In This Chapter

Plant Security

Authored by: Frank R. Spellman

Handbook of Water and Wastewater Treatment Plant Operations

Print publication date:  June  2020
Online publication date:  May  2020

Print ISBN: 9780367481681
eBook ISBN: 9781003038351
Adobe ISBN:




You may say Homeland Security is a Y2K problem that doesn’t end Jan. 1 of any given year.

 Add to shortlist  Cite

Plant Security

You may say Homeland Security is a Y2K problem that doesn’t end Jan. 1 of any given year.

—Governor Tom Ridge

U.S. Sees Increase in Cyber Attacks on Infrastructure

The top U.S. military official responsible for defending the United States against cyber attacks said Thursday that there had been a 17-fold increase in computer attacks on U.S. infrastructure between 2009 and 2011, initiated by criminal gangs, hackers and other nations.

New York Times, 07/27/2012


According to USEPA (2004), there are approximately 160,000 public water systems (PWSs) in the United States, each of which regularly supplies drinking water to at least 25 persons or 15 service connections. Of the total U.S. population, 84% is served by PWSs, while the remainder is served primarily by private wells. PWSs are divided into community water systems (CWSs) and non-community water systems (NCWSs). Examples of CWSs include municipal water systems that serve mobile home parks of residential developments. Examples of NCWSs include schools, factories, churches, commercial campgrounds, hotels, and restaurants.


Did You Know?

As of 2003, community water systems serve by far the largest proportion of the U.S. population—273 million out of a total population of 290 million (USEPA 2004).

Because drinking water is consumed directly, health effects associated with contamination have long been major concerns. In addition, interruption or cessation of the drinking water supply can disrupt society, impacting human health and critical activities such as fire protection. Although they have no clue as to its true economic value and to its future worth, the general public correctly perceives drinking water as central to the life of an individual and of society. However, the general public knows even less about or the importance of wastewater treatment and the fate of its end product.

Wastewater treatment is important for preventing disease and protecting the environment. Wastewater is treated by publicly owned treatment works (POTWs) and by private facilities such as industrial plants. There are approximately 2.3 million miles of distribution system pipes and approximately 16,255 POTWs in the United States. Of the total U.S. population, 75% is served by POTWs, with existing flows of less than 1 MGD being considered small; they number approximately 13,057 systems. For the purpose of determining population served, 1 MGD equals approximately 10,000 persons served.

Disruption of a wastewater treatment system or service can cause loss of life, economic impacts, and severe public health incidents. If structural damage occurs, wastewater systems can become vulnerable to inadequate treatment. The public is much less sensitive to wastewater as an area of vulnerability than it is to drinking water; however, wastewater systems do provide opportunities for terrorist threats.

Federal and state agencies have long been active in addressing these risks and threats to water and wastewater utilities through regulations, technical assistance, research, and outreach programs. As a result, an extensive system of regulations governing maximum contaminant levels of 90 conventional contaminants (most established by EPA), construction and operating standards (implemented mostly by the states), monitoring, emergency response planning, training, research, and education has been developed to better protect the nation’s drinking water supply and receiving waters. Since the events of 9/11, the EPA has been designated as the sector-specific agency responsible for infrastructure protection activities for the nation’s drinking water and wastewater system. The EPA is utilizing its position within the water sector and working with its stakeholders to provide information to help protect the nation’s drinking water supply from terrorism or other intentional acts.

Security Hardware/Devices

Keep in mind that when it comes to making “anything” absolutely secure from intrusion or attack, there is inherently, or otherwise, no silver bullet. However, careful preplanning and installation of security hardware and/or devices-products can significantly affect the plant’s ability to weather the storm, so to speak. USEPA (2005) groups the water/wastewater infrastructure security devices or products described below into four general categories:

  • Physical asset monitoring and control devices
  • Water monitoring devices
  • Communication and integration
  • Cyber protection devices

Physical Asset Monitoring and Control Devices

Aboveground, Outdoor Equipment Enclosures

Water and wastewater systems consist of multiple components spread over a wide area, and typically include a centralized treatment plant, as well as distribution or collection system components that are typically distributed at multiple locations throughout the community. However, in recent years, distribution and collection system designers have favored placing critical equipment—especially assets that require regular use and maintenance—aboveground.

