Preparing for the Everyday
A new landscape in stormwater infrastructure security
By
Henrietta H. P. Locklear
“You’ll notice that terrorists are not listed among the persons in the threat matrix,” says Yakir Hasit, Ph.D., P.E., principal project manager with CH2M Hill. Stormwater asked Hasit about how the recently released American Society of Civil Engineers and American Water Works Association (ASCE/AWWA) Draft American National Standard for Trial Use (DSTU), entitled Guidelines for the Physical Security of Wastewater/Stormwater Utilities, related to concerns about terrorist acts against the nation’s water and wastewater infrastructure. Hasit was a member of the team that drafted the document. It might seem surprising that, although terrorism is probably the first threat that comes to mind when the word security appears in this context, the Guidelines concern everyday threats to the proper functions of our water infrastructure, such as vandalism, as much as an unthinkable, catastrophic event.
Just as the word security might bring terrorism to mind, the word standards might make stormwater managers think, “Is this one more expensive mandate we have to find a way to fund?” The DSTU may become American National Standards Institute (ANSI) standards in the next year but are expected to remain nonmandatory guidance. Written in permissive terms rather than prescriptive ones, they aim to help utilities cope with security in the post-9/11 age. The DSTU offers stormwater managers an open, flexible framework for determining how best to meet their identified security vulnerabilities.
This article covers the content and the implications for stormwater managers of the Guidelines for the Physical Security of Wastewater/Stormwater Utilities, as well as some items of interest in the earlier releases: the Interim Voluntary Security Guidance for Wastewater/Stormwater Utilities (WEF 2004) and the Interim Voluntary Security Guidance for Designing an Online Contaminant Monitoring System (ASCE 2004).
History of the Guidelines
The events of September 11, 2001, catalyzed a change in the country’s attitude toward infrastructure security; “vulnerabilities that previously were not even considered must now be identified and addressed” (WEF 2004). In 2002, the United States Public Health Security and Bioterrorism Preparedness and Response Act (PL 107-188) was passed. It required water utilities—those serving 3,300 or more customers—to identify risks through vulnerability assessments (VAs). (The VAs for the smallest of the utilities covered under the act, serving between 3,300 and 49,999 customers, were required to have been completed by June 30, 2004.) According to the EPA, “Vulnerability assessments help water utilities to evaluate their susceptibility to potential threats and identify corrective actions to reduce or mitigate the risk of serious consequences from vandalism, insider sabotage, or terrorist attack” (http://cfpub.epa.gov/safewater/watersecurity/). Similar regulations have not been passed for wastewater or stormwater systems, although some wastewater utilities have voluntarily completed vulnerability assessments (GAO 2006). However, wastewater and stormwater infrastructure has various vulnerabilities of its own, and several efforts are under way to assist wastewater facilities, at least, with reducing their vulnerabilities (http://cfpub.epa.gov/safewater/watersecurity/index.cfm) (GAO 2006).
One of these projects is the USEPA Water Infrastructure Security Enhancement (WISE) Project. The project, completed under a cooperative agreement among the ASCE, the AWWA, and the Water Environment Federation (WEF), was funded by an EPA grant. The purpose of the WISE project was to “develop materials to assist in the implementation of security recommendations and the overall improvement of water and wastewater infrastructure security” (ASCE/AWWA 2006a). Each of the three organizations was responsible for a different aspect of the WISE Project:
The ASCE was the lead for design of the contaminant detection and monitoring systems for drinking water and wastewater.
The AWWA was the lead for drinking-water supply, treatment, and distribution system concerns.
The WEF was the lead for wastewater and stormwater collection, treatment, and disposal system concerns.
Phase I of the project, completed in 2004, focused on providing a framework for utilities to address the management and operational changes, which require little or no capital investment, and physical upgrades, which may require capital investment, needed to address the specific threats faced by individual systems. This phase produced three security guidance documents, which are available, free of charge, through each of the three organization’s Web sites (http://www.awwa.org/science/wise/). The guidance documents are Interim Voluntary Security Guidance for Wastewater/Stormwater Utilities, Interim Voluntary Security Guidance for Water Utilities, and Interim Voluntary Security Guidance for Contaminant Monitoring Systems.
Phase II of the WISE Project drew on the documents prepared for phase I to create training modules that are appropriate for a wide range of individuals involved in or concerned with utility operations and security. The training modules are available free of charge on CD-ROM through an e-mail request to wise@asce.org (include your mailing address and affiliation when requesting the modules).
Phase III, the most recent phase of the project, focused on the physical security of facilities. This focus was driven by reactions to the phase I documents. According to Stacy Passaro, who was the project manager at the WEF for the WISE Project, after the phase I guidance was published, managers knew “where their vulnerabilities were, but they need a tool to help them get the changes made.” The phase III documents are entitled ASCE/AWWA DSTU Guidelines for the Physical Security of Wastewater/Stormwater Utilities and Guidelines for the Physical Security of Water Utilities.
The Guidelines and Terrorism
The latest documents produced through the project do not focus on terrorism but rather on the “overall improvement” of security at facilities. They do this by addressing threats that are less catastrophic in scope than a terrorist attack, such as disruption of service through sabotage, but that are more probable threats to any single utility (WEF 2004). Passaro explains that although 9/11 was an immediate driver for the project, “Once we got into it, we realized that [terrorism] wasn’t as high on the priority list.” As Hasit describes it, there is no way to fully plan for or protect against a person or group who care nothing about their own lives and aim to cause extensive loss of life. However, utilities can do a lot to protect against disruption of a utility’s mission by what the documents call design basis threats (DBTs): vandals, criminals, saboteurs, and insiders. When it comes to catastrophic attacks, utilities need to have excellent emergency response mechanisms to speed the recovery and proper functioning of the utility. The creators of the Guidelines realized that security measures must strike a balance, somewhere between being an easy target and implementing expensive, cumbersome (and ultimately surmountable) preventative measures. This approach involves “smart planning and design to take away easy access” on the one hand, Passaro explains, and redundancy, backup, and emergency response on the other.
What Do the Guidelines Say?
The following sections summarize the methodology for identifying and mitigating threats recommended by the 2006 ASCE/AWWA DSTU Guidelines for the Physical Security of Wastewater/Stormwater Utilities.
Physical Protection of Facilities
The Guidelines recommend specific physical security measures, such as perimeter fencing and closed-circuit television (CCTV) systems. These measures are designed to fulfill one or more elements of facility security and together reduce the probability of a threat and/or the damage a malevolent act has upon a facility. Table 1 gives examples of each element and a brief description.
Step 1: Conduct a Vulnerability Assessment
The introduction to the 2004 Interim Voluntary Security Guidance (which is covered in more detail later) states, “Security issues related to stormwater conveyance systems are included in this document to the extent that the issues parallel those for sanitary sewage collection systems and combined sewer systems, which may be integral parts of a wastewater utility.” Likewise, the Guidelines primarily address stormwater facilities that are in common with a wastewater utility, such as office buildings, or possibly a pump station, and the stormwater collection system. The Guidelines do not focus on flood control canals and dams, although, as one user of the phase I Guidance pointed out, the ideas in the document are really applicable to all types of infrastructure.
The 2006 DSTU Guidelines assume that utilities have completed a vulnerability assessment before using the document. Managers who have participated in multi-hazard mitigation planning (MHMP) might be familiar with VAs, which are conducted as part of efforts to identify risks for communities. Resources on vulnerability assessment tools can be found on the WEF and EPA Web sites (http://www.wef.org/
and http://cfpub.epa.gov/, respectively). Two generally accepted tools cited by the DSTU Guidelines are the Vulnerability Self-Assessment Tool (VSAT) (http://www.vsatusers.net/) and Risk Assessment Methodology for Water (RAM-WT) (http://www.sandia.gov/ram/RAMW.htm). An EPA fact sheet for water utilities on VAs cites the following as “common elements” for a VA:
- Characterization of the system, including mission and objectives
- Identification and characterization of adverse consequences to avoid
- Critical assets that might be subject to malevolent acts that could result in undesired consequences
- Assessment of the likelihood (qualitative probability) of such malevolent acts from adversaries
- Evaluation of existing countermeasures
Analysis of current risk and development of prioritized plan for risk reduction
Step 2: Characterize the Design Basis Threat
- At the outcome of the vulnerability assessment, the utility should go on to characterize the DBTs, which are the threats “the utility decides to protect against” (WEF 2004). The DBTs are the “identified adversaries” with their “specified motivation, tools, equipment, and weapons” (ASCE/AWWA 2006a), or, as defined by the Department of Defense (DOD), “[t]he threat against which an asset must be protected and upon which the protective system’s design is based. It is the baseline type and size of threat that buildings or other structures are designed to withstand. The design basis threat includes the tactics aggressors will use against the asset and the tools, weapons, and explosives employed in these tactics” (http://www.dtic.mil/doctrine/jel/doddict/data/d/01646.html).
- The Guidelines are built around four DBT categories: vandal, criminal, saboteur, and insider. These categories are described in detail in the document, as shown in the capability matrix, an excerpt from the document, in Table 2. There are two levels of threat for each DBT category, the base level and the enhanced level.
- Domestic and international terrorists are considered a special category of DBT for the purposes of the Guidelines and may require specialized plans and enhanced measures beyond the ones recommended for the four DBT types addressed in the document.
Step 3: Identify Security Measures
For each type of facility, such as pump station, collection system, or treatment plant, the Guidelines recommend physical security measures for each DBT. The document includes sections for wastewater treatment plants, collection systems, pumping stations, and support facilities covering applicable physical security measures. The appendix describes in detail each of the physical security measures that are covered in each of the sections, such as perimeter fences, walls, gates, site area clear zones, facility entrances, bollards, exterior surfaces, lighting, signage, electronic security systems, access control systems, hatches/vaults and vents, and online water-quality monitoring. A utility can determine whether its security measures are adequate according to the recommendations. If the results of the VA, or other variables such as “specific site conditions or external requirements (such as local ordinances),” dictate “deviations” from the recommended security measures, the utility can elect to provide a different level of security for various assets (ASCE/AWWA 2006a).
Stormwater Facilities
The three sections on facility types in the Guidelines that are most likely to be applicable to stormwater utilities are Section 3, Collection Systems; Section 4, Pump Stations; and Section 5, Wastewater/Stormwater System Support Facilities. Each section describes the major attributes of the facility, the philosophy of security, and benchmark security measures for the facility for each DBT. These sections demonstrate the flexibility of the Guidelines, since a utility would implement the security measures that fit its circumstances and threats.
