Agencies and authorities that provide water, wastewater and dam services don’t face the same regulatory hurdles as power utilities, but they’re also often smaller and have fewer resources, housed as they generally are within municipal governments or other smaller entities.
Their existence and benefits, and the challenges they face are also often underappreciated, according to those who toil within the sector, one of 16 designated as “critical infrastructure” by the Department of Homeland Security.
“People often take water for granted because it just shows up,” says Kevin Morley, Manager, Federal Relations for the American Water Works Association, who notes that for drinking water alone, there are 52,000 separate community systems in the U.S. “If you have a potholed street and someone paves it over, there is immediate public gratification, or recognition. If there’s a leaky pipe, we could repair a mile, or 15 miles, of main, but the public does not directly experience the benefit, so the value is often less appreciated,” he says.
Rick Verardi, security division manager for Austin (Texas) Water, sounds similar notes. “People turn on their taps, it’s there,” he says. “People flush their toilets, and it goes away. They don’t realize what goes on in the background. Water is an underappreciated resource.”
Power authorities have significantly greater budgets than water agencies, although they might have regulations to match, notes Scott Starkey, security director at Birmingham (Ala.) Water Works Board, which is the largest water utility in the state but does not handle wastewater. “Most of our resources to go making sure the water meets the EPA standards for testing, and things like that,” he says. “It’s the ‘drinkable’ part of it, rather than an emphasis on security.”
Yet water is the nation’s most critical resource, Starkey says. “You can live without power, transit, and – despite what my kids may say – the Internet,” he says. “But you can’t live without water. We have an obligation to do everything we can with the funding we have to protect our resources.”
Terrorism is the most high-profile concern, Starkey says. “Terrorists know that throughout history, if you affect an enemy’s water supply, you can bring them to their knees,” he says. “If you start poisoning somebody’s water, that really creates mass hysteria. You see what happened in Flint, Michigan, even though that wasn’t a terrorist attack. You see that kind of thing happen, it’s a very scary thing.”
The threat of terrorism is a significant part of what has prompted water, wastewater and dam utilities to focus more heavily on safety and security, for the protection of public health, Morley says. Going back to 9/11, and even the 1995 Oklahoma City bombings, the water sector started to pivot its attention to physical security.
“We started as a sector doing work in that space a little more rigorously than others sectors did post-Oklahoma City, and certainly post-9/11 we cranked it up a bit,” he says. “Another important incident was [Hurricane] Katrina, a wide-area event that made the sector shift toward an all-hazards approach rather than focusing on the threat actor. We now prepare for various consequences regardless of cause.”
This has resulted in a robust mutual aid system among water utilities similar to that which exists in the power sector, except that “we don’t typically have to roll assets across state lines,” Morley says. But the arrangement has been effective regionally in moving generators and across supplies to help sustain operations. “Generators are expensive – smaller utilities might not be able to afford one, so these agreements provide economies-of-scale,” he says.
Karl Perman, a critical infrastructure protection consultant, agrees that terrorism is high on the watchlist of water utility operators. “I hate to say it, but I will,” he says. Partly for that reason, agencies have been focusing holistically on three areas: improved awareness, improved intelligence, and banding together with one another and the government “to get better intelligence of threats out there, tracked by open or closed source agencies.”
Other Physical Threats
Over the years, water utilities’ concerns about terrorism have shifted somewhat, Morley says. “We’ve realized that malevolent threats are not hiding in every bush, as we might have been led to believe a number of years ago,” he says. “Active shooter is on many folks’ minds, especially with recent incidents.”
To face those threats, the utility must be capable and responsive, Morley says. “Our observation has been that for systems that do exercise a response to these things, if something bad does happen, they’re not going to follow the book precisely [in the heat of the moment] but at least they’re going to be less panicked if they have worked things through,” he says. “We have exercises for various scenarios, and coordination with first responders. That way you have synergies – the burden isn’t on one entity.”
Aside from terrorism, Perman believes water utilities are most concerned about two threats on the physical side: employee malfeasance from someone gone rogue, and an outsider with a gun. An employee “could cripple a system if they had access,” he says. “They could pollute the water, open a dam when it shouldn’t be open, spin turbines that shouldn’t be spun. It could lead to a catastrophic event for that system.”