One of the primary reasons for doing so is that locating this equipment aboveground eliminates the safety risks associated with confined space entry, which is often required for the maintenance of equipment located belowground. In addition, space restrictions often limit the amount of equipment that can be located inside, and there are concerns that some types of equipment (such as backflow prevention devices) can, under certain circumstances, discharge water that could flood pits, vaults, or equipment rooms. Therefore, many pieces of critical equipment are located outdoors and aboveground. Many different system components can be installed outdoors and aboveground. Examples of these types of components could include:

  • Backflow prevention devices
  • Air release and control valves
  • Pressure vacuum breakers
  • Pumps and motors
  • Chemical storage and feed equipment
  • Meters
  • Sampling equipment
  • Instrumentation

Much of this equipment is installed in remote locations and/or in areas where the public can access it.

One of the most effective security measures for protecting aboveground equipment is to place it inside a building. When or where this is not possible, enclosing the equipment or parts of the equipment using some sort of commercial or homemade add-on structure may help to prevent tampering with the equipment. Equipment enclosures can generally be categorized into one of four main configurations, which include:

  • O-piece, drop over enclosures
  • Hinged or removable top enclosures
  • Sectional enclosures
  • Shelters with access locks

Other security features that can be implemented on aboveground, outdoor equipment enclosures include locks, mounting brackets, tamper-resistant doors, and exterior lighting.


An alarm system is a type of electronic monitoring system that is used to detect and respond to specific types of events—such as unauthorized access to an asset, or a possible fire. In water and wastewater systems, alarms are also used to alert operators when process operating or monitoring conditions go out of preset parameters (i.e., process alarms). These types of alarms are primarily integrated with process monitoring and reporting systems (i.e., SCADA systems). Note that this discussion does not focus on alarm systems that are not related to a utility’s processes.

Alarm systems can be integrated with fire detection systems, intrusion detection systems (IDSs), access control systems, or closed circuit television (CCTV) systems, such that these systems automatically respond when the alarm is triggered. For example, a smoke detector alarm can be set up to automatically notify the fire department when smoke is detected; or an intrusion alarm can automatically trigger cameras to turn on in a remote location so that personnel can monitor that location.

An alarm system consists of sensors that detect different types of events; an arming station that is used to turn the system on and off; a control panel that receives information, processes it, and transmits the alarm; and an annunciator that generates a visual and/or audible response to the alarm. When a sensor is tripped it sends a signal to a control panel, which triggers a visual or audible alarm and/or notifies a central monitoring station. A more complete description of each of the components of an alarm system is provided below.

Detection devices (also called sensors) are designed to detect a specific type of event (such as smoke, intrusion, etc.). Depending on the type of event they are designed to detect, sensors can be located inside or outside of the facility or other asset. When an event is detected, the sensors use some type of communication method (such as wireless radio transmitters, conductors, or cables) to send signals to the control panel to generate the alarm. For example, a smoke detector sends a signal to a control panel when it detects smoke.

An arming station, which is the main user interface with the security system, allows the user to arm (turn on), disarm (turn off), and communicate with the system. How a specific system is armed will depend on how it is used. For example, while IDSs can be armed for continuous operation (24 hr/day), they are usually armed and disarmed according to the work schedule at a specific location so that personnel going about their daily activities do not set off the alarms. In contrast, fire protection systems are typically armed 24hours a day.

The control panel receives information from the sensors and sends it to an appropriate location, such as to a central operations station or to a 24-hour monitoring facility. Once the alarm signal is received at the central monitoring location, personnel monitoring for alarms can respond (such as by sending security teams to investigate or by dispatching the fire department).