Collection Systems: Stormwater collection and conveyance systems present unique security challenges to utilities. The major challenges with collection/conveyance system security are that they are geographically dispersed and do not lend themselves to being controlled at their perimeter (because, for instance, they often run through private property). The most serious risks posed by conveyance systems, which are the most serious risks posed by stormwater facilities overall, would be their use as an avenue to damage other major, critical infrastructure and cause loss of life or their use to introduce contaminants into the environment via outfalls. There are five main areas to which security measures for collection systems can be applied: system structures, water-quality monitoring (covered in more detail later), CCTV systems, power and wiring, and supervisory control and data acquisition (SCADA). System structure security measures range from locking manhole covers to routing sewers so that they are not underneath a critical infrastructure or target. In Denver, CO, a number of manhole covers are slated to be welded shut as a security measure. Denver has been selected to host the Democratic National Convention in August 2008. Because the convention is a high-profile event with national significance, the city has set up a blue ribbon committee to guide the city’s planning efforts for the event, according to Terry Baus of the City and County of Denver Wastewater Department, which manages both wastewater and stormwater. Although the committee’s work is not yet complete and a VA for the stormwater system has not been completed to date, preventing easy access to the stormwater conveyance system is expected to be among the security actions Denver takes to prepare for this noted event.
Pumping Stations: Pumping stations, if attacked, present the major risks of causing environmental or flooding problems if they fail and conveying contaminants. These facilities, unlike collection and conveyance systems, have defined perimeters and thus can be secured more similarly to wastewater treatment plants and other facilities with defined boundaries. For instance, pumping stations can be enclosed in perimeter fencing. Other security measure categories include water-quality monitoring, CCTV systems, power and wiring, and SCADA security.
Stormwater System Support Facilities: Support facilities include “administrative buildings, maintenance yards, [and] material and vehicle storage areas” (ASCE/AWWA 2006a). These facilities are not targets for the same reason as the stormwater drainage system (contamination) but may nevertheless be attractive for attackers because, for instance, fuel and other materials are stored at them or because they are symbolic targets. Categories for security measures are similar to the ones for other facilities. Specific security measures may include ones such as those used at the downtown office of the Metropolitan Water Reclamation District of Greater Chicago. Entrance to the office is restricted, employee badges are required, and visitor access is controlled, according to Susan O’Connell, principal civil engineer for the district.
Step 4: Consider Consequence Mitigation
Before making a final decision about what types of physical security measures to implement, a utility must weigh the cost of the measure against mitigating the consequences of an event. Does it make more sense to replace or repair an asset than to implement a security measure? If so, mitigation might be the best measure for a particular facility. The Guidelines suggest the use of tools such as a cost-to-risk reduction curve, excerpted from the document and included here as Figure 1.
Experience With the Security Guidance
Some utilities agreed to speak with Stormwater about their experience with the security guidance and guidelines, although the specific results of their vulnerability assessments and implemented security measures were not discussed. One of these, the Metropolitan Water Reclamation District of Greater Chicago, has been treating wastewater for Chicago for over 80 years and began stormwater-related duties in the 1970s. The district used the phase I Guidance document in its process to increase the security of its facilities. The district, which was involved in the creation of the VSAT, conducted its vulnerability assessment of both wastewater and stormwater assets. The district considered its options for increasing security according to the Guidance and subsequently implemented security measures enterprise-wide. Speaking about the Guidance document itself, Antonio Quintanilla, assistant chief engineer and plant manager for the Calumet Water Reclamation facility for the district, says, “They’re very well done, very well thought through.” The district used the phase I document, as opposed to the phase III document, but both have the same “key concepts,” says Quintanilla. The phase III Guidelines simply made physical security guidance “a lot more meaty.” Pointing out the flexibility of the documents, he says that organizations have to decide how far to take them: “Where does the agency feel comfortable in accepting risk?” He points to the cost-to-risk reduction curve, shown in Figure 1, as an illustration of this concept.
What Do the Guidelines and Voluntary Interim Guidance Mean for Stormwater Managers?
The Guidelines are not a mandatory standard, nor are they expected to become one, according to Hasit. According to ASCE standards-writing protocol, consensus standards like these offer “a series of options, suggestions, methods or instructions, but normally shall not recommend a specific course of action” (ASCE 2006). Thus, they should be viewed as a valuable resource for stormwater system managers. Some other points to consider follow.
Resources Are Available
The 2006 DSTU and the 2004 guidance documents produced by the WISE project are a valuable resource for stormwater utilities and programs. They provide managers with clear, concise information to assist with security planning. The documents provide an overall framework for planning as well as specific recommended actions. The recommendations are flexible and vary based on the individual system circumstances and vulnerability assessment. The Guidelines make it clear that every system can take steps to be more secure and that security is important, whether the threat is from petty vandalism or a disgruntled insider, for every system. The documents are in themselves resources, and they also provide users with references to other helpful documents, trainings, and resources.
Funding
Some of these helpful references, found in the 2004 Guidance, are about funding. Section 2.6.4 discusses possible sources of funding, suggesting that systems contact regional emergency planning agencies to discuss possible funding. Sources suggested by the document include Clean Water State Revolving Funds (state), Pre-Disaster Mitigation Program (FEMA), and Multi-Hazard Mitigation and Terrorism Prevention (MHMTP). Securing infrastructure is an important program for the Department of Homeland Security, and although funding for securing wastewater/stormwater infrastructure has not been announced, managers should be on the lookout in case funding becomes available in the future. Finally, the 2004 Guidance contains suggestions for ensuring adequate capital improvement program (CIP) funding at the local level for security.
Conduct a Vulnerability Assessment
As an earlier section described, both the 2006 Guidelines and the 2004 Voluntary Interim Security Guidance for Wastewater/Stormwater Facilities advise that organizations conduct a vulnerability assessment. “A thorough VA will … identify the threats that should be addressed” (WEF 2004). Jim Sullivan, with the WEF, which conducts training for wastewater systems on vulnerability assessments, states that the WEF does not “have a good idea how many wastewater systems are implementing security measures because there is no federal mandate to conduct one, and we do not track their progress to see if they complete the assessment.” The story for stormwater systems appears to be similar—it is unknown how many stormwater systems have completed a VA. The WEF’s Web site provides information on its training, as well as links to other security resources (www.wef.org).
Implement Operational and Management Changes
Phase I of the WISE project produced the 2004 Voluntary Interim Security Guidance for Wastewater/Stormwater Facilities. For managers concerned with cost, this document contains suggested management and operational changes, as well as design changes (which could involve greater capital investments), that can be implemented to reduce vulnerabilities. The lower-cost changes, such as human resources precautions like employee identification badges, background checks, and contractor access, are described in detail in the document. The Guidance also describes the importance of involving the governing board of a utility in the awareness of and planning for securing facilities and of increasing public awareness of potential threats. Operational changes, which tend to be less expensive than capital expenditures but may still be demanding of “substantial resources” in “staff time” and other expenses (WEF 2004), are also laid out in the Guidance. Some examples of these changes range from practices as simple as locking gates when a facility is not attended by staff to setting up alarm response protocols.
Keep a Watch on the Development of Online Contaminant Monitoring Systems
As described in the history of the 2006 Guidelines, one area of the WISE project was development of standards for an Online Contaminant Monitoring System (OCMS). A draft standard for trial use has not yet been produced for this area of the project; however, the pre-standards document, published in 2004, provides a wealth of information about online contaminant monitoring. From a drinking-water perspective, the value of contaminant monitoring is obvious. Contamination of drinking-water supplies could cause illness or even death in consumers, prevent the utility from selling the contaminated water, erode public trust, and subject the utility to legal liability (ASCE 2006). For wastewater utilities (and combined sewer areas), contamination could damage treatment processes, resulting in unacceptable effluent levels. For separate stormwater systems, the consequences of contamination may seem less severe. However, apart from the environmental damage that could occur, contamination from some substances, such as a flammable substance that ignites while in the system, could be devastating. One often-cited occurrence is an explosion that destroyed 2 miles of streets in Louisville, KY, in 1981. A flammable material had been introduced into the wastewater system, ignited, and caused massive damage to the city’s infrastructure. Thus, there is value for a stormwater OCMS, if the results of a VA suggest that the utility faces a threat that makes it necessary. The OCMS Guidance makes it clear that, currently, a number of factors limit the implementation of a system. Because the field is in an early stage, even the risk assessment tools necessary to characterize contamination threats are limited, let alone the instrumentation and other technology for an OCMS.
Advertisement
According to the ASCE guidance, one of the objectives or missions of an OCMS may be “to support or supplement the existing regulatory surveillance activities” (ASCE 2004). Existing activities may be programs such as illicit discharge detection and elimination (IDDE) requirements for NPDES Phase II permits. However, this mission in itself may not justify the type of remote, sensitive instrumentation and extensive monitoring required for an extensive OCMS. The expense of an OCMS is more likely to be justified by a need to “provide early, reliable warning of a contamination event …, indicate the location and travel of the contaminant …, and identify the contaminant and its concentration.” As this field develops, best practices and proper technology will become more evident.
Changing a Culture
“Preparing for extreme events has been a standard practice of wastewater and stormwater designers, managers, and operators for many decades. Major rain events, blizzards, and earthquakes have been considerations in the design of infrastructure and in the planning for emergency preparedness and disaster response” (WEF 2004). However, security has not traditionally been incorporated into all aspects of the design of wastewater and stormwater facilities. As Passaro, who worked on the Guidelines, puts it, the main concerns in design of facilities have “always been [concerns like] minimizing pipe run and making deliveries convenient and easy.” Therefore, for instance, wastewater plants put “chemicals up front” so that deliveries are a snap. However, a large chemical storage area in the front of a facility presents an obvious security risk if the facility is targeted for an attack. As Hasit says, facility security is a “new thinking process, a cultural change,” and this change needs to be incorporated into the design, operation, and management of facilities. The area of wastewater infrastructure security (including stormwater infrastructure) is rapidly progressing, so now stormwater managers can find guidance as they contend with the question of their stormwater system security.
Author's Bio: Henrietta H. P. Locklear is with AMEC Earth and Environmental Inc. in Raleigh, NC.
