All community water systems (CWS) need a program to raise security awareness and overcome common challenges. The need for such a program was confirmed in a recent General Accounting Office (GAO) report and further underscored in a report by the National Drinking Water Advisory Council released in June 2005.
After conducting a number of threat assessments for US water systems, the security consulting firm Business Protection Specialists has found that, generally, security incidents and crime resulting from disgruntled insiders and common criminals tend to occur more frequently than terrorist attacks, even on an international scale.
When considering the terrorist, it is critical to understand that this adversary is adaptive. Effective security may be invalidated as the enemy adapts to a water system’s defensive measures. For other adversaries, and even natural or operational hazards, a quality assurance/ compliance verification program ensures that program measures are optimized and deficiencies are identified before they are needed in a security incident or emergency.
Security Program Basics
It is essential to incorporate a formal performance verification process to assess the effectiveness and function of each security measure. Business Protection Specialists recommends to its CWS clients a compliance assurance program that evaluates all components of the security program, highlighting deficient areas and providing a means to determine where upgrades or repairs are necessary.
Proper implementation of this program should, in part, meet the intent of the National Drinking Water Advisory Council expectations #6 for restricting access and detecting intrusions and #14 for self assessment and documentation of program progress. It can also help CWS executives get employee, board and public support for necessary security funding and, at low cost, teach staff how to identify security program deficiencies that could be exploited by criminals or terrorists.
To implement a “compliance assurance” program for security utilities should:
-- Inventory security measures and develop a schedule/calendar to identify the appropriate testing frequency to ensure effective performance;
-- Assign responsibility to conduct verification activities;
-- Execute verification activities as prescribed by the schedule/calendar;
-- Ensure that personnel conducting tests are properly trained and prepare reports for each verification exercise;
-- Maintain an inventory of deficiencies and track them to ensure that all corrective action is implemented in a timely fashion;
-- Commit the necessary resources to correct discovered deficiencies.
CWS leadership should document all security measures in a matrix. The sample matrix (figure 1) provides common testing frequencies that a CWS may wish to consider. Based on the security countermeasures in place, the following areas (as applicable to your CWS) should be considered for periodic testing and measurement to assure effectiveness:
-- Perimeter/facility inspections
-- Mechanical performance of doors on building perimeters or internal security sensitive areas
-- Security alarms
-- Verification of access privileges to security-sensitive areas
-- Removal of separated personnel from electronic access control system
-- Security operating and emergency procedures
-- Accuracy of alarm response protocol
-- Security awareness training
-- Electronic access control system archive restoration
Responsibility for conducting each test should be assigned and tracked. Failure to assign responsibility will lead to lapses in testing and documentation of deficiencies. Someone in an operational leadership role must be checking to ensure the execution of the tests on a regular basis, as with any critical preventive maintenance tasks. Part of the responsibility for those conducting tests is to document the results of each test, highlighting deficiencies in performance for corrective action.
Training Testing Personnel
It is vital that CWS personnel are properly trained on the expectations for each security measure and what constitutes effective performance. Testing standards for several commonly applied countermeasures are detailed below. Similar procedures should be implemented for all countermeasures.
Perimeter Fencing - This inspection will ensure a site’s perimeter barrier remains effective against low level adversaries such as vandals and casual trespassers. Additional information on perimeter fencing and barrier management can be obtained from NFPA 730 Chapter 6. At a minimum, perimeter inspections should include the following:
-- Review clear zones. Failure to maintain proper clear zones can provide opportunities for intruder concealment, may enable criminals to get into the facility or let them remove assets.
-- No trespassing, and other signs required by regulation should be reviewed to ensure they are properly deployed and fastened to the fence.
-- Posts and bracing should be reviewed to ensure that the fence is properly attached and that posts and braces are anchored in the ground.
-- Rails and tension wires should be firmly affixed with no sagging or disconnection.
-- Fence fabric should be properly attached to posts. The fabric should be free of vegetation and close enough to the ground to prevent someone from crawling under the fence.
-- Top guard should be facing in the direction of the threat. It should be firmly affixed with wire or clamps, and wires tightened to prevent sagging or disconnection
Perimeter Doors - This test will ensure the integrity of the portals and guarantee that unauthorized access is not made possible by defective doors or hardware.
