A DROP OF PREVENTION
Could terrorists contaminate the water supply of a major city? Probably. People have been contaminating water supplies inadvertently for decades.
A 2002 study by the U.S. Environmental Protection Agency (EPA) lists 459 incidents in which contaminated liquids flowed back into a water system. The incidents occurred between 1970 and 2001 and caused 12,093 cases of illness.
In 1997, for example, a fire truck pump created backpressure on a fire hydrant before the valve was closed and forced more than 60 gallons of fire-fighting foam into 40,000 neighborhood taps in Charlotte-Mecklenburg, N.C. In 2000, contaminated water lines at an Ohio fairground resulted in an outbreak of E. coli.
None of these incidents was caused by someone trying to do harm. Still, they suggest that contaminating a public water supply is not that difficult. “The threat of contamination is a hard problem to deal with,” says Alan Roberson, director of security and regulatory affairs for the American Water Works Association (AWWA) in Washington, D.C., an international group that represents more than 4,700 water utilities in North America.
Contamination may pose the chief threat to the nation’s water supply. Every community, at one time or another, has cut off its water supply for a couple of days — usually without lasting effect. While a long-term water shortage would create hardship and economic losses, it would also be enormously difficult to cause. But if a city water supply suddenly began to make lots of people sick, panic could infect the rest of the country.
Since Sept. 11, the nation’s water utilities have been struggling to secure public drinking water against the possibility of a terrorist attack. Security strategies have altered water system design and day-to-day operating procedures; increased applications of conventional security technologies; and produced stopgap measures aimed at detecting and responding to contamination events.
AN ENORMOUS WATER SYSTEM
The scope of the nation’s water system is enormous. Across the country, there are 54,000 community water systems. Of those, about 3,000 provide more than 75 percent of the nation’s drinking water. Eighty percent are publicly owned, while 20 percent operate as private businesses.
Water authorities draw raw water from resources including rivers, lakes, reservoirs or wells drilled into underground aquifers. Raw water flows into plants for treatment, usually with chlorine. The water is also tested for more than 100 chemical and biological impurities. Miles of pipes distribute water from the treatment plant to homes and businesses in the community. Treatment plants also maintain treated water reservoirs to handle emergency needs.
Distribution systems often require intermediate pumping stations to maintain pressure in the system when water must move uphill, over a mountain, and most importantly, to a community’s network of fire hydrants.
Sophisticated electronic supervisory control and data acquisition (SCADA) systems control the valves, pumps and monitoring systems connected to a water authority’s network of pipes.
Any one of these water system components could become a target of a terrorist attack. Beyond noting that larger water systems probably face more serious risks, experts say it is impossible to predict likely targets.
WATER SECURITY STRATEGY
Following Sept. 11, the federal government began to shape a water security strategy for the nation. The Bio-terrorism Act of 2002 outlined the first steps. The legislation required community water systems serving populations of more than 3,300 people to conduct vulnerability assessments and report their findings to the EPA. The law set a tiered schedule for completing the vulnerability assessments with the largest water authorities going first. The final deadline occurred on June 30, 2004.
Six months after the vulnerability assessments came due, water authorities were required to submit updated emergency response plans for dealing with an attack on the water supply.
“The deadlines have passed, and we’ve had a tremendous response from the water sector,” says Janet Pawlukiewicz, director of the EPA’s water security division. “One-hundred percent of the large and medium systems have completed their vulnerability assessments and their emergency response plans. At last count, 94 percent of the small systems had also complied.”
While the law does not require water suppliers to make security improvements, many have decided to address weaknesses discovered in their vulnerability assessments.
REDUNDANT SYSTEMS TO MAINTAIN SUPPLIES
The water industry has traditionally planned for trouble. Earthquakes, hurricanes, tornadoes and other natural disasters pose a threat to water supplies in the regions where they occur. As a result, most water authorities design facilities to be redundant — able to provide water from another source if one source is compromised. In response to Sept. 11 and the vulnerability assessments that followed, many utilities accelerated their current redundancy projects.
Last year, for example, the Massachusetts Water Resources Authority (MWRA), one of the largest water authorities in the country, completed construction of a second aqueduct to supply water to Boston. For years, Boston received 85 percent of its water through the single 17-mile Hultman Aqueduct. “Because it was the only pipe that delivered water to the city, a failure would have meant a very difficult recovery,” says Marcis Kempe, director of operations support for MWRA. “Any time you lose water to an area, you lose economic activity and risk greater losses from fires. Because of this, we started building a second pipe a number of years ago, well before Sept. 11.”
Kempe also notes that the MWRA added several new, covered reservoirs, replacing older facilities that were not covered. “Today, all treated water sent to users stays covered all the way,” he says. “There is no return to daylight anywhere.”
NEW DESIGNS TO PROTECT WATER
The industry is also altering its approach to system design. “We are used to preparing for storms and power outages,” says Steve Gerwin, operations support manager with the Washington Suburban Sanitary Commission (WSSC) in Laurel, Md., another large water authority. “The threat of terrorism has introduced a new problem that we’re not used to in that a facility design that might have been good five years ago may be a bad design post-9-11.”
It makes economic sense, for example, to build one large water treatment plant instead of two small plants, Gerwin says. Since Sept. 11, however, water authorities would probably opt for two smaller plants. Though more expensive, dual plants would provide the security benefits of redundancy.