July-August 2007
Preparing for the Everyday
A new landscape in stormwater infrastructure security
By
Henrietta H. P. Locklear
“You’ll notice that terrorists are not listed among the persons in the threat matrix,” says Yakir Hasit, Ph.D., P.E., principal project manager with CH2M Hill.
Stormwater asked Hasit about how the recently released American Society of Civil Engineers and American Water Works Association (ASCE/AWWA) Draft American National Standard for Trial Use (DSTU), entitled
Guidelines for the Physical Security of Wastewater/Stormwater Utilities, related to concerns about terrorist acts against the nation’s water and wastewater infrastructure. Hasit was a member of the team that drafted the document. It might seem surprising that, although terrorism is probably the first threat that comes to mind when the word
security appears in this context, the
Guidelines concern everyday threats to the proper functions of our water infrastructure, such as vandalism, as much as an unthinkable, catastrophic event.
Just as the word security might bring terrorism to mind, the word standards might make stormwater managers think, “Is this one more expensive mandate we have to find a way to fund?” The DSTU may become American National Standards Institute (ANSI) standards in the next year but are expected to remain nonmandatory guidance. Written in permissive terms rather than prescriptive ones, they aim to help utilities cope with security in the post-9/11 age. The DSTU offers stormwater managers an open, flexible framework for determining how best to meet their identified security vulnerabilities.
This article covers the content and the implications for stormwater managers of the Guidelines for the Physical Security of Wastewater/Stormwater Utilities, as well as some items of interest in the earlier releases: the Interim Voluntary Security Guidance for Wastewater/Stormwater Utilities (WEF 2004) and the Interim Voluntary Security Guidance for Designing an Online Contaminant Monitoring System (ASCE 2004).
History of the Guidelines
The events of September 11, 2001, catalyzed a change in the country’s attitude toward infrastructure security; “vulnerabilities that previously were not even considered must now be identified and addressed” (WEF 2004). In 2002, the United States Public Health Security and Bioterrorism Preparedness and Response Act (PL 107-188) was passed. It required water utilities—those serving 3,300 or more customers—to identify risks through vulnerability assessments (VAs). (The VAs for the smallest of the utilities covered under the act, serving between 3,300 and 49,999 customers, were required to have been completed by June 30, 2004.) According to the EPA, “Vulnerability assessments help water utilities to evaluate their susceptibility to potential threats and identify corrective actions to reduce or mitigate the risk of serious consequences from vandalism, insider sabotage, or terrorist attack” (http://cfpub.epa.gov/safewater/watersecurity/). Similar regulations have not been passed for wastewater or stormwater systems, although some wastewater utilities have voluntarily completed vulnerability assessments (GAO 2006). However, wastewater and stormwater infrastructure has various vulnerabilities of its own, and several efforts are under way to assist wastewater facilities, at least, with reducing their vulnerabilities (http://cfpub.epa.gov/safewater/watersecurity/index.cfm) (GAO 2006).
One of these projects is the USEPA Water Infrastructure Security Enhancement (WISE) Project. The project, completed under a cooperative agreement among the ASCE, the AWWA, and the Water Environment Federation (WEF), was funded by an EPA grant. The purpose of the WISE project was to “develop materials to assist in the implementation of security recommendations and the overall improvement of water and wastewater infrastructure security” (ASCE/AWWA 2006a). Each of the three organizations was responsible for a different aspect of the WISE Project:
The ASCE was the lead for design of the contaminant detection and monitoring systems for drinking water and wastewater.
The AWWA was the lead for drinking-water supply, treatment, and distribution system concerns.
The WEF was the lead for wastewater and stormwater collection, treatment, and disposal system concerns.
Phase I of the project, completed in 2004, focused on providing a framework for utilities to address the management and operational changes, which require little or no capital investment, and physical upgrades, which may require capital investment, needed to address the specific threats faced by individual systems. This phase produced three security guidance documents, which are available, free of charge, through each of the three organization’s Web sites (http://www.awwa.org/science/wise/). The guidance documents are Interim Voluntary Security Guidance for Wastewater/Stormwater Utilities, Interim Voluntary Security Guidance for Water Utilities, and Interim Voluntary Security Guidance for Contaminant Monitoring Systems.
Phase II of the WISE Project drew on the documents prepared for phase I to create training modules that are appropriate for a wide range of individuals involved in or concerned with utility operations and security. The training modules are available free of charge on CD-ROM through an e-mail request to wise@asce.org (include your mailing address and affiliation when requesting the modules).
Phase III, the most recent phase of the project, focused on the physical security of facilities. This focus was driven by reactions to the phase I documents. According to Stacy Passaro, who was the project manager at the WEF for the WISE Project, after the phase I guidance was published, managers knew “where their vulnerabilities were, but they need a tool to help them get the changes made.” The phase III documents are entitled ASCE/AWWA DSTU Guidelines for the Physical Security of Wastewater/Stormwater Utilities and Guidelines for the Physical Security of Water Utilities.
