credibility. For example, a public health notification of unusual disease or death in the
population would have a higher degree of initial credibility than a report of unusual water quality
based on general parameters (e.g., pH, chlorine residual, etc.). Some warnings may be judged so
                                        19                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


reliable that the threat is deemed 'credible' solely on the basis of information about the threat
warning, while others may be almost instantly dismissed as impossible.  Each type of threat
warning depicted in Figure 2-2 is discussed in greater detail in following subsections,
particularly with respect to the initial reliability of the information from such incidents.
                             Security
                              Breach
   Witness
   Account
              Public Health
               Notification
               Consumer
               Complaint
             Notification by
               Perpetrator
              Notification by
            Law Enforcement
                          Unusual Water
                              Quality
Notification by
 News Media
Figure 2-2. Summary of Threat Warnings
Regardless of the nature and source of the threat warning, it is critical that protocols be in place
to report the warning to the WUERM as quickly as possible.  Utilities and communities should
develop communications channels and procedures to ensure that threat warnings can be
accurately and quickly reported on 24/7 basis. A "Threat Evaluation Worksheet" is provided in
Appendix 8.2 to help organize the information used throughout the threat evaluation, beginning
with a summary of information about the threat warning itself.
3.1.1  Security Breach
A security breach is an unauthorized intrusion into a secured facility that may be discovered
through direct observation, an alarm trigger, or signs of intrusion (e.g., cut locks, open doors, cut
fences). Security breaches are probably the most common threat warnings, but in most cases are
related to day-to-day operation and maintenance within the water system.  Other security
breaches may be due to criminal activity such as trespassing, vandalism, and theft rather than
attempts to contaminate the water.  However, it is prudent to assess any security breach with
respect to the possibility of contamination.

When evaluating whether or not a security breach is a possible contamination threat, it is
important to consider the circumstances of the incident:
      The mode of discovery of the security breach, e.g., discovery by utility crews, law
       enforcement, a citizen, security  alarm, etc. "Is the source reliable?"
                                        20
                 Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


       The time window in which the security breach occurred. "Can a time window be
       established for the incident based on the times of previous visits to the site and/or the
       time of discovery?"
       The area in which the security breach occurred.  "Is there a history of break-ins,
       vandalism, or trespassing in this area?"
       Any other information or circumstances about the incident.  "Are there signs of theft,
       vandalism, or mischief?" "Are there indications that multiple individuals were
       involved?" "Was anything left at the site?"

A "Security Incident Report Form" is included in Appendix 8.3 to assist in documenting the
available information about the breach and support the threat evaluation.

If the site of the security breach is equipped with security cameras, the footage should be
reviewed as part of the threat evaluation. A video record of the security breach can provide
valuable information to help distinguish among normal operational activity, simple trespassing,
and 'possible' or 'credible' contamination threats. Furthermore, it can help to establish the
actual time of the security breach, which is critical for estimating the area of a distribution
system that would be affected if a contaminant were actually introduced (i.e., such information
would aid in consequence analysis).

The information about a security breach available at the time of discovery may be sufficient to
determine whether or not a threat is 'possible.'  However, in most cases additional information
will be necessary to determine whether or not the threat is 'credible.' Information collected
during site characterization activities will be critical to the threat evaluation at this later stage, as
discussed in Section 4.1.1.
3.1.2  Witness Account
A threat warning may come from an individual who directly witnesses suspicious activity, such
as trespassing, breaking and entering, or some other form of tampering. The witness could be
either a utility employee or a bystander. As a result, the witness report may come directly to the
utility, or may be directed to a 911 operator or law enforcement agency.  If the witness reports
the incident to a law enforcement agency, a written or verbal report from the police may provide
some insight regarding the possibility of contamination. Furthermore, if the suspect(s) was
apprehended, the police report may include additional insight regarding the motives and
circumstances of the episode. It is important that the utility establish a relationship with local
law enforcement agents, as individuals observing suspicious behavior near drinking water
facilities will likely call 911 or law enforcement rather than the water utility.

It is important to collect as much information as possible from the witness to support the initial
threat evaluation. A "Witness Account Report Form" is included Appendix 8.4 to help
document the witness account. If the witness has not already been interviewed, or if the
interview did not cover all aspects of the event that are relevant to the utility's threat evaluation,
the WUERM should contact law enforcement and arrange to interview with the witness. In some
cases, law enforcement officials may prefer to conduct the interview themselves, but the
WUERM may be able to  suggest certain questions that are relevant to the threat from the
                                        21                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


perspective of the water utility.  Information from the witness that would be important to the
utility's evaluation includes the number of individuals, their actions at the site, equipment or
containers handled by the perpetrators, and anything taken from the site. It is also important to
consider the reliability of the source when evaluating information from any witness account,.
For example, a threat warning delivered by an individual with a history of filing false reports
with police should be  considered suspect until corroborated by additional information. On the
other hand, direct observation by utility staff would be considered a reliable threat warning.
3.1.3  Direct Notification by Perpetrator
A threat may be made directly to the water utility, either verbally or in writing.  Verbal threats
made over the phone are historically the most common type of direct threats from perpetrators;
however, written threats have also been delivered to utilities. Report forms for both phone and
written threats are provided in Appendices 8.5 and 8.6, respectively.  A direct notification should
be evaluated with respect to both the nature of the threat and specificity of information provided
in the threat. In the case of a phone threat, the caller should be questioned about the specifics of
the threat: time and location of the incident, name and amount of the contaminant, reason for the
attack, the name and location  of the caller, etc.  The characteristics of the caller should be noted
as well (e.g., male/female, accent, tone of voice, background noise, etc.).  Given the number of
different individuals that might receive a phone threat at a utility, there is a need for training and
frequent updates regarding procedures for handling phone threats.  In a similar manner,
mailroom staff should be provided with training regarding the recognition and handling of
suspicious packages and letters. Guidance for dealing with suspicious packages has issued been
issued by the US Postal Service (http://www.usps.com/news/2001/press/prOl_1022gsa.htm).

Since tampering with a drinking water system is a crime under the Safe Drinking Water Act, and
may involve several other felony acts, any threats received by a utility should be reported to the
appropriate authorities, including law enforcement and drinking water primacy agency.
3.1.4  Notification by News Media
A threat to contaminate the water supply might be made through the news media, or the media
may discover and report a threat before the utility is alerted. Thus, it is important that utilities
establish relationships with the media to emphasize the importance of notifying the utility or the
drinking water primacy agency immediately if a threat against the water supply is received. An
established contact should be available to receive such calls at any time. If the threat is general
(i.e., not targeted at a specific town or city), the utility should evaluate the reported information
and may wish to discuss the threat with their primacy agency.  The utility may also consider
notifying local law enforcement about the general threat.

In the case of a threat against the water supply for a specific city, a conscientious reporter would
immediately report the threat to the police, and either the media or the police should immediately
contact the water utility.  Assuming this level  of professionalism in the media, the notification
would go directly to the utility or law enforcement. This early notification would provide an
opportunity for the utility to work with law enforcement agencies toward assessing the
possibility of the threat before any broader notification is made.
                                        22                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
Note that a separate report form was not generated for a notification by news media, since this
represents a notification pathway rather than a distinct type of threat warning. The "Threat
Evaluation Worksheet," and possibly other forms included in the appendices, may be used to
document a notification from news media.
3.1.5  Notification by Law Enforcement Agencies
A utility may receive notification about a contamination threat directly from a law enforcement
agency. This notification could be a result of suspicious activity reported to the police or a threat
to the water supply made through the news media. Other information could also lead law
enforcement agents to conclude that there may be a threat to the water supply. In any case, the
utility should review the available information with law enforcement to assess whether the threat
is possible and decide on appropriate response actions. While law enforcement agents will have
the lead in the criminal investigation, the utility has primary responsibility for the safety of the
water supply and operation of the water system.  Thus, the utility's role will likely be to help law
enforcement appreciate the feasibility and public health implications of a particular threat.

Note that a separate report form was not generated for a notification by  law enforcement
agencies, since this represents a notification pathway rather than a distinct type of threat warning.
The "Threat Evaluation Worksheet," and possibly other forms included in the appendices, may
be used to document a notification from law enforcement.
3.1.6  Unusual Water Quality
Unusual water quality results may serve as a warning of potential contamination if the data is
available in real-time or near real-time.  This type of threat warning could come from on-line
monitoring, grab sampling, or an early warning system.  Appendix 8.7 provides a "Water Quality
and Consumer Complaints Report Form," which may be useful when evaluating a threat warning
due to unusual water quality.

Unusual water quality data should be evaluated against an established baseline that captures
normal variability in the system, both temporally and spatially. Deviations from an established
water quality baseline may serve as a threat warning and should be investigated to determine
whether or not the results are indicative of potential contamination. In the absence of a baseline,
it will be difficult to discriminate between normal variability and legitimate threat warnings - a
situation that could lead to unacceptable false alarms. A baseline can be established for any
water quality parameter that  is routinely monitored, and the following list is intended to be
illustrative rather than comprehensive:

      pH of the distributed  water is a function of the pH of the finished water at the entry point
       to the distribution system.  In well buffered waters, it will typically remain fairly constant
       throughout a distribution system in which the water is in equilibrium with the pipe
       material; however, it  may vary if there are corrosion problems.
                                        23                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


       Conductivity of the distributed water is a function of the conductivity of the finished
       water at the entry point to the distribution system. It will typically remain fairly constant
       throughout a distribution system in which the water is in equilibrium with the pipe
       material; however, it may vary if there are corrosion problems.

       Chlorine/chloramine residual levels vary as a function of temperature, pH, degree of
       nitrification, pipe wall demand (i.e., from biofilm or corrosion), and distribution system
       residence time (i.e., water age). The initial residual is established at the plant and is a
       function of the disinfectant dose and oxidant demand of the water. Oxidant demand will
       vary as a function of water quality and typically experiences seasonal fluctuations. The
       use of disinfectant booster stations in the distribution system must also be considered
       when evaluating baseline residual data.

       Total organic carbon (TOO  levels in the distributions system will remain relatively
       constant with respect to the finished water TOC.  However, use of strong oxidants, such
       as ozone, can increase the biodegradable fraction of TOC, potentially resulting in greater
       variability in TOC levels in the distributions system.

       UV absorbance is typically used as a surrogate for TOC, but is more indicative of the
       aromatic fraction of TOC. UV absorbance will experience variations similar to TOC and
       is also impacted by oxidants and disinfectants used in water treatment.

Another factor to consider when establishing a baseline for distribution system water quality is
the potential for blending of water quality from different treatment plants. If multiple treatment
plants feed the distribution system, the water quality will be a function of the blending ratio of
the water from the different plants, in addition to the other factors described above. The task of
establishing a baseline for such systems is further complicated by the fact that  the blending ratios
will vary both spatially and temporally.

Since 9/11, there have been a number of unconventional technologies and parameters suggested
as early warning systems that might detect contamination incidents. It is even more important to
establish a reliable baseline for an early warning system that relies on such unconventional
parameters, since there is not an experience base to support the identification of unusual results
without a baseline for comparison. The applicability of on-line monitoring to the detection of
intentional  contamination incidents is still under study and many questions remain unanswered
regarding the applicability of these tools to water security (i.e., general effectiveness, sensor
density requirements, false alarm rate, etc.). The topic of on-line monitoring and early warning
systems is also discussed in Module 1, Appendix 6.3.

Finally, it is also critical to evaluate a threat warning due to  unusual water quality data in light of
the performance characteristics of the monitoring and detection equipment.  Factors to consider
include the rate of false positives, false negatives, known interferences, and instrument
reliability.  The EPA Environmental Technology Verification (ETV) program  has established an
on-going program to evaluate the performance of hand held and on-line monitoring and detection
technologies. Utilities considering the application of any monitoring technology should evaluate
ETV verification reports, if available (www.epa.gov/etv).
                                        24                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


3.1.7  Consumer Complaints
An unexplained or unusually high incidence of consumer complaints about the aesthetic qualities
of drinking water, or minor health problems resulting from exposure to water (e.g., skin
irritation), should be investigated as a potential threat warning. A number of chemicals can
impart an odor or taste to water, some may discolor the water, and others might result in minor
health problems in exposed individuals. It is also important to realize that a number of chemicals
and all pathogens will have no impact on the aesthetic qualities of drinking water; thus, an
absence of consumer complaints does not imply that the water is free of contaminants. When
evaluating consumer complaints as  a potential indicator of contamination, it is important to ask a
series of questions:
      Are the complaints significantly different, with respect to number or type, from those
       associated with typical taste and odor episodes (such as those resulting from lake
       turnover or algal blooms)?
      What is the specific nature of the compliant? What is the characteristic odor,  taste or
       color? What is the minor health problem experienced by customers?
      Is the reported taste, odor, or color different from those typically reported?
      Is the reported taste, odor, or color characteristic of a particular contaminant?
      Is there an unusual geographic clustering of complaints (e.g., are complaints isolated to a
       small area of the distribution system)?
      Are the complaints from customers that are not habitual complainers?

The answers to these questions will help to determine whether the complaints are indicative of a
possible contamination incident, or typical of normal water quality conditions and routine
episodes. Appendix 8.7 provides a  "Water Quality and Consumer Complaints Report Form" that
may be useful when evaluating a threat warning resulting from unusual consumer complaints.

In order for consumer complaints to be an effective trigger, a utility must have a 24/7 system in
place to respond to consumer complaints in a timely fashion. Furthermore, complaint staff
should be trained to  recognize unusual trends in consumer complaints and have the tools
necessary to characterize complaints by type and location. Unusual trends should be reported to
the WUERM immediately. A useful resource that describes an approach for investigating
consumer complaints as a potential  indicator of contamination has been prepared by U.S. Army
Center for Health Promotion and Preventative Medicine (2003).
3.1.8  Notification by Public Health Agencies
Notification from a public health agency or health care providers (e.g., doctors or hospitals)
regarding increased incidence of disease or death is another possible threat warning.  This threat
warning is obviously contingent on health care professionals associating patterns in exposure and
symptoms with potential water supply contamination.  A distinction should be made between a
notification that comes from public health officials and one that comes directly from health care
providers; the former deals with the health of a population, while the latter is concerned with the
health of individual patients. Since safe drinking water is a cornerstone of public health, the
utility should generally work directly with public health officials rather than individual health
care providers.  If a threat warning comes  in from a health care provider, it should be
immediately reported to the local or state public health agency.
                                        25                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
A threat triggered by a public health notification is unique in that at least a segment of the
population has presumably been exposed to a harmful substance. Given this circumstance, it is
likely that public health officials will assume responsibility for incident command and may
choose to handle the situation as an epidemiological investigation in an effort to track down the
source. During a public health investigation, the utility should work with local or state health
officials in a support role.

The role of the drinking water utility will likely be to assist in the evaluation of water as a
possible source of the increased disease or death observed in the community.  The "Public Health
Information Report Form" included in Appendix 8.8 is intended to organize information from
public health agencies in a manner to support this evaluation. If the causative agent is known
(i.e., through clinical data), it may indicate whether or not water is a possible or likely source.
For example, if the contaminant is unstable in water, the investigation might focus on other
potential sources, such as food.

It is also important to consider the time that would be expected to elapse between exposure and
onset of symptoms. If the causative agent is a chemical (including biotoxins and high level
radiation), then the time between exposure and onset of symptoms may be on the order of
minutes to hours; thus, there is the potential that the contaminant is still present in the water
system. On the other hand, the incubation period for most pathogens is on the order of days to
weeks, and thus the causative agent may be absent from the system or present only in trace
quantities due to water use, dilution, and die-off during the time period between the incident and
onset of symptoms. Similarly, the signs of low-level radiation poisoning may not appear
immediately following exposure. This time lag will have a significant impact on the  response
strategy, including both sampling and actions taken to protect public health.
3.2  Additional Information Considered at the 'Possible' Stage
While the threat warning will likely provide the most immediate and relevant information,
several other potential resources might be considered at the 'possible' stage. In general, it is
assumed that there will only be time to consult resources within the utility at this stage of the
threat evaluation given the short time available to determine whether or not the threat is
'possible.'  The information resources listed in this section should not be considered
comprehensive or mandatory for determining whether or not a threat is 'possible,' since the
circumstances of a specific threat are unique and will dictate appropriate information resources.
The specific information resources described in this section include:
      Internal utility information from those who know the physical configuration, operation,
       and typical water quality of the water system.
      Information from the utility' s site-specific vulnerability assessment that is relevant to the
       contamination threat.
      Real-time water quality data that might be used as a potential indicator of water
       contamination, when evaluated in the context of an established baseline.