The annunciator responds to the detection of an event by emitting a signal. This signal may be visual, audible, electronic, or a combination of these three. For example, fire alarm signals will always be connected to audible annunciators, whereas intrusion alarms may not be.

Alarms can be reported locally, remotely, or both locally and remotely. A local alarm emits a signal at the location of the event (typically using a bell or siren). A “local only” alarm emits a signal at the location of the event but does not transmit the alarm signal to any other location (i.e., it does not transmit the alarm to a central monitoring location). Typically, the purpose of a “local only” alarm is to frighten away intruders, and possibly to attract the attention of someone who might notify the proper authorities. Because no signal is sent to a central monitoring location, personnel can only respond to a local alarm if they are in the area and can hear and/or see the alarm signal.

Fire alarm systems must have local alarms, including both audible and visual signals. Most fire alarm signal and response requirements are codified in the National Fire Alarm Code, National Fire Protection Association (NFPA) 72. NFPA 72 discusses the application, installation, performance, and maintenance of protective signaling systems and their components. In contrast to fire alarms, which require a local signal when fire is detected, many IDSs do not have a local alert device, because monitoring personnel do not wish to inform potential intruders that they have been detected. Instead, these types of systems silently alert monitoring personnel that an intrusion has been detected, thus allowing monitoring personnel to respond.

In contrast to systems that are set up to transmit “local only” alarms when the sensors are triggered, systems can also be set up to transmit signals to a central location, such as to a control room or guard post at the utility, or to a police or fire station. Most fire/smoke alarms are set up to signal both at the location of the event and at a fire station or central monitoring station. Many insurance companies require that facilities install certified systems that include alarm communication to a central station. For example, systems certified by the Underwriters Laboratory (UL) require that the alarm be reported to a central monitoring station.

The main differences between alarm systems lie in the types of event detection devices used in different systems. Intrusion sensors, for example, consist of two main categories: perimeter sensors and interior (space) sensors. Perimeter intrusion sensors are typically applied on fences, doors, walls, windows, etc., and are designed to detect an intruder before he/she accesses a protected asset (i.e., perimeter intrusion sensors are used to detect intruders attempting to enter through a door, window, etc.). In contrast, interior intrusion sensors are designed to detect an intruder who has already accessed the protected asset (i.e., interior intrusion sensors are used to detect intruders once they are already within a protected room or building). These two types of detection devices can be complementary, and they are often used together to enhance security for an asset. For example, a typical intrusion alarm system might employ a perimeter glass-break detector that protects against intruders accessing a room through a window, as well as an ultrasonic interior sensor that detects intruders that have gotten into the room without using the window.

Fire detection/fire alarm systems consist of different types of fire detection devices and fire alarm systems. These systems may detect fire, heat, smoke, or a combination of any of these. For example, a typical fire alarm system might consist of heat sensors, which are located throughout a facility and which detect high temperatures or a certain change in temperature over a fixed time period. A different system might be outfitted with both smoke and heat detection devices.

When a sensor in an alarm system detects an event, it must communicate an alarm signal. The two basic types of alarm communication systems are hardwired and wireless. Hardwired systems rely on wires that run from the control panel to each of the detection devices and annunciators. Wireless systems transmit signals from a transmitter to a receiver through the air—primarily using radio or other waves. Hardwired systems are usually lower-cost, more reliable (they are not affected by terrain or environmental factors), and significantly easier to troubleshoot than are wireless systems. However, a major disadvantage of hardwired systems is that it may not be possible to hardwire all locations (for example, it may be difficult to hardwire remote locations). In addition, running wires to their required locations can be both time consuming and costly. The major advantage to using wireless systems is that they can often be installed in areas where hardwired systems are not feasible. However, wireless components can be much more expensive when compared to hardwired systems. In addition, in the past, it has been difficult to perform self-diagnostics on wireless systems to confirm that they are communicating properly with the controller. Presently, the majority of wireless systems incorporate supervising circuitry, which allows the subscriber to know immediately if there is a problem with the system (such as a broken detection device or a low battery), or if a protected door or window has been left open.

