1 / 59

Water & Wastewater Security It’s Still Important

Water & Wastewater Security It’s Still Important. Mark Wetzel P.E., Stantec ISA Water & Wastewater Conference August 2007. Presenter – Mark Wetzel, PE. Principal and New England Practice Area Leader – Environmental Infrastructure

rane
Download Presentation

Water & Wastewater Security It’s Still Important

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Water & Wastewater Security It’s Still Important Mark Wetzel P.E., Stantec ISA Water & Wastewater Conference August 2007

  2. Presenter – Mark Wetzel, PE • Principal and New England Practice Area Leader – Environmental Infrastructure • 29 years of municipal water and wastewater engineering experience • Member of AWWA, NEWWA, WEF

  3. Water System Security Background • Public Health and Security and Bioterrorism Preparedness and Response Act of 2002 required community water systems to complete vulnerability assessments (VA) • Funding was provided for large systems to complete the VA • Implementation of security improvements was the responsibility of individual utilities

  4. Water System Security – Who’s in Charge? HSRC, ETV, ETC FBI INFRAGARD PROGRAM ELEMENTS CDC EPA Federal & State Agencies NDWAC WSWG PRACTICES & PRINCIPLES DHS STATE PUBLIC WATER AGENCIES WSCC Associations & Committees AMWA ASCE/ EWRI AWWA ASDWA NRWA WATER ISAC WISE WATER UTILITY COUNCIL SECURITY COMMITTEE • OTHER INVOLVED GROUPS • SANDIA LABS • ARGONNE LABS • CONSULTANTS • MILITARY LABS • TISP • WEF • AMSA WS SUBCOMMITTEE M&C (ASCE) SUBCOMMITTEE TECHNICAL ADVISORY GROUP MONITORING USERS GROUP WW (WEF) SUBCOMMITTEE

  5. Security Needs – Water Systems • 160,000 water systems in the US; 466 serve more than 100,000 people • VAs were completed in 2004 to identify system vulnerabilities and mitigation • Issues • Lack of redundancy • Cyber-security • Water quality monitoring • Surveillance & facility hardening

  6. Key Vulnerabilities Identified As Compromising Drinking Water System Security

  7. Wastewater Needs • 16,000 PO wastewater systems in US • 500 systems serve 62% of the population • No regulatory requirements to assess security / mitigate vulnerability • Wastewater / stormwater facilities can provide point of entry to potential targets • Failure causes chemical releases, health threats, environmental impacts and economic impacts • Potential for large scale explosions

  8. Water Infrastructure Security Enhancements • AWWA, ASCE and WEF worked together to develop and implement security standards for water & wastewater systems • USEPA funded the effort known as Water Infrastructure Security Enhancements (WISE) • AWWA led the water utility effort • WEF led the wastewater utility effort • ASCE led the contaminant detection and monitoring effort for both water & wastewater • Three phase approach

  9. Water Infrastructure Security Enhancement (WISE) • Phase I - Guidance Documents: Water Supply, Wastewater/Stormwater, Online Contaminant Monitoring • Phase II - WISE Training Materials • Phase III - Voluntary Physical Security Guidelines - for Water Supply and Wastewater/Stormwater Utilities

  10. Purpose of Security Guidance “Provide a centralized starting point for utilities as they integrate modern security practices into the management, operation, construction, or retrofit of their water, wastewater and stormwater systems” Guidance available on line at: www.awwa.org/science/wise www.asce.org/static/1/wise.cfm

  11. Overview of Guidance

  12. Security Needs and Strategies • Identify reasons for security measures • Determine vulnerabilities and risks • Develop security strategy based on threats • Risk reduction • Cost-Benefit analysis • Cost to risk reduction analysis • Develop a balanced plan • Prioritize investments

  13. Risk Assessment Methodology for Water Utilities (RAM-W)

  14. Design Basis Threat • Identify threats and threat levels • Vandal • Criminal • Saboteur • Terrorist • Threat Level Characteristics • Planning • Access • Weapons • Contaminants • Asset damage • Theft • Injuries • Fatalities

  15. Other Considerations • Issues related to vulnerability / risk assessment • Natural disasters • Unanticipated failures • Emergency preparedness • Loss of key staff • Mitigation • Emergency Response • Recovery

  16. Management Considerations • Financial planning / CIP program to support security needs • Policies and procedures • Background checks on employees and contractors • Training • Records management • Operations policies • Information access • Emergency procurement • Communications

  17. Operational Considerations for Enhancing Physical Security • Operational changes can provide the most cost effective security enhancements • Approaches will depend upon the threat levels (vandals, criminals, saboteurs, terrorists) • Deter – Detect - Delay • Operational approaches should be developed on a “layered approach” • Perimeter • Site • Buildings and structures • Building systems (internal features)

  18. General Operational Practices • Visitor control /delivery control • Alarm points and response • Access control / key control • Scheduling of maintenance / general maintenance practices • Clear zone areas / site access • Fencing • Cyber security

  19. Operational Policies should be developed for each facility including: • Source water • Intakes and impoundments • Wells and pumping stations • Treatment facilities • Storage facilities • Distribution systems • Administration facilities

  20. Hacker jailed for revenge sewage attacks By Tony Smith Published Wednesday 31st October 2001 15:55 GMT An Australian man was today sent to prison for two years after he was found guilty of hacking into the Maroochy Shire, Queensland computerized waste management system and caused millions of litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel. "Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant of the Australian Environmental Protection Agency.

