Plugging the Leak . . .in Water Security

Medium- and smaller-sized water utilities find themselves in a bind as they are compelled to obey an underfunded government mandate

To a terrorist, a tempting target is any utility that can be attacked easily and successfully.

The events of Sept. 11, 2001 continue to reverberate and the echoes have reached the nation's water utilities. For the most part, large water utilities--those serving more than 100,000 people--have already completed Vulnerability Assessments as of the end of 2003, and they have updated their Emergency Response Plans in compliance with a federal mandate known as the Public Health Security & Bioterrorism Act of 2001. While no facility is ever completely secure, these utilities have prepared diligently for potential terrorist attacks.

But what about utilities serving fewer then 100,000 people? Are they even legitimate terrorist targets?

Yes, they are, Terrorists are like car thieves--they don't always go for the largest car, often opting instead for one that is easiest to steal. So whether the utility serves 5,000 people or 500,000 people, a facility that is easy to attack is an attractive, tempting target. Such water utilities must remove the metaphorical bull's-eye tattooed on their facilities by taking swift, certain, prudent action.

Important deadlines

Like the larger utilities, medium-sized and smaller utilities must meet a government mandate for Vulnerability Assessments and Emergency Response Plans. For the medium-sized utilities serving between 50,000 and 99,999 people, the deadline was Dec. 31, 2003 for the Vulnerability Assessment and June 30, 2004 for the Emergency Response Plan update.

Utilities serving populations between 3,301 and 49,999 must comply with the government mandate by having their Vulnerability Assessments done by June 30, 2004 and their Emergency Response Plans updated by December 31, 2004.

But there is a hitch. Most of the money earmarked for water utilities to perform these functions has already been spent.

With little or no money available, what's a medium- or small-sized utility manager to do?

Well, there is no simple answer. But there are some very simple tests that can be taken immediately to make a utility safer and more secure.

The first thing is that every utility--large or small--take a long, hard look at the obvious vulnerabilities in the water utility and the attitude of everyone who works in it. One would hope that in every case, security precautions of some kind would already be in place. Follow them to the letter. The single greatest weapon in an arsenal against terrorism is the alert guard--the door not propped open with a brick, the key not left in the truck overnight, the locked access hatch, the completed checklist, and the procedure that is followed rigorously every time.

If the treated water tank hatch was found open, it must be determined who opened it and what should be done about it. The utility managers must teach and inspire a staff to understand that the procedures they are asked to follow can mean the difference between a devastating attack and an attack that is prevented altogether. In industry parlance, this would be a "culture by security." By and large, vigilance is considerably less expensive than a new web-based, camera-equipped force protection system bristling with motion detectors and thermal sensors.

Preventive measures

Another area where utility managers can and must act immediately is information. Managers must check their websites and examine carefully internal and external publications.

Can anyone just go into City Hall and review the water system plans? Has any sensitive information that could be used by a terrorist been disseminated? Did a paper on the municipality's emergency response plan get published? Has too much detail been presented in a brochure about a new water treatment plant, perhaps, just trying to convince a constituency that service is being improved?

First, take anything sensitive off the utility's website--immediately. By definition, if it's a utility's website, it's on the web around the world. That gives any computer-literate terrorist with a laptop and phone line instant access to information about a facility. Replace the sensitive information with more innocuous particulars, but do not give terrorists a free electronic pamphlet on how to attack a facility.

Those steps should be taken immediately--yesterday would have been better. Then, the issue turns to the government mandate, the required security review and upgrade. It is very possible for a water utility to perform its own Vulnerability Assessment and to develop its own Emergency Response Plan.

For many years prior to the attacks of September 11, water systems and staffs knew how to protect against vandals. But the adversaries, terminology and risks have changed. While some utility managers are more than qualified to develop a security plan or Vulnerability Assessment or to use one of the available do-it-yourself tools, many others are not.

That is particularly true for the smaller utilities. So, while a utility that performs its own Vulnerability Assessment and Emergency Response Plan might be saving tens of thousands of dollars in the short-term, in the long-run it might end up spending hundred of thousands or even millions of dollars in unnecessary or inappropriate defenses--or even be risking a great deal more.

The ultimate goal here is to protect the drinking supply for a town, city, county or region. Water utility managers in this country are the nation's experts in creating the safest, cleanest water supply in the world. But their job description until two years ago had very little to do with terrorism countermeasures. So, while it may seem to cost more up front, hiring the appropriate expertise can pay great dividends in keeping a facility safe in the face of an attack.

Message becomes clear

Funding is in short supply. However, the judicious application of time-tested wisdom, combined with cost-saving innovation, can provide medium-to-small water utilities with the best, most cost-effective protection. But it's not only security that is on the line. In many cases, water utilities have found these security reviews can help justify long-delayed projects that they believe are essential to the future of their community. The best security project is one that was supposed to be done anyway, to improve the operation and reliability of a water system.

September 11 left an indelible mark on everyone. But recent events have left an impression as well.

From the shooting in New York's City Hall to the Great Blackout of 2003, the oft-heard message becomes clearer. We must protect our utilities and ourselves; no one and nothing is immune to hazard. And one of the most important areas that needs protection is the national water supply.

Vulnerability Assessments and Emergency Response Plans are not simply government exercises. These are necessary to ensure the safety of society. From the largest water utilities in the nation to the smallest, we are as vulnerable as we allow ourselves to be. If anyone thinks, "it can't happen to me," think again.

To a terrorist, a tempting target is any utility that is vulnerable to a successful attack.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options


About the author

William G. Sewell is senior vice president and practice manager with DMJM Technology, and John F. Shawcross is a vice president with Metcalf & Eddy. Sewell can be reached at [email protected] or 703/469-3003. Shawcross can be reached at [email protected] or 781/224-6209.