Water Security Congress

On Monday, the ASDWA Security Notes Blog posted information on last month’s 2010 Water Security Congress conducted by the American Water Works Association (AWWA). While most of this meeting was focused on security issues that did not specifically deal with chemical issues at water facilities, there were a couple of presentations that might be of interest to the general chemical security community. For readers from the water community may want to look at the general AWWA page on the meeting.

Water ISAC

There was an interesting presentation made by Aaron Levy discussing the Water Sector Information Sharing and Analysis Center (WaterISAC) that he heads. This is an organization run by the Water Sector Coordinating Council, part of the National Infrastructure Protection Program. It provides an information sharing environment for all sorts of water sector protection activities including a secure portal for sharing intelligence information. I have not seen a comparable organization coming out of the Chemical Sector Coordinating Council.

One of the interesting issues raised in Levy’s presentation is the problem of financially-motivated vandalism. Water facilities have a security issue that is much more prevalent than terrorist attacks, the theft of metal (pipe and wire) from their extended facilities; a problem aggravated by the poor economy.

Stuxnet was briefly addressed in the presentation both as a threat to water system control systems, but also as a threat to the electrical power supply critical to the operations of these systems. This is an issue that should also be of concern to chemical facility operators.

I want to take an opportunity to commend Mr. Levy for the format of his presentation file. Most presenters provide copies of the presentation slides for these type files. The WaterISAC presentation not only includes the slides, but the notes that he used in his presentation. This provides a lot more information and provides more of a flavor of the actual presentation. Still not as good as a video file, but Levy is to be commended for taking this innovative step.

Utility Security

This presentation by John W. McLaughlin, from Jacobs-JJG (engineering firm), looks at the switch from security being a counter-terrorism matter to a more inclusive ‘all-hazards’ approach. He notes that many utilities do not see themselves as a terrorist target and may see counter-terrorism measures as a diversion of funds that could be better spent elsewhere.

He notes the enlarged focus of security at the national level is now looking beyond just the possibility of terrorist attacks and is addressing all sorts of security issues. A major new focus at the national level is ‘resiliency’, the ability to get the water system up and running after an attack, vandalism, systems failures, or natural disaster.

This discussion about the need for resiliency is certainly an increasingly important focus at DHS. Prevention of production disruptions from all causes is important, but resilient facilities recognize that all disruptions cannot be prevented. I’ve noted for some time in this blog that recognition of the practical inability to prevent all terrorist attacks requires planning for emergency response to deal with resulting chemical releases, fires and explosions. Resiliency looks even beyond that, at what happens after the emergency response is done.

While chemical facility management certainly has an interest in getting their facility back on line, they don’t have the same urgency in this matter that public utilities have. An off-line chemical facility will not typically cause life changing problems for all of their neighbors and customers. A shutdown water plant, on the other hand, adversely affects the entire community until it gets back on-line.

Water and CFATS

Bryon O. Elwell, from ABS Consulting, provided an overview of both the current CFATS regulations and the pending legislation in Congress that might affect security operations at water and waste-water treatment facilities. The information in the slides was well put together, especially the summary data on S 3598, the Secure Water Facilities Act.

Elwell presented some facts that I haven’t seen pulled together before. He noted (slide 18) that there were 1,200 waste water treatment plants that had more than 2,500 lbs (CFATS SQT for Chlorine) of Chlorine gas on-site and 1,700 water treatment plants that were covered by EPA’s risk management plan rules (and presumably would be covered by CFATS rules). He also provided (slides 19 and 20) a more complete listing of water treatment chemicals that are DHS chemicals of interest (COI) than I have seen to date.

Water Cyber Security

I was pleased to see that there were three separate presentations on control system cyber security (CSCS) matters; all of them should be reviewed by any organization with an automated industrial control system. The first was by Candace Chan-Sands, from EMA, Inc. who’s presentation looked at the DHS ICS-CERT Cyber Security Evaluation Tool (CSET). This is a service provided by DHS ICS-CERT to evaluate the security environment for a facility’s control system. Some how I have overlooked this service listed on the ICS-CERT web site; I’ll cover this in more detail in a separate blog post.

The second presentation was by W. Michael Sutton, an engineer with Malcolm Pirnie Inc. He looked at both the development of the ISA-99 cyber security standards under development. He pointed the audience at ANSI/ISA-99.02.01-2009, the Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, published in 2009. He did not provide a link to the ANSI site for obtaining the document; here it is. He also provided a brief look at control system design and technologies available to help secure cyber assets.

The third cyber-security presentation was made by Jeff Mills, from Coalfire, an IT Audit and Compliance Management firm. This is a pretty good, if high-level, review of the control system security problem, but it does not address the peculiar ICS issues with implementing many IT security measures. There is, however, a very good description (slide 25) of general control system security measures that would apply to any facility using ICS systems.

Posting Presentations

I always appreciate it when organizations like the AWWA post their presentations on-line. I don’t have the travel budget to get to these meetings and there is a wealth of good information presented at meetings like this. Most people in the public water supply industry have similar budget constraints making the posting of these presentations a valuable service to the industry. I would like to make my standard presentation recommendation to AWWA; next year, how about providing videos of the presentations on-line.

Personal Complaint Warning: I am always upset when an organization posts .PDF documents with excessive security settings. Why would anyone be concerned about someone copying and pasting from the document. It makes the job of reviewers like myself that much more difficult. This is especially true when the document includes URL’s, its bad enough that the listed URL’s were not live links, but then they were protected against copying. What a PAIN! Please re-think your document security policy.