Director, Critical Infrastructure Protection Programs, North American Electric Reliability Corp. (NERC)

Protecting vital water infrastructure

Apr 18, 2017 | 6 mins
Critical Infrastructure, Disaster Recovery, Security

The security and protection of drinking water, wastewater treatment services, and collection systems are essential to the American way of life and the nation’s economy.

Improving the security of the United States’ drinking water and wastewater infrastructure has not received the attention it requires. Over the past two decades of combating homegrown and international terrorism, the electricity sector has received the majority of critical media headlines; however, the water sector may be the more vulnerable.

The most prominent and likely forms of terrorist attack on the water sector include the intentional release of chemical, biological, and radiological contaminants into the water supply or wastewater systems, disruption of service from explosions, and breaches in cybersecurity. The water sector is complex, composed of drinking water and wastewater infrastructure of varying sizes and types of ownership. The sector has its own unique risks driving sector security and resilience activities, including threats, vulnerabilities, and consequences.

However, utility owners and operators have always had to respond to natural disasters and, as a result, emergency response planning is inherent to the industry to ensure continuity of operations and to sustain public health and environmental protection.

The Water and Wastewater Sector partners with the US Environmental Protection Agency (EPA), state agencies, and other federal agencies, sharing in the mission to protect public health, the environment, and security and resilience activities. Significant actions are underway to assess and reduce vulnerabilities to potential terrorist attacks, plan for and practice response to emergencies and incidents, develop new security technologies to detect and monitor contaminants, and prevent security breaches.

The water sector is vulnerable to a variety of attacks through contamination with deadly agents, physical attacks (such as the release of toxic gaseous chemicals), and cyber-attacks. If these attacks were realized, the result could be significant illness, casualties, or a denial of service that could also affect public health and preparedness.

Critical services such as firefighting or healthcare would be negatively impacted by a denial of service from the water sector, as would other dependent and interdependent sectors such as energy, transportation systems, and agriculture and food. Therefore, it is critical that the security and resilience of the nation’s water infrastructure—collectively known as the Water and Wastewater Sector—is enhanced.

Based on the Department of Homeland Security (DHS) and the EPA’s Sector Specific Plan (SSP), along with known threats to the sector, a number of key concepts should be included when building a comprehensive water security program. A water utility should consider:

  • Conducting periodic threat and vulnerability assessments, annual security exercises, and regular updates to its response and recovery plans
  • Developing surveillance, monitoring, warning, and response capabilities to recognize a security event when it is actively happening
  • Integrating both physical and cybersecurity concepts into daily business operations to foster a culture of security
  • Improving the identification of potential threats with skilled physical and cybersecurity staff, armed with the knowledge to deter, detect, and delay an adversary’s tactics
  • Identifying ways to implement key response and recovery strategies prior to a crisis
  • Increasing its understanding of how the sector is interdependent with other critical infrastructure sectors, especially energy and chemical
  • Enhancing threat communication and coordination among internal and external stakeholders by utilizing the Water Information Sharing and Analysis Center (WaterISAC) and other information sharing networks

Multiple governing authorities pertaining to the security of the water sector provide for public health, environmental protection, and security measures. Notably, the water sector is currently excluded from the Chemical Facility Anti-Terrorism Standards (CFATS), a DHS program that regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with these chemicals. Water associations have won the exclusion argument by suggesting that they are adequately covered by the rules under the Bioterrorism Act of 2002.

Currently, CFATS excludes public water systems (as defined in the Safe Drinking Water Act) and water treatment facilities (as defined in the Federal Water Pollution Control Act) from the program. This exemption has been called into question many times, even by the leadership of the US House Committee on Homeland Security.

Furthering situational awareness capabilities through the effective sharing of critical, security-related information via the WaterISAC should continue. As the official communication mechanism for the water sector, the WaterISAC should be included to a greater extent in the planning and preparedness-related initiatives to better inform the sector about key security issues, opportunities, and information. Likewise, the WaterISAC should consider partnering with additional ISACs, such as electricity.

While there have not been any highly publicized events surrounding the contamination of water systems, it is worth investing resources and technologies to ensure the water supply stays safe. Water distribution systems are routinely monitored to ensure that drinking water meets mandated standards and that treatment processes are performing as intended. Online sensors measure water quality in real-time and have the potential to serve as an early warning for an intentional contamination event.

Unfortunately, water utilities have not been immune to ransomware and other cyber-attacks on their IT infrastructure. Utilities should continue to update security patches, encrypt sensitive data, and use firewalls between operating systems. Most importantly, utilities should keep utility Industrial Control Systems off the internet.

Owners and operators are responsible for implementing security and resilience activities at the utility level, which allows protective programs to be tailored to the geography and conditions of that locality, with a focus on critical facilities. Many water and wastewater utilities have conducted risk assessments and spent millions of dollars to reduce identified vulnerabilities and install protective measures. The development of security resources that enhance sector resilience, increase education and awareness, and build a business case for security investments today will pay dividends prior to any attack.

It can be assumed that at some point, a North American utility may suffer from a planned and coordinated attack against its water infrastructure. Have these utilities examined credible threats closely enough? Did they prepare to respond, recover, and communicate? As an industry, many will be judged and hard questions will be asked about how seriously threats were considered and what was done to mitigate future attacks. Success will be determined by how quickly the industry responds and the swiftness of system recovery.


Brian Harrell is a nationally recognized expert on critical infrastructure protection, continuity of operations, and cybersecurity risk management. Harrell is the President and Chief Security Officer at The Cutlass Security Group, where he provides critical infrastructure companies with consultation on risk mitigation, protective measures, and compliance guidance. In his current role, he has been instrumental in providing strategic counsel and thought leadership for the security and resilience of the power grid and has helped companies identify and understand emerging threats. Advising corporations throughout North America, Harrell has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems. Harrell is also a Senior Fellow at The George Washington University, Center for Cyber and Homeland Security (CCHS) where he serves as an expert on infrastructure protection and cybersecurity policy initiatives.

Prior to starting his own firm, Harrell was the Director of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) and was charged with leading NERC’s efforts to provide timely threat information to over 1900 bulk power system owners, operators, and government stakeholders. During his time at NERC, Harrell was also the Director of Critical Infrastructure Protection Programs, where he led the creation of the Grid Security Exercise, provided leadership to Critical Infrastructure Protection (CIP) staff, and initiated security training and outreach designed to help utilities “harden” their infrastructure from attack.

Prior to coming to the electricity sector, Harrell was a program manager with the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security (DHS) where he specialized in securing high risk chemical facilities and providing compliance guidance for the Chemical Facility Anti-Terrorism Standards (CFATS). For nearly a decade of world-wide service, Harrell served in the US Marine Corps as an Infantryman and Anti-Terrorism and Force Protection Instructor, where he conducted threat and vulnerability assessments for Department of Defense installations.

Harrell has received many accolades for his work in critical infrastructure protection and power grid security, including awards from Security Magazine, CSO, AFCEA and GovSec. Harrell maintains the Certified Protection Professional (CPP) certification and holds a bachelor’s degree from Hawaii Pacific University, a master of education degree from Central Michigan University, and a master of homeland security degree from Pennsylvania State University.

The opinions expressed in this blog are those of Brian Harrell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.