Security and Risk Assessment in the Water Sector:
A Case Study
The Department of Homeland Security (DHS) has designated 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Water and Wastewater Systems is one of these critical infrastructure sectors; the Environmental Protection Agency (EPA) has been designated as the Sector-Specific Agency for the Water and Wastewater Systems Sector. This means that water authorities around the country are compelled to follow both DHS and EPA guidelines and recommendations for safety and security, in addition to any other local city-wide, county-wide, or statewide guidelines and recommendations.
Conducting a risk assessment for a water authority’s entire enterprise is an important step to take in order to be in alignment with regulations and recommendations and to improve overall safety for the employees, clients, and property of the water authority. The purpose of a risk assessment is to help the water authority improve site security and mitigate risk by providing assessments, recommendations, and designs for improvement. These goals are achieved by developing a full site assessment of current access control and camera hardware and software, visitor management system, and site processes and procedures related to security management and reporting. An assessment includes recommendations to best meet the needs of the facility while continually maintaining the water authority’s fundamental values and keeping the corporate culture intact.
As outlined in the Water-Sector Specific Plan of the National Infrastructure Protection Plan (NIPP) written by the DHS and the EPA, a good risk assessment includes a consequence analysis, a threat analysis, and a vulnerability assessment. Specifically, a consequence analysis estimates the potential public health and economic impacts of an attack; a threat analysis estimates the likelihood that a particular type of target will be selected for attack; and a vulnerability assessment identifies weaknesses in design, implementation, and operation. The overall risk assessment can be understood in a simplified manner as follows:
- Consequence Analysis (systemic to entire water authority)
  - Public health consequences
  - Economic consequences
- Threat Analysis (systemic to entire water authority)
  - Human threats
  - Natural threats
- Vulnerability Assessment (both site-specific and systemic to entire water authority)
  - Fences and Gates
  - Electronic access control
  - Policies and Procedures
Not only do a risk assessment and the accompanying recommendations improve the overall enterprise security for the facilities and employees of the water authority, but they also help the water authority meet national and local standards for critical infrastructure. This is done by assessing risk through determining shortfalls and vulnerabilities, measuring current physical security hardware and software against those mandated and/or recommended by industry-specific standards, adhering to multiple regulatory and government agency security requirements for critical infrastructures, and standardizing access control platforms into a single database.
Water authorities, while undoubtedly critical infrastructure, are businesses and must be managed as such. As with any other business, there must be a balance between security and the budget, especially if the budget is controlled by a Board of Directors, the public, or the local government. With that said, a thorough and high-quality risk assessment will take all possible recommendations into account, not just those the assessors think may fit into the water authority’s budget. When a water authority is having a risk assessment done, they would be wise to have a record and understanding of all of the potential security risks, even if it is not feasible to address every risk or put every recommendation into effect immediately. One outcome of a rigorous risk assessment is an action plan with security upgrades and recommendations laid out in phases and levels of priority; this way the governing body can make informed decisions about which issues to address first.
Invictus Consulting, LLC conducted one such security risk assessment for a county water authority. The process will be described in detail below, giving a more comprehensive explanation and illustration of some of the points made above.
This particular water authority created a priority level list for their 2 dozen sites; this priority list was mutually agreed upon between the water authority and the security consultants. Included in the types of facilities at this water authority were administration buildings, water treatment plants, wastewater treatment plants, water reclamation facilities, water production facilities, community use buildings, and storage/maintenance facilities. Priority levels were based on the type of facility, the number of employees at each facility, and standards and information provided by the Department of Homeland Security. The project had 3 levels of priority, with Level 1 sites being those facilities producing drinking water for the general public, facilities distributing water, and facilities with large numbers of staff to which the public has access. Level 2 sites were medium priority; these sites included facilities that house bulk or a variety of chemicals or equipment that could potentially be used to create mass casualties or that are vital to company operations. Level 3 sites were low priority sites; these sites included buildings with little to no impact on the general public, storage facilities with no chemicals, and general use buildings with little activity. While each facility was assessed in the same manner by the consultants, creating priority levels helped the governing body of the water authority figure out which final recommendations to focus on first. For example, installing a uniform electronic access control system throughout all locations is a lofty goal but not fiscally feasible. With a priority structure in place, the governing body was able to fund the project for the most important sites (Level 1) right away, with the long-term goal of completing the project for all sites within a number of years.
In addition to determining a priority level for each site in the water authority, Invictus organized a structure to visualize and understand the various levels of security. Some security measures were site-specific while others were systemic to the water authority as a whole. The levels of security designated for a water authority were as follows:
- Level 1 – Outer Perimeter (this included physical perimeter measures such as fences and gates and the landscaping around these features)
- Level 2 – Visual Perimeter (this included devices used to see the perimeter of a building, facility, or site such as cameras and CCTV)
- Level 3 – Access Control (this included any access control measures such as badges, card readers, door locks, etc.)
- Level 4 – Alarm Systems (this included burglar alarms and other intruder alarm systems)
- Level 5 – Policies and Procedures (this included both systemic and site-specific policies and procedures relating to worker health and safety, hiring and firing, access to locations, reporting of issues, etc.)
Each site was assessed based on these five levels of security, meaning that each site was assessed with the same strategy – assessment of outer perimeter fences and gates (if applicable), assessment of camera equipment (if applicable), assessment of access control features, assessment of alarm systems, and assessment of policies and procedures.
