Protecting vital water infrastructure

Improving the security of the United States’ drinking water and wastewater infrastructure has not received the attention it requires. Over the past two decades of combating home grown and international terrorism, the electricity sector has received the majority of critical media headlines; however, the water sector may be the more vulnerable.

The most prominent and likely forms of terrorist attack on the water sector include the intentional release of chemical, biological, and radiological contaminants into the water supply or wastewater systems, disruption of service from explosions, and breaches in cybersecurity. The water sector is complex, composed of drinking water and wastewater infrastructure of varying sizes and types of ownership. The sector has its own unique risks driving sector security and resilience activities, including threats, vulnerabilities, and consequences.

However, utility owners and operators have always had to respond to natural disasters and, as a result, emergency response planning is inherent to the industry to ensure continuity of operations and to sustain public health and environmental protection.

The Water and Wastewater Sector partners with the US Environmental Protection Agency (EPA), state agencies, and other federal agencies, sharing in the mission to protect public health, the environment, and security and resilience activities. Significant actions are underway to assess and reduce vulnerabilities to potential terrorist attacks, plan for and practice response to emergencies and incidents, develop new security technologies to detect and monitor contaminants, and prevent security breaches.

The water sector is vulnerable to a variety of attacks through contamination with deadly agents, physical attacks (such as the release of toxic gaseous chemicals), and cyber-attacks. If these attacks were realized, the result could be significant illness, casualties, or a denial of service that could also affect public health and preparedness.

Critical services such as firefighting or healthcare would be negatively impacted by a denial of service from the water sector, as would other dependent and interdependent sectors such as energy, transportation systems, and agriculture and food. Therefore, it is critical that the security and resilience of the nation’s water infrastructure—collectively known as the Water and Wastewater Sector—is enhanced.

Based off the Department of Homeland Security (DHS) and the EPA’s Sector Specific Plan (SSP), along with known threats to the sector, a number of key concepts should be included when building a comprehensive water security program. A water utility should consider:

• Conducting periodic threat and vulnerability assessments, annual security exercises, and regular updates to its response and recovery plans
• Developing surveillance, monitoring, warning, and response capabilities to recognize a security event when it is actively happening
• Integrating both physical and cybersecurity concepts into daily business operations to foster a culture of security
• Improving the identification of potential threats with skilled physical and cybersecurity staff, armed with the knowledge to deter, detect, and delay an adversary’s tactics
• Identifying ways to implement key response and recovery strategies prior to a crisis
• Increasing its understanding of how the sector is interdependent with other critical infrastructure sectors, especially energy and chemical
• Enhancing threat communication and coordination among internal and external stakeholders by utilizing the Water Information Sharing and Analysis Center (WaterISAC) and other information sharing networks

Multiple governing authorities pertaining to the security of the water sector provide for public health, environmental protection, and security measures. Notably, the water sector is currently excluded from the Chemical Facility Anti-Terrorism Standards (CFATS), a DHS program that regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with these chemicals. Water associations have won the exclusion argument by suggesting that they are adequately covered by the rules under the Bioterrorism Act of 2002.

Currently, CFATS excludes public water systems (as defined in the Safe Drinking Water Act) and water treatment facilities (as defined in the Federal Water Pollution Control Act) from the program. This exemption has been called into question many times, even by the leadership of the US House Committee on Homeland Security.

Furthering situation-awareness capabilities through the effective sharing of critical, security-related information via the WaterISAC should continue. As the official communication mechanism for the water sector, the WaterISAC should be included to a greater extent in the planning and preparedness-related initiatives to better inform the sector about key security issues, opportunities, and information. Likewise, the WaterISAC should consider partnering with additional ISACs, such as electricity.

While there have not been any highly publicized events surrounding the contamination of water systems, it is worth investing resources and technologies to ensure the water supply stays safe. Water distribution systems are routinely monitored to ensure that drinking water meets mandated standards and that treatment processes are performing as intended. Online sensors measure water quality in real-time and have the potential to serve as an early warning for an intentional contamination event.

Unfortunately, water utilities have not been immune to ransomware and other cyber-attacks on their IT infrastructure. Utilities should continue to update security patches, encrypt sensitive data, and use firewalls between operating systems. Most importantly, utilities should keep utility Industrial Control Systems off the internet.

Owners and operators are responsible for implementing security and resilience activities at the utility level, which allows protective programs to be tailored to the geography and conditions of that locality, with a focus on critical facilities. Many water and wastewater utilities have conducted risk assessments and spent millions of dollars to reduce identified vulnerabilities and install protective measures. The development of security resources that enhance sector resilience, increase education and awareness, and build a business case for security investments today will pay dividends prior to any attack.

It can be assumed that at some point, a North American utility may suffer from a planned and coordinated attack against its water infrastructure. Have these utilities examined credible threats closely enough? Did they prepare to respond, recover, and communicate? As an industry, many will be judged and hard questions will be asked about how seriously threats were considered and what was done to mitigate future attacks. Success will be determined by how quickly the industry responds and the swiftness of system recovery.