Even though this information is listed under the 'possible'  stage of a threat evaluation, it is
important to remember that the analysis of this information will likely continue throughout the
                                        26                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


threat evaluation process.  Specifically, the same information resources may be used during the
'possible,' 'credible,' and 'confirmed' stages of the threat evaluation, as long as they are
relevant. As the investigation continues, additional information will become available and
previously collected information may be either confirmed or invalidated.  In summary, the threat
evaluation process is continuous and iterative in nature.
3.2.1  Utility Information and Staff Knowledge
Utility staff possess an extensive knowledge about the physical configuration, operation, and
water quality of their system.  This knowledge should be utilized throughout the entire threat
evaluation process, beginning with the assessment of whether or not the threat is 'possible.'
Direct experience in dealing with previous security breaches, such as trespassing or vandalism,
can provide insight regarding the possibility of contamination during the evaluation of a current
threat warning.  Knowledge of typical water quality conditions provides a basis for the
evaluation of unusual water quality data that might be considered a threat warning. Previous
experience with taste and odor episodes may allow staff to recognize unusual patterns in
consumer complaints. Furthermore, during advanced stages of an incident, the understanding of
distribution system hydraulics by operations staff and engineers will be critical to the rapid
assessment of the propagation of a suspected contaminant through a system. In summary, the
knowledge and  experience of utility staff should be included as a key information resource.
Also, the staff can be sensitized to various potential threat warnings so that they can recognize
them early  and report them to the WUERM in an efficient and timely manner. To facilitate
utilization of staff in an emergency, the WUERM should have 24/7 contact information for all
critical staff with specialized knowledge of the system.


3.2.2  Vulnerability Assessment
A utility's vulnerability assessment (VA) is another potential source of information to consider
during a threat evaluation; however, this will depend on the manner in which the general threat
of intentional contamination was addressed during the VA.  Information that could be derived
from a VA to support the threat evaluation of a specific contamination threat might include:
      Locations potentially considered as high value targets of intentional contamination (e.g.,
       large population centers, government buildings, etc.).
      Locations considered particularly vulnerable to the intentional introduction of
       contaminants.
      Other site-specific considerations, such as the availability of a particular contaminant in
       an area.

This information might be of particular value during  the evaluation of general contamination
threats in which neither a location nor a contaminant is specified or suspected. Ideally, such
information would be derived from a VA and summarized as part of utility planning for response
to contamination threats (i.e., rather than referring to the complete VA in the midst of a crisis).
                                        27                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


3.2.3  Real-time Water Quality Data and Consumer Complaints
Unusual water quality data is a potential threat warning but may also serve as a valuable source
of information during the evaluation of a threat triggered by another type of threat warning.  For
example, a threat warning may result from discovery of a security breach, and real-time (or near
real-time) water quality data might be used as an additional source of information during the
threat evaluation.  Currently, on-line residual disinfectant monitors provide the most likely
source of real-time water quality data. However, data from monitoring stations that measure
other parameters (i.e., as part of an early warning system) should be evaluated if available. As
with water quality data considered as a threat warning, it is important to evaluate water quality
data used during a threat evaluation against a baseline and in light of instrument/method
performance (see Section 3.1.6 for additional guidance).

Aesthetic characteristics of water are another potential source of information to support a threat
evaluation. This information might be most effectively gathered through a review of consumer
complaints at the time of the contamination threat.  Section 3.1.7 describes the evaluation of
information derived from consumer complaints in the context of a threat warning. Appendix 8.7,
contains a "Water Quality and Consumer Complaints Report Form" that may be useful during
the  analysis of such data in support of a threat evaluation.

Given the limited amount of time available to determine whether or not a contamination threat is
'possible,' there may only be time to conduct a cursory analysis of available water quality or
consumer complaint data. The analysis of such data should begin at the 'possible' stage and
continue  through the duration of the threat evaluation.


3.3  Response Actions Considered at the 'Possible' Stage
Once a contamination threat has been  deemed 'possible,' relatively low level response actions
are  appropriate. This section describes two response actions that might be considered at this
stage: 1)  site characterization and 2) immediate operational response.  Site characterization is one
of the critical activities in the ongoing threat evaluation and is intended to gather critical
information to support the 'credible' stage of the threat evaluation. Immediate operational
response  actions are primarily intended to limit the potential for exposure of the public to the
suspect water while site characterization activities are implemented.  An example of an
operational response action is hydraulic isolation of a tank by pumping water into the tank or
valving out a tank.  These actions would generally not affect consumers  and thus would
generally not require public notification.

The decision to implement these response actions must be made very quickly for the actions to
have their desired impact. For example, in order for containment to be an effective operational
response, it should be implemented as quickly  as feasible after a threat is deemed 'possible.' To
facilitate  this, the WUERM should be empowered to implement such response actions at the
possible stage. However, the plans regarding the use of immediate operational response actions
should be shared with utility management and all relevant stakeholders (e.g., the drinking water
primacy agency).
                                        28                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


3.3.1  Site Characterization Activities
Site characterization is defined as the process of collecting information from the site of a
suspected drinking water contamination incident.  Site characterization activities include the site
investigation,^/e/J safety screening, rapid field testing of the water, and sample collection.  The
procedures for performing site characterization and sampling are fully described in Module 3,
while this section describes the role of site characterization within the overall context of the
threat management process.  According to Figure 2-1, if initial information from the threat
warning indicates that the threat is 'possible,' site characterization activities are performed to
gather additional information that will help to establish whether or not the threat is 'credible.' In
this respect, site characterization is both a response action (initiated once a threat is deemed
'possible') and an information source (to help determine whether or not the threat is 'credible').

An overview of the site characterization and sampling process is shown in Figure 2-3. The site
characterization process is defined in five primary stages:
    1.  Customizing the Site Characterization Plan to guide the team during site characterization
       activities.
    2.  Approaching the Site to perform an initial assessment of site conditions and potential
       hazards.
    3.  Characterizing the Site at which point the team performs their detailed site investigation
       as well as rapid testing of the water.
    4.  Collecting Samples for possible delivery to a laboratory for analysis.
    5.  Exiting the Site  after completion of all site characterization activities.

The bracketed boxes on the right side of the figure provide additional detail regarding the
activities that are implemented during each stage.

The large arrow along the left side of this  figure represents the threat evaluation process, and the
interconnecting arrows  show the interrelationship between the threat evaluation and site
characterization processes. Information gathered to support the initial threat evaluation will also
support the development of the customized site characterization plan. As site characterization
activities progress, information collected from the site will be used to revise and update the threat
evaluation. Likewise, the threat evaluation may impact the course of the site characterization
activities.

During the development of a site characterization plan, the incident commander (i.e., the
WUERM) and other supporting  staff should review available information in order to define the
investigation site and develop an approach for field testing and sampling.  A critical
consideration during this planning stage is ensuring the safety of the site characterization team.
Accordingly, one objective at this point is to conduct a preliminary assessment of potential site
hazards. If there are indicators that hazardous contaminants may be involved, then teams trained
in hazardous materials safety and handling techniques,  such  as HazMat teams, should manage
and conduct the site characterization. Steps should also be taken to protect the integrity of any
potential evidence at the site (e.g, avoid handling  or moving potential evidence). Module 3,
Appendix 8.1 provides a "Site Characterization Plan Template" that may be useful in developing
a customized site characterization plan.
                                         29                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


During the approach to the site, the team should look for any evidence of potential contamination
and initiate field safety screening. The purpose of field safety screening is to detect any
environmental hazards (i.e., in the air and on surfaces) that might pose a threat to the site
characterization team. Field safety screening will be conducted based on preliminary
information about the threat and potential site hazards.  If signs of a hazard are evident during the
approach, the team should halt their approach and immediately inform the WUERM regarding
their findings. The WUERM may determine that the threat is 'credible' based on this
preliminary information, even before site characterization has been completed. Furthermore, if
the investigation or field safety screening indicates any acute hazards in the environment, it will
be necessary to immediately evacuate the site. In these instances, teams that are properly
equipped and trained should deal with the hazard tentatively identified during screening (e.g.,
HazMat).
                                        30                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
          Place samples in
           secure storage
                               Customize the Site
                              Characterization Plan
                                                            Initial evaluation
                                                         Identify investigation site
                                                         Characterize site hazards
                                                      Form site characterization team
                              Approaching the Site
                                                      Conduct field safety screening
                                                       Observe site conditions and
                                                        determine signs of hazard
                              Characterize the Site
                                                       Repeat field safety screening
                         Investigate site and evaluate
                                  hazards
                                                        Conduct field water testing
                                Collect Samples
                                Exiting the Site
                              YES-
Ship samples to lab
           Figure 2-3. Overview of Site Characterization and Sampling Process
In situations where it is deemed necessary to turn over the site to a HazMat team, the WUERM
may need to assign a member of the water utility site characterization team to the HazMat team.
While it is unlikely that the water utility personnel will be trained in HazMat techniques, they
can provide technical advice and guidance to the HazMat responders with respect to water
quality, water sampling, and water system components.  In some cases the HazMat team may
enter the site to perform their hazard assessment and "clear" the site for entry by utility staff.
                                         31
                                    Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
Once the team has entered the site, they will proceed with the actual site characterization, which
includes additional field safety screening, investigation of the site, and rapid field testing of the
water.  Field safety screening and the site investigation were initiated during the approach and
continue when the team enters the site.  The primary objectives of rapid field testing of the water
include: 1) providing additional information to support the threat evaluation process; 2)
providing tentative identification of contaminants that would need to be confirmed in the
laboratory; and 3) determining if hazards tentatively identified in the water require special
handling precautions.

Following the detailed site characterization, samples should be collected so that they are
available for analysis if necessary.  Figure 2-3 indicates that the decision to send samples to the
laboratory is based on the threat evaluation at the 'credible' stage.  If the threat is deemed
'credible,' the samples should be immediately transported to the laboratory  for analysis (see
Section 4.2.1  for additional discussion regarding sample analysis).  If the threat is not deemed
'credible,' the samples should be stored for a predetermined period of time in case the situation
changes and analysis is determined to be necessary.
3.3.2  Immediate Operational Response
The objective of immediate operational response is to minimize the potential for exposure of the
public to the suspect water through operational strategies such as containment. These actions are
typically suitable for implementation early in the threat management process, assuming that they
will have minimal impact on consumers. Furthermore, such response actions may provide the
utility with additional time to perform site characterization activities and gather additional
information to support the threat evaluation. In general, some form of containment will be the
most likely option for an operational response, but other options might be considered as
appropriate to a particular situation. Addition guidance on containment can be found in Module
5, Section 4 where containment is considered as a public health response action.

Figure 2-4 provides an overview of the general decision process for implementation of a
containment strategy as an operational response to a possible threat. There are three key decision
points in the process: 1) Can the area potentially affected by the contaminant be estimated? 2) Is
it physically possible to contain the affected area? and 3) Are the impacts of containment on
consumers and fire protection minimal?  The answers to these questions are influenced by the
outcome of the "Consequence Analysis" discussed in Section 2.3.
                                        32                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
                         Review existing
                           information
                             Can the
                       contaminated area be
                           estimated?
         Accelerate threat
       evaluation to determine
            'credibility'
                              YES
                   Estimate spread of contaminant
                          (Section 2.3.1)
                         Can affected area
                          be contained?
NO-
   Accelerate threat
evaluation to determine
     'credibility'
                   Assess impacts of containment
                          (Section 2.3.3)
                                                      Accelerate threat
                                                   evaluation to determine
                                                         'credibility'
                     Develop and implement a
                       containment strategy
Figure 2-4. Decision Process for Containment as an Operational Response to a 'Possible'
            Contamination Threat
For containment to be an effective option, the spread of the contaminant must be estimated.  This
requires knowledge of the suspected location(s) and estimated time(s) of contaminant
introduction. These estimates may be derived from the details of the threat warning and other
readily available information relevant to the threat. Using the suspected location and time of
contaminant introduction as a starting point, the spread of the contaminant through the system
can be estimated. Operational information for the system at the suspected location and time may
be collected from SCAD A, as well as operator knowledge, and will be a valuable resource in
estimating the spread of the contaminant. There will generally not be sufficient time to run a
hydraulic model for the purpose of estimating the affected area this early in the process. Such
                                         33
                     Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


advanced tools may be best used as planning tools where various 'scenarios' can be run to better
understand how a contaminant might migrate through a distribution system.

If it is determined that containment is technically feasible and would have minimal impact on the
public and on fire protection, then a containment strategy will need to be quickly developed.
Utility operations staff will need to engage in both the development and implementation of the
containment strategy.  Isolation of portions of a system can typically be achieved through
hydraulic and/or mechanical means. Hydraulic isolation would typically involve the use of
system pumps and pressure zones to contain water within a specific area of the system.
Mechanical isolation is achieved through the manipulation of valves, which requires that the
valves be accurately mapped and maintained. It is also important to consider how long the
isolated area can be kept out of service and plan for alternate routing of water if necessary.

Situations in which containment is likely to be feasible include those in which a specific
contamination site has been identified and the site can be easily isolated without impacting the
normal operation of the system.  As an example, some distribution system storage tanks may be
isolated using valves without minimal impact on the system pressure. However, there will be
many situations in which isolation is not feasible, including  situations in which:
        The contamination site is unknown.
        The time of contamination cannot be narrowed down to a  reasonable period.
        The extent of the contamination cannot be reasonably estimated.
        The affected area cannot be hydraulically or mechanically isolated.

Furthermore, even if containment is feasible, it may not be practical at the 'possible' stage due to
the adverse impacts of isolation on fire protection or sanitation.  If containment is determined to
be impractical, the threat evaluation should be accelerated to determine whether or not the threat
is credible.  Once a threat is determined to be credible, expanded response actions might be
considered, as discussed in the following section.
                                        34                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


4   'Credible' Stage of the Threat Management Process

A water contamination threat is characterized as 'credible' if additional information collected
during the investigation corroborates the threat warning, and the collective information indicates
that contamination is likely. For example, if the threat warning comes in the form of a security
breach and additional signs of contamination are observed during site characterization, the threat
would likely be considered 'credible.' While many threat warnings may result in 'possible'
contamination threats, only a small percentage of those 'possible' threats are expected to be
elevated to 'credible.'

Immediate operational response actions taken once a threat has been deemed 'possible' may
decrease the urgency of the situation, but these actions do not constitute resolution of the
incident. It is important to move quickly to the next stage of the threat management process to
determine whether or not the threat is 'credible' and warrants an elevated response. The target
time period for determining whether or not a contamination threat is 'credible' is within two to
eight  hours from the time that the threat is deemed 'possible.' A more precise target time period
will depend to some extent on the operational response implemented.  If a contaminant strategy
was effectively implemented, and there is a degree of confidence that the suspect water did not
spread to other parts of the system, there may be more time to make the credibility
determination. An example of such a situation is a threat warning resulting from a security
breach at a distribution system storage tank that was isolated from the system before the suspect
water from the tank had an opportunity to leave the tank and enter the system. On the other
hand,  if operational response actions cannot be implemented or cannot ensure containment of the
suspect water, the threat evaluation process should be accelerated to determine whether or not
the threat is 'credible'  as quickly as possible.

The decision to elevate a threat from 'possible' to 'credible' is significant since elevated
response actions may be necessary to protect public health.  These elevated response measures
may fall outside of the authority of the WUERM, and the organizations that would be involved
in these response decisions would need to be engaged in the threat evaluation process at this
stage. This might include water utility management, the drinking water primacy agency, the
state/local public health agency, and law enforcement. The person ultimately responsible  for
determining that a contamination threat is 'credible' is the incident commander, which may not
be the WUERM at this stage of the threat management process.
4.1  Information Considered at the 'Credible' Stage
Many of the information resources used to determine that a threat is 'possible' may also prove
relevant at the 'credible' stage. Utility information and staff knowledge can aid in the
interpretation of new findings from the investigation. Additional water quality data, either real-
time or off-line, may be collected and evaluated against baseline data to determine if unusual
water quality trends are consistent with the initial data and corroborate the threat. In summary, it
is important to view the investigation as a continuum, and the information collected through the
'possible' and 'credible' stages of an investigation should be evaluated in its entirety.
                                        35                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


The additional information that might be collected to support the threat evaluation and determine
whether or not a threat is 'credible' includes:
       The results of site characterization, including observations from the site investigation as
        well as results from field safety screening and rapid field testing.
       Summary information derived from an analysis of previous security incidents similar to
        the current threat warning.
       Information from external sources that is relevant and available in a timely manner.