The Guidelines and Terrorism
The latest documents produced through the project do not focus on terrorism but rather on the “overall improvement” of security at facilities. They do this by addressing threats that are less catastrophic in scope than a terrorist attack, such as disruption of service through sabotage, but that are more probable threats to any single utility (WEF 2004). Passaro explains that although 9/11 was an immediate driver for the project, “Once we got into it, we realized that [terrorism] wasn’t as high on the priority list.” As Hasit describes it, there is no way to fully plan for or protect against a person or group who care nothing about their own lives and aim to cause extensive loss of life. However, utilities can do a lot to protect against disruption of a utility’s mission by what the documents call design basis threats (DBTs): vandals, criminals, saboteurs, and insiders. When it comes to catastrophic attacks, utilities need to have excellent emergency response mechanisms to speed the recovery and proper functioning of the utility. The creators of the Guidelines realized that security measures must strike a balance, somewhere between being an easy target and implementing expensive, cumbersome (and ultimately surmountable) preventative measures. This approach involves “smart planning and design to take away easy access” on the one hand, Passaro explains, and redundancy, backup, and emergency response on the other.
What Do the Guidelines Say?
The following sections summarize the methodology for identifying and mitigating threats recommended by the 2006 ASCE/AWWA DSTU Guidelines for the Physical Security of Wastewater/Stormwater Utilities.
Physical Protection of Facilities
The Guidelines recommend specific physical security measures, such as perimeter fencing and closed-circuit television (CCTV) systems. These measures are designed to fulfill one or more elements of facility security and together reduce the probability of a threat and/or the damage a malevolent act has upon a facility. Table 1 gives examples of each element and a brief description.
Step 1: Conduct a Vulnerability Assessment
The introduction to the 2004 Interim Voluntary Security Guidance (which is covered in more detail later) states, “Security issues related to stormwater conveyance systems are included in this document to the extent that the issues parallel those for sanitary sewage collection systems and combined sewer systems, which may be integral parts of a wastewater utility.” Likewise, the Guidelines primarily address stormwater facilities that are in common with a wastewater utility, such as office buildings, or possibly a pump station, and the stormwater collection system. The Guidelines do not focus on flood control canals and dams, although, as one user of the phase I Guidance pointed out, the ideas in the document are really applicable to all types of infrastructure.
The 2006 DSTU Guidelines assume that utilities have completed a vulnerability assessment before using the document. Managers who have participated in multi-hazard mitigation planning (MHMP) might be familiar with VAs, which are conducted as part of efforts to identify risks for communities. Resources on vulnerability assessment tools can be found on the WEF and EPA Web sites (http://www.wef.org/
and http://cfpub.epa.gov/, respectively). Two generally accepted tools cited by the DSTU Guidelines are the Vulnerability Self-Assessment Tool (VSAT) (http://www.vsatusers.net/) and Risk Assessment Methodology for Water (RAM-WT) (http://www.sandia.gov/ram/RAMW.htm). An EPA fact sheet for water utilities on VAs cites the following as “common elements” for a VA:
- Characterization of the system, including mission and objectives
- Identification and characterization of adverse consequences to avoid
- Critical assets that might be subject to malevolent acts that could result in undesired consequences
- Assessment of the likelihood (qualitative probability) of such malevolent acts from adversaries
- Evaluation of existing countermeasures
Analysis of current risk and development of prioritized plan for risk reduction
Step 2: Characterize the Design Basis Threat
- At the outcome of the vulnerability assessment, the utility should go on to characterize the DBTs, which are the threats “the utility decides to protect against” (WEF 2004). The DBTs are the “identified adversaries” with their “specified motivation, tools, equipment, and weapons” (ASCE/AWWA 2006a), or, as defined by the Department of Defense (DOD), “[t]he threat against which an asset must be protected and upon which the protective system’s design is based. It is the baseline type and size of threat that buildings or other structures are designed to withstand. The design basis threat includes the tactics aggressors will use against the asset and the tools, weapons, and explosives employed in these tactics” (http://www.dtic.mil/doctrine/jel/doddict/data/d/01646.html).
- The Guidelines are built around four DBT categories: vandal, criminal, saboteur, and insider. These categories are described in detail in the document, as shown in the capability matrix, an excerpt from the document, in Table 2. There are two levels of threat for each DBT category, the base level and the enhanced level.
- Domestic and international terrorists are considered a special category of DBT for the purposes of the Guidelines and may require specialized plans and enhanced measures beyond the ones recommended for the four DBT types addressed in the document.
Step 3: Identify Security Measures
For each type of facility, such as pump station, collection system, or treatment plant, the Guidelines recommend physical security measures for each DBT. The document includes sections for wastewater treatment plants, collection systems, pumping stations, and support facilities covering applicable physical security measures. The appendix describes in detail each of the physical security measures that are covered in each of the sections, such as perimeter fences, walls, gates, site area clear zones, facility entrances, bollards, exterior surfaces, lighting, signage, electronic security systems, access control systems, hatches/vaults and vents, and online water-quality monitoring. A utility can determine whether its security measures are adequate according to the recommendations. If the results of the VA, or other variables such as “specific site conditions or external requirements (such as local ordinances),” dictate “deviations” from the recommended security measures, the utility can elect to provide a different level of security for various assets (ASCE/AWWA 2006a).