For Level 1 security measures, the outer perimeter of each site was assessed. This included an assessment of the condition of fences and gates around the site; assessment of the condition of locks, chains, and padlocks on gates; assessment of landscape features near fences and gates; and assessment of whether gates were open or closed. Broken fences, wide open gates, and vegetation growing up around fences (impeding line of sight) were common Level 1
For Level 2 security measures, cameras were assessed. This assessment included camera manufacturer, configuration, recording duration, quality of display, dynamic presentation, type of view captured (e.g., parking lot, break room), and camera hardware (e.g., IP versus analog technology). Common Level 2 problems included multiple dummy cameras (i.e., cameras that are just for show and don’t actually work), little to no consistency in hardware or recording specifications, and little to no database (storage) of captured film.
For Level 3 security, access control measures were assessed. This included assessing the process of credentialing; assessment of the physical credentials/badges themselves; assessment of the processes and procedures related to physical keys (as opposed to electronic badges); a thorough examination of access control systems including assessment of software, badge printers, panels, reader boards, input boards, output boards, network switches, batteries; and a thorough examination of access controlled doors including door location, construction, card reader, lock type, egress, and contact type. Typical Level 3 issues included inconsistent processes and procedures for credentialing and giving out keys, card readers not working, and employee bypassing of access control measures.
For Level 4 security measures, alarm systems were assessed. This was done in much the same way access control hardware and software were assessed, namely a thorough investigation of alarm zones, keypads, sounders, powered sensors, network connectivity, and alarm monitoring. This examination was completed for motion detectors, tamper alarms, sensor alarms, fire alarms, and contact alarms. The most common issues with Level 4 security measures were non-functioning alarms and too few alarms present.
For Level 5 security measures, interviews were conducted with executive level staff, managerial level staff, and at least one person at each and every site. This gave a picture of both site-specific issues and systemic issues. Interview topics included visitor management procedures, building access, credentialing procedures, video functionality and verification, perimeter verification, reporting and documenting procedures for emergencies and risks, emergency notification procedures, alarm system management, and site-specific incidents. Interviews were kept confidential so that employees would be honest, and interview answers were codified and plotted to uncover discrepancies between stated policies and what was actually happening on the ground. Common Level 5 issues included inconsistent visitor management procedures, inconsistent reporting and documenting procedures (especially for facilities that house dangerous chemicals), and an overall lack of a culture of security.
In addition to a physical assessment of every site belonging to the water authority, research was done into sector-specific risks for the consequence analysis and threat analysis aspects of the risk assessment. In the case of the Water and Wastewater Systems Sector, research was done for general risk factors for all Water Sector facilities and also specific risk factors related to the location, size, and operation of the specific water authority being assessed. A consequence analysis was written; this included research and data concerning public health consequences and economic consequences of a breach in safety. A threat analysis was also written; this included research on human threats and natural threats to both this specific water authority and the Water Sector in general.
A detailed and extensive report was delivered to the water authority being assessed. This report included methodology of assessment, the complete consequence analysis, the complete threat analysis, the complete vulnerability analysis, and thorough recommendations for improving security. Individual reports were also written for each and every site, providing specific and detailed data from each site assessment and precise recommendations for each site.
In addition to a full report and site-specific reports, the water authority was presented with all of the data collected for their records.
Final recommendations were categorized into 3 groups:
- Site Logistics – this included recommendations for building structures, moveable entrances, hardware, lighting, etc.
- Security Management – this included recommendations for a systemic security management system that incorporates camera systems, intercom systems, fence line detection systems, and a unified platform allowing each site to be monitored and managed with relative ease
- Policy and Procedures – this included recommendations for visitor management, credentialing, and the overall climate of safety
Beyond written recommendations for site logistics, a security management system, and policies/procedures, comprehensive engineering plans were designed for each and every site assessed. These designs were provided on CAD drawings for each facility and included locations for CCTV, intercom, card readers, door contacts, motion sensors, and magnetic locks; detailed specs for integration into the existing security system; access and CCTV schematics; and access and CCTV installation details.
As noted earlier, recommendations were exhaustive and covered every possible improvement and upgrade, even if it was not possible for the water authority to put all recommendations and upgrades into effect immediately. The CAD drawings provided to the water authority became the property of the water authority so the design and engineering could be executed on the water authority’s own timeline. The same held true for all of the recommendations for site logistics, security management system, and policies and procedures – the final deliverable to the water authority included all possible recommendations regardless of projected budget. This gave the water authority a complete and exhaustive plan that they can execute over time.
The final deliverable to the water authority was a request for proposals (RFP) written for the exact specifications of the recommended security upgrades and centralized security management system. The RFP document was something that the water authority could use as they put the project out to bid without having to create the document themselves.
Easily the most important part of the risk and security assessment was the final debrief meeting with the water authority’s key players. This meeting was a place to present the data, findings, and recommendations to concerned parties at the water authority including the safety and security officer, general manager, HR director, risk manager, finance director, engineering manager, and public relations manager. The importance of this meeting cannot be overstated, as it was a place for executive level and managerial level employees to get a clear picture of exactly what risks were uncovered and understand the details of the recommended plan to mitigate those risks. In addition, a projected budget was created for each site, giving the executives and managers a clear picture of how the recommendations could be carried out. As noted above, the sites were categorized into priority levels, which, in combination with projected budgets for each site, were able to give a comprehensive plan to the water authority executives on how to proceed with improvements over the course of the next few years.