The following subsections describe each of these information categories in additional detail and
discuss how each may be used in support of the threat evaluation process.


4.1.1  Site Characterization Results
In cases in which there is a known or suspected contamination site, site characterization is the
focal point of the threat evaluation and potentially provides the most valuable information to
support the credibility determination.  The findings from site characterization activities should be
quickly summarized  and provided to the incident commander (which may or may not be the
WUERM at this stage) to support the threat evaluation. In Module 3, this  summary is referred to
as a "Site Characterization Report"; however, it is not intended to be a formal report per se, but
may simply be a compilation of the forms completed during site characterization. The
information included in the "Site Characterization Report" may include:
      General information about the site.
      Summary of observations from the site investigation including physical evidence (e.g.,
       discarded equipment, containers, etc.)  and environmental indicators (e.g., dead animals,
       dead vegetation, unusual odors, etc.).
      Results from  field  safety screening and rapid field testing of the water, including any
       appropriate caveats on the reliability of the results.
      Results of the site hazard assessment.
      Inventory of samples collected and a log of all sampling activities.

The results of field safety  screening and rapid field testing of the water warrant special
consideration and should be evaluated against baseline data that demonstrates typical variability
in the measured parameter. Depending on the parameter monitored, the baseline may vary
temporally, spatially, seasonally, or with changing treatment conditions, among other factors.
Furthermore, field test results should be evaluated in light of the performance characteristics of
the detection equipment such as:  the rate of false positive and false negative results; the range in
which the instrument or method results are valid; known interferences; and instrument reliability.
Deviations from an established baseline that fall within the performance characteristics of the
detection equipment  may be indicative of contamination.  Skill and familiarity with the field
testing techniques are required to properly interpret the results. These skills can be reinforced
through routine monitoring or exercises with the equipment.

The results of site characterization must be assessed in the context of information previously
collected over the course of the threat evaluation.  The results of site characterization may
corroborate, contradict, or be inconclusive with respect to other information gathered during
earlier stages of the incident.  This comprehensive evaluation of information is critical to
                                        36                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


determining whether or not a threat is credible.  For example, if the threat warning was a
witness account of suspicious activity at a secured location, but no evidence of a security breach
was observed during site characterization, the threat would likely be considered 'not credible.'
Even though the results of site characterization are critical to the threat evaluation at this stage, it
is still important to consider the other available information about the threat, especially if the
findings of site characterization are inconclusive.

Another purpose of the site characterization is to conduct a hazard assessment of the site, which
is an evaluation of the potential presence of immediately dangerous contaminants at the site.
Module 3 defines four hazard categories as follows:
        Low hazard - no obvious signs of radiological, chemical, or biological contaminants are
        present at the site (i.e., in air or on surfaces).  Contaminants that may be present in the
        water are assumed to be dilute and confined to the water.
        Radiological - presence of radiological isotopes or emitters tentatively identified at the
        site or in the water (i.e., through field safety screening for radioactivity).
        Chemical - presence of highly toxic chemicals (e.g., biotoxins or Schedule 1 chemical
        weapons) or highly volatile industrial chemicals tentatively identified at the site or in the
        water that pose a potential risk of exposure through dermal or inhalation routes.
        Biological - presence of pathogens tentatively identified at the site and a potential risk
        of exposure through dermal or inhalation routes.

The site hazard assessment should incorporate the results of field testing, but not rely exclusively
on these results. Observations from the site investigation (e.g., obvious signs of hazards) may be
more useful than limited field testing in determining whether or not a site poses an immediate
hazard.  The findings of the site hazard assessment  should be summarized in the 'Site
Characterization Report' since they will inform the  credibility determination as well as provide
direction to subsequent steps of the investigation, such as sample analysis.
4.1.2  Previous Threats and Security Incidents
Information derived from previous threat warnings (i.e., security breaches, phone threats,
unusual consumer complaints, etc.) can provide valuable insight regarding the credibility of a
current threat. It is equally important to consider those threat warnings that were dismissed as
insignificant (e.g., vandalism) as well as those that resulted in an investigation and were deemed
'possible' or 'credible' contamination threats. Such information can be used to corroborate or
dismiss a threat; thus it is most appropriate to consider this type of information when evaluating
whether or not a threat is 'credible.'

Previous threats and incidents must be documented and catalogued to provide quick access to
information that can be used to support a threat evaluation. A comparison between previous
incidents and a current threat may indicate whether or not the threat reflects previous patterns
and may therefore be deemed 'not credible' (e.g., in the case of repeated vandalism or theft).
This documentation could be accomplished through a simple system of filing past reports in an
organized and systematic manner. Given the urgency of the threat evaluation process, it is
critical that threats be documented and organized when there is time to do so. During emergency
                                        37                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


conditions, there will not be time to search through poorly organized or incomplete records in
order to further the threat evaluation process.

In addition to a summary of previous threats and security incidents that have occurred at a
specific utility, threat information from a regional or national perspective may be of use during a
threat evaluation. This information could include results of an analysis of security incidents
across the nation, which may be performed by FBI, EPA, AMWA (through ISAC), or AWWA.
This type of information might be useful in making general comparisons to the current threat, but
will generally not be as relevant as those documented threat warnings that occurred at a specific
utility. The types of information that might be available through these and other external sources
are discussed in the following section.
4.1.3  Information from External Sources
There are many potential external (i.e., external to the utility) sources of information that may be
of value during a threat evaluation.  However, as there is insufficient time to identify and pursue
new sources during the response to an actual threat, planning is necessary for the effective use of
external information sources during a threat evaluation. This planning includes an assessment of
the  relevance, reliability, and accessibility of each information source prior to the occurrence of a
contamination threat.  Therefore, it is recommended that a WUERM:  1) identify the information
sources that would be used to support a threat evaluation; 2) understand the type of information
that the resource might provide; and 3) determine how to access the resource quickly on a 24/7
basis.

The following list provides a summary of external information sources that might be consulted
during a threat evaluation.  This list is intended to illustrate  the value of certain external sources,
but is by  no means comprehensive.  The most relevant information resources will depend on the
nature  and circumstances of the threat warning, and it is up  to the incident commander to apply
the  information from these various sources in response to a  specific threat.

      Drinking Water Primacy Agency: If the Drinking Water Primacy Agency is informed
       about a contamination threat prior to the credibility determination, they may be of
       assistance in making  this determination. For example, if the primacy  agency does track
       security incidents at water utilities within their jurisdiction, this collective information
       could be of value when trying to establish the credibility of a threat. Furthermore, the
       primacy agency may  have access to information and expertise for assisting in the threat
       evaluation process. Also, smaller utilities with limited resources and capability in water
       security may rely on the primacy agency to perform the threat evaluation.

      EPA: The EPA has a breadth of expertise in drinking water treatment, occurrence and
       properties of water contaminants, analytical methodology,  and remediation of hazardous
       sites. EPA has also established specific capability in the area of water security in its
       Water Security Division and National Homeland Security Research Center.  Furthermore,
       EPA's  Criminal Investigation Division has experience in the investigation of
       environmental crimes and links to federal law enforcement agencies.  The expertise
       within EPA can be a valuable resource in responding to a threatened or actual
                                        38                       Interim Final - December 2003

-------
                              MODULE 2: Contamination Threat Management Guide


contamination incident. The best way to access EPA's resources will typically be
through the Regional EPA office or the Drinking Water Primacy Agency. Federal
expertise, including that from EPA, may also be accessed by calling the National
Response Center (NRC) at 1-800-424-8802. The NRC is the sole point of federal contact
for reporting oil and chemical spills and has experts trained to provide assistance in the
case of a terrorist threat or incident.

Law Enforcement Agencies: The expertise of law enforcement agencies (local and State)
might be particularly helpful in evaluating the credibility of a contamination threat. They
may have knowledge of recent criminal activity in the area that might help establish
credibility or support advanced stages of the investigation.  It is important to consider that
most law enforcement agents have very limited knowledge of drinking water systems,
and the WUERM should be available to provide that expertise during the threat
evaluation.

FBI: The FBI may be able to provide support similar to local law enforcement agencies
and, in addition, may have access to intelligence information not available to local law
enforcement. The focus of the FBI's investigation will be on the criminal or terrorism
aspect of the threat, rather than the safety and quality of the water.  However, if the FBI
determines that the event is  credible from a criminal perspective, the threat will likely
also be considered credible from a public health perspective.

Neighboring Utilities: In some cases, neighboring utilities may be a source of information
during a threat evaluation. For example, in the case of a threat warning resulting from
unusual source water quality, additional insight may be gained by contacting another
utility that shares the same source and typically experiences similar water quality.  The
neighboring utility may be experiencing similar unusual water quality  and/or may know
the cause.

Public Health Agencies: Public health agencies may be aware of a significant number of
patients showing unusual  symptoms or disease through activities such  as disease
surveillance and reporting. Upon discovering such a trend, the agency may launch an
investigation in which they will evaluate how the cases are clustered and search for the
cause of the disease.  However, in many disease surveillance systems,  there is a
significant delay between the time  that patients begin showing up at hospitals and the
time that the public health agency has enough data to observe an unusual trend.
Furthermore, there will be a latency period between exposure to a contaminant and onset
of symptoms, which may range from less than a minute for highly toxic chemicals to over
a week for some pathogens.

911 Call Centers: 911 call centers may provide consolidated information about unusual
signs and symptoms since many members of the public will choose to  call 911 for
immediate medical assistance. Calls to 911 are even more likely to occur in the case of a
chemical poisoning where onset of symptoms is rapid.  This information may need to be
accessed through law enforcement agencies or an emergency medical service.
                                 39                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


       Water IS AC: The Water ISAC is a national resource, available to water-utility
       subscribers, that serves as a clearinghouse for alerts, warnings, information on drinking
       water contaminants and other security information released by various agencies. While
       the information on ISAC may not be immediately relevant to a specific contamination
       threat at a utility, the collective information on ISAC should create a national picture of
       the threat level in the water sector and may have information on existing alerts. More
       detail on the capabilities of the Water ISAC and information regarding how to subscribe
       can be found at http://www.waterisac.org/.

       Homeland Security Warnings and Alerts: The Department of Homeland Security
       establishes the national threat level as a general indicator of the potential for terrorist
       activity and may also issue alerts and warning for specific  sectors, such as the water
       sector.  While these warnings and alerts will not be specific to an individual utility, any
       alerts specific to the water sector or relevant to the circumstances of a particular threat
       warning may warrant consideration during the threat evaluation.

       Contaminant Information: If a contaminant is named in a threat or tentatively identified
       during the investigation (i.e., during site characterization),  specific information about that
       contaminant should be consulted to help establish the credibility and potential
       consequences of the threat.  For example,  such information can establish whether or not
       the suspected contaminant is harmful, available, water soluble, stable in water, etc. This
       information may also support decisions regarding appropriate response actions at the
       'credible' stage of the threat management  process. A resource for contaminant specific
       information is the Water Contaminant Information Tool (WCIT).  The WCIT is being
       developed specifically for the water sector and is described in Appendix 8.9.  Other
       sources of contaminant information that might be  used in the interim include:
         http://www.bt.cdc.gov/agent/agentlistchem.asp
         http ://www. cdc. gov/atsdr/index.html
         http: //www. wateri sac. or g/
4.2   Response Actions Considered at the 'Credible' Stage
The response actions considered at the 'credible' stage may involve more effort and have a
greater impact than those considered at the 'possible' stage. This section describes three
response actions that might be considered at this stage: 1) sample analysis; 2) continuation of site
characterization activities; and 3) public health response. Sample analysis and continuing site
characterization are part of the ongoing threat evaluation and are intended to gather information
to 'confirm' that a contamination incident did or did not occur.  Public health response actions
are intended to prevent or limit exposure of the public to the suspect water and are more
protective and have a greater impact on the public than the operational response actions
considered at the 'possible' stage. An example of a public health response action is issuance of a
"do not drink" notice.

The incident commander will make decisions regarding actions taken in response to a 'credible'
water contamination threat. Due to the elevated level of actions considered in response to a
'credible' threat, responsibility for incident command may be shifted from the WUERM to
                                        40                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


another individual or organization at the point when response decisions are made. At this stage,
the utility or locality may choose to activate their Emergency Operations Center (EOC) to
manage the situation, mobilize resources, and institute a more formal incident command
structure. Furthermore, the EOC will facilitate a coordinated response among the participating
agencies, such as the drinking water primacy agency, state/local public health agency, and local
fire and police departments. Activation of the EOC may be full or partial depending on the
circumstances.
4.2.1  Sample Analysis
Once a threat has been deemed 'credible,' one of the first steps taken in an effort to confirm a
contamination incident is the analysis of samples collected during site characterization. The
analytical procedures for confirming the presence of tentatively identified contaminants, or
analyzing water samples for unknown contaminants, are presented in Module 4.  Given the large
number of potential contaminants and the compartmentalized nature of laboratory capability, it
will be necessary to make initial decisions regarding the laboratories that will be utilized and the
general analytical approach that will be used with water samples potentially containing
unknown analytes. Note that the presence or suspicion of extremely hazardous substances, as
determined through the site characterization, will likely result in other response organizations
(e.g., HazMat) becoming involved in the threat management process.  These organizations may
take responsibility for identifying appropriate laboratories to conduct analyses.

Laboratory selection should be made on the basis of any available information about the threat,
the nature of the suspected contaminant, and the hazard assessment performed as part of site
characterization. For example, if the site is characterized as a radiological hazard, a radiological
laboratory should perform the analytical work. Figure 2-5 shows various categories of
laboratories with different analytical capabilities. Laboratories are grouped into two broad
categories,  chemical and biological laboratories. Chemical labs include general environmental
chemistry laboratories, radiological laboratories, and specialty laboratories that may be able to
handle exotic contaminants, such as chemical weapons and biotoxins.  Biological laboratories
include environmental microbiology laboratories and the Laboratory Response Network (LRN)
that typically analyze clinical samples for pathogens.


Chemical


Radiological
Labs
Analysis



Environmental
Chemistry Labs





Specialty
Labs


Chemical D. ,
... DI01
Weapons
Biological Analysis


Lab Response
Network



oxins



Environmental
Microbiology Labs


Figure 2-5.  Summary of Laboratory Types by Contaminant Class
                                        41
Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide


Once a decision has been made regarding the laboratory(ies) that will be used, the utility and
incident commander should work with the laboratory contact(s) to develop an analytical
approach for the samples. The approach should be based on all available information about the
threat, particularly the results of site characterization.  The decision process for developing an
analytical approach, which should be planned in advance, is shown in Figure 2-6.
                  Review the Site
               Characterization Report
                 Contaminant class
                 nown or suspected?
Perform Broad Screen for
Chemicals and Biologicals
                Specific contaminant
                tentatively identified?
Perform Broad Screen for
 Chemicals or Biologicals
                Perform Confirmatory
                     Analysis
                    Presence of
                    contaminant
                    confirmed?
    Is additional
     screening
    necessary?
                     Revise/Expand
                   Analytical Approach
YES-
                 Analysis Complete
                  Report Results
Figure 2-6. Decision Process for the Development of an Analytical Approach for
Potentially Contaminated Water Samples
                                         42
                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


In Figure 2-6, the first decision point in the process is an assessment of whether or not there is
sufficient information to make a tentative identification of the contaminant as chemical or
pathogen.  If this is possible, then an entire class of contaminants is eliminated from
consideration, allowing the approach to focus on the tentatively identified contaminant class.  If
the information is not sufficient to make a determination between chemical and biological
contaminants, then the sample may need to be treated as a complete unknown.  In this case, it
may be necessary to use multiple laboratories (i.e., one lab for chemical analysis and another for
pathogen analysis).

The second decision point in Figure 2-6 is based on a tentative identification of the specific
contaminant. At this point in the analytical process, the contaminant identity is hypothesized
based on available information from the site characterization report or threat warning. Examples
of situations in which tentative identification might occur include: a specific contaminant named
in a threat; presumptive positive results for a specific contaminant from field screening; physical
evidence at the site pointing to a specific contaminant; and clinical evidence of the identity of the
causative agent.  However, it is important to note that each of these situations has a different
level of reliability for the purpose of tentative identification. A tentative identification can be
used to focus the analytical approach on confirmation of the specific contaminant or contaminant
subclass. For example, tentative identification of a class of pesticides (i.e., organophosphates)
may be based on results from a test kit.  This information might, in turn, be used to focus the
analytical approach on specific pesticides within that class.

