Protecting vital water infrastructure.
The most prominent and likely forms of terrorist attack on the water sector include the intentional release of chemical, biological, and radiological contaminants into the water supply or wastewater systems, disruption of service from explosions, and breaches in cybersecurity.
The sector has its own unique risks driving sector security and resilience activities, including threats, vulnerabilities, and consequences.
However, utility owners and operators have always had to respond to natural disasters and, as a result, emergency response planning is inherent to the industry to ensure continuity of operations and to sustain public health and environmental protection.
Therefore, it is critical that the security and resilience of the nation’s water infrastructure—collectively known as the Water and Wastewater Sector—is enhanced.
Based off the Department of Homeland Security (DHS) and the EPA’s Sector Specific Plan (SSP), along with known threats to the sector, a number of key concepts should be included when building a comprehensive water security program.
A water utility should consider: Conducting periodic threat and vulnerability assessments, annual security exercises, and regular updates to its response and recovery plans Developing surveillance, monitoring, warning, and response capabilities to recognize a security event when it is actively happening Integrating both physical and cybersecurity concepts into daily business operations to foster a culture of security Improving the identification of potential threats with skilled physical and cybersecurity staff, armed with the knowledge to deter, detect, and delay an adversary’s tactics Identifying ways to implement key response and recovery strategies prior to a crisis Increasing its understanding of how the sector is interdependent with other critical infrastructure sectors, especially energy and chemical Enhancing threat communication and coordination among internal and external stakeholders by utilizing the Water Information Sharing and Analysis Center (WaterISAC) and other information sharing networks Multiple governing authorities pertaining to the security of the water sector provide for public health, environmental protection, and security measures.
Notably, the water sector is currently excluded from the Chemical Facility Anti-Terrorism Standards (CFATS), a DHS program that regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with these chemicals.
Currently, CFATS excludes public water systems (as defined in the Safe Drinking Water Act) and water treatment facilities (as defined in the Federal Water Pollution Control Act) from the program.
Most importantly, utilities should keep utility Industrial Control Systems off the internet.