  21. SCADA – Cyber Security “ Under restructuring, the grid is now being operated in a way for which it was never designed... More access to control systems is being granted to more users, the demand for real-time control has increased system complexity, and business and control systems are interconnected. ” Samuel Varnado, director of the Information Operations Center, Sandia National Labs

  22. Cyber Security • Cyber security is the protection of enterprise information systems from inside or outside attack • Systems include • Financial and enterprise resource programs • LIMS • Customer Information systems • Preventative maintenance / work order system • GIS, records, models • SCADA and controls • Threats • Outside hackers • Outside attackers • Inside attackers

  23. Integrations Issues • Network system reliability • Exposure to viruses, worms, Trojan horses • Increased traffic on system • Controlling / managing access • Expertise of staff

  24. Control System Security Program • United States Computer Emergency Readiness Team (US-CERT) Catalog of Control Systems Security Requirements • Developed to facilitate the development of cyber security standards for control systems • Includes: • Organizational, personnel, physical security • Systems & services acquisition • Planning • System & communications protection • Information / document management • Awareness & training • Incident response • System integrity • Access Control • Risk management • http://www.us-cert.gov/control_systems/

  25. Cyber Security Policies and Procedures • Process for granting / revoking access to system • Password policies • Maintenance of anti-virus and firewall systems • Restricted flow of information between systems and networks • Comprehensive system documentation • Prohibition of unauthorized wireless or modem connections • Disaster recovery plan • Incident response plan • Cyber security training

  26. Cyber Security Design • Physical security • Back-up of all systems every day with off-site storage of back-up data • Lockable PLC cabinets, computer / server rooms • Protective, lockable cabinets for outdoor RTUs • Managed entry system (coded of cards) for server rooms • Best design practices • Identify & characterize all network connections and implements secure connections • Provide UPS for all critical components • Contract for periodic evaluation of firewalls and intrusion detection systems

  27. SCADA Security • Use intelligent RTUs with manual operation overrides • Grid topology to eliminate single points of failure • Design intrusion detection tools into system • Test system for intrusion and vulnerability

  28. Purpose of Physical Security Guidance • “Provide direction to water utilities on how to design or retrofit their infrastructure, with respect to their unique circumstances or threats” • “Establish physical and procedural controls to restrict access to utility infrastructure…….and to detect unauthorized physical intrusions” • “Incorporate security considerations into decisions about acquisition, repair, major maintenance and replacement of infrastructure”

  29. Physical Design Considerations • Based on threat type and layered approach • Crime Prevention through Environmental Design (CPTED) • Access control • Territorial reinforcement • Surveillance • Image and maintenance • Specific design considerations /criteria • 10 State Standards • USEPA Water Security Web site / tools & guidance • WISE Phase III Guidelines for Physical Security of Water Utilities

  30. Overview • Guidance addresses: • Raw Water Facilities • Wells & pumping stations • Water Treatment plants • Finished Water Storage Facilities Distribution systems • Water system support facilities • For each facility the guidance includes: • Scope • Facility mission • Philosophy of security approach • Benchmark security measures

  31. Elements of Physical Security Systems • Deterrence, detection, delay, response • Design base threat • Layered approach

  32. Physical Security Methodology • Step 1 – Vulnerability Assessment • Step 2 - Characterize design base threat (DBT) • Step 3 – Identify security measures • Step 4 – Consider Consequence Mitigation

  33. Benchmark Security Measures • Guideline establishes benchmark measures to deter, detect and/or delay threats • Based on each type of facility and DBT • Decisions are site and utility specific and benchmarks are considerations not rules • Special considerations may be required depending upon public safety, redundancy, public access etc • Based on layered approach • Appendix A provides design guidelines for specific security elements

  34. Choosing Optimal Physical Security Equipment • Guidance provides an overview of issues that should be considered when selecting and implementing electronic security systems • Issues • Threat type (anticipated adversary, motivation, tactics) • Vulnerabilities of critical assets • Areas of coverage • Levels of resolution • Power, wiring and transmission methods • Viewing and assessment

  35. Security Equipment • Access control –access cards, PIN, biometrics • Interior intrusion devices – volumetric sensors, penetration sensors • Exterior intrusion detection – free-standing sensors, buried line sensors, fence mounted sensors • Camera systems

  36. EPA Security Products Guide • Searchable guide of products for water/wastewater security systems • Physical security (walls, gates, and manhole locks) • Electronic or cyber security (computer firewalls and remote monitoring systems) • Monitoring tools that can be used to identify anomalies in process streams or finished water that may represent potential threats • Not sure how up-to date- it is in the fast changing security technology business

More Related