The third decision point in Figure 2-6 is based on the results of the analysis used to confirm the
presence and concentration of the tentatively identified contaminant.  If the presence of the
contaminant is analytically confirmed, the contamination incident will also be confirmed.
Although not depicted in Figure 2-6, even when the presence of one contaminant has been
confirmed, additional analyses may be performed for other contaminants if deemed necessary.
The primary purpose of additional laboratory analysis at this point will be further
characterization of the contaminated area of the system (see Module 6, Section 4).

If the presence of the tentatively identified contaminant is not verified during confirmatory
analysis, the need for additional analytical screening should be considered.  Additional screening
should be considered since no analytical approach  is completely comprehensive.  In general, if
the threat is still deemed 'credible' following negative results from confirmatory analysis,
revision to the analytical approach should be considered. Furthermore, it is possible that
sampling conducted during site characterization did not  capture the contaminated water, and
additional sampling may be necessary as discussed in the following section.  On the other hand,
if the threat is no longer deemed 'credible', then additional  analysis may be unnecessary.
4.2.2  Continuation of Site Characterization Activities
Site characterization activities initiated in response to a 'possible' threat are typically limited to
the suspected contamination site with the objective of providing information to support the threat
evaluation at the 'credible' stage. However, once an incident is deemed 'credible,' additional
site characterization and sampling activities may be implemented in an attempt to 'confirm' a
contamination incident.  In cases where a 'credible' contamination threat is not confirmed, the
                                        43                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


purpose of additional site characterization and sampling activities will be to verify that the water
is safe and support the decision to return to normal operation.

Site characterization activities implemented in response to a 'credible' threat should be planned
and coordinated in the same manner as during the 'possible' stage. The scope and extent of site
characterization activities at this stage will depend on the available information, and factors to
consider include:
      Any information about the identity or nature of the contaminant obtained through
       laboratory analysis, rapid field testing, or results from the initial site characterization.
       Such information would help to focus the site characterization activities on the known or
       suspected contaminant.
      An estimate of the contaminated area through an evaluation of hydraulic information,
       consumer complaints, water quality data, or other available information.  This estimate
       would help to define the additional locations for site characterization activities.
      Unusual signs or symptoms in the population reported by public health agencies.  This
       information could provide an indication of both the nature and spread of the contaminant.
       Evaluation of this type of information must consider the latency period between exposure
       and onset of symptoms.

The available information should help to focus the rapid field testing and sampling activities at
this stage. Module 3 contains additional guidance on planning for site characterization activities
that is equally applicable to the 'credible' and 'possible' stages of a threat evaluation. In
particular, Module 3, Section 3.4 provides some examples that illustrate the transition to follow-
on site characterization activities once a threat is deemed 'credible.'
4.2.3  Public Health Response
Like immediate operational response actions, the objective of public health response actions is to
minimize the potential for exposure of the public to the suspect water. However, public health
response actions are elevated with respect to both the level of protection and the impact on the
public. For example, consumers may be instructed to boil water, limit their water uses to
activities that do not involve consumption, or not use the water at all. While such measures will
provide an increased level of public health protection, they will have a significant impact on
consumers. Depending on the duration of these restrictions, it may be necessary to provide an
alternate  supply of drinking water until  the incident is resolved.

Figure 2-7 provides an overview of the  general decision process for measures taken to protect
public health in response to a 'credible' contamination threat.  The first decision point in the
process considers containment of the suspect water as a potential public health response action.
If containment was implemented at the  'possible' stage as an operational response, the
containment strategy should be evaluated to determine if it is adequate to protect public health.

At the 'possible' stage, implementation of containment options was limited by consideration of
the impacts of containment on consumers.  However, once a threat has been deemed 'credible',
expanded containment strategies might  also be considered. It may also be  appropriate to
implement containment strategies  and manage the  resulting impacts.  For example, if there are
                                        44                       Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide


consumers within the containment area, it will be necessary to notify them of any restrictions
regarding use of their water. In some instances, it may be necessary to provide them with an
alternate supply of drinking water.
                           Review existing
                             information
                            an affected area
                            be contained?
YES-
Develop and implement a
  containment strategy
                     Assess potential consequences
                           to public health
                             (Section 2.3)
                              Is there a
                           threat to public
                               health?
       Public health response
       may not be necessary
                         Public notification
                          may be required
                        Consult with appropriate
                        officials regarding public
                          notification options
                        Develop and implement a
                       public health response plan
                            (see Module 5)
Figure 2-7. Decision Process for Actions taken to Protect Public Health in Response to a
            'Credible' Contamination Threat
If containment is deemed inadequate to protect public health, then it is necessary to consider the
potential public health consequences of contamination, as discussed in Section 2.3. A "credible
threat to public health" results when there is a 'credible' threat and the consequences of
contamination threaten public health. If it is determined that there is a credible threat to public
health, then it may be necessary to notify the public.  Furthermore, public notification may be
required under the Public Notification Rule (40 CFR Part 141, Subpart Q).  Specifically, this rule
may require public notification in a "situation with significant potential to have serious adverse
                                          45
                      Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


effects on human health as a result of short term exposure" [141.201(b)]. Thus, the utility will
need to consult with the drinking water primacy agency, and potentially the public health agency,
during the evaluation of public notification requirements and options. Additional guidance
regarding public notification and the requirements of this rule can be found in the "Public
Notification Handbook" (USEPA, 2002).

Module 5 describes activities related to planning for and implementation of public notifications
designed to prevent or limit exposure. Once a decision has been made to notify the public, it is
necessary to evaluate the level of notification appropriate for the incident. For example, the level
of restrictions on water use that are necessary to protect the public will vary depending on the
nature of the contamination. These decisions are influenced by consequence analysis,
particularly with regard to the potential health effects of a threat.  These potential effects, in turn,
are heavily influenced by the identity of the contaminant.

If the contaminant has been tentatively identified at this stage, it may be possible to tailor the
public notification to the specific public health risk. For example, if the contaminant only poses
a risk through ingestion of contaminated water, a "do not drink" notice may provide a sufficient
level of protection. On the other hand, if the identity of the contaminant is unknown, a more
restrictive "do not  use" notice might be considered. Furthermore, if the public notification places
restrictions on the  use of the water, it will be necessary to provide a short-term alternate water
supply. Of particular concern is the need to maintain fire protection throughout the community.
The topics of public notification and alternate drinking water supplies are discussed in detail in
Module 5.
                                         46                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


5   'Confirmatory' Stage of the Threat Management Process

Confirmation represents the transition from a contamination threat to a contamination incident
and relies on definitive information demonstrating that the water has been contaminated.  The
most reliable means of confirming a contamination incident is through analytical confirmation of
the presence of a contaminant. However, under some circumstances, it may be appropriate to
confirm a contamination incident in the absence of definitive analytical data. This is particularly
true in cases where analytical confirmation may be impractical due to challenges in collecting a
representative sample due to uncertainty in the point of contaminant introduction and/or the time
that elapsed between the introduction of the contaminant and receipt of the threat warning. In
cases where analytical confirmation is deemed impractical, it will be necessary to rely upon the
'preponderance of the evidence' to confirm an incident. A more detailed discussion of this
concept is provided below in Section 5.1.

If the threat evaluation yields no conclusive evidence of contamination, then the incident
commander may  decide that the threat is no longer 'credible.'  However, the investigation will
have to be sufficiently thorough to demonstrate that the water is safe and the system can be
returned to  normal operation. Each  situation will  be unique, and it is up to the judgment and
experience  of the incident commander and supporting staff to  make the determination regarding
whether a 'credible' threat is elevated to a 'confirmed' incident or dismissed as 'not credible.'

It may take several days to collect sufficient evidence to confirm a contamination incident, and
the required time will depend on the type of information used  for confirmation. For example,
some microbiological analytical procedures may take several days. The actual amount of time
available to confirm the incident will depend on the response actions taken to protect public
health once the threat deemed 'credible.'

Due to the magnitude of the effort involved in responding to a confirmed water contamination
incident, many organizations will likely be involved in the threat evaluation at this stage.  Within
the utility, senior managers and the heads of major departments (e.g., operations, water quality,
and emergency response) will be involved in this  advanced stage  of the threat management
process.  External organizations will likely include the drinking water primacy agency, the state
public health agency (if different than the primacy agency), state or local  emergency response
organizations, and law enforcement  agencies. Furthermore, some federal agencies may become
involved at this point, and if the governor declares a state of emergency, the Federal Response
Plan will become effective and coordinate the federal response (see Modulel, Appendix 6.2).
While the WUERM will not be responsible for incident command at this stage, it is important for
the WUERM to become familiar with the organizations and plans that would be activated in the
case of a confirmed contamination incident and to understand the role of the water utility in this
situation.
5.1  Information Considered at the 'Confirmatory' Stage
While it is desirable to confirm an incident through laboratory analysis and identification of a
particular contaminant, this may not always be feasible.  Thus, additional information sources
may be considered in an effort to confirm the contamination incident based on a 'preponderance
                                       47                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


of evidence.' For example, if there is a security breach with obvious signs of contamination
along with unusual water quality and consumer complaints in the vicinity of the security breach,
the multiple layers of evidence might be sufficient to confirm a contamination incident.  In
another situation, additional findings of continued site characterization activities might add to the
preponderance of evidence necessary to confirm a contamination incident in the absence of
definitive analytical data.  The information resources discussed in this section that might support
confirmation of a contamination incident include:
      The results from laboratory analysis of samples collected during the initial or continuing
       site characterization activities.
      The results and observations of continued site characterization activities.
      Information from public health officials, area hospitals, or 911 call centers.
      Information about specific contaminants.
      Targeted information from external sources based on the collective knowledge of the
       threat.
5.1.1  Analytical Results
Positive identification of a contaminant through sample analysis can confirm a contamination
incident and provide the basis for making decisions about public health response actions and
remediation activities.  Thus, when practical, analytical confirmation should be pursued through
a suitable analytical approach as discussed in Module 4. However, all analytical data must be
subject to some level of evaluation and interpretation in order to provide meaningful information
to support the threat evaluation.

As discussed in Module 4, a report from the laboratory should include the results of all analyses
performed, available QA/QC information, and any other information relevant to the interpreting
the results. In general, the only analytical results that should be considered at the confirmatory
stage of the threat management process are those that have been validated by the laboratory, i.e.,
the contaminant has been positively identified and/or quantified at the level of concern through
the use of accepted analytical methods and QA/QC procedures. If special circumstances warrant
consideration of analytical results that have not been validated, it may be necessary to seek
laboratory assistance in the interpretation of tentative results. Depending on the analytical
methods used, supplementary information provided with non-validated results might include:
         the probability of false negative/false positive results at this stage  of analysis;
         method sensitivity, accuracy, and/or precision;
         probability of misidentification;
         quantitative versus qualitative results; and
         the time necessary to confirm the results.

It is important that all of this information be considered when attempting to confirm an incident
using data that have not been completely validated.

Furthermore, it is important to consider typical background levels of a particular contaminant
during the interpretation of analytical results.  However, the availability of background data will
likely be limited or nonexistent for many hazardous contaminants.  In situations where
background data are not available, it may be sufficient to consider occurrence in a more general
                                         48                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


sense (i.e., whether the contaminant is known to occur in treated waters). If the general
occurrence is unknown, then it may be necessary to evaluate the concentration of the
contaminant solely from a public health perspective; specifically, whether or  not the contaminant
at the levels detected poses any threat to public health.

Interpretation of analytical results for contaminants known to occur in treated drinking water can
present unique challenges.  For example, chloropicrin and cyanogen chloride are potentially
hazardous if present in the water at high concentrations. However, these same compounds are
disinfection by-products that result from the reaction of the disinfectant with  naturally occurring
precursor compounds and thus may occur at very low levels in disinfected drinking water. If low
levels of such "normally occurring yet potentially hazardous contaminants" are detected, it must
be determined whether these levels represent typical background or result from intentional
contamination, e.g., the tail of transient contaminant slug or a low-level contamination incident.
This uncertainty in the source of the detected contaminant would likely lead to additional
sampling and analysis to support the threat evaluation process.

The laboratory should be considered as a potential resource during the interpretation of analytical
results. Laboratory staff will have a unique perspective regarding the reliability of the method
and interpretation of analytical results as well as substantial experience with the analysis of
countless other water  samples using the same or similar analytical techniques. Thus, the analyst
may have the experience necessary to recognize results that fall within the normal range of
occurrence, compared to those more likely to be indicative of an actual contamination incident.
5.1.2  Additional Site Characterization Results
As discussed in Section 4.2.2, site characterization activities may be continued in response to a
'credible' contamination threat to help confirm the incident, or support the decision to return to
normal operation if the incident is not confirmed.  The focus of continued site characterization
would have been influenced by the information already collected through the threat evaluation
process; thus, interpretation of the findings may be more straightforward. For example, if
unusual water quality results were part of the basis for determining that a threat is 'credible,'
additional site characterization activities might be conducted in an effort to confirm the initial
findings.  Thus, these follow-on site characterization activities will be more focused than the
initial site characterization in which there is less information to focus the investigation.

As discussed previously, the results of field safety screening and rapid field testing of the water
must be interpreted in the context of background or typical levels, and the reliability of the
information must also be considered. Furthermore, the results of additional screening should be
compared to the results of the initial screening to determine if they corroborate or contradict the
initial results

At the 'confirmatory' stage of the threat management process, there will  likely be results from
site characterization activities performed at multiple locations,  and these results should be
reviewed collectively to explore any potential trends in the data.  This may help to build the
preponderance of evidence that would be necessary to confirm a contamination incident in the
                                         49                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


absence of definitive laboratory analysis. Furthermore, the collective results might provide some
indication regarding the spread of the contaminant.
5.1.3  Information from External Sources
Information from external sources can be gathered during the continuing threat evaluation
process to support efforts to confirm the incident. At this stage, external resources can be
specifically targeted in light of the information already collected to support the threat evaluation.
Information from these resources may help to build the preponderance of evidence necessary to
confirm an event in the absence of laboratory identification of a contaminant.  This information
may also support decisions regarding appropriate response actions. The following examples
illustrate how external information sources may help to confirm a contamination incident. The
other external information sources listed in Section 4.1.3 may also be consulted as appropriate.
In any  case, it is up to the incident commander and supporting staff to determine how to apply
the information from these various sources during the threat evaluation.

     Public Health Sector: In the absence of definitive analytical data to confirm a
       contamination incident, information from the public health sector may be the next most
       reliable resource. The occurrence of unusual symptoms in the population or atypical
       clustering of disease may indicate a potential biological, chemical, or radiological
       contamination incident. The most immediate source of such information may be through
       local hospitals and 911 call centers. If there is ample evidence linking these unusual
       health effects to the drinking water supply,  that may be sufficient to confirm the
       contamination incident. However, water is only one possible  source of the contaminant
       and, in many cases, will not be the primary focus of the public health investigation.  The
       state or local public health agency would typically be the lead agency in the public health
       investigation and would likely confirm the source of the incident.

     Law Enforcement Agencies: Local and federal law enforcement agencies will probably
       not be as critical to the 'confirmatory' stage of the investigation as they are at the
       'possible' or 'credible' stages. Nonetheless, these agencies will likely still be engaged in
       the evaluation of a 'credible' threat, particularly as they continue the criminal aspect of
       the investigation. In particular, they may discover crucial evidence or apprehend a
       suspect that could help to confirm whether or not the water has been contaminated.  Such
       information would typically not provide definitive analytical confirmation (i.e., it may
       not reveal the identity of the contaminant);  however, it may support confirmation based
       on a preponderance of evidence. In any case, it is important that the utility remain
       engaged with law enforcement throughout the investigation.

