Reader Comments 03-30-10 Water Security

It’s been a busy week and I missed mentioning two comments posted to my earlier blog about water facility security. Bob Radvanovsky, who brings us WaterSec List, posted both comments and they are well worth reading. Security and Bond Ratings Bob’s first comment looks at the ‘compliance vs security’ issue, noting that in many cases following the rules does not mean that the facility is secure. In that posting he makes an interesting observation that I haven’t seen before, writing: “In most cases, these organizations would loose their bond ratings if they were to admit that they had a security flaw or vulnerability, so instead, do nothing.” I’m pretty sure that Bob is right, any adverse information about the facility could have an effect on their bond rating and that rating is very important to any organization that must rely on the sale of bonds to finance capital improvements. I’m not sure how bond rating organizations would find out about adverse security reports since they are ‘classified’ SSI and should be protected against disclosure. Having said that, I would be interested in hearing if any of the public water treatment facilities that were mentioned in the CAP Chemical 101 report have had their bond ratings affected by that listing. An interesting side light to that question relates to funding for security measures. If a water treatment facility had to execute a major capitol project to effect a mandated increase in security (like substitute sodium hypochlorite for chlorine gas), would that have an effect on the bond rating for the facility? One could argue that the improvement would reduce the risk associated with the facility and that should improve (or at least be neutral to) the facility bond rating. On the other hand, it does point out a severe security issue that would remain while the project proceeded (which could take a couple of years in some cases), so that might temporarily decrease the facility bond rating. Another possibility would be that the new security related capital project could adversely affect the bond rating by increasing the amount of borrowing for the facility to a level that would have an effect on the bond rating. In the normal course of events this project would not be pursued until other projects were paid off, but if the project were mandated by the Federal (or State under the current version of HR 2868) government, that might not be possible. This should be part of the economic evaluation of the projected IST implementation. Insider Attacks In his second post Bob writes that: “This, to me, represents a form of sabotage, and perhaps someone internally who knew the base operations of the organization and what impact this would have on the sudden removal of said equipment.” He also notes that, with the recent increase in radical militias, there might be an expected increase in the potential for insider attacks on facilities. One explanation is a non-terroristic action; employees might have realized that the manual operation of the facility would result in more overtime work to affect the manual operation of the facility. This would mean increased paychecks for those employees. Another explanation, much more threatening, would be that if there were an insider working for or with a terrorist organization, the lack of electronic supervisory control would make it easier to undertake a serreptious attack that would allow for contamination of the drinking water leaving the facility. I’m not sure how successful this would really be with the on going investigation of the ‘theft’, but it would be an interesting attack profile.