Stormwater Facilities
The three sections on facility types in the Guidelines that are most likely to be applicable to stormwater utilities are Section 3, Collection Systems; Section 4, Pump Stations; and Section 5, Wastewater/Stormwater System Support Facilities. Each section describes the major attributes of the facility, the philosophy of security, and benchmark security measures for the facility for each DBT. These sections demonstrate the flexibility of the Guidelines, since a utility would implement the security measures that fit its circumstances and threats.
Collection Systems: Stormwater collection and conveyance systems present unique security challenges to utilities. The major challenges with collection/conveyance system security are that they are geographically dispersed and do not lend themselves to being controlled at their perimeter (because, for instance, they often run through private property). The most serious risks posed by conveyance systems, which are the most serious risks posed by stormwater facilities overall, would be their use as an avenue to damage other major, critical infrastructure and cause loss of life or their use to introduce contaminants into the environment via outfalls. There are five main areas to which security measures for collection systems can be applied: system structures, water-quality monitoring (covered in more detail later), CCTV systems, power and wiring, and supervisory control and data acquisition (SCADA). System structure security measures range from locking manhole covers to routing sewers so that they are not underneath a critical infrastructure or target. In Denver, CO, a number of manhole covers are slated to be welded shut as a security measure. Denver has been selected to host the Democratic National Convention in August 2008. Because the convention is a high-profile event with national significance, the city has set up a blue ribbon committee to guide the city’s planning efforts for the event, according to Terry Baus of the City and County of Denver Wastewater Department, which manages both wastewater and stormwater. Although the committee’s work is not yet complete and a VA for the stormwater system has not been completed to date, preventing easy access to the stormwater conveyance system is expected to be among the security actions Denver takes to prepare for this noted event.
Pumping Stations: Pumping stations, if attacked, present the major risks of causing environmental or flooding problems if they fail and conveying contaminants. These facilities, unlike collection and conveyance systems, have defined perimeters and thus can be secured more similarly to wastewater treatment plants and other facilities with defined boundaries. For instance, pumping stations can be enclosed in perimeter fencing. Other security measure categories include water-quality monitoring, CCTV systems, power and wiring, and SCADA security.
Stormwater System Support Facilities: Support facilities include “administrative buildings, maintenance yards, [and] material and vehicle storage areas” (ASCE/AWWA 2006a). These facilities are not targets for the same reason as the stormwater drainage system (contamination) but may nevertheless be attractive for attackers because, for instance, fuel and other materials are stored at them or because they are symbolic targets. Categories for security measures are similar to the ones for other facilities. Specific security measures may include ones such as those used at the downtown office of the Metropolitan Water Reclamation District of Greater Chicago. Entrance to the office is restricted, employee badges are required, and visitor access is controlled, according to Susan O’Connell, principal civil engineer for the district.
Step 4: Consider Consequence Mitigation
Before making a final decision about what types of physical security measures to implement, a utility must weigh the cost of the measure against mitigating the consequences of an event. Does it make more sense to replace or repair an asset than to implement a security measure? If so, mitigation might be the best measure for a particular facility. The Guidelines suggest the use of tools such as a cost-to-risk reduction curve, excerpted from the document and included here as Figure 1.
Experience With the Security Guidance
Some utilities agreed to speak with Stormwater about their experience with the security guidance and guidelines, although the specific results of their vulnerability assessments and implemented security measures were not discussed. One of these, the Metropolitan Water Reclamation District of Greater Chicago, has been treating wastewater for Chicago for over 80 years and began stormwater-related duties in the 1970s. The district used the phase I Guidance document in its process to increase the security of its facilities. The district, which was involved in the creation of the VSAT, conducted its vulnerability assessment of both wastewater and stormwater assets. The district considered its options for increasing security according to the Guidance and subsequently implemented security measures enterprise-wide. Speaking about the Guidance document itself, Antonio Quintanilla, assistant chief engineer and plant manager for the Calumet Water Reclamation facility for the district, says, “They’re very well done, very well thought through.” The district used the phase I document, as opposed to the phase III document, but both have the same “key concepts,” says Quintanilla. The phase III Guidelines simply made physical security guidance “a lot more meaty.” Pointing out the flexibility of the documents, he says that organizations have to decide how far to take them: “Where does the agency feel comfortable in accepting risk?” He points to the cost-to-risk reduction curve, shown in Figure 1, as an illustration of this concept.
What Do the Guidelines and Voluntary Interim Guidance Mean for Stormwater Managers?
The Guidelines are not a mandatory standard, nor are they expected to become one, according to Hasit. According to ASCE standards-writing protocol, consensus standards like these offer “a series of options, suggestions, methods or instructions, but normally shall not recommend a specific course of action” (ASCE 2006). Thus, they should be viewed as a valuable resource for stormwater system managers. Some other points to consider follow.
Resources Are Available
The 2006 DSTU and the 2004 guidance documents produced by the WISE project are a valuable resource for stormwater utilities and programs. They provide managers with clear, concise information to assist with security planning. The documents provide an overall framework for planning as well as specific recommended actions. The recommendations are flexible and vary based on the individual system circumstances and vulnerability assessment. The Guidelines make it clear that every system can take steps to be more secure and that security is important, whether the threat is from petty vandalism or a disgruntled insider, for every system. The documents are in themselves resources, and they also provide users with references to other helpful documents, trainings, and resources.
