Water wastewater security it s still important
1 / 59

Water & Wastewater Security It’s Still Important - PowerPoint PPT Presentation

  • Updated On :

Water & Wastewater Security It’s Still Important. Mark Wetzel P.E., Stantec ISA Water & Wastewater Conference August 2007. Presenter – Mark Wetzel, PE. Principal and New England Practice Area Leader – Environmental Infrastructure

Related searches for Water & Wastewater Security It’s Still Important

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Water & Wastewater Security It’s Still Important' - rane

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Water wastewater security it s still important l.jpg

Water & Wastewater Security It’s Still Important

Mark Wetzel P.E., Stantec

ISA Water & Wastewater Conference

August 2007

Presenter mark wetzel pe l.jpg
Presenter – Mark Wetzel, PE

  • Principal and New England Practice Area Leader – Environmental Infrastructure

  • 29 years of municipal water and wastewater engineering experience

  • Member of AWWA, NEWWA, WEF

Water system security background l.jpg
Water System Security Background

  • Public Health and Security and Bioterrorism Preparedness and Response Act of 2002 required community water systems to complete vulnerability assessments (VA)

  • Funding was provided for large systems to complete the VA

  • Implementation of security improvements was the responsibility of individual utilities

Slide7 l.jpg

Water System Security – Who’s in Charge?








Federal & State Agencies










Associations &





















  • TISP

  • WEF

  • AMSA













Slide8 l.jpg

Security Needs – Water Systems

  • 160,000 water systems in the US; 466 serve more than 100,000 people

  • VAs were completed in 2004 to identify system vulnerabilities and mitigation

  • Issues

    • Lack of redundancy

    • Cyber-security

    • Water quality monitoring

    • Surveillance & facility hardening

Slide10 l.jpg

Wastewater Needs Water System Security

  • 16,000 PO wastewater systems in US

  • 500 systems serve 62% of the population

  • No regulatory requirements to assess security / mitigate vulnerability

  • Wastewater / stormwater facilities can provide point of entry to potential targets

  • Failure causes chemical releases, health threats, environmental impacts and economic impacts

  • Potential for large scale explosions

Water infrastructure security enhancements l.jpg
Water Infrastructure Security Enhancements Water System Security

  • AWWA, ASCE and WEF worked together to develop and implement security standards for water & wastewater systems

  • USEPA funded the effort known as Water Infrastructure Security Enhancements (WISE)

  • AWWA led the water utility effort

  • WEF led the wastewater utility effort

  • ASCE led the contaminant detection and monitoring effort for both water & wastewater

  • Three phase approach

Water infrastructure security enhancement wise l.jpg
Water Infrastructure Security Enhancement (WISE) Water System Security

  • Phase I - Guidance Documents: Water Supply, Wastewater/Stormwater, Online Contaminant Monitoring

  • Phase II - WISE Training Materials

  • Phase III - Voluntary Physical Security Guidelines - for Water Supply and Wastewater/Stormwater Utilities

Purpose of security guidance l.jpg
Purpose of Security Guidance Water System Security

“Provide a centralized starting point for utilities as they integrate modern security practices into the management, operation, construction, or retrofit of their water, wastewater and stormwater systems”

Guidance available on line at:



Overview of guidance l.jpg
Overview of Guidance Water System Security

Security needs and strategies l.jpg
Security Needs and Strategies Water System Security

  • Identify reasons for security measures

  • Determine vulnerabilities and risks

  • Develop security strategy based on threats

    • Risk reduction

    • Cost-Benefit analysis

    • Cost to risk reduction analysis

  • Develop a balanced plan

  • Prioritize investments

Design basis threat l.jpg
Design Basis Threat Water System Security

  • Identify threats and threat levels

    • Vandal

    • Criminal

    • Saboteur

    • Terrorist

  • Threat Level Characteristics

    • Planning

    • Access

    • Weapons

    • Contaminants

    • Asset damage

    • Theft

    • Injuries

    • Fatalities

Other considerations l.jpg
Other Considerations Water System Security

  • Issues related to vulnerability / risk assessment

    • Natural disasters

    • Unanticipated failures

    • Emergency preparedness

    • Loss of key staff

  • Mitigation

  • Emergency Response

  • Recovery

Management considerations l.jpg
Management Considerations Water System Security

  • Financial planning / CIP program to support security needs

  • Policies and procedures

    • Background checks on employees and contractors

    • Training

    • Records management

    • Operations policies

    • Information access

    • Emergency procurement

    • Communications

Operational considerations for enhancing physical security l.jpg
Operational Considerations for Enhancing Physical Security Water System Security