The active shooter scenario is particularly concerning for a water utility as opposed to, say, a nuclear plant because the latter would be much more heavily armed. Whereas at a water plant, “they’re lucky if the guy is a $13 an hour [security officer],” Perman says. “What are they going to do with a guy with a machine gun, or any other kind of trained adversary?”
To guard against these threats, water utilities are trying to put in place layers of defenses including electronic card readers, cameras, fencing and other barriers, and “improving as much as you can on the security officer side,” he says. “It’s more defense-in-depth, with additional layers of controls. Rather than relying on the card, you have a guard, plus electronic access controls, plus cameras, in a ring of security so you’re not subject to a single point of failure.”
Verardi at Austin Water says his utility is mostly concerned about physical intrusion and theft of equipment. Local youth tend to like to break in so they can hang out on top of the water tanks, just for the thrills. Problem is, “there are hatches and so forth that open up into the processed water,” he says. “Anybody can attempt, at that point, to contaminate the water. … A public perception that the water has been tampered with is not a good thing. We would have to flush out the system.”
The agency tries to stop intrusion before it happens at the perimeter of its water and wastewater facilities, says Michael Martell, IT project manager for Austin Water. The fencing at treatment plants has solar-powered wireless detection systems supplied by Protech that set off an alarm if someone tries to climb them, backed up by camera coverage. Card reader systems and badges allow people initial access at the gates as well as highprofile sites like chemical storage areas.
This is all monitored by local security at each plant as well as a 24/7 central site, Verardi says. “Anybody that comes on site either has to be an employee – but just because you’re an employee doesn’t mean you have access everywhere – or a contractor, and any contractor who comes on property has to be cleared to access,” he says. “Contractors have to be escorted. Visits to the plants are planned out ahead of time. We limit the amount of photography that’s allowed because of the sensitive areas.”
Security officers receive extensive training on issues like how to respond to alarms, and all employees receive training during the initial orientation as well as via “tip of the month” type e-mails, Verardi says. “We remind them to be aware of the situation,” he says. “If you see something out of the ordinary, report it to security. Security does frequent patrols of the plants – there’s somebody parked at the fence line, I don’t think it’s right – security would respond to something like that.”
Birmingham City Water Works considers active shooter to be its greatest threat, whether a disgruntled employee or an outsider. Among other facilities, the agency has a walk-in location where people can pay their bills, which is convenient for those who don’t have checking accounts, Starkey says.
“But that’s a large congregation of people with cash in one location, which attracts criminal activity,” he says. “It’s almost like a bank.” The water agency also needs to protect a toxic asset that’s unique among utilities to water authorities: chlorine gas.
In reaction to a 2003 Department of Homeland Security vulnerability assessment, which made recommendations related to mitigating against terrorism but did not follow up with federal funding, the Birmingham Water Works’ board of directors added new protections to water treatment sites, Starkey says. Those have included a high-voltage security fence with alarms and pan-tilt-zoom cameras that can be tracked from a 24/7 downtown location. The authority has used thermal cameras to protect dams since it’s tough to light up the middle of a reservoir.
“We do a lot of training on what to look for, and what to report,” he says. “If you see something, say something. You can have all the cameras in the world, but your best asset is your employees. You start by establishing the mindset that security is everybody’s business. Security employees are not just in the security department. They’re not just going to poison the security department’s water. That [mentality] is starting to take hold here, and it’s helped out a lot.”
Robert Conner, director of Lakeland (Fla.) Water Utilities, says he doesn’t worry too much about Al Qaeda being around the corner. “I’m sure most people in the Middle East would say, ‘Where in the devil is Lakeland?’ ” he says, adding, “We are capable of gearing up if we have to. We look at our threats as being mostly local morons, as well as the usual threat from insiders – not politically motivated but personal.”
Lakeland, which runs two water plants, three wastewater plants and a wetlands area with earthen dams, recently needed to call out local police to escort someone off the property when he was terminated, which Conner says “resolved itself more peaceably than I expected.” They also noticed a couple men trespassing at a wastewater plant wearing masks and carrying backpacks, although those contained only wrenches – and lunch. “They were a little surprised – we had helicopters, and dogs,” he says. “They were just screwing around.”