Another example: Large water treatment plants are sometimes built as two or more plants on the same plot of ground — two 50 million gallon-per-day (MGD) plants to make a 100-MGD plant. In the future, large utilities will use separate sites for each component plant.
WSSC and other large authorities are also considering the installation of large generators as back-up power supplies to prevent a long-term power outage from cutting off supplies of drinking water.
Fences are being viewed in a new light as well. “Before Sept. 11, we were doing away with fences around facilities because the public didn’t like that,” Gerwin says. “Today, we are installing fences again.”
SECURITY FROM OPERATIONAL CHANGES
Changes in operating methods are helping to enhance water security, too. For example, water companies have historically used chlorine to purify water at treatment plants. Industry observers have suggested that large chlorine storage facilities may offer attractive terrorist targets.
In response, some large water companies have begun to redesign their treatment methods. MWRA, for instance, has switched from chlorine gas to liquid chlorine, a form of the chemical believed to be easier to handle.
MWRA is also testing new purification methods that employ ozone and ultra-violet light technologies instead of chlorine. “We’re building a new treatment plant that uses ozone for primary disinfection,” Kempe says. “We’re also piloting an ultra-violet process at a smaller treatment plant. In the future, we will add ultra-violet to our main treatment plant.”
According to Kempe, ultra-violet light treatment inactivates many biological impurities, while ozone eliminates algae that affects taste and produces odors. “We think that regulations in coming years will require the use of double primary disinfection,” he says. “This is another redundancy philosophy.”
Operational changes need not be expensive, Roberson adds. “Big plants receive numerous deliveries by truck every week,” he says. “To protect against a truck bomb attack, a utility can require shippers to provide a day’s notice for deliveries. The notice would include a description of the delivery, the truck, and the driver’s name and license number. It’s an easy, inexpensive procedure to implement, and it will improve security.
CONVENTIONAL SECURITY
Charlie Howell, a principal with Security Concepts and Planning, a Sacramento security consultant specializing in water systems, tells his clients to create layers of security with technology matched to facility vulnerabilities.
A facility might be a plant, an emergency tank or a remote pumping station. No matter what the facility, the layering idea works the same. For example, Howell recommends removing the ladders typically installed on tanks holding treated water reserves. “Ladders make it easy for water utility people to check the water and for others to climb up to the door of the tank,” he says. “Without a ladder, the water company will need a boom truck to get up there, but removing ladders can increase security, at least against vandals.”
Utilities dealing with sophisticated vandals can add more layers by installing fences around the tanks, placing steel mesh over the doors and locking the doors.
If a vulnerability assessment finds additional threats, motion sensors and other intrusion alarms can be added to the layers. Alarms at staffed facilities like treatment plants can be checked out by the plant staff. At a remote facility, however, false alarms raise concerns, since a utility would probably call the police or a private security firm to check out an alarm on a water tank.
Howell recommends setting at least two alarms at remote facilities and using one to verify the other. “You might put a motion detector on a gate and combine it with another motion detector inside the building,” he says. “If one alarm goes off, but not the other, it’s probably a false alarm. But if they both go off, that’s positive verification and worth investigating.”
Howell also suggests looking for ways to combine operational and security technologies. “A utility might install a video camera at a remote pumping station to make sure the pump goes on when its supposed to,” he says. “If you’re going to spend that money, why not spend a little extra and get two cameras. If you’re installing cameras a several remote facilities, why not get a digital video recorder to make monitoring easier.”
LOGICAL SECURITY
SCADA systems represent another potential vulnerability for water utilities. The main SCADA threat would probably be a hacker causing a loss of service, although a utility might identify SCADA threats in the context of a larger terrorist attack on a region.
While the threat is somewhat vague, utilities have taken steps to protect SCADA systems. “We’ve isolated the MWRA SCADA systems pretty well with firewalls,” Kempe says. “But then we have a pretty simple system. We bring our water down from the mountains with gravity. There are only a few places where we need electronic controls.”
Other large water systems have a much larger technical challenge. Kempe points out that some large urban systems operate hundreds of booster pumping stations, none of them staffed. For those utilities, losing SCADA could take the entire water system off line.
THE CONTAMINATION PROBLEM
All of these steps, from security design through the installation of security technology, can help reduce contamination risks. But utilities still feel vulnerable, given the unprotected water pipes that run into every house, office building, store and factory in every community.
Then there are the numbers of possible contaminants. “There are literally hundreds of chemicals and dozens of biologicals that you worry about,” Kempe says. “While you test for what you can, you can’t test for each and every one. So you have to look for basic changes.”
Such changes might show up in water quality measurements. Utilities typically measure residual chlorine, pH and turbidity in the water. MWRA has begun to sample its water more frequently in the belief that a sudden change in one of the basic measures might give early warning of an attack.
“We’re watching everything more closely, including the behavior of consumers,” Kempe says. “People call in when they see something funky in the water.”
MWRA also works closely with healthcare agencies. The Boston Department of Public Health, for instance, is cataloging visits to area emergency rooms and hospitals. Are more people showing up with gastrointestinal ailments? Is drinking water the source of the problem? Public Health also monitors sales of stomach pain remedies in drug stores. An uptick in sales might set off a round of testing at the water authority. “We’ve been tied into this research since before Sept. 11,” Kempe says. “But we’ve kept it going.”
Meanwhile, researchers continue to design and test real-time monitoring devices, searching for the magic sensor that will raise an alarm about contaminated water before anyone arrives at an emergency room.