  • Operational changes can provide the most cost effective security enhancements

  • Approaches will depend upon the threat levels (vandals, criminals, saboteurs, terrorists)

  • Deter – Detect - Delay

  • Operational approaches should be developed on a “layered approach”

    • Perimeter

    • Site

    • Buildings and structures

    • Building systems (internal features)

General operational practices l.jpg
General Operational Practices Water System Security

  • Visitor control /delivery control

  • Alarm points and response

  • Access control / key control

  • Scheduling of maintenance / general maintenance practices

  • Clear zone areas / site access

  • Fencing

  • Cyber security

Operational policies should be developed for each facility including l.jpg
Operational Policies should be developed for each facility including:

  • Source water

  • Intakes and impoundments

  • Wells and pumping stations

  • Treatment facilities

  • Storage facilities

  • Distribution systems

  • Administration facilities

Slide26 l.jpg

Hacker jailed for revenge sewage attacks including:

By Tony Smith

Published Wednesday 31st October 2001 15:55 GMT

An Australian man was today sent to prison for two years after he was found guilty of hacking into the Maroochy Shire, Queensland computerized waste management system and caused millions of litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel.

"Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant of the Australian Environmental Protection Agency.

Scada cyber security l.jpg
SCADA – Cyber Security including:

“ Under restructuring, the grid is now being operated in a way for which it was never designed... More access to control systems is being granted to more users, the demand for real-time control has increased system complexity, and business and control systems are interconnected. ”

Samuel Varnado, director of the Information Operations Center, Sandia National Labs

Cyber security l.jpg
Cyber Security including:

  • Cyber security is the protection of enterprise information systems from inside or outside attack

  • Systems include

    • Financial and enterprise resource programs

    • LIMS

    • Customer Information systems

    • Preventative maintenance / work order system

    • GIS, records, models

    • SCADA and controls

  • Threats

    • Outside hackers

    • Outside attackers

    • Inside attackers

Integrations issues l.jpg
Integrations Issues including:

  • Network system reliability

  • Exposure to viruses, worms, Trojan horses

  • Increased traffic on system

  • Controlling / managing access

  • Expertise of staff

Control system security program l.jpg
Control System Security Program including:

  • United States Computer Emergency Readiness Team (US-CERT) Catalog of Control Systems Security Requirements

  • Developed to facilitate the development of cyber security standards for control systems

  • Includes:

    • Organizational, personnel, physical security

    • Systems & services acquisition

    • Planning

    • System & communications protection

    • Information / document management

    • Awareness & training

    • Incident response

    • System integrity

    • Access Control

    • Risk management

  • http://www.us-cert.gov/control_systems/

Cyber security policies and procedures l.jpg
Cyber Security Policies and Procedures including:

  • Process for granting / revoking access to system

  • Password policies

  • Maintenance of anti-virus and firewall systems

  • Restricted flow of information between systems and networks

  • Comprehensive system documentation

  • Prohibition of unauthorized wireless or modem connections

  • Disaster recovery plan

  • Incident response plan

  • Cyber security training

Cyber security design l.jpg
Cyber Security Design including:

  • Physical security

    • Back-up of all systems every day with off-site storage of back-up data

    • Lockable PLC cabinets, computer / server rooms

    • Protective, lockable cabinets for outdoor RTUs

    • Managed entry system (coded of cards) for server rooms

  • Best design practices

    • Identify & characterize all network connections and implements secure connections

    • Provide UPS for all critical components

    • Contract for periodic evaluation of firewalls and intrusion detection systems

Scada security l.jpg
SCADA Security including:

  • Use intelligent RTUs with manual operation overrides

  • Grid topology to eliminate single points of failure

  • Design intrusion detection tools into system

  • Test system for intrusion and vulnerability

Purpose of physical security guidance l.jpg
Purpose of Physical Security Guidance including:

