Survey Reports on Water Utilities' Vulnerability Assessments

Drinking water utilities in the U.S. need more security information, training and financial help to bolster their security initiatives, according to a recently released survey.

Drinking water utilities in the U.S. need more security information, training and financial help to bolster their security initiatives, according to a recently released survey.

The survey was released recently by the U.S. Environmental Protection Agency's (EPA) Inspector General. The report summarizes the survey responses from 16 drinking water utilities in six states.

The water utilities that participated received most of their information on the identification of threats, the detection of problems, delay barriers, response capabilities and computer control systems from the EPA, the American Water Works Association and consultants.

Recent terrorist activities and incidents such as the blackout in the Midwest and Northeast U.S. have demonstrated the crucial role of water sector infrastructures in the health and economic well-being of the nation.

Recognizing that Federal, State, and local levels of government have a vested interest in water security, the Inspector General's office suggested that the Domestic Working Group (DWG), an informal group of Federal, State, and local auditors, develop a survey focusing on the security needs and tools of their local water systems.

The objective of the survey was to gather feedback on the usefulness of water security information provided to utilities by EPA and other sources.

Specifically, the survey helped determine the following:

• Did EPA and other Federal, State, and local agencies provide useful threat and risk information to water utilities to conduct vulnerability assessments as required by the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (Bioterrorism Act)?

• What are the needs of utilities with regard to financial assistance, training, and procedural changes to improve security?

• What information can be collected and analyzed by EPA that would depict changes in security levels at water utilities?

The Inspector General's office provided this report to the EPA for comment and did not receive a response.

Results

Members of the DWG surveyed their local water utilities regarding (1) the usefulness of water security information in conducting vulnerability assessments, (2) remaining security needs, and (3) potential measures to track progress in water security.

Though the results of the DWG survey cannot be interpreted as representing conditions within the water industry or the nation due to limitations of the sample, agencies overseeing efforts to enhance the security of the nation's drinking water infrastructure, such as EPA, may benefit from the observations.

For example, the survey shows that, while EPA and groups such as AWWA provided useful information, the survey respondents most frequently listed consultants hired by water utilities as providing useful information.

This suggests a possible disadvantage to smaller utilities which are required to complete vulnerability assessments by June 2004 but, unlike larger utilities, may not be able to afford a consultant.

In addition, each of the utilities surveyed had concerns for water security that included: the information available to assess vulnerabilities; the financing of security improvements; the level of training assistance; EPA's research agenda; and the need for procedural changes.

For example, the Water Information Sharing and Analysis Center (Water-ISAC) can provide utilities useful threat information, but water utilities can only access Water-ISAC through a subscription fee.

Survey respondents also stated that they needed financial assistance for necessary security enhancements, training exercises to prepare for actual events, and research to detect contaminants in the distribution system.

The survey found that EPA could use the following performance indicators to measure changes in water security levels:

1. Length of time a water utility could provide water during or after a security incident.
2. Detection and response times.
3. Ability to detect contaminants in the water system.
4. Ability to detect attempted intrusions into the remote access system, commonly known as the Supervisory Control and Data Acquisition (SCADA) system.

Suggestions

Based on the survey results and the IG's observations, the report offered the following suggestions:

1. Ensure that small utilities have access to security information that large utilities received from consultants funded by EPA, possibly by fully funding the Water-ISAC, and provide lists of other agencies from which utilities could obtain information.

2. Ensure that water utilities have access to information on funding security enhancements, including use of the Drinking Water State Revolving Fund.

3. Consider using the performance indicators discussed above to set a baseline for water security and measure improvements over time, particularly through the use of exercises and drills to test the security of water utilities.

To access the whole report, including the survey questions, in PDF format, visit this link: http://www.epa.gov/ oigearth/reports/2004/20040120-2004-M-0001.pdf

More in Environmental