Backflow Prevention Devices

As their name suggests, backflow prevention devices are designed to prevent backflow, which is the reversal of the normal and intended direction of water flow in a water system. Backflow is a potential problem in a water system because it can spread contaminated water back through a distribution system. For example, backflow at uncontrolled cross-connections (cross-connections are any actual or potential connection between the public water supply and a source of contamination) or pollution can allow pollutants or contaminants to enter the potable water system. More specifically, backflow from private plumbing systems, industrial areas, hospitals, and other hazardous contaminant-containing systems, into public water mains and wells poses serious public health risks and security problems. Cross-contamination from private plumbing systems can contain biological hazards (such as bacteria or viruses) or toxic substances that can contaminate and sicken an entire population in the event of backflow. The majority of historical incidences of backflow have been accidental, but growing concern that contaminants could be intentionally backfed into a system is prompting increased awareness for private homes, businesses, industries, and areas most vulnerable to intentional strikes. Therefore, backflow prevention is a major tool for the protection of water systems.

Backflow may occur under two types of conditions: backpressure and backsiphonage. Backpressure is the reverse from normal flow direction within a piping system that is the result of the downstream pressure being higher than the supply pressure. These reductions in the supply pressure occur whenever the amount of water being used exceeds the amount of water supplied, such as during water line flushing, fire fighting, or breaks in water mains. Backsiphonage is the reverse from normal flow direction within a piping system that is caused by negative pressure in the supply piping (i.e., the reversal of normal flow in a system caused by a vacuum or partial vacuum within the water supply piping). Backsiphonage can occur where there is a high velocity in a pipe line; when there is a line repair or break that is lower than a service point; or when there is lowered main pressure due to high water withdrawal rates, such as during fire fighting or water main flushing.

To prevent backflow, various types of backflow preventers are appropriate for use. The primary types of backflow preventers are:

  • Air Gap Drains
  • Double Check Valves
  • Reduced Pressure Principle Assemblies
  • Pressure Vacuum Breakers


Active Security Barriers (Crash Barriers)

Active security barriers (also known as crash barriers) are large structures that are placed in roadways at entrance and exit points to protected facilities to control vehicle access to these areas. These barriers are placed perpendicular to traffic to block the roadway, so that the only way that traffic can pass the barrier is for the barrier to be moved out of the roadway. These types of barriers are typically constructed from sturdy materials, such as concrete or steel, such that vehicles cannot penetrate through them. They are also designed at a certain height off the roadway so that vehicles cannot go over them.

The key difference between active security barriers, which include wedges, crash beams, gates, retractable bollards, and portable barricades, and passive security barriers, which include non-movable bollards, jersey barriers, and planters, is that active security barriers are designed so that they can be raised and lowered or moved out of the roadway easily to allow authorized vehicles to pass them. Many of these types of barriers are designed so that they can be opened and closed automatically (i.e., mechanized gates and hydraulic wedge barriers), while others are easy to open and close manually (swing crash beams and manual gates). In contrast to active barriers, passive barriers are permanent, non-movable barriers, and thus they are typically used to protect the perimeter of a protected facility, such as sidewalks and other areas that do not require vehicular traffic to pass them. Several of the major types of active security barriers such as wedge barriers, crash beams, gates, bollards, and portable/removable barricades are described below.

