You have assessed your water utilities' security vulnerabilities...now what?

The federal government provided the funding for water utility vulnerability assessments and mandated that facility executives assess their facilities as part of a nationwide vulnerability assessment charge. But the feds have yet to provide facilities with sufficient cash to implement security upgrades to mitigate identified vulnerabilities. Some agencies begun security improvements on their own, some have applied for grants or state funds, and for others the waiting game has begun.

By Robert Sommerfeld, Adesta

Jan. 28, 2004 -- Once funding becomes available to implement your facility security upgrade, do you know where to begin?

The federal government provided the funding for water utility vulnerability assessments and mandated that facility executives assess their facilities as part of a nationwide vulnerability assessment charge. But the feds have yet to provide facilities with sufficient cash to implement security upgrades to mitigate identified vulnerabilities. Some agencies have elected to begin security improvements on their own, some have applied for grants or state funds, and for others the waiting game has begun.

The American Water Works Association asked the federal government to provide $2 billion in emergency funding to assist water utilities in addressing their susceptibility to a terrorist attack. This includes approximately $1.6 billion for installing or upgrading secure access controls at water utilities, including security alarms, lighting, sensors, locks and cameras. However, funding to implement the security upgrades has been slow to materialize.

There are many things to consider when executing a security upgrade to a water utility facility. Since 1991 Adesta, a multi-discipline infrastructure service provider and integrator, has protected critical water assets for a number of federal and state entities.
Here is the checklist Adesta uses when it helps a critical water asset or facility upgrade their security and/or communications infrastructures.

Identify weaknesses and risks

Since we continue to harden larger, more public targets to prevent attacks, the smaller, unprotected assets become more vulnerable to attacks.

Consider your critical customers and what would happen if your infrastructure was attacked. Where might you have single points of failure? What is your dependence on others infrastructure and what would happen if they were attacked?

Next, gather information to identify the most essential vulnerable assets or (MEVAs). Think about your distributed assets: power plants and water supplies. Where are they located and how vulnerable would they be during an event. Sources of information may include: Department of Homeland Security, law enforcement, and engineering plans/operating procedures.

Your people know your sites best. Utilize their expertise to look at your current measures to secure your sites and any procedures you have in place to protect your assets. Look at potential attack points and concerns. Consider chemical, explosive or vehicular damage. Consider how old your old key entry system is and how many keys could be out there. How many people have access to your facilities?

Pre-attack planning

What is the pre-attack plan? This is a plan that looks at the facility and its proximity to other collateral targets. During a pre-attack planning meeting, gather actual plans or sketch the target and the location. Look at the schedule you keep. Document when people show up and leave.

More sophisticated pre-attack planning could involve practice drills and threat exercises to identify shortcomings. Always keep in mind scheduled community events. These types of events are often targeted by outsiders for maximum exposure. For example, does your community have a festival or celebration that draws large crowds? Security measures are all about early detection, deterring, or delaying the event and providing the appropriate response.

Mitigating Risks

Countermeasures such as the items listed below utilize procedures, equipment and responses that will eliminate, reduce or mitigate risk. The more protected and secured your facility is the less likely it will be attacked.

• Establish stand-off distances
• Control access to facility
• Harden structures - blast mitigation film, blast curtains, barriers
• Install electronic security; combine security and communications networks, such as CCTV (Closed Circuit Television), IDS (Intrusion Detection Systems) and EEC (Electronic Entry Control)

Methods to bring everything all together

You probably already have some level of control room functionality where you monitor and control your municipal systems, and you probably already have some level of communication with remote sites. Some managers are developing broadband communications networks for their cities for faster, more reliable communications.

Convergence of a communications network with a security network creates an additional application. Security applications provide locations with higher bandwidth capability for sending and receiving video signals. Using electronic security systems may reduce headcount requirements, make existing staff more productive. Federal grants and Homeland Security funds may be available to help offset the deployment of security networks.

DC NET: Delay, detect, and respond

DC NET is a good example of a communications project that is being constructed to provide security services. DC NET is a $92 million project that supplies a redundant fiber optic backbone to the District of Columbia. Its primary focus is to provide enhanced reliable communication, emergency services and homeland defense for residents, businesses and government in the nation's capital.

• Converges communications and security applications to quickly move and share information between the government and citizens.
• Streamlines communications between law enforcement, District departments, federal emergency teams and the public via radio, telephone, computer and wireless handheld devices.
• When completed will connect approximately 400 District buildings.
• Adesta is engineering and constructing the last mile connections to District buildings

About the Author: Bob Sommerfeld is president of Adesta. Sommerfeld has nearly 30 years of engineering and construction management experience in the telecommunications industry for engineering consulting firms.

More in Asset Management