  • “Provide direction to water utilities on how to design or retrofit their infrastructure, with respect to their unique circumstances or threats”

  • “Establish physical and procedural controls to restrict access to utility infrastructure…….and to detect unauthorized physical intrusions”

  • “Incorporate security considerations into decisions about acquisition, repair, major maintenance and replacement of infrastructure”

Physical design considerations l.jpg
Physical Design Considerations including:

  • Based on threat type and layered approach

  • Crime Prevention through Environmental Design (CPTED)

    • Access control

    • Territorial reinforcement

    • Surveillance

    • Image and maintenance

  • Specific design considerations /criteria

    • 10 State Standards

    • USEPA Water Security Web site / tools & guidance

    • WISE Phase III Guidelines for Physical Security of Water Utilities

Overview l.jpg
Overview including:

  • Guidance addresses:

    • Raw Water Facilities

    • Wells & pumping stations

    • Water Treatment plants

    • Finished Water Storage Facilities Distribution systems

    • Water system support facilities

  • For each facility the guidance includes:

    • Scope

    • Facility mission

    • Philosophy of security approach

    • Benchmark security measures

Elements of physical security systems l.jpg
Elements of Physical Security Systems including:

  • Deterrence, detection, delay, response

  • Design base threat

  • Layered approach

Physical security methodology l.jpg
Physical Security Methodology including:

  • Step 1 – Vulnerability Assessment

  • Step 2 - Characterize design base threat (DBT)

  • Step 3 – Identify security measures

  • Step 4 – Consider Consequence Mitigation

Benchmark security measures l.jpg
Benchmark Security Measures including:

  • Guideline establishes benchmark measures to deter, detect and/or delay threats

  • Based on each type of facility and DBT

  • Decisions are site and utility specific and benchmarks are considerations not rules

  • Special considerations may be required depending upon public safety, redundancy, public access etc

  • Based on layered approach

  • Appendix A provides design guidelines for specific security elements

Choosing optimal physical security equipment l.jpg
Choosing Optimal Physical Security Equipment including:

  • Guidance provides an overview of issues that should be considered when selecting and implementing electronic security systems

  • Issues

    • Threat type (anticipated adversary, motivation, tactics)

    • Vulnerabilities of critical assets

    • Areas of coverage

    • Levels of resolution

    • Power, wiring and transmission methods

    • Viewing and assessment

Security equipment l.jpg
Security Equipment including:

  • Access control –access cards, PIN, biometrics

  • Interior intrusion devices – volumetric sensors, penetration sensors

  • Exterior intrusion detection – free-standing sensors, buried line sensors, fence mounted sensors

  • Camera systems

Epa security products guide l.jpg
EPA Security Products Guide including:

  • Searchable guide of products for water/wastewater security systems

  • Physical security (walls, gates, and manhole locks)

  • Electronic or cyber security (computer firewalls and remote monitoring systems)

  • Monitoring tools that can be used to identify anomalies in process streams or finished water that may represent potential threats

  • Not sure how up-to date- it is in the fast changing security technology business

Online contaminant monitoring l.jpg
Online Contaminant Monitoring including:

  • Objective is to reduce risk due to contamination of water / wastewater

  • Early warning system to allow for proper response

  • Technology is still relatively new – no knowledge base

  • Design to characterize contamination and location

  • Source intake monitoring

  • Distribution / collection system monitoring

Ocms design considerations l.jpg
OCMS Design Considerations including:

  • Contaminants monitored

  • Monitoring locations

  • Data analysis & models

  • Communications

  • Operation and maintenance

Fully integrated security planning design l.jpg
Fully Integrated Security Planning & Design including:

  • Do what is best for your utility

  • Integrated plan of management, operations and design strategies

  • Simple solutions

  • Solutions with multiple benefits

  • Use a “cross functional” utility team to develop and implement the solutions

  • Supplement with external resources

Acknowledgement l.jpg
Acknowledgement including:

Tables and figures presented in this presentation are from:

Interim Voluntary Security Guidance for Water Utilities, ASCE/AWWA/WEF, Dec.9,2004

Guidelines for the Physical Security of Water Utilities – Draft American Nation Standard for Trial Use, ASCE/AWWA, Dec. 2006

Questions l.jpg
Questions?? including: