The online RCAP Resources Library has a variety of resources that are useful to small, rural drinking water and wastewater systems.

Are Water Systems a Terrorist Target?

Originally published in On Tap magazine’s Winter 2002 edition

by Kathy Jesperson, On Tap Managing Editor

Threats to drinking water supplies are not new. Almost every water supply system is at risk to natural hazards, such as floods, drought, earthquakes, landslides, storms, and high winds. Consequently, many systems already have emergency preparedness plans in place. In most cases, though, unless the system actually experienced an emergency, the plans just simply take up shelf space.

But now a different menace threatens the nation’s drinking water systems. One that’s making operators everywhere pull out their emergency planning manuals—if they have them—and wipe off the dust. With everything else they have to worry about, frustrated water suppliers, regardless of their system’s size, must add the risk of terrorism to their emergency preparedness plans—just in case.

Terror is an intense state of fear. Terrorism is the systematic use of fear as a means of coercion. To drinking water systems, terrorism poses an unfamiliar and confusing threat to the safety of water supplies. Across the nation, apprehensive drinking water system personnel hustle to implement security measures. But, with no precedent, creating security plans to combat an unknown, uncertain, and, at times, unimaginable threat seems practically impossible.

Historically, security has never been a major component of the U.S. water industry. And the reason is simple: Terrorists rarely target water supplies. In the past, even if an event did occur, it seldom made the papers.
Prior to September 11, most Americans didn’t give much thought to terrorism. But four jetliners used as weapons, a series of anthrax-laced letters, and persistent warnings to be on “high alert” have changed the American thought process.

Water Is Not a Typical Target
Regardless, the reality remains: Water systems are rarely a target. According to a U.S. Army research paper, “Natural and Terrorist Threats to Drinking Water Supplies,” only six of 84 terrorists events that H.J. McGeorge, author of Chemical/ Biological Terrorism Threat Hand-book Report, recorded between 1942 and 1989 involved water. Of the six, only one involving cholera contamination in Italy had any degree of success.

Yet the paper does note that water systems have received threats, and because the possibility exists that the threats could be carried out, water systems must take them seriously. To illustrate the point, the paper cites a November 1985 incident at the U.S. Military Academy in West Point, New York.
What happened was that someone called the academy claiming that a saboteur contaminated its potable water supply with some unknown substance. But after extensive sampling and testing, plant operators determined that the water was not contaminated. However, fearful that they may have overlooked something, the operators refused to restart the plant until they were certain that the water was safe, and then only after water deprivation became a critical concern.
Watertechonline.com reported that Jeffery Danneels, a security researcher at Sandia National Laboratories in New Mexico, testified before the House Committee on Science on November 15, 2001. What he told the committee isn’t much of a surprise, but the concerns he raised may have alarming consequences. He told lawmakers: “Hundreds of water systems draw their supplies from unguarded reservoirs, some distribute water without treating it or treat it in outmoded facilities, and still others use open distribution systems that are difficult to protect. The threat is particularly acute once water leaves treatment plants because it often is not tested again before reaching consumers.”

Are small systems safe?
In the U.S., water system customers support approximately 54,064 community drinking water systems. Somewhere in the neighborhood of 85 percent of those systems are small or very small, meaning that they serve fewer than 3,300 customers.
“Most of the larger metropolitan systems have now improved their security, but more needs to be done,” says Irwin M. Pikus, Ph.D, J.D, who served on the President’s Commission for Critical Infrastructure Protection (PCCIP). “Many smaller systems, believing they would not be targets for terrorists, have still not seriously addressed security matters. Such reasoning is not well-founded. One key impact of terrorist attacks is the realization that they can be replicated elsewhere at the attacker’s whim. So an attack against a small system could well reverberate nationwide.”

Besides acting as a training camp for terrorists who plan to move on to larger systems, small systems may become targets for a number of other reasons. “It is very important for small communities to be prepared for sabotage or terrorism activities,” says Peter S. Beering, deputy counsel for the Indianapolis Water Company and internationally recognized terrorism expert. “No community is immune. As the major cities harden their targets, a small community may become more interesting to aggressors.”
In a twist of fate, however, small drinking water systems’ limitations have become their advantages. It seems that small drinking water systems may have a benefit that their larger counterparts do not: There are a lot of them. Since so many small systems dot the countryside, they may have more options. For example, small systems can network with their neighbors and form coalitions.
“Collectively, small drinking water systems can create a formidable force against any threat,” says Mark Bradshaw, CEO of the Marcus Group Company Ltd., a security company in New Mexico. “What they do together can make a measurable difference in the safety of the nation’s drinking water supplies.” Unlike other utilities, drinking water systems are self-contained and serve a defined area. These attributes are even more distinct in small drinking water systems. Danneels, along with Richard Luthy, a Stanford University engineer, emphasized this point in November 15, 2001, congressional testimony.

They propose that lawmakers encourage communities to develop small, independent water systems so that potential saboteurs cannot easily contaminate or disrupt water supplies for large numbers of people. However, Danneels and Luthy recommend that these “new, small systems” be networked, like electric and telephone utilities, so that if a local supply is tainted, safe water can be rerouted from other communities to prevent gaps in service.  [Editor’s Note: We are now seeing this in the form of WARNs]

Will our system be attacked?
According to the article “Reducing Vulnerability of Water Supply Systems to Attack” in the Journal of Infrastructure Systems, December 1998, Yacov Y. Haimes and others reported that the odds of a particular system being attacked rely upon two things: how vulnerable it is and what the potential payoff might be to terrorists.

Drinking water systems are not equally vulnerable to terrorist threats because drinking water systems vary in size, how they
are built, and where they are built, says Haimes, adding that vulnerability is unique to each system. Operators and system managers need to begin asking themselves plenty of questions just to find a few simple answers. One question they will want to answer is: “If my system is attacked, what goals or aims will the saboteur accomplish?” The answer may help a system’s operator discover what the payoff might be for attacking this particular system.

And if all this isn’t complicated enough, Haimes says that the most vulnerable system and the system offering the greatest potential payoff are not necessarily the same system. For example, an isolated drinking water system may be vulnerable. But if this particular system only serves 50 people, the payoff may not be great enough for anyone to bother with it.

Also, to be successful, a terrorist assault relies upon surprise. Without this element, no attack can be carried out as planned. To remain a surprise, saboteurs need to keep their plans a secret. Like most secrets, though, someone is always eager to tell. Once the plans leak, the element of surprise is lost. Potential attackers then need to seek an alternative target.

Getting Serious about Security
“Every utility that has had to repaint a graffiti-riddled water tower or replace stolen signs around the reservoir has witnessed how vulnerable it is to outside intrusion,” writes Gay Porter DeNileon in “Critical Infrastructure Protection: The Who, What, Why, and How of Counterterrorism Issues,” in the May 2001 issue of Journal AWWA.

Stopping people at the gate is one obvious example of what water systems can do to increase security measures. But utilities need to do more than just stop people from coming in. They need to develop comprehensive security plans. The first thing water systems can do is to dust off their existing emergency planning guides, read through them, figure out what they need to do to “harden” their systems against an assault, and then regularly update their emergency plans.

Water systems don’t have to become fortresses to increase security. “Most security and emergency planning is common sense risk assessment,” explains Beering. According to the Federal Emergency Management Agency (FEMA), emergency-planning skills used during natural disasters can be used for terrorist events as well. The agency notes: “Were you to witness or experience an act of terrorism, remember what you have learned about responding to other emergencies.”

As Lee Michalsky, assistant professor at the Alaska Training and Technical Assistance Center, says: “An operator’s senses are the best tools available for detecting abnormal water system conditions.”

Conduct a Vulnerability Assessment
The very first thing water systems should do is complete a vulnerability assessment.
Watertechonline.com reported that Mike Hightower, a member of the technical staff for Sandia National Laboratories, talked about the vulnerability assessment process at the Water Security Summit, December 4, 2001, Washington, D.C.

A primary problem is that “redundancies” often do not exist, Hightower says. One of the reasons for this problem is that system planners often do not design redundancies into plants, meaning that most facilities don’t have spare pumps let alone spare parts. (See sidebar below.)

Top Ten Most Common Errors Found with Emergency Response Plans
1. No upper management support
2. Lack of employee buy in
3. Poor or no planning
4. Lack of training and practice
5. No designated leader
6. Failure to keep the plan up-to-date
7. No method of communication to alert employees
8. Occupational Safety and Health Administration regulations are not part of plan
9. No procedures for shutting down critical equipment
10. Employees are not told what actions to take in an emergency
Source: National Safety Council

In addition, he says that distribution systems are often unmonitored and unsecured, and facilities need to address this concern, noting that the distribution system is likely a water system’s most vulnerable point.

To assess vulnerability, water system personnel first need to understand how their systems function. Haimes notes that a typical water supply facility consists of seven elements:
1. physical components, including all equipment within the facility and the distribution network;
2. management structure, including system managers and personnel;
3. operating rules and procedures, including treatment standards and monitoring sites, procedures, and parameters;
4. institutional structure, defining the system’s place within the community;
5. control centers, including supervisory control and data acquisition (SCADA) systems, telephone lines, and other outside communication;
6. laboratories, including the system’s own labs as well as any labs that it uses to analyze samples; and
7. maintenance and storage facilities, including trucks, tools, and chemical storage.

Evaluate Physical Components
According to the Massachusetts Handbook for Water Supply Emergencies, a number of physical components are vulnerable to sabotage, because if they are compromised, the result is diminished water quality or availability. These components are:
• aquifers;
• chemical storage tanks;
especially chlorine;
• communication systems, including telephones, two-way radios, and computer links;
• dams;
• distribution systems, including pipes, valves, and pressure regulators;
• personnel, including
operators and office staff;
• power systems, including electricity;
• pumping stations;
• source water, including groundwater or surface water;
• treatment systems;
• water storage tanks; and
• watersheds.

Drinking water systems can protect their physical assets in a number of ways. Often, just taking charge and doing something about water system security, such as training and security-response drills, enables system employees to control the situation, rather than the other way around. “Until you solve the basic issues, it doesn’t make any sense to install high-tech security devices,” says Danneels, during the November 27, 2001, AWWA satellite teleconference, “Security Risk Assessment for Water Utilities.”

“Ask yourself what it is that you’re trying to stop,” he notes. “What’s the likelihood that a particular threat will be carried out? What are the ‘back doors’ to your system that make it easy to disrupt the system? What are the single points of failure? An adversary will look for your most vulnerable point.” Pikus explains that the president’s commission found that physical security around critical portions of water supply systems is generally poor. He says the commission found that:
• where fences exist, they often are not closed and locked;
• doors to facilities often are unlocked and unguarded; and
• finished water reservoirs are generally not secure.

“In fact,” Pikus explains, “until recently, water authorities strove to keep their facilities as open and publicly accessible as possible.” Nowadays, just wandering into a drinking water treatment plant may get a person into trouble. All system employees should make sure to ask scheduled visitors, contractors, and other non-system individuals for identification and have them wear badges while in the plant.

Besides keeping an eye on who’s coming and going, employees can take a walk around the facility to look for anything out of the ordinary. “Vulnerable facilities should be physically inspected as often as possible,” says Beering. System personnel should secure entrances and exits, and block any back roads to the reservoir. They should record unusual occurrences as well. Keeping records will help system personnel to know if something is not right.

“Many systems also should consider surveillance and Web-based cameras,” says Pikus. If they are visible, cameras can deter some would-be criminals. However, many small systems cannot afford these conveniences and should evaluate their necessity accordingly. In any case, having a professional install software that tamper-proofs Web-based surveillance equipment is essential, and helps ensure that a saboteur cannot remotely intercept these high-tech security systems. In addition to security measures, a valve-operating program requires system employees to open and close valves on water mains on a regular basis—ensuring their proper operation in emergencies.

