Tuesday, March 30, 2010
Water Facility Security Lacking
Last week there was an interesting water facility security breach out in Oregon. According to news reports an intruder broke into a local water treatment facility and stole the computer that operated the automated water treatment equipment at the facility, including the valves that control the addition of chlorine to the water. The article reports that “the burglar gained access to the plant by driving around a fenced and gated area through an adjacent tree farm”. The local residents can rest assured that local officials are taking action to ‘harden’ both the water treatment and waste water treatment facilities against future intrusions; too little, too late. Now current water security rules require all facilities that serve over 3,500 customers (and I am making the perhaps unwarranted assumption that this facility meets that requirement) have completed security vulnerability assessments. Unfortunately there are no provisions to allow the EPA (the water facility security enforcement agency) to require that facilities take action to correct security shortcomings. In this case the only thing that happened with the break-in was the loss of about $1,000 worth of computer equipment and significant amounts of overtime pay to cover having someone on site executing manual control of the system. What if this had been something more than vandalism or theft? What if this had been a terrorist attack on the water system? Or an attack on the chlorine used at the water system? Can anyone believe that the security system would have had any better result? This is a perfect example of why I am concerned about the lack of water facility security regulations that really mean anything. Requiring that facilities ‘conduct an SVA’ is a toothless requirement if there is no check of the adequacy of that evaluation. And an SVA does not provide any security, it just identifies the security needs. It should lead to the development and execution of a security plan and there are no current requirement for that to be done. Legislation like HR 2868 needs to be passed to give DHS or EPA the authority to provide proper regulatory oversight of the security of water treatment and wastewater treatment facilities. Sooner or later terrorists are going to see stories like this one in the Oregon newspaper and realize exactly how vulnerable our water treatment facilities actually are.