Follow this procedure when testing the mechanical performance of doors: Each door should be opened and allowed to close normally, without intervention, from a barely ajar condition, as well as from half open and fully open positions. Each door leaf should move smoothly from each position to a tightly closed and latched condition. The hinges should be tight and in line so that the leaves do not sag and scrape on the threshold. The door closer should provide adequate force to close and latch the door without the leaf banging into the stops or rebounding back. The latch should freely retract so that it passes by the strike without slowing the movement of the door, but also firmly and quickly pop into place after it has passed the strike. The latch and strike should line up with each other so that they are fully engaged with each other, providing the maximum resistance to prevent the door from being forced open. The strike should be firmly and rigidly attached to the jamb. All trim should be tightly attached to the door leaves and should operate easily and without binding or requiring excessive force.
Except for one designated for emergency entrance, alarmed doors should not have operable cylinders on the outside. Such cylinders permit key holders to enter an alarmed door, spoofing an armed intrusion system into signaling an intrusion. If egress is permitted at an alarmed portal, a “request to exit device” (such as a passive infrared device) should be installed to prevent false alarms. All latches, hinges and cylinders should be lubricated once a year.
Alarm Testing - Every sensor that reports to an access control or intrusion detection system should be inspected to determine its condition. Its wiring and connectors, including the device mounting, should be inspected for damage or tampering. The sensor should be firmly attached and properly aligned, with the lead wires firmly fastened and protected against intentional or accidental damage. Devices to be inspected include all motion detectors, beam sensors, glass break detectors, duress or panic alarm buttons, door contacts and keypads.
During every inspection, each point should be tripped by the same means that would activate it were an actual alarm to occur. Additionally, systems that communicate alarms to an internal monitoring point, or an off-site central station, should be exercised so that the panel transmits at least one alarm from each zone. This ensures that the panel and the outbound communications circuits are functioning. Any duress, panic or robbery alarm buttons connected to the system should be tested more often to ensure that they are functioning. Due to the intended use of these devices, this test is required by UL Standard 636.
The alarm message that appears on the display at the central station or other monitoring location and the alarm action message maintained by the system administrator should be confirmed. The display at any on-site annunciator panels or keypads should also be confirmed, as well as the message delivered by any activity printers.
At the conclusion of the test, a print-out should be requested from the monitoring point to ensure that all signals reported and match up to field test documentation.
When the alarm procedures or action plan print-outs are requested from the central station or monitoring point, a listing of the persons to be contacted in alarm situations should be requested as well. This list should be reviewed by a person with appropriate knowledge. This will insure that the correct people are listed and that their contact numbers are current.
Key Card Access Door Testing - In addition to testing the intrusion detection devices at the site, several tests must be conducted at each portal on which a card reader is installed. Two important tests (not all inclusive) are for the door-ajar alarm and for the door-forced-open alarm. These tests need to be conducted on each card reader door.
A door-ajar alarm is generated in the access control system if, after a valid door opening (presentation of a card or valid egress), the door is not closed before the expiration of the permissible hold-open time that is programmed in the access control software. This type of security hazard is created when someone props open perimeter doors, making them accessible to unauthorized personnel. To complete this test, present a valid card to the card reader to unlock the door or exit from the secured area. Hold the door open for a period that exceeds the door hold-open time programmed into the access control system. Ensure that the door-ajar alarm is received at the terminal and that results are documented.
A door-forced alarm is generated in the access control system if a door is opened without the presentation of a card or valid egress. If the locking device is a latch, opening a card reader door with a key can generate a door-forced alarm. Masking the request to exit device and opening the door can generate the alarm. It is more difficult to generate a door-forced alarm when there is a magnetic lock installed. Masking the request to exit device and inserting a piece of cardboard or a clipboard between the magnet and the armature opening may generate the door-forced alarm. Ensure the “door-forced” alarm is received at the alarm monitoring terminal and the results are documented. At the conclusion of the access control system tests, reports should be run from the access control system to compare alarm transactions to the field documentation.
Correcting Deficiencies
CWS management must ensure that identified deficiencies are corrected in a timely manner. Without a proactive testing program, a CWS will learn that a vital security countermeasure is not working only when it has failed in an attack or other emergency. A proper compliance verification program is more than just “maintaining equipment.” This program ensures that the required oversight and resources are applied to provide for the integrity of the complete security program and prevent the “window dressing” that exists in many CWSs.
About the Author:
Frank Pisciotta, CSC, is president of Business Protection Specialists, an international security consulting firm headquartered in New York. The company has helped community water systems prevent security incidents and crime since 1990. Pisciotta was recently named by the IAPSC as its eighth Certified Security Consultant (CSC) in the United States. He is also a member of the Institute of Internal Auditors, and is an ASIS member who earned his Certified Protection Professional designation in 1994. He may be contacted via e-mail at [email protected].