A good program is especially important if a utility is working with older distribution equipment. For example, many of the valves around Morgantown, West Virginia, have been in place since 1928. Corrosion and debris build up in the valves and can make operation difficult, if not impossible.

“If proper valve operation is ensured, when a section of the main needs to be shut off for repairs or alterations, it may only be necessary to shut off two or three valves,” said David Pask, who was the National Drinking Water Clearinghouse’s technical services coordinator. “Faulty valves could mean the closure of four or five valves, causing a much larger area of the community to be without water.”

Managing the Security Plan
The most important thing that
a water system can do is to provide its customers with safe drinking water. To accomplish that goal, water systems must be secure, meaning that they must have a security plan. But even if they have a plan, they must make it work. And making it work means that water system personnel must pay attention to their management structure, which includes:
• the chain of command,
• decision making,
• employee work schedules,
• employee training programs,
• practicing emergency
procedures,
• system performance
standards,
• system review schedules,
• security program and
procedures, and
• the budgeting process.

Gathering “intelligence” is the best way to begin a security program. “All of the major water organizations are rolling out information about security,” says Beering. “Each system should review these materials and determine which is most appropriate for its particular needs. Systems can take protective actions, and stop or limit things from getting worse.”

In addition, system managers can take advantage of the resources available in their communities. “Develop your own intelligence network,” says Bradshaw. “Local people can report anything that is out of the ordinary. If it’s a really small town, the residents will know if something strange is going on. They can tell you if someone has been asking questions about the drinking water system. Encourage people not to be bashful. Some people are reluctant to report things because they think it seems silly. They need to be open to the fact that (their systems) could be targets.”

Once a system develops an intelligence network, it can then train all the system’s employees to handle situations that are out of the ordinary. “Office staff should be trained in how to handle bomb and contamination threats,” Beering says. “They should be trained in how to carefully examine unusual packages and, if appropriate, be prepared to call the police or FBI.”
Water systems also may use an insert in water bills or an ad in the local newspaper to ask the community to immediately report any suspicious behavior or events out of the ordinary to local law enforcement and the FBI.
Aside from becoming more alert, the Massachusetts preparedness handbook states that as a part of emergency management planning, water system personnel should evaluate possible emergency situations and determine what their consequences may be. For example, if a saboteur biologically or chemically contaminated a water supply, the health or lives of the system’s customers may be in jeopardy. Or if a major fire broke out within the community, a disruption in the distribution system could make putting the fire out impossible.

Assess Operating Rules and Procedures
“The (president’s commission) concluded that chemical and biological contamination probably pose the most serious threat to water supply,” says Pikus. “Clearly, it would be impractical to contaminate source water—there is just too great a volume to achieve the necessary concentrations. However, contaminating finished water—either at small reservoirs, water towers, or in portions of the distribution system—is feasible and could be highly destructive.”

Because of this threat, operators need to make changes in their daily routines. By definition, rules and procedures require routines, which people outside the system can easily track. To avoid a saboteur’s radar, operators should vary their schedules from day to day. For example, operators should vary water-sampling sites as well as the times they collect samples. If an operator always uses the same sampling routine, he may not be the only person privy to this information.

Do you have a back-up water source?
Water systems can work with neighboring communities to arrange alternative water resources and ensure that their customers always have water. Operators also can use special purpose equipment to purify water in some instances. According to the U.S. Army research paper, reverse osmosis (RO), for example, can remove a number of biotoxins, chemical warfare agents, and many opportunistic poisons, such as sodium flouroacetate (rat poison).

RO also can be used to remove all live biological warfare (BW) agents, including viruses. Activated carbon can remove most organics. Chlorine can inactivate most live BW agents and some biotoxins. Cryptosporidium and anthrax can be removed using microfiltration or using cartridge filters with a 3 micrometers absolute pore size. Several water systems within close proximity may want to invest in a portable microfiltration unit that they can use in case of an emergency.