But Lakeland doesn’t mess around when it comes to physical security, with fencing, cameras, electronic access control and security guards at plants, although Conner says they probably wouldn’t have guards if not for the fact that the water utility also owns the local power plant (and they are co-owned by the municipality).
“We have vulnerabilities we can’t cover against a determined adversary,” he says. “You can’t protect thousands of miles of pipe. The plants are protected well. We do awareness training with the [guards] to make sure they keep [the range of possible incidents] at least halfway in their minds.” The plants are manned 24 hours per day, and while front parking lots are opened in the daytime, you still have to go through checked gates, he adds.
At more remote, lower-profile sites the Lakeland agency has hired off-duty police officers to patrol. For those officers and the full-time guards at the plants, “They’re their own first line of defense,” Conner says. “They’re the ones who know who should and shouldn’t be on the property. We look at staff as the first line of defense, and we give them the tools to extend their vision. The threats we’ve actually seen have been pilferage and vandalism.”
Cybersecurity entered the radar screen of water, wastewater and dam utilities later in the 2000s, in part thanks to a few incidents involving a disgruntled employee or contractor. An Australian man angry that he had not been hired somehow managed to obtain “back-door” controls to a wastewater system, exercised some valves and “released a lot of crap,” Morley says. “Nobody got hurt, but there was significant environmental damage, mostly into surrounding parks and streams.”
In 2008, the Department of Homeland Security worked to develop a road map on securing process controls in the water sector that serve as a gap assessment on the challenges and needs in the sector, Morley says. This lent a little scale for smaller water utilities who otherwise would have been approaching large companies on their own.
“Any one of them is not going to be a market maker,” he says. “Manufacturers are not going to change their process for one utility. In changing those systems, you have to be pretty confident that the fix is not going to cause some other problem. I can’t take my water system offline, test it out and put it back online. It’s a 24/7/365 operation.”
A major challenge of cybersecurity is that threat actors don’t need to reveal themselves and tend to be opportunistic rather than targeting a particular entity, Morley says.
If a cyber attack results in the need to pay ransomware, for example, it doesn’t matter of the threat actor is in China or Mexico or Chicago, Morley says. “People like to click on stuff,” he says. “That’s probably the biggest threat domain. I’ve seen it happen to utilities, I’ve seen it happen to towns. Whether or not you pay the ransom, you may or may not get that data back, and you certainly don’t know that they’re out of your system.”
Particularly smaller water utilities may or may not have the technical skills to deal with such incidents, which has pointed to the need for state or federal help, Morley says. The American Water Works Association has developed guidelines or utility managers in facing cybersecurity threats alongside the efforts of the National Institute of Standards and Technology (NIST) to do so more broadly.
“I want to remotely manage my pump station at 3 a.m.,” he says. “OK, that’s fine. If you’re going to do that, here are the controls you should have in place, and they’re prioritized... Now I should evaluate myself against that profile. I can then begin to build that into my capital equipment. There’s a lot of policy and procedure work. But I can start building a program that’s transparent and repeatable.”
Perman sees the Internet of Things as an emerging threat vector for critical infrastructure such as dams. “It’s more and more gone from electromechanical, flip a switch, to machine-to-machine or Internet-based,” he says. “It’s programmable logic controllers, driven by micro-processors, many tied together in networks that are Internet-facing. They’re prone to phishing campaigns and malware in general.”
To mitigate these threats, Perman says, water utilities are turning to firewalls, intrusion detection systems – and training.
Larger utilities who have chief information security officers are probably mostly on top of this, Morley says, but in smaller towns they might not have a clear, repeatable strategy, and they might be more dependent on contractors.
“The resources we’ve developed, I wouldn’t say level the playing field but goes in that direction,” he says. “They help the utilities be more informed and ask the right questions of their contract support if that’s how they’re going. That helps the sector implement a cybersecurity framework in a dynamic threat environment.”
Lakeland has an enterprise cybersecurity unit that works out of the city manager’s office and covers the water and power utilities, airport and other facilities, Conner says, adding that the city was conducting vulnerability assessments for cyber and other forms of terrorism before 9/11. “We were one of the few utilities, and we were generally thought to be crackpots until 9/12,” he says. “Somebody here did the editing of [national] documents for protecting water facilities because we were one of the few who actually thought about it.”