     Contaminant Information: At the confirmatory stage of the threat management process,
       information about specific contaminants becomes particularly important. In cases where
       the contaminant has been identified through laboratory analysis or other definitive means,
       such information is critical for assessing potential impacts to public health resulting from
       various routes of exposure to the contaminant.  Furthermore, this information will be
       used to make decisions regarding suitable remediation options.  On the other hand, if the
       contaminant has not been identified, specific information on a number of potential
                                        50                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


       contaminants might be used in conjunction with other available information in an attempt
       to narrow down the number of contaminant candidates.  For example, if information from
       site characterization activities indicates that the contaminant impacts water quality in a
       certain manner (i.e., consumes free chlorine or imparts a certain odor to the water), the
       contaminant specific information may facilitate tentative identification  of a contaminant
       and inform the analytical approach that would be used in an attempt to  positively identify
       the contaminant. A resource for contaminant specific information is the Water
       Contaminant Information Tool (WCIT). The WCIT is being developed specifically for
       the water sector and is described in Appendix 8.9. The WCIT is currently under
       development, and other sources of contaminant information that might  be used in the
       interim include:
         http://www.bt.cdc.gov/agent/agentlistchem.asp
         http ://www. cdc. gov/atsdr/index.html
         http: //www. wateri sac. or g/
5.2  Response Actions Considered at the 'Confirmatory' Stage
Once a contamination incident has been confirmed, it will be necessary to move into full
response mode. At this point, the EOC may be fully activated in order to support an effective
and coordinated response.  Other organizations that may be actively engaged in the response
include: the drinking water primacy agency, the public health agency, response agencies, and law
enforcement. All of these participating organizations will likely be coordinated under existing
incident command structures designed to manage emergencies at the state or local level.  One
agency will be designated as a lead agency and will be responsible for incident command.  If
federal agencies are involved in the response, their roles and  responsibilities are established by
the Federal Response Plan.  States and local entities have likely established their own response
plans that would be in effect if the incident were managed at  that level. In any case, the utility
will still have a role in the implementation of full response actions;  however, they will generally
act in a technical support role.

Figure 2-8 illustrates the actions that might be taken in response to a confirmed contamination
incident. The process begins with an evaluation of available  information about the incident,
which should include identification of the contaminant. Effective implementation of response
actions at this stage does depend on positive identification of the contaminant and knowledge of
contaminant properties.  In particular, the appropriateness of various public health protection
strategies and selection of treatment technologies will depend on the nature of the specific
contaminant. Due to the potential impact of response actions considered at the 'confirmatory'
stage, decision makers may question whether or not the incident has indeed been confirmed if a
contaminant cannot be detected in the water.  Therefore, it is  vital to perform a thorough
investigation in order to have confidence in any decisions about response actions. This is
especially true if response actions are implemented on the basis of a "preponderance of
evidence" rather than analytical confirmation.
                                        51                        Interim Final - December 2003

-------
                                         MODULE 2: Contamination Threat Management Guide
                                   Evaluate all available
                                  information about the
                                  contamination incident
                               Revise public health response
                                 measures as necessary
                                 Consult with appropriate
                              officials to develop remediation
                                    and recovery plan
                             f Characterize contaminated area j


                           f    Evaluate options for treating  ^\
                           [ contaminated water and rehabilitating I
                                   system componenets      J
\^
(

(
                              Select treatment and rehabilitation
                                   technology/approach
                              Design treatment and rehabilitation
                                   technology/approach
    )
                               Develop strategy for disposal of
                                 decontamination residuals
                           /Develop sampling and analysis plan to\
                           V        verify remediation       J
                              Develop communication and public
                                      relations plan
                                Implement remediation and
                                     recovery plan
                               \
         Return to normal
            operation
7
Figure 2-8.  Overview of Response to a Confirmed Contamination Incident
Following the initial review of available information about the incident, the public health
response measures already implemented should be reassessed and revised if necessary. This
process might include revisions to containment strategies or public notifications. This is
particularly important if the contaminant has been identified and/or the affected area better
characterized following the initial implementation of public health response measures.  Once the
                                            52
                                            Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


immediate public health crisis is under control, efforts will likely focus on remediation and
recovery.

Remediation and recovery activities will likely be planned and implemented by a number of
agencies, and the first step of the process is to establish the roles and responsibilities of each
organization. The elements of the remediation and recovery plan are called out in Figure 2-8 as
ovals.  Characterization of the contaminated area includes an evaluation of contaminant
properties, contaminant concentration profiles, and characteristics of the impacted area.  This
information is essential to the evaluation of options for treating the contaminated water,
remediation  of contaminated system components, and disposal of decontamination residuals.
The plan should also consider options for supplying alternate drinking water to customers over
the duration  of the project. Sampling and analysis will be necessary to monitor the progress of
treatment and remediation and to ensure that the system is cleaned to acceptable levels by the
end of the project.  Communications and public relations will be integral to regaining consumer
confidence and  thus should be considered in the plan as well.  Upon successful completion of the
remediation  effort, the system can begin the process of returning to  normal operation.  Module 6
describes the remediation and recovery process in detail.
                                                                 Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


6    Contamination Threat Management Matrices

The previous sections described the three stages of a threat evaluation: 'possible,' 'credible,' and
'confirmatory.'  This section compares and contrasts how the information, evaluation, and
response options vary as the threat evaluation progresses through the three stages for each of the
different types of threat warnings discussed in Section 3.1. For each of these threat warnings, a
"contamination threat management matrix" is presented. Each matrix is a tabular summary that
lists the following at each stage of the threat evaluation:
      Information considered during the threat evaluation.
      Factors considered during the threat evaluation.
      Potential notifications unique to specific stage of a particular threat warning.
      Potential response actions.

These matrices are necessarily generic and are provided as examples of how the threat
management framework described in the previous sections of this module might be applied to
specific threat warnings. As part of their planning, users are encouraged to tailor these matrices
to their specific circumstances as well as consider threat warnings other than those listed.
Furthermore, threat matrices can be developed for more detailed threat scenarios, for example:
      A security breach at a tank that can be isolated from the system.
      A security breach at an uncovered finished water reservoir that cannot be isolated.
      A security breach discovered by an alarm.
      A security breach discovered by utility staff during routine inspection.

Such customized "contamination threat management matrices" could be used as an aid in the
development and refinement of ERPs. For example, the completed matrices may indicate the
type of response actions that would need to be planned in advance.  The customized matrices
might also be incorporated into the utility's site-specific "Response Guidelines" and used as a
quick reference during the response to a contamination threat.
                                       54                       Interim Final - December 2003

-------
                                         MODULE 2: Contamination Threat Management Guide
6.1   Security Breach
                                 THREAT EVALUATION STAGE
               Possible
Location of security breach.
Time of security breach.
Information from alarms.
Observations when security
breach was discovered.
Additional details from the
threat warning.	
                                     Credible
                                     Results of site characterization at
                                     location of security breach.
                                     Previous security incidents.
                                     Real time water quality data from
                                     the location of security breach.
                                     Input from local law enforcement.
                                                                   Confirmatory
                                                              Results of sample analysis.
                                                              Contaminant information.
                                                              Results of site characterization
                                                              at other investigation sites.
                                                              Input from primacy agency
                                                              and public health agency.

        Was there an opportunity for
        contamination?
        Has normal operational
        activity been ruled out?
        Have other "harmless"
        causes been ruled out?
                             Do site characterization results
                             reveal signs of contamination?
                             Is this security breach similar to
                             previous security incidents?
                             Does other information (e.g.,
                             water quality) corroborate threat?
                             Does law enforcement consider
                             this a credible threat?
                                                               Were unusual contaminants
                                                               detected during analysis?  Do
                                                               they pose a risk to the public?
                                                               Do site characterization results
                                                               reveal signs of contamination?
                                                               Is contamination indicated by a
                                                               "preponderance of evidence?"
Notifications within utility.
Local law enforcement
agencies.
                                    Drinking water primacy agency.
                                    State/local public health agency.
                                     FBI.
                                                              Emergency response agencies.
                                                              National Response Center.
                                                              Other state and federal
                                                              assistance providers.
 o
 z
 a
 o
 a
 K
 4*
Isolate affected area.
Initiate site characterization.
Estimate spread of suspected
contaminant.
Consult external information
sources.
                             Implement appropriate public
                             health protection measures.
                             Plan for alternate water supply.
                             Analyze samples.
                             Perform site characterization at
                             additional investigation sites.
Characterize affected area.
Revise public health protection
measures as necessary.
Provide alternate water supply.
Plan remediation activities.
Security breaches may be the most common type of threat warning encountered by a utility since
they may result from trespassing, vandalism, theft, or failure to re-secure facilities following
legitimate activities. The purpose of the threat evaluation under this scenario is to distinguish
between these more frequent, yet relatively harmless security breaches, and those few that might
be considered 'credible' contamination threats.

At the 'possible'  stage of the threat evaluation under this  scenario, information about the security
breach will be available. Specifically, the location of the security breach will be known, which
will likely be established as the initial investigation site.  Other information may be available
from  alarms (including surveillance footage), which may help to establish the time of the
security breach.  The evaluation at this stage should consider whether or not there was an
opportunity for contamination at the site of the security breach. Furthermore, "normal" activity
should be considered and investigated at this stage as potential reasons for the security breach
(e.g., was a utility crew recently at the site and potentially forgot to re-secure the area?). If the
threat of contamination is considered 'possible,' law enforcement agents should be contacted
since the  security breach may be a result of criminal activity (e.g.,  criminal trespassing).
Potential  response actions to a 'possible' threat may include isolating areas of the system that
                                            55
                                                               Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


could be affected, initiating site characterization activities to collect more information in support
of the threat evaluation, and initiating the process to estimate the spread of the suspect water
through the system.

Information that may be available at the 'credible' stage includes the results of site
characterization, an assessment of previous security incidents, real-time water quality data in the
area of the security breach, and an assessment of the threat by law enforcement.  The evaluation
at this stage will consider whether or not signs of contamination were discovered during site
characterization, including unusual results from field testing or unusual observations during the
site investigation. Consideration should also be given to whether or not the new information
available at this stage corroborates the information about the threat. The drinking water primacy
agency may be contacted during the 'credible' stage to assist with  the threat evaluation and make
decisions regarding response actions. (Note: the point at which a primacy agency is notified
following discovery of a security breach, or other threat warning, should be consistent with any
primacy agency requirements.) The public health agency (if different from the primacy agency)
should also be notified if there is a potential threat to public health, particularly since this agency
will be able to gather information regarding unusual symptoms in the population and should be
involved in any decisions regarding actions taken to protect public health. If the threat is
determined to be 'credible,' response actions may include measures to limit or prevent exposure
of the public to the suspect water, such as public notification.  Actions taken to continue the
investigation at this point may include analysis of samples  collected from the site, continued site
characterization activities, and an analysis to estimate the spread of the contaminant.

The new information available at the confirmatory stage may include the results from laboratory
analysis, including QA/QC data to support the interpretation of the results.  If a specific
contaminant is identified, then additional information about that contaminant can be used to
further evaluate the nature of the threat as well as implications to public health. The findings of
continued site characterization activities may also help to confirm  the incident. The basis for
confirming a contamination incident can be analytical  results that identify a specific contaminant
or other definitive evidence that a contaminant is present in the water.  If a contaminant has been
identified, consideration should be given to the health  effects associated with exposure to that
contaminant.  It may be necessary to revise the sampling and analysis plans if a contaminant was
not positively identified through laboratory analysis but the threat  is still deemed 'credible.'
Upon confirmation of a contamination incident, a number of agencies that will support the
response will need to be notified.  Response actions potentially initiated once a contamination
incident has been confirmed include characterization of the contaminated area, revision to public
health protection measures, provision of alternate water supplies, and planning for remediation
and recovery activities.
                                         56                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
6.2   Witness Account
Information ^^H
Evaluation
Notifications
1 Response
THREAT EVALUATION STAGE
Possible
 Location of the suspicious
activity.
 Witness account of the
suspicious activity.
 Additional details from the
threat warning.
 Was there an opportunity for
contamination?
 Is the witness reliable?
 Has normal operational
activity been ruled out?
 Have other "harmless"
causes been ruled out?
 Notifications within utility.
 Local law enforcement.
 Isolate affected area.
 Initiate site characterization.
 Estimate spread of suspected
contaminant.
 Consult external information
sources.
 Interview witness for
additional information.
Credible
 Additional information from the
witness.
 Results of site characterization at
location of suspicious activity.
 Previous security incidents.
 Real time water quality data from
the location of suspicious activity.
 Input from local law enforcement.
 Do site characterization results
reveal signs of contamination?
 Is the suspicious activity similar
to previous security incidents?
 Does other information (e.g.,
water quality) corroborate threat?
 Does law enforcement consider
this a credible threat?
 Drinking water primacy agency.
 State/local public health agency.
 FBI.
 Implement appropriate public
health protection measures.
 Plan for alternate water supply.
 Analyze samples.
 Perform site characterization at
additional investigation sites.
Confirmatory
 Results of sample analysis.
 Contaminant information.
 Results of site characterization
at other investigation sites.
 Input from primacy agency
and public health agency.
 Were unusual contaminants
detected during analysis? Do
they pose a risk to the public?
 Do site characterization results
reveal signs of contamination?
 Is contamination indicated by a
"preponderance of evidence?"
 Emergency response agencies.
 National Response Center.
 Other state and federal
assistance providers.
 Characterize affected area.
 Revise public health protection
measures as necessary.
 Provide alternate water supply.
 Plan remediation activities.
From the perspective of the threat management process, a threat triggered by a witness account is
similar to one triggered by a security breach.  One of the few significant differences is the use of
information collected directly from the witness throughout the evaluation, particularly during the
'possible' and 'credible' stages of the threat evaluation. As discussed in  Section 3.1.2, the
reliability of the witness must be considered when making these determinations, and additional
evidence collected during the  investigation should be evaluated to determine whether or not it
corroborates the witness account. In some cases, access to a witness may be restricted by law
enforcement agencies, and a direct interview may not be possible. If this is the case, the incident
commander should work with law enforcement and make them aware of the type of information
that is needed to support the utility's threat evaluation.
                                        57
Interim Final - December 2003

-------
                                    MODULE 2: Contamination Threat Management Guide
6.3  Direct Notification by Perpetrator
Information ^^H
Evaluation
Notifications
Response
THREAT EVALUATION STAGE
Possible
 Transcript of phone (or
written) threat.
 The who, what, where,
when, and why of the threat.
 Additional details from the
threat warning.
 Vulnerability assessment.
 Is the threat feasible?
 Has the water already been
contaminated?
 Is the location known or
suspected?
 Is the identity of the
perpetrator known or
suspected?
 Have there been personnel
problems at the utility?
 Notifications within utility.
 Local law enforcement.
 Drinking water primacy
agency.
 Isolate affected area if
identified in the threat.
 Identify sites and initiate site
characterization.
 Consult external information
sources.
 Gather information from law
enforcement assessment.
Credible
 Law enforcement assessment.
 Primacy agency assessment.
 Previous threats at this utility or
other utilities.
 Results of site characterization at
selected investigation sites.
 Real time water quality data.
 Reports from ISAC, EPA, etc.
 Do site characterization results
reveal signs of contamination?
 Does other information (e.g.,
water quality) corroborate threat?
 Does law enforcement consider
this a credible threat?
 Does the primacy agency consider
this a credible threat?
 FBI.
 State/local public health agency.
 EPA Criminal Investigation
Division.
 Implement appropriate public
health protection measures.
 Plan for alternate water supply.
 Analyze samples.
 Perform site characterization at
additional investigation sites.
 Estimate spread of suspected
contaminant.
Confirmatory
 FBI assessment.
 Results of sample analysis.
 Contaminant information.
 Results of site characterization
at other investigation sites.
 Input from primacy agency
and public health agency.
 Were unusual contaminants
detected during analysis? Do
they pose a risk to the public?
 Do site characterization results
reveal signs of contamination?
 Is contamination indicated by a
"preponderance of evidence?"
 Emergency response agencies.
 National Response Center.
 Other state and federal
assistance providers.
 Characterize affected area.
 Revise public health protection
measures as necessary.
 Provide alternate water supply.
 Plan remediation activities.
Threats to contaminate the water made via direct notification by a perpetrator need to be taken
seriously, especially since the mere act of making such a threat is a criminal act. However, the
majority of such direct threats are hoaxes that may be intended to cause panic or disruption, gain
attention, or meet some personal objective such as revenge.  Thus, the focus of the threat
evaluation for this type of threat warning is to identify any credible threats amongst the larger
number of hoax notifications. In any cases, such threats should generally be reported to law
enforcement and the drinking water primacy agency.

A key source of information that may support the threat evaluation under this scenario is
provided directly by the perpetrator making the threat, and forms are included in Appendices 8.5
and 8.6 to document phone and written threats, respectively.  In the case of a phone threat, it is
important to collect information from the caller regarding the threat to support the threat
evaluation. Similarly, a written notification should be carefully reviewed for details about the
                                       58
Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


threat. Additional information collected throughout the investigation should be evaluated against
the details of the threat notification. If the additional information collected during the
investigation corroborates the details of the threat notification, then the threat is more likely to be
considered 'credible.' Furthermore, law enforcement agencies will likely assess the credibility
of the threat from a criminal perspective and thus directly support the threat evaluation process.
If law enforcement identifies potential suspects, they may take custody of and interview the
suspect, and the information gathered during the interview of suspects may be of value during
the threat evaluation.

One of the potential challenges in managing a threat triggered by direct notification from a
perpetrator is identification of an investigation site that will be the focus of site characterization
activities. Unless a location is named in the threat, it will be necessary to use other information,
such as that derived from vulnerability assessments or unusual water quality data/consumer
complaints, to identify investigation sites. Additional guidance on the selection of investigation
sites for site characterization is provided in Module 3.
                                         59                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
6.4  Notification by Law Enforcement
Information ^^H
Evaluation
Notifications
1 Response
THREAT EVALUATION STAGE
Possible
 Law enforcement report.
 The who, what, where,
when, and why of the threat.
 Additional details from the
threat warning.
 Vulnerability assessment.
 How did the threat warning
come to law enforcement?
 Is the threat feasible?
 Has the water already been
contaminated?
 Is a specific location
targeted?
 Notifications within utility.
 Drinking water primacy
agency.
 Isolate affected area if
known.
 Identify sites and initiate site
characterization.
 Work with law enforcement
to assess threat credibility.
 Consult external information
sources.
Credible
 Law enforcement assessment.
 Previous security incidents.
 Results of site characterization at
selected investigation sites.
 Real time water quality data.
 Reports from ISAC, EPA, etc.
 Do site characterization results
reveal signs of contamination?
 Does other information (e.g.,
water quality) corroborate threat?
 Does law enforcement consider
this a credible threat?
 Does the primacy agency consider
this a credible threat?
 FBI
 State/local public health agency.
 Implement appropriate public
health protection measures.
 Plan for alternate water supply.
 Analyze samples.
 Perform site characterization at
additional investigation sites.
 Estimate spread of suspected
contaminant.
Confirmatory
 FBI assessment.
 Results of sample analysis.
 Contaminant information.
 Results of site characterization
at other investigation sites.
 Input from primacy agency
and public health agency.
 Were unusual contaminants
detected during analysis? Do
they pose a risk to the public?
 Do site characterization results
reveal signs of contamination?
 Is contamination indicated by a
"preponderance of evidence?"
 Emergency response agencies.
 National Response Center.
 Other state and federal
assistance providers.
 Characterize affected area.
 Revise public health protection
measures as necessary.
 Provide alternate water supply.
 Plan remediation activities.
Notification of a potential contamination threat by law enforcement may originate from a witness
account (reported to a law enforcement agency) or direct notification by the perpetrator, and thus
a notification by a law enforcement agency will have some commonalities with these other types
of threat warnings. A threat warning coming directly from a law enforcement agent has an initial
level of credibility due to the source.  However, the specific details should be further evaluated
by the WUERM and supporting staff to determine if the threat is indeed possible. Law
enforcement agencies will need to rely upon the expertise of drinking water professionals,
including those  from the utility and primacy agency, to evaluate the threat from the perspective
of water quality and public health.

Information used to support the threat evaluation  during the 'possible' and  'credible' stages may
be derived from the law enforcement agency report and any specific details about the threat that
are available. Additional information collected throughout the investigation should be evaluated
against the details provided by law enforcement or gained from interviews with witnesses or
suspects. Furthermore, any additional information collected should be immediately reported to
                                       60
Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


law enforcement to aid their ongoing investigation.  If the additional information collected
during the investigation corroborates the details of the threat warning, then the threat is more
likely to be considered 'credible.' The utility will need to work closely with law enforcement
agents throughout the threat evaluation in order to determine whether or not the threat is
'credible' and warrants a response.

In some cases, the information about the threat may be sufficient to identify an investigation site.
For example, if the notification is a result of a witness account in which suspicious activity was
observed at a particular location, it will likely be selected as an investigation site. However, in
situations where a site has not been identified, it will be necessary to use other information, such
as that derived from vulnerability assessments or unusual water quality data/consumer
complaints, to identify investigation sites.  Additional guidance on the selection of investigation
sites for site characterization is provided in Module 3.
                                         61                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
6.5   Notification by News Media
Information ^^H
Evaluation
Notifications
1 Response
THREAT EVALUATION STAGE
Possible
 Details of media report.
 The who, what, where,
when, and why of the threat.
 Additional details from the
threat warning.
 Vulnerability assessment.
 How did the threat warning
come to the media?
 Is the threat feasible?
 Has the water already been
contaminated?
 Is a specific location
targeted?
 Notifications within utility.
 Local law enforcement.
 Drinking water primacy
agency.
 Isolate affected area if
known.
 Identify sites and initiate site
characterization.
 Contact news media for
additional details.
 Consult external information
sources.
Credible
 Additional details from media.
 Law enforcement assessment.
 Previous security incidents.
 Results of site characterization at
selected investigation sites.
 Real time water quality data.
 Reports from ISAC, EPA, etc.
 Do site characterization results
reveal signs of contamination?
 Does other information (e.g.,
water quality) corroborate threat?
 Does law enforcement consider
this a credible threat?
 Does the primacy agency consider
this a credible threat?
 FBI
 State/local public health agency.
 Implement appropriate public
health protection measures.
 Plan for alternate water supply.
 Analyze samples.
 Perform site characterization at
additional investigation sites.
 Estimate spread of suspected
contaminant.
Confirmatory
 FBI assessment.
 Results of sample analysis.
 Contaminant information.
 Results of site characterization
at other investigation sites.
 Input from primacy agency
and public health agency.
 Were unusual contaminants
detected during analysis? Do
they pose a risk to the public?
 Do site characterization results
reveal signs of contamination?
 Is contamination indicated by a
"preponderance of evidence?"
 Emergency response agencies.
 National Response Center.
 Other state and federal
assistance providers.
 Characterize affected area.
 Revise public health protection
measures as necessary.
 Provide alternate water supply.
 Plan remediation activities.
In some cases, the news media may be alerted to a threat before the utility. If the threat is
generic, the utility may only be able to collect additional information from the media, primacy
agency, EPA, ISAC, and other sources to determine if the threat is at all relevant to the specific
utility. In the absence of any specifics, the utility may be able to do nothing more than increase
vigilance.

If a threat reported by the news media has elements that are specific to a utility, additional
information should be collected from the media to help establish whether the threat is 'possible'
or 'credible'.  Furthermore, the media's information source should be contacted directly if at all
possible. It may also be prudent to contact law enforcement agencies early in the process to help
determine whether or not the threat is 'possible' or 'credible.' Other than the involvement of the
media as an information resource, a threat triggered by notification from news media may be
handled in a manner similar to those triggered by other notifications (e.g., directly from the
perpetrator or from a law enforcement agency). Additional information collected throughout the
investigation should be evaluated against the details of the threat warning.  If the additional
                                        62
Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


information collected during the investigation corroborates the details of the media report, then
the threat is more likely to be considered 'credible'.

The media notification may or may not provide information necessary to identify an
investigation site. If the media report contains no information about a potential contamination
site, it will be necessary to use other information, such as that derived from vulnerability
assessments or unusual water quality data/consumer complaints, to identify investigation  sites.
Additional guidance on the selection of investigation  sites for site characterization is provided in
Modules.
                                        63                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
6.6   Unusual Water Quality
1
a
a
hH
Evaluation
Notifications
1 Response
THREAT EVALUATION STAGE
Possible
 Unusual water quality data.
 Baseline water quality data.
 Real time water quality data.
 Operational information
corresponding to the time of
the unusual water quality.
 Is the unusual water quality
significantly different from
an established baseline?
 Could operational changes
be the cause?
 Could changes in source
water quality be the cause?
 Are there similar results at
other monitoring locations?
 Notifications within utility.
 Identify sites and initiate site
characterization.
 Begin analysis of available
water quality data.
 Investigate unusual
consumer complaints.
 Consult external information
sources.
Credible
 Results of site characterization at
selected investigation sites.
 Previous threat warnings triggered
by water quality.
 Contaminant information.
 Reports of consumer complaints.
 Do site characterization results
reveal signs of contamination?
 Is this unusual data substantial
different from other water quality
episodes?
 Is the unusual data indicative of a
specific contaminant?
 Are the unusual water quality
clustered in a specific area?
 Are there any unusual consumer
complaints in the area?
 Drinking water primacy agency.
 State/local public health agency.
 Local law enforcement.
 FBI.
 Estimate affected area and isolate
if possible.
 Implement appropriate public
health protection measures.
 Plan for alternate water supply.
 Analyze samples.
 Perform site characterization at
additional investigation sites.
Confirmatory
 Results of sample analysis.
 Contaminant information.
 Results of site characterization
at other investigation sites.
 Input from primacy agency
and public health agency.
 Were unusual contaminants
detected during analysis? Do
they pose a risk to the public?
 Do site characterization results
reveal signs of contamination?
 Is contamination indicated by a
"preponderance of evidence?"
 Emergency response agencies.
 National Response Center.
 Other state and federal
assistance providers.
 Characterize affected area.
 Revise public health protection
measures as necessary.
 Provide alternate water supply.
 Plan remediation activities.
A threat warning arising from unusual water quality data is significantly different from the
other threat warnings previously discussed and thus should be handled differently during the
threat evaluation.  In determining whether or not the threat is possible, it is necessary to evaluate
the anomalous data relative to an established baseline.  Furthermore, it is important to consider
operational conditions, or potential impacts from changing source water quality or distribution
system blending as possible explanations for the unusual water quality. If the unusual water
quality data is determined to be significantly different from the baseline, and cannot be explained
by other factors, then the threat of contamination should be considered a possibility.  In order to
proceed with the threat evaluation in a timely manner, the  supporting information, such as
baseline water quality data, must be summarized in a useful, predetermined format that facilitates
a rapid assessment of the suspect water quality data.
                                        64
Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


Presumably, the unusual water quality data will be associated with a particular location in the
system, which will help in the identification of investigation sites that will be the focus of site
characterization activities. At this stage of the incident, it is important to verify the anomalous
water quality data through additional testing using independent equipment. For example, if an
incident was triggered by a rapid decrease in the free chlorine residual, as detected by online
electrochemical monitors, additional testing could be performed with colormetric field kits to
confirm the results. Additional rapid field testing might also help to determine the bounds of the
affected area.  Furthermore, additional data collected during the investigation should be
evaluated to determine whether or not it corroborates the unusual water quality data.  Specific
information about particular contaminants should be considered at the 'credible' stage as it might
be used to identify potential contaminants that would impact the water quality parameter with
anomalous readings. For example, contaminants with  acidic functional groups might result in
reduced pH.

The investigation of unusual water quality will likely remain within the utility until sufficient
information has been gathered to indicate that there is  a credible contamination threat. Water
quality changes constantly due to a number of complex and interrelated factors, and it is
appropriate that most of these water quality episodes be investigated within the utility.  However,
it is equally important to recognize a significant, unusual, and unexplained change in water
quality and investigate the cause.  If over the course of the investigation,  corroborating evidence
is found to indicate a 'credible' contamination threat, then additional notification outside of the
utility may be appropriate.
                                         65                        Interim Final - December 2003

-------
                                    MODULE 2: Contamination Threat Management Guide
6.7  Consumer Complaint
Information ^^H
Evaluation
Notifications
Response
THREAT EVALUATION STAGE
Possible
 Compilation of consumer
complaints, including
geographic distribution.
 Recent water quality data
that may be associated with
complaints.
 Operational information
corresponding to the time of
the unusual complaints.
 Are the complaints unusual?
 Could operational changes
be the cause?
 Could changes in source
water quality be the cause?
 Are the complaints clustered
in a specific area?
 Are complaints from
habitual complainers?
 Notifications within utility.
 Identify sites and initiate site
characterization.
 Begin analysis of available
water quality data.
 Interview consumers in area
with high numbers of
complaints.
 Consult external information
sources.
Credible
 Results of site characterization at
selected investigation sites.
 Summary of historic consumer
complaints.
 Results of consumer interviews.
 Contaminant information.
 Do site characterization results
reveal signs of contamination?
 Are other consumers in the area
experiencing similar water
quality?
 Are the unusual complaints
significantly different from typical
complaints?
 Are the complaints indicative of a
specific contaminant?
 Is there anything unusual about
the water quality in the area?
 Drinking water primacy agency.
 State/local public health agency.
 Local law enforcement agency.
 FBI.
 Estimate affected area and isolate
if possible.
 Implement appropriate public
health protection measures.
 Plan for alternate water supply.
 Analyze samples.
 Perform site characterization at
additional investigation sites.
Confirmatory
 Results of sample analysis.
 Contaminant information.
 Results of site characterization
at other investigation sites.
 Input from primacy agency
and public health agency.
 Were unusual contaminants
detected during analysis? Do
they pose a risk to the public?
 Do site characterization results
reveal signs of contamination?
 Is contamination indicated by a
"preponderance of evidence?"
 Emergency response agencies.
 National Response Center.
 Other state and federal
assistance providers.
 Characterize affected area.
 Revise public health protection
measures as necessary.
 Provide alternate water supply.
 Plan remediation activities.
If a utility has a system for tracking consumer complaints, then there is the potential that a high
or unusual incidence of consumer complaints could serve as a warning of a possible
contamination incident.  This is especially true for chemical contaminants, which, depending
upon the concentration, may impart a strong odor/taste or discolor the water. In many respects, a
threat warning resulting from consumer complaints is similar to one resulting from unusual water
quality, particularly when one considers that consumer complaints are simply a surrogate
indicator for the aesthetic qualities of drinking water. Furthermore, consumer complaints must
be evaluated against baseline information about complaints in order to determine if they are
indicative of a 'possible'  contamination threat.  Other factors that might impact aesthetic water
quality, or consumer complaints,  should also be considered when determining whether or not the
                                       66
Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide


threat is 'possible.'  For example, operational changes or normal source water events, such as
algal blooms, could be the cause of the complaints.

In order for consumer complaints to be an effective trigger, a utility must have a system in place
that responds to consumer complaints in a timely fashion and have an established
communication link to the WUERM.  Furthermore, an effective system would be operational
24/7 with staff trained in recognizing contaminant characteristics such as unusual odors and able
to characterize complaints by type and location.

If there is a geographic clustering of complaints, this will assist in the identification of
investigation sites that will be the focus of site characterization activities. Available online water
quality data and rapid field testing results should be evaluated to determine whether or not the
information corroborates or explains the aesthetic changes in the water.  Furthermore, other
customers in the same area might be questioned regarding the aesthetic qualities of their drinking
water.  If the additional information collected during the evaluation indicates that contamination
is likely, then the threat will likely be deemed 'credible.'
                                        67                       Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
6.8  Public Health Notification
Information
Evaluation
Notifications
Response
THREAT EVALUATION STAGE
Possible
 Details of notification from
public health sector.
 Symptoms of disease and
causative agent, if known.
 Contaminant information.
 Why is water under
investigation as a possible
source?
 Are the reported symptoms
consistent with exposure to
the contaminant via water?
 If causative agent is known,
is it stable in water?
 Notifications within utility.
 State/local public health
agency.
 Drinking water primacy
agency.
 Consult with public health
agency and primacy agency.
 Consult external information
sources.
Credible
 Geographic distribution of disease
or death.
 Recent water quality and
operational data.
 Reports of consumer complaints.
 Contaminant information.
 Is the geographic pattern of
exposure consistent with exposure
to contaminated water?
 Is there a recent occurrence of
unusual water quality data or
consumer complaints?
 Does additional information about
the potential contaminant indicate
water as a potential source?
 FBI.
 Local and State law enforcement
agencies.
 Estimate affected area and isolate
if possible.
 Implement appropriate public
health protection measures.
 Plan for alternate water supply.
 Identify sites and initiate site
characterization.
 Analyze samples.
Confirmatory
 Results of site characterization
at selected investigation sites.
 Results of sample analysis.
 Contaminant information.
 FBI assessment.
 Has the public health agency
concluded that water is the
cause of the disease or deaths?
 Did sample analysis detect the
causative agent?
 Was another contaminant
detected during sample
analysis that could be the cause
of the disease or deaths?
 Emergency response agencies.
 National Response Center.
 Other state and federal
assistance providers.
 Characterize affected area.
 Revise public health protection
measures as necessary.
 Provide alternate water supply.
 Plan remediation activities.
Notification from public health regarding a potential water contamination incident is unique in
that individuals have been exposed to a harmful substance resulting in illness, disease or death in
the population.  The threat evaluation in this case may be part of a larger epidemiological
investigation to determine the cause of disease.  From a utility perspective, the first step will be
to evaluate whether or not the drinking water is a possible source of the harmful contaminant.  It
is critical that the utility work with the appropriate public health officials from the outset, since
these officials will likely have information critical for the evaluation.  For example, they may
know or suspect the causative agent based on clinical information. This knowledge, in
conjunction with information about the properties of the contaminant, may indicate whether or
not contaminated water is even a possibility. For example, if the causative agent is known to
immediately decompose upon exposure to water, then the possibility of contaminated water
might be dismissed.