Even though these technologies cannot remove or inactivate every possible threatening contaminant, they demonstrate that options exist.

Review Institutional Structure
Institutional structure refers to the system’s place within the community. To protect its water supplies, a system can:
• Develop or refresh relationships with key public safety agencies, law enforcement, fire, emergency management, media, and other emergency responders.
• Get to know the local emergency responders you may need to work with eventually, set up an emergency response drill with them, and practice it. Determining everyone’s role ahead of time will prevent turf battles later.
• Ask the local police to add your facility to their routine rounds, and provide them with map of the facility with the critical assets highlighted. Include this map in the system’s emergency response plan.
• Draw on the local police department to become a call-in center. “Lone plant operators should call in regularly to ensure their safety,” cautions Beering.
• Request that health care providers report any illnesses among customers that may be associated with water supplies. (See crisis commun-ication article.)
Evaluate Control Centers
Control centers refer to:
• water system operating facilities,
• electrical power,
• transformers, and
• communication facilities.

At one time, a saboteur had to approach a water supply system to threaten it. However, as water system operations become more automated using SCADA systems, they may find themselves increasingly vulnerable to cyberterrorism. In the November 27, 2001, AWWA teleconference, Danneels, says: “(SCADA systems) are about as secure as the Internet. And you know how secure the Internet is.”

According to the National Infrastructure Protection Center, if the system uses computer-based information, SCADA, or other control systems linked directly to the Internet, personnel should:
• increase computer-user awareness,
• choose passwords that are difficult or impossible to guess; create different
passwords for all accounts,
• update anti-virus software and use it to screen all downloads and e-mail attachments,
• use ingress and egress filtering, and
• establish policies and procedures to respond to and recover infected or crashed systems.

Besides vulnerability to viruses passed through the Internet, Sandia National Laboratories has found that many facilities ignore their “interdependencies,” or dependence upon other utilities.
For example, water treatment plants have found ways to secure pumps, but they seem to have overlooked that it takes power to run them. Backup electrical generators can keep the lights on in a plant, but they aren’t powerful enough to run a large pump.

In addition, SCADA computer systems that operate vital functions, like monitoring equipment and flow control, also depend upon power and other communication systems, such as telephone lines.

Evaluate Laboratory Facilities
Laboratory facilities include:
• the system’s laboratory facilities,
• test procedures and compliance records, and
• communication with federal and analytical labs.

Water systems need to be ready to sample for almost anything. Communities already routinely test their water supplies. They may have their own labs, send samples out to state labs, or contract with private labs. Most states probably require that drinking water systems use certified labs to test their samples. So, most systems likely have compliance report records. And most systems maintain data for their Consumer Confidence Reports.

Operators can use the information gathered during routine monitoring to establish a baseline, which will help them discover if anything is out of the ordinary. Additional monitoring is absolutely necessary—not only to achieve a true baseline, but also to find out if anything unusual is in the water. “Operators should increase sampling of raw and finished water,” says Beering, adding that they also should begin a sampling program at various points along the distribution system.

The U.S. Army fact sheet, “Just the Facts: Countering Terrorism of Drinking Water Supplies,” advises operators to establish a new, permissible level of pH, turbidity, conductivity, and chlorine residual. This new level should be restrictive enough that if something is wrong, the operator will know immediately. For instance, many contaminants diminish chlorine’s effectiveness.
An unexplained drop in the distribution system’s chlorine residual could indicate that a saboteur injected a crude biological or chemical agent into the system.

Operators should prepare a list of qualified labs along with their analytical capabilities. Also, water systems need to be aware that if they suspect that a biological or chemical agent was introduced into the drinking water supply, they must report it to the FBI. The bureau will then make arrangements with the Centers for Disease Control and Prevention (CDC) to have an agent detection laboratory test water samples. If your system isn’t already equipped and can afford it, continuous online monitoring that sounds an alarm when something odd is detected is a good investment.