Funding
Some of these helpful references, found in the 2004 Guidance, are about funding. Section 2.6.4 discusses possible sources of funding, suggesting that systems contact regional emergency planning agencies to discuss possible funding. Sources suggested by the document include Clean Water State Revolving Funds (state), Pre-Disaster Mitigation Program (FEMA), and Multi-Hazard Mitigation and Terrorism Prevention (MHMTP). Securing infrastructure is an important program for the Department of Homeland Security, and although funding for securing wastewater/stormwater infrastructure has not been announced, managers should be on the lookout in case funding becomes available in the future. Finally, the 2004 Guidance contains suggestions for ensuring adequate capital improvement program (CIP) funding at the local level for security.
Conduct a Vulnerability Assessment
As an earlier section described, both the 2006 Guidelines and the 2004 Voluntary Interim Security Guidance for Wastewater/Stormwater Facilities advise that organizations conduct a vulnerability assessment. “A thorough VA will … identify the threats that should be addressed” (WEF 2004). Jim Sullivan, with the WEF, which conducts training for wastewater systems on vulnerability assessments, states that the WEF does not “have a good idea how many wastewater systems are implementing security measures because there is no federal mandate to conduct one, and we do not track their progress to see if they complete the assessment.” The story for stormwater systems appears to be similar—it is unknown how many stormwater systems have completed a VA. The WEF’s Web site provides information on its training, as well as links to other security resources (www.wef.org).
Implement Operational and Management Changes
Phase I of the WISE project produced the 2004 Voluntary Interim Security Guidance for Wastewater/Stormwater Facilities. For managers concerned with cost, this document contains suggested management and operational changes, as well as design changes (which could involve greater capital investments), that can be implemented to reduce vulnerabilities. The lower-cost changes, such as human resources precautions like employee identification badges, background checks, and contractor access, are described in detail in the document. The Guidance also describes the importance of involving the governing board of a utility in the awareness of and planning for securing facilities and of increasing public awareness of potential threats. Operational changes, which tend to be less expensive than capital expenditures but may still be demanding of “substantial resources” in “staff time” and other expenses (WEF 2004), are also laid out in the Guidance. Some examples of these changes range from practices as simple as locking gates when a facility is not attended by staff to setting up alarm response protocols.
Keep a Watch on the Development of Online Contaminant Monitoring Systems
As described in the history of the 2006 Guidelines, one area of the WISE project was development of standards for an Online Contaminant Monitoring System (OCMS). A draft standard for trial use has not yet been produced for this area of the project; however, the pre-standards document, published in 2004, provides a wealth of information about online contaminant monitoring. From a drinking-water perspective, the value of contaminant monitoring is obvious. Contamination of drinking-water supplies could cause illness or even death in consumers, prevent the utility from selling the contaminated water, erode public trust, and subject the utility to legal liability (ASCE 2006). For wastewater utilities (and combined sewer areas), contamination could damage treatment processes, resulting in unacceptable effluent levels. For separate stormwater systems, the consequences of contamination may seem less severe. However, apart from the environmental damage that could occur, contamination from some substances, such as a flammable substance that ignites while in the system, could be devastating. One often-cited occurrence is an explosion that destroyed 2 miles of streets in Louisville, KY, in 1981. A flammable material had been introduced into the wastewater system, ignited, and caused massive damage to the city’s infrastructure. Thus, there is value for a stormwater OCMS, if the results of a VA suggest that the utility faces a threat that makes it necessary. The OCMS Guidance makes it clear that, currently, a number of factors limit the implementation of a system. Because the field is in an early stage, even the risk assessment tools necessary to characterize contamination threats are limited, let alone the instrumentation and other technology for an OCMS.
According to the ASCE guidance, one of the objectives or missions of an OCMS may be “to support or supplement the existing regulatory surveillance activities” (ASCE 2004). Existing activities may be programs such as illicit discharge detection and elimination (IDDE) requirements for NPDES Phase II permits. However, this mission in itself may not justify the type of remote, sensitive instrumentation and extensive monitoring required for an extensive OCMS. The expense of an OCMS is more likely to be justified by a need to “provide early, reliable warning of a contamination event …, indicate the location and travel of the contaminant …, and identify the contaminant and its concentration.” As this field develops, best practices and proper technology will become more evident.
Changing a Culture
“Preparing for extreme events has been a standard practice of wastewater and stormwater designers, managers, and operators for many decades. Major rain events, blizzards, and earthquakes have been considerations in the design of infrastructure and in the planning for emergency preparedness and disaster response” (WEF 2004). However, security has not traditionally been incorporated into all aspects of the design of wastewater and stormwater facilities. As Passaro, who worked on the Guidelines, puts it, the main concerns in design of facilities have “always been [concerns like] minimizing pipe run and making deliveries convenient and easy.” Therefore, for instance, wastewater plants put “chemicals up front” so that deliveries are a snap. However, a large chemical storage area in the front of a facility presents an obvious security risk if the facility is targeted for an attack. As Hasit says, facility security is a “new thinking process, a cultural change,” and this change needs to be incorporated into the design, operation, and management of facilities. The area of wastewater infrastructure security (including stormwater infrastructure) is rapidly progressing, so now stormwater managers can find guidance as they contend with the question of their stormwater system security.