Tuesday, March 30, 2010

Water Facility Security Lacking

Last week there was an interesting water facility security breach out in Oregon. According to news reports an intruder broke into a local water treatment facility and stole the computer that operated the automated water treatment equipment at the facility, including the valves that control the addition of chlorine to the water. The article reports that “the burglar gained access to the plant by driving around a fenced and gated area through an adjacent tree farm”.

The local residents can rest assured that local officials are taking action to ‘harden’ both the water treatment and waste water treatment facilities against future intrusions; too little, too late.

Now current water security rules require all facilities that serve over 3,500 customers (and I am making the perhaps unwarranted assumption that this facility meets that requirement) to have completed security vulnerability assessments. Unfortunately there are no provisions to allow the EPA (the water facility security enforcement agency) to require that facilities take action to correct security shortcomings.

In this case the only thing that happened with the break-in was the loss of about $1,000 worth of computer equipment and significant amounts of overtime pay to cover having someone on site executing manual control of the system. What if this had been something more than vandalism or theft? What if this had been a terrorist attack on the water system? Or an attack on the chlorine used at the water system? Can anyone believe that the security system would have had any better result?

This is a perfect example of why I am concerned about the lack of water facility security regulations that really mean anything. Requiring that facilities ‘conduct an SVA’ is a toothless requirement if there is no check of the adequacy of that evaluation. And an SVA does not provide any security, it just identifies the security needs. It should lead to the development and execution of a security plan and there is no current requirement for that to be done.

Legislation like HR 2868 needs to be passed to give DHS or EPA the authority to provide proper regulatory oversight of the security of water treatment and wastewater treatment facilities. Sooner or later terrorists are going to see stories like this one in the Oregon newspaper and realize exactly how vulnerable our water treatment facilities actually are.


Bob Radvanovsky said...

This is a *perfect* reason for both public and private organizations to begin reviewing their policies that are in place for their security methodologies. Having worked (briefly) for a water district (under an internship while in college) many years ago, I gained a tremendous amount of insight about this industry.

It's old, and so are its policies and operational methodologies. I seriously doubt that anyone thought about the circumstances surrounding the computer theft incident in Colorado. More specifically, the article further mentions that the control systems' computer was found not too far away in/near a pond. This, to me, represents a form of sabotage, and perhaps someone internally who knew the base operations of the organization and what impact this would have on the sudden removal of said equipment.

Additionally, in future years, both "inside jobs" will become increasingly more frequent (due to social unrest, etc.), as well as the need for safe, clean, drinkable water. Water, as a resource, I suspect will become nearly as valuable as gold itself - in some arid countries, this is already true.

Bob Radvanovsky said...

In comment to your statement that (excerpted):

"And an SVA does not provide any security, it just identifies the security needs. It should lead to the development and execution of a security plan and there is no current requirement for that to be done."

This relies upon the longtime argument of compliance versus security.

By performing an SVA, a water utility is in compliance with the requirement; in most circumstances, there is little or no performance gauge or level of safety and/or security that is required.

In most circumstances, the water utility will seek out the cheapest bidder (NOTE: "cheapest vendor" does NOT mean "most capable vendor") to perform their SVAs. And, even if something were found, how many utilities (not just water, but includes natural gas, pipeline and energy providers, too) simply shirk the report and do *nothing* about remediating the flaw or vulnerability?

In most cases, these organizations would lose their bond ratings if they were to admit that they had a security flaw or vulnerability, so instead, do nothing.

That may have been the case here...

PJCoyle said...

For my response to both of Bob's comments see: http://chemical-facility-security-news.blogspot.com/2010/04/reader-comments-03-30-10-water-security.html