Also, if operators are concerned about cross-connection contamination, they can continuously monitor the system’s water pressure to help evaluate whether or not it is a problem.

Analyze Maintenance and Storage Facilities
Maintenance and storage facilities hold the system’s equipment, including vehicles, cranes, tools, and chemicals.
Sandia’s Hightower notes that a saboteur could easily make use of large amounts of stored chemicals. Systems need to secure, limit access, and monitor their chemical storage facilities.

“Be especially vigilant about securing chlorine tanks,” says Bradshaw. Chlorine gas is an extremely hazardous chemical, and systems that use it should consider changing to liquid chlorine, ozone, or some other less risky means of disinfection.
“Also, secure any other treatment chemicals under lock and key,” he notes, adding that these chemicals should be isolated and in spill-containment areas.

“Another thing they can do is to vary chemical delivery schedules,” he continues. “For example, if they always get their chlorine delivered at 3 p.m. on Friday, see if they can arrange with their vendor to vary deliveries.”

In addition to securing any stored chemicals, make sure you lock up all equipment and never leave keys
in vehicles. We have a long way to go before we can develop a comprehensive security plan that fits every system; in fact it may not be possible. In the meantime, many groups exist that can help utilities to develop a comprehensive security plan.

If your system isn’t already equipped and can afford it, continuous online monitoring that sounds an alarm when something odd is detected is a good investment.

References:
Brosnan, Thomas. 1999. “Early Warning Monitoring to Detect Hazardous Events in Water Supplies,” International Life Sciences Institute Workshop Report: Washington, D.C. rsi.ilsi.org.

Burrows, W. Dickinson, J.A. Valcik, and Alan Seitzinger. 1997. “Natural and Terrorist Threats to Drinking Water Supplies,” American Defense Preparedness Association 23rd Environmental Symposium.

Centers for Disease Control and Prevention, April 21, 2000. “Biological and Chemical Terrorism: Strategic Plan for Preparedness and Response,” Morbidity and Mortality Weekly Report. www.cdc.gov.

DeNileon, Gay Porter. 2001. “Critical Infrastructure Protection: The Who, What, Why, and How of Counterterrorism Issues,” Journal AWWA. www.awwa.org.

Evans, Richard. 2001. “Public Works and Terrorism,” Community Response to the Threat of Terrorism Symposium. www.riskinstitute.org.

Ezell, Barry, Yacov Y. Haimes, James H. Lambert. 2001. “Risks of Cyber Attack to Water Utility Supervisory Control and Data Acquisition Systems,” Military Operations Research.

Haimes, Yacov Y., Fellow American Society of Civil Engineers, Nicholas C. Matalas, James H. Lambert, member ASCE, Bronwyn A. Jackson, and James F.R. Fellows. 1998. “Reducing Vulnerability of Water Supply Systems to Attack,” Journal of Infrastructure Systems.

Massachusetts Department of Environmental Protection. 2001. Handbook for Water Supply Emergencies. www.state.ma.us/env.htm.

National League of Cities. 2000. “Domestic Terrorism: Resources for Local Governments,” Local Officials Guide: Washington, D.C. www.nlc.org.

National Safety Council. 2001. Web site www.nsc.org.

U.S. Army Center for Health Promotion and Preventive Medicine. 2001. “Just the Facts. . .Countering Terrorism of Drinking Water Supplies.”

U.S. Environmental Protection Agency. 2001. “What Drinking Water Utilities Can Do Now to Guard Against Terrorist Threats.” www.epa.gov.

U.S. General Accounting Office. 2001. “Combating Terrorism: FEMA Continues to Make Progress in Coordinating Preparedness and Response.” www.gao.gov.

U.S. Government, Interagency Domestic Terrorism Concept of Operations Plan (CONPLAN), Federal Bureau of Investigation: Washington, D.C. www.fbi.gov.

Water Technology Online Web site. 2001. www.WaterTechOnline.com.