If water is considered a possible carrier for the contaminant, then further investigation should be
conducted to determine if water is the most likely carrier of the contaminant (i.e.,  analogous to
                                       68
Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide


the 'credible' stage of the threat evaluation). Information that may help to make this
determination will include additional findings from the larger epidemiological investigation,
geographic distribution of exposure, recent water quality and operational data, and reports of
consumer complaints. If this additional information indicates that water contamination is likely,
response actions would likely include public notification to limit further exposure as well as
sampling for the suspected contaminant.

The sampling plan developed at this point may start with information about the geographic
distribution of exposure; however, consideration must be given to the latency period of the
disease, which could be from minutes to weeks, as well as the travel time within the system. The
objectives of sampling and analysis at this point would include:  1) confirming the presence  of the
contaminant in the water; 2) determining if the contaminant is still present; and 3) determining
the area affected.  If water contamination is confirmed, and the contaminant  is still present in the
system, it will be necessary to begin planning for remediation and recovery efforts.  If the
contaminant is not found, extensive sampling would likely be necessary to demonstrate that the
contaminant is indeed absent from the system.
                                        69                       Interim Final - December 2003

-------
                                    MODULE 2: Contamination Threat Management Guide


7   References and Resources

References and information cited or used to develop this module are listed below. The URLs of
several sources are cited throughout the text. These URLs were correct at the time of the
preparation of this document.  If the document is no longer available at the URL provided, please
search the sponsoring organization's Web site or the World Wide Web for alternate sources. A
copy of referenced documents may also be provided on the CD version of this module, although
readers should consult the referenced URL for the latest version.

AWWARF, 2002. Online monitoring for drinking water utilities.  Editor, Erika Hargesheimer,
AWWA Research Foundation and CRS PRO AQUA, American Water Works Association,
Denver, CO; ISBN 1-58321-183-7.

FEMA Emergency Management Institute.  http://training.fema.gov/EMIWeb/IS/crslist.asp.

U.S. Army Center for Health Promotion and Preventative Medicine, 2003. "Drinking Water
Consumer Complaints: Indicators from Distribution System Sentinels, TG 284. http://chppm-
www.apgea.army.mil/documents/TG/TECHGUID/TG284.pdf.

U.S. EPA. 2000.  40 CFR Part 141, Subpart Q.  National Primary Drinking Water Regulations:
Public Notification Rule; Final Rule. Federal Register (Part II). 65(87):  25982-26049.
http ://www. epa. gov/safewater/pws/pn/pnrule.pdf.

U.S. EPA. June 2000. Public Notification Handbook. EPA/816/R-OO/010. Office of Water.
Washington DC. http://www.epa.gov/safewater/pws/pn/handbook.pdf
                                      70                      Interim Final - December 2003

-------
8  Appendices
                                MODULE 2: Contamination Threat Management Guide
8.1  Response Planning Matrix
Incident
Credibility
Possible
Credible
Confirmed
Consequences
# people
affected
10's
100's
1,000's
10's
100's
1,000's
10's
100's
1,000's
Health
Impact
Minor
Moderate
Severe
Minor
Moderate
Severe
Minor
Moderate
Severe
Minor
Moderate
Severe
Minor
Moderate
Severe
Minor
Moderate
Severe
Minor
Moderate
Severe
Minor
Moderate
Severe
Minor
Moderate
Severe
Other
Considerations




























Response
Possible Actions




























Anticipated Impacts
on the public




























                                  71
Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
8.2   Threat Evaluation Worksheet

INSTRUCTIONS
The purpose of this worksheet is to help organize information about a contamination threat warning that
would be used during the Threat Evaluation Process.  The individual responsible for conducting the
Threat Evaluation (e.g., the WUERM) should complete this worksheet. The worksheet is generic to
accommodate information from different types of threat warnings; thus, there will likely be information that
is unavailable  or not immediately available.  Other forms in the Appendices are provided to augment the
information in this worksheet.
THREAT WARNING INFORMATION

    Date/Time threat warning discovered:
    Name of person who discovered threat warning:
    Type of threat warning:
       D Security breach        D  Witness account            D   Phone threat
       D Written threat          D  Law enforcement            D   Unusual water quality
       D News media           D  Consumer complaints        D   Public health notification
       D Other   	
    Identity of the contaminant:     D  Known         D Suspected     D  Unknown
       If known or suspected, provide additional detail below

       H  Chemical            D  Biological                 D  Radiological

       Describe
    Time of contamination:         D  Known        D Estimated     D Unknown
       If known or estimated, provide additional detail below

       Date and time of contamination: 	

       Additional Information:  	
    Mode of contamination:        D  Known        D Suspected     D Unknown
       If known or suspected, provide additional detail below

       Method of addition:     D  Single dose      D  Overtime        D  Other	

       Amount of material:
       Additional Information:
                                         72                        Interim Final - December 2003

-------
                                   MODULE 2: Contamination Threat Management Guide
Site of contamination:          D  Known         D Suspected
   If known or suspected, provide additional detail below

   Number of sites:
                               D Unknown
   Provide the following information for each site.

   Site #1
   Site Name:
   Type of facility
       D  Source water
       D  Ground storage tank
       D  Distribution main
       D  Other  	
   Address:
D  Treatment plant
D  Elevated storage tank
D  Hydrant
D   Pump station
D   Finished water reservoir
D   Service connection
   Additional Site Information:
   Site #2
   Site Name:
   Type of facility
       D  Source water
       D  Ground storage tank
       D  Distribution main
       D  Other
   Address:
D  Treatment plant
D  Elevated storage tank
D  Hydrant
D   Pump station
D   Finished water reservoir
D   Service connection
   Additional Site Information:
   Site #3
   Site Name:
   Type of facility
       D  Source water
       D  Ground storage tank
       D  Distribution main
       D  Other  	
   Address:
D  Treatment plant
D  Elevated storage tank
D  Hydrant
D   Pump station
D   Finished water reservoir
D   Service connection
   Additional Site Information:
                                      73
                              Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
ADDITIONAL INFORMATION

    Has there been a breach of security at the suspected site?     D Yes       D No
       If "Yes", review the completed 'Security Incident Report' (Appendix 8.3)

    Are there any witness accounts of the suspected incident?     D Yes       D No
       If "Yes", review the completed Witness Account Report' (Appendix 8.4)

    Was the threat made verbally over the phone?                 D Yes       D No
       If "Yes", review the completed 'Phone Threat Report' (Appendix 8.5)

    Was a written threat received?                               D Yes       D No
       If "Yes", review the completed Written Threat Report' (Appendix 8.6)

    Are there unusual water quality data or consumer complaints? D Yes       D No
       If "Yes", review the completed Water Quality/Consumer Complaint Report' (Appendix 8.7)

    Are there unusual symptoms or disease in the population?     D Yes       D No
       If "Yes", review the completed 'Public Health Report' (Appendix 8.8)

    Is a 'Site Characterization Report' available?    D Yes          D  No
       If "Yes", review the completed 'Site Characterization Report' (Module 3, Appendix 8.3)

    Are results of sample analysis available?       D Yes          D  No
       If "Yes", review the analytical results report, including appropriate QA/QC data

    Is a 'Contaminant Identification  Report' available?   D  Yes      D  No
       If "Yes", review the completed 'Sample Analysis Report' (Module 5, Appendix 8.1)

    Is there relevant information available from external sources?  D Yes D No
       Check all that apply

       H  Local law enforcement  D  FBI                        D   DW primacy agency
       D  Public health agency    D  Hospitals/911 call centers    D   US EPA/ Water ISAC
       D  Media reports          D  Homeland security alerts     D   Neighboring utilities
       D  Other   	

       Point of Contact: 	
       Summary of key information from external sources (provide detail in attachments as necessary):
                                         74                        Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
THREAT EVALUATION

     Has normal activity been investigated as the cause of the threat warning?     D Yes D No
       Normal activities to consider
           D Utility staff inspections                   D  Routine water quality sampling
           D Construction or maintenance             D  Contractor activity
           D Operational changes                    D  Water quality changes with a known cause
           D Other	

     Is the threat 'possible'?      D Yes        D  No

       Summarize the basis  for this determination:  	
       Response to a 'possible' threat:
         D  None                        D Site characterization
         D  Increased monitoring/security   D Other	
               D Isolation/containment
     Is the threat 'credible'?       D Yes        D  No

       Summarize the basis for this determination:
       Response to a 'credible' threat:
         D  Sample analysis           D  Site characterization
         D  Partial EOC activation      D  Public notification
         D  Other
          D  Isolation/containment
          D  Provide alternate water supply
     Has a contamination incident been confirmed?

       Summarize the basis for this determination:
D  Yes
D  No
       Response to a confirmed incident:
         D  Sample analysis           D  Site characterization
         D  Full EOC activation        D  Public notification
         D   Initiate remediation and recovery
         D   Other	
          D  Isolation/containment
          D  Provide alternate water supply
                                          75
               Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
    How do other organizations characterize the threat?
Organization
n Local Law
Enforcement
D FBI
D Public Health
Agency
D Drinking Water
Primacy Agency
D Other
D Other
Evaluation
n Possible
n Credible
n Confirmed
n Possible
n Credible
n Confirmed
n Possible
D Credible
D Confirmed
D Possible
D Credible
n Confirmed
n Possible
D Credible
n Confirmed
n Possible
D Credible
n Confirmed
Comment






SIGNOFF
  Name of person responsible for threat evaluation:
     Print name  	
     Signature   	
Date/Time:
                                        76
 Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
8.3   Security Incident Report Form


INSTRUCTIONS
The purpose of this form is to help organize information about a security incident, typically a security
breach, which may be related to a water contamination threat.  The individual who discovered the security
incident, such as a security supervisor, the WUERM, or another designated individual may complete this
form.  This form is intended to summarize information about a security breach that may be relevant to the
threat evaluation process.  This form should be completed for each location where a security incident was
discovered.
DISCOVERY OF SECURITY INCIDENT
    Date/Time security incident discovered:
    Name of person who discovered security incident:
    Mode of discovery:
       D Alarm (building)
       D Video surveillance
       D Suspect confession
       D Other
D  Alarm (gate/fence)           D
D  Utility staff discovery         D
D  Law enforcement discovery
 Alarm (access hatch)
 Citizen discovery
    Did anyone observe the security incident as it occurred?
       If "Yes", complete the Witness Account Report' (Appendix 8.4)
                                 Yes
          D No
SITE DESCRIPTION
    Site Name:
    Type of facility
           D  Source water
           D  Ground storage tank
           D  Distribution main
            D  Other
    Address:
     D  Treatment plant
     D  Elevated storage tank
     D  Hydrant
D  Pump station
D  Finished water reservoir
D  Service connection
    Additional Site Information:
BACKGROUND INFORMATION
    Have the following "normal activities" been investigated as potential causes of the security
    incident?
       D Alarms with known and harmless causes      D  Utility staff inspections
       D Routine water quality sampling               D  Construction or maintenance
       D Contractor activity                          D  Other	
                                         77
                                  Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
    Was this site recently visited pr/orto the security incident?       D Yes        D  No
       If "Yes," provide additional detail below

       Date and time of previous visit:  	
       Name of individual who visited the site:

       Additional Information:
     Has this location been the site of previous security incidents?    D Yes        D  No
       If "Yes," provide additional detail below

       Date and time of most recent security incident: 	

       Description of incident:  	
       What were the results of the threat evaluation for this incident?
            D  'Possible'               D  'Credible'                 D  'Confirmed'

     Have security incidents occurred at other locations recently?      D Yes        D  No
       If "Yes", complete additional 'Security Incident Reports' (Appendix 8.3) for each site

       Name of 1st additional site:
       Name of 2nd additional site:
       Name of 3rd additional site:
SECURITY INCIDENT DETAILS

    Was there an alarm(s) associated with the security incident?   D Yes         D  No
       If "Yes," provide additional detail below

       Are there sequential alarms (e.g., alarm on a gate and a hatch)?    D Yes         D No

       Date and time of alarm(s): 	

       Describe alarm(s):  	


    Is video surveillance available from the site of the security incident?    D Yes      D No
       If "Yes," provide additional detail below

       Date and time of video surveillance:  	

       Describe surveillance:
                                          78                        Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
    Unusual equipment found at the site and time of discovery of the security incident:
       D Discarded PPE (e.g., gloves, masks)          D  Empty containers (e.g., bottles, drums)
       D Tools (e.g., wrenches, bolt cutters)           D  Hardware (e.g., valves, pipe)
       D Lab equipment (e.g., beakers, tubing)         D  Pumps or hoses
       D None                                     D  Other
       Describe equipment:
    Unusual vehicles found at the site and time of discovery of the security incident:
       D Car/sedan                   D SUV                     D  Pickup truck
       D Flatbed truck                 D Construction vehicle       D  None
       D Other	

       Describe vehicles (including make/model/year/color, license plate #, and logos or markings):
    Signs of tampering at the site and time of discovery of the security incident:
       D Cut locks/fences                           D  Open/damaged gates, doors, or windows
       D Open/damaged access hatches              D  Missing/damaged equipment
       D Facility in disarray                          D  None
       D Other
       Are there signs of sequential intrusion (e.g., locks removed from a gate and hatch)?
                D
                D
Yes
No
       Describe signs of tampering:
    Signs of hazard at the site and time of discovery of the security incident:
       D Unexplained or unusual odors               D  Unexplained dead animals
       D Unexplained dead or stressed vegetation      D  Unexplained liquids
       D Unexplained clouds or vapors               D  None
       D Other	

       Describe signs of hazard: 	
SIGNOFF
  Name of person responsible for documenting the security incident:

     Print name 	

     Signature  	
Date/Time:
                                         79
 Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
8.4   Witness Account Report Form

INSTRUCTIONS
The purpose of this form is to document the observations of a witness to activities that might be
considered an incident warning.  The individual interviewing the witness, or potentially the witness, should
complete this form.  This may be the WUERM or an individual designated by incident command to
perform the interview. If law enforcement is conducting the interview (which may often be the case), then
this form may serve as a prompt for "utility relevant information" that should be pursued during the
interview.  This form is intended to consolidate the details of the witness account that may be relevant to
the threat evaluation process.  This form should be completed for each witness that is interviewed.
BASIC INFORMATION
     Date/Time of interview:
     Name of person interviewing the witness:

     Witness contact information
        Full Name: 	
        Address:
        Day-time phone:
        Evening phone:
        E-mail address:
     Reason the witness was in the vicinity of the suspicious activity:
WITNESS ACCOUNT
     Date/Time of activity:

     Location of activity:
       Site Name: 	
       Type of facility
           D  Source water            D  Treatment plant           D  Pump station
           D  Ground storage tank     D  Elevated storage tank      D  Finished water reservoir
           D  Distribution main         D  Hydrant                  D  Service connection
           D  Other  	

       Address:
       Additional Site Information:
                                         80                        Interim Final - December 2003

-------
                                   MODULE 2: Contamination Threat Management Guide
Type of activity
   D Trespassing
   D Theft
   D Other
D  Vandalism
D  Tampering
   Additional description of the activity
D  Breaking and entering
D  Surveillance
Description of suspects
   Were suspects present at the site?

   How many suspects were present?
              D Yes
D  No
   Describe each suspect's appearance:
Suspect #
1
2
3
4
5
6
Sex






Race






Hair color






Clothing






Voice






   Where any of the suspects wearing uniforms?
   If "Yes," describe the uniform(s): 	
                      D Yes
            D No
   Describe any other unusual characteristics of the suspects:
   Did any of the suspects notice the witness?
   If "Yes," how did they respond:  	
                    D Yes
        D  No
Vehicles at the site
   Were vehicles present at the site?         D  Yes

   Did the vehicles appear to belong to the suspects?

   How many vehicles were present?  	
                             D No

                             D Yes
           D No
                                     81
                                     Interim Final - December 2003

-------
                                   MODULE 2: Contamination Threat Management Guide
   Describe each vehicle:
Vehicle #
1
2
3
4
5
6
Type






Color






Make






Model






License plate






   Where there any logos or distinguishing markings on the vehicles?
   If "Yes," describe: 	
                                    D Yes
                         D  No
   Provide any additional detail about the vehicles and how they were used (if at all):
Equipment at the site
   Was any unusual equipment present at the site?

   D  Explosive or incendiary devices
   D  PPE (e.g., gloves, masks)
   D  Tools (e.g., wrenches, bolt cutters)
   D  Lab equipment (e.g., beakers, tubing)
   D  Other	
                        D  Yes
             D No
               D Firearms
               D Containers (e.g., bottles, drums)
               D Hardware (e.g., valves, pipe, hoses)
               D Pumps and related equipment
   Describe the equipment and how it was being used by the suspects (if at all):
Unusual conditions at the site
   Were there any unusual conditions at the site?
                        D  Yes
             D No
   D  Explosions or fires
   D  Dead/stressed vegetation
   D  Other	
D  Fogs or vapors
D  Dead animals
D  Unusual odors
D  Unusual noises
   Describe the site conditions:
                                     82
                               Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
    Additional observations
       Describe any additional details from the witness account:
SIGNOFF
  Name of interviewer:
     Print name
     Signature   	    Date/Time:
  Name of witness:
     Print name  	
     Signature   	    Date/Time:
                                        83                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
8.5   Phone Threat Report Form


INSTRUCTIONS
This form is intended to be used by utility staff that regularly answer phone calls from the public (e.g., call
center operators). The purpose of this form is to help these staff capturer as much information from a
threatening phone call while the caller is on the line.  It is important that the operator keep the caller on
the line as long as possible in order to collect additional information.  Since this form will be used during
the call, it is important that operators become familiar with the content of the form. The sections of the
form are organized with the information that should be collected during the call at the front of the form
(i.e., Basic Call Information and Details of Threat) and information that can be completed immediately
following the call at the end of the form (i.e., the description of the caller). The information collected on
this form will be critical to the threat evaluation process.

Remember, tampering with a drinking water system is a crime under the SDWA Amendments!

THREAT NOTIFICATION
    Name of person receiving the call: 	
    Date phone call received:

    Time phone call ended: _
    Originating number:
         Time phone call received:

         Duration of phone call: 	
         Originating name:
        If the number/name is not displayed on the caller ID, press *57 (or call trace) at the end of the
        call and inform law enforcement that the phone company may have trace information.
    Is the connection clear?
D  Yes
    Could call be from a wireless phone?    D  Yes

DETAILS OF THREAT
    Has the water already been contaminated?

    Date and time of contaminant introduction known?
       Date and time if known: 	
        D  No

        D  No


D  Yes

     D Yes
                           D No
                                 D No
    Location of contaminant introduction known?
       Site Name:  	
               D Yes
                        D No
       Type of facility
           D  Source water            D  Treatment plant
           D  Ground storage tank     D  Elevated storage tank
           D  Distribution main         D  Hydrant
           D  Other
                       D  Pump station
                       D  Finished water reservoir
                       D  Service connection
       Address:
       Additional Site Information:
                                         84
                        Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
    Name or type of contaminant known?
       Type of contaminant
           D  Chemical               D  Biological

       Specific contaminant name/description:  	
                D Yes            D  No

                        D  Radiological
    Mode of contaminant introduction known?
       Method of addition:     D  Single dose

       Amount of material: 	
                D Yes            D  No
     D Overtime        D Other
       Additional Information:
    Motive for contamination known?             D  Yes

           D  Retaliation/revenge       D  Political cause
           D  Other  	
       Describe motivation:
                    D  No

                        D  Religious doctrine
CALLER INFORMATION
    Basic Information:
       Stated name: 	
       Affiliation:
       Phone number: _
       Location/address:
    Caller's Voice:
       Did the voice sound disguised or altered?        D Yes

       Did the call sound like a recording?             D Yes

       Did the voice sound?       D Male / D  Female

       Did the voice sound familiar?                  D Yes
          If 'Yes,' who did it sound like? 	
       Did the caller have an accent?
          If 'Yes,' what nationality? _
       How did the caller sound or speak?
          D Educated
          D Irrational
          D Reading a script
        D Yes
D  Well spoken
D  Obscene
D  Other
                             D  No

                             D  No

                        D Young / D Old

                             D  No
     D No
D  Illiterate
D  Incoherent
                                         85
                         Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
       What was the caller's tone of voice?
          D Calm                D Angry
          D Excited              D Nervous
          D Slow                D Rapid
          D Soft                 D Loud
          D Laughing            D Crying
          D Deep                D High
          D Other
D  Lisping
D  Sincere
D  Normal
D  Nasal
D  Clear
D  Raspy
D  Stuttering/broken
D  Insincere
D  Slurred
D  Clearing throat
D  Deep breathing
D  Cracking
       Were there background noises coming from the caller's end?
          D Silence
          D Voices                    describe   	
          D Children                   describe   	
          D Animals                   describe   	
          D Factory sounds             describe   	
          D Office sounds              describe   	
          D Music                     describe   	
          D Traffic/street sounds        describe   	
          D Airplanes                  describe   	
          D Trains                     describe   	
          D Ships or large boats        describe   	

          D Other:
SIGNOFF
  Name of call recipient:

      Print name
      Signature   	
  Name of person completing form (if different from call recipient):
      Print name  	
      Signature   	
                Date/Time:
                Date/Time:
                                          86
                 Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
8.6   Written Threat Report Form


INSTRUCTIONS
The purpose of this form is to summarize significant information from a written threat received by a
drinking water utility.  This form should be completed by the WUERM or an individual designated by
incident command to evaluate the written threat.  The summary information provided in this form is
intended to support the threat evaluation process; however, the completed form is not a substitute for the
complete written threat, which may contain additional, significant details.

The written threat itself (e.g., the note, letter, e-mail message, etc.) may be considered evidence and thus
should be minimally handled (or not handled at all) and placed into a clean plastic bag to preserve any
forensic evidence.

Remember, tampering with a drinking water system is a crime under the SDWA Amendments!


SAFETY
A suspicious letter or package could pose a threat in and of itself, so caution should be exercised if such
packages are received.  The US Postal Service has issued guidance when dealing with suspicious
packages (http://www.usps.com/news/2001/press/pr01 1022asa.htm).


THREAT NOTIFICATION
     Name of person receiving the written threat:  	
     Person(s) to whom threat was addressed: 	

     Date threat received:                            Time threat received:
     How was the written threat received?
          D  US Postal service              D Delivery service       D  Courier
          D  Fax                          D E-mail                D  Hand delivered
          D  Other	

       If mailed, is the return address listed?    D Yes       D No
       If mailed, what is the date and location of the postmark?
       If delivered, what was the service used (list any tracking numbers)?
       If Faxed, what is the number of the sending fax?
       If E-mailed, what is the e-mail address of sender?
       If hand-delivered, who delivered the message?
                                         87                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
DETAILS OF THREAT
    Has the water already been contaminated?        D Yes           D No

    Date and time of contaminant introduction known?      D Yes            D No
       Date and time if known:  	

    Location of contaminant introduction known?           D Yes            D No
       Site Name: 	

       Type of facility
           D Source water           D  Treatment plant           D  Pump station
           D Ground storage tank     D  Elevated storage tank      D  Finished water reservoir
           D Distribution main        D  Hydrant                 D  Service connection
           D Other  	

       Address:  	
       Additional Site Information:
    Name or type of contaminant known?                  D Yes            D No
       Type of contaminant
           D  Chemical               D  Biological                D  Radiological

       Specific contaminant name/description: 	
    Mode of contaminant introduction known?              D Yes            D No
       Method of addition:    D Single dose      D  Overtime        D  Other	
       Amount of material:
       Additional Information:
    Motive for contamination known?             D  Yes        D No

           D  Retaliation/revenge      D  Political cause            D Religious doctrine
           D  Other  	

       Describe motivation: 	
NOTE CHARACTERISES
    Perpetrator Information:
         Stated name:  	
         Affiliation:
         Phone number: _
         Location/address:
                                                                 Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
Condition of paper/envelop:
D Marked personal
D Neatly typed or written
D Crumpled or wadded up
D Other:
D Marked confidential
D Clean
D Soiled/stained
D Properly addressed
D Corrected or marked-up
D Torn/tattered
     How was the note prepared?
          D  Handwritten in print
          D  Machine typed
          D  Other: 	
D  Handwritten in script           D  Computer typed
D Spliced (e.g., from other typed material)
          If handwritten, does writing look familiar?
            D Yes
D  No
     Language:
          D  Clear English
          D  Another language:
          D  Mixed languages:

     Writing Style
          D  Educated
          D  Uneducated
          D  Use of slang
          D  Other:
     Writing Tone
          D  Clear
          D  Condescending
          D  Agitated
          D  Other:
D  Poor English
D  Proper grammar
D  Poor grammar/spelling
D  Obscene
D  Direct
D  Accusatory
D  Nervous
    D Logical
    D Incoherent
    D Sincere
    D Angry
    D Irrational
SIGNOFF
  Name of individual who received the threat:

     Print name  	

     Signature   	
                         Date/Time:
  Name of person completing form (if different from written threat recipient):
     Print name 	
     Signature  	
                         Date/Time:
                                         89
                           Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
8.7   Water Quality/Consumer Complaint Report Form


INSTRUCTIONS
This form is provided to guide the individual responsible for evaluating unusual water quality data or
consumer complaints.  It is designed to prompt the analyst to consider various factors or information
when evaluating the unusual data. The actual data used in this analysis should be compiled separately
and appended to this form. The form can be used to support the threat evaluation due to a threat warning
from unusual water quality or consumer complaints, or another type of threat warning in which water
quality data or consumer complaints are used to support the evaluation.

Note that in this form, water quality refers to both specific water quality parameters and the general
aesthetic characteristics of the water that might result in consumer complaints.

Threat warning is based on:     D Water quality       D  Consumer complaints        D Other

What is the water quality parameter or complaint under consideration?

Are unusual consumer complaints corroborated by unusual water quality data?

Is the unusual water quality indicative of a particular contaminant of concern?  For example, is the
color, order, or taste associated with a particular contaminant?

Are consumers in the affected area experiencing any unusual health symptoms?

What is 'typical' for consumer complaints for the current season and water quality?
     Number of complaints.
     Nature of complaints.
     Clustering of complaints

What is considered to be 'normal' water quality (i.e., what is the baseline water quality data or
level of consumer complaints)?

What is reliability of the method or instrumentation used for the water quality analysis?
     Are standards and reagents OK?
     Is the method/instrument functioning properly?

Based on recent data, does the unusual water quality appear to be part of a gradual trend (i.e.,
occurring over several days or longer)?

Are the unusual water quality observations sporadic over a wide area, or are they clustered in a
particular area?
     What is the  extent of the area? A pressure zone. A neighborhood.  A city block. A street. A
     building.
                                         90                        Interim Final - December 2003

-------
                                       MODULE 2: Contamination Threat Management Guide
If the unusual condition isolated to a specific area:
     Is this area being supplied by a particular plant or source water?
     Have there been any operational changes at the plant or in the affected area of the system?
     Has there  been any flushing or distribution system maintenance in the affected area?
     Has there  been any repair or construction in the area that could impact water quality?
SIGNOFF

  Name of person completing form:

     Print name
     Signature   	    Date/Time:
                                          91                         Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
8.8   Public Health Information Report Form


INSTRUCTIONS
The purpose of this form is to summarize significant information about a public health episode that could
be linked to contaminated water. This form should be completed by the WUERM or an individual
designated by incident command. The information compiled in this form is intended to support the threat
evaluation process.

In the case of a threat warning due to a report from public health, it is likely that the public health agency
will assume incident command during the investigation. The drinking water utility will likely play a support
role during the investigation, specifically to help determine whether or not water might be the cause.

PUBLIC HEALTH  NOTIFICATION
     Date and Time of notification:  	             	
    Name of person who received the notification:
    Contact information for individual providing the notification
        Full Name: 	
        Title:
        Organization:
        Address:
        Day-time phone:
        Evening phone:
        Fax Number: 	
        E-mail address:
    Why is this person contacting the drinking water utility?
    Has the state or local public health agency been notified?     D Yes         D No
        If "No," the appropriate public health official should be immediately notified.
DESCRIPTION OF PUBLIC HEALTH EPISODE
    Nature of public health episode:
       D Unusual disease (mild)         D Unusual disease (severe)        D Death
       D Other: 	
Symptoms:
D Diarrhea
D Fever
D Other:
D Vomiting/nausea
D Headache
D Flu-like symptoms
D Breathing difficulty
       Describe symptoms:
    Causative Agent:       D  Known          D Suspected          D  Unknown
       If known or suspected, provide additional detail below

       H  Chemical             D Biological                  D Radiological

       Describe 	
                                         92                       Interim Final - December 2003

-------
                                      MODULE 2: Contamination Threat Management Guide
       Estimate of time between exposure and onset of symptoms:
    Exposed Individuals:
       Location where exposure is thought to have occurred
          D Residence                D  Work                      D School
          D Restaurant                D  Shopping mall              D Social gathering
          D Other:  	

          Additional  notes on location of exposure:  	
          Collect addresses for specific locations where exposure is thought to have occurred.

       Is the pattern of exposure clustered in a specific area?      D Yes        D No

       Extent of area
          D Single building             D Complex (several buildings)   D  City block
          D Neighborhood             D Cluster of neighborhoods     D  Large section of city
          D Other: 	

          Additional notes on extent of area:
       Do the exposed individuals represent a disproportionate number of:
          D Immune compromised      D Elderly                     D Children
          D Infants                   D Pregnant women            D Women
          D Other: 	
          D None, no specific groups dominate the makeup of exposed individuals

EVALUATION OF LINK TO WATER
    Are the symptoms consistent with typical waterborne diseases, such as gastrointestinal
    disease, vomiting, or diarrhea?                                      D Yes        D No

    Does the area of exposure coincide with  a specific area of the system, such as a pressure
    zone or area feed by a specific plant?                                D Yes        D No

    Were there any consumer complaints within the affected area?         D Yes        D No

    Were there any unusual water quality data within the affected area?    D Yes        D No

    Were there any process upsets or operational changes?               D Yes        D No

    Was there any construction/maintenance within the affected area?     D Yes        D No

    Were there any security incidents within  the affected area?             D Yes        D No


SIGNOFF

  Name of person completing form:

     Print name
     Signature   	    Date/Time:
                                        93                        Interim Final - December 2003

-------
                                     MODULE 2: Contamination Threat Management Guide
8.9   Overview of the "Water Contaminant Information Tool"

What is the WCIT? Fundamentally, the Water Contaminant Information Tool (WCIT) is a
compilation of information on nontraditional water contaminants. Nontraditional contaminants
are those that are not significant from a regulatory or operational perspective, but which could
have substantial adverse consequences to the public and/or utility if accidentally or intentionally
introduced into the drinking water.  The WCIT contains peer-reviewed information about these
nontraditional contaminants that is relevant to the drinking water treatment industry. This
information is managed in a relational database that will allow a user to search and sort
contaminant information based on key properties. It will also allow users to create summary
reports for each contaminant.

What is the purpose of the WCIT?  This tool is being developed to support the drinking water
treatment industry in the management of water contamination threats and incidents. It will
provide relevant, accurate information to users for a variety of non-traditional drinking water
contaminants. This information will be relevant to planning for and responding to drinking
water contamination threats and incidents. As a planning tool, the WCIT can be used to support
vulnerability assessments, emergency response plans, and the development of site-specific
response guidelines. As a response tool, the WCIT can provide information about specific water
contaminants, which will be necessary to make appropriate response decisions. (The WCIT will
likely be most useful as a response tool.)

What type of information will be contained in the WCIT? The nontraditional contaminants
in the WCIT will include pathogens, chemicals, and radionuclides that are of concern to drinking
water. For each contaminant, the following type of information will be included in the WCIT,
when available:

      Contaminant properties, such as  solubility, volatility,  and thermal stability.
      Fate and transport information that indicates the persistence of the contaminant in water.
      Toxicity data for chemicals and infectivity data for pathogens.
      Signs and symptoms of exposure to the contaminant.
      Efficacy of treatment processes for removing or neutralizing the contaminant.
      Methods to detect the contaminant.
      Impact of the contaminant on environmental indicators.

What is the Status of the WCIT?  The WCIT is currently under development. A system
prototype has been designed, constructed and populated with an initial set of data for testing.
The results of system testing will be used to refine the design and functionality of the  system.
Next, the system will be fully populated with information for priority contaminants. It is
anticipated that an initial version of the WCIT will  be made available in late 2004.
                                        94                       Interim Final - December 2003

-------
Office of Ground Water and Drinking Water
Water Security Division
EPA817-D-03-002
www.epa.gov/safewater/security
December 2003
Recycled/Recyclable  Printed with Vegetable Oil Based Inks on
   100% Postconsumer, Process Chlorine Free Recycled Paper

-------