Wedge barriers are plated, rectangular steel buttresses approximately 2–3 feet high that can be raised and lowered from the roadway. When they are in the open position, they are flush with the roadway and vehicles can pass over them. However, when they are in the closed (armed) position, they project up from the road at a 45 degree angle, with the upper end pointing towards the oncoming vehicle and the base of the barrier away from the vehicle. Generally, wedge barriers are constructed from heavy gauge steel, or from concrete that contains an impact-dampening iron rebar core that is strong and resistant to breaking or cracking, thereby allowing them to withstand the impact from a vehicle attempting to crash through them. In addition, both of these materials help to transfer the energy of the impact over the barrier’s entire volume, thus helping to prevent the barrier from being sheared off its base. In addition, because the barrier is angled away from traffic, the force of any vehicle impacting the barrier is distributed over the entire surface of the barrier and is not concentrated at the base, which helps prevent the barrier from breaking off at the base. Finally, the angle of the barrier helps hang up any vehicles attempting to drive over it.

Wedge barriers can be fixed or portable. Fixed wedge barriers can be mounted on the surface of the roadway (“surface-mounted wedges”) or in a shallow mount in the road’s surface, or they can be installed completely below the road surface. Surface-mounted wedge barricades operate by rising from a flat position on the surface of the roadway, while shallow-mount wedge barriers rise from their resting position just below the road surface. In contrast, below-surface wedge barriers operate by rising from beneath the road surface. Both the shallow-mounted and surface-mounted barriers require little or no excavation, and thus do not interfere with buried utilities. All three barrier mounting types project above the road surface and block traffic when they are raised into the armed position. Once they are disarmed and lowered, they are flush with the road, thereby allowing traffic to pass portable wedge barriers that are moved into place on wheels that are removed after the barrier has been set into place.

Installing rising wedge barriers requires preparation of the road surface. Installing surface-mounted wedges does not require that the road be excavated; however, the road surface must be intact and strong enough to allow the bolts anchoring the wedge to the road surface to attach properly. Shallow-mount and below-surface wedge barricades require excavation of a pit that is large enough to accommodate the wedge structure, as well as any arming/disarming mechanisms. Generally, the bottom of the excavation pit is lined with gravel to allow for drainage. Areas not sheltered from rain or surface runoff can install a gravity drain or self-priming pump.

Crash beam barriers consist of aluminum beams that can be opened or closed across the roadway. While there are several different crash beam designs, every crash beam system consists of an aluminum beam that is supported on each side of the road and is made by a solid footing or buttress, which is typically constructed from concrete, steel, or some other strong material. Beams typically contain an interior steel cable (typically at least one inch in diameter) to give the beam added strength and rigidity. The beam is connected by a heavy-duty hinge or another mechanism to one of the footings so that it can swing or rotate out of the roadway when it is open, and can swing back across the road when it is in the closed (armed) position, blocking the road and inhibiting access by unauthorized vehicles. The non-hinged end of the beam can be locked into its footing, thus providing anchoring for the beam on both sides of the road and increasing the beam’s resistance to any vehicles attempting to penetrate through it. In addition, if the crash beam is hit by a vehicle, the aluminum beam transfers the impact energy to the interior cable, which in turn transfers the impact energy through the footings and into their foundation, thereby minimizing the chance that the impact will snap the beam and allow the intruding vehicle to pass through.

Crash beam barriers can employ drop-arm, cantilever, or swing beam designs. Drop-arm crash beams operate by raising and lowering the beam vertically across the road. Cantilever crash beams are projecting structures that are opened and closed by extending the beam from the hinge buttress to the receiving buttress located on the opposite side of the road. In the swing beam design, the beam is hinged to the buttress in such a way that it swings horizontally across the road. Generally, swing beam and cantilever designs are used at locations where a vertical lift beam is impractical. For example, the swing beam or cantilever designs are utilized at entrances and exits with overhangs, trees, or buildings that would physically block the operation of the drop-arm beam design. Installing any of these crash beam barriers involves the excavation of a pit approximately 48 inches deep for both the hinge and the receiver footings. Due to the depth of excavation, the site should be inspected for underground utilities before digging begins.

In contrast to wedge barriers and crash beams, which are typically installed separately from a fence line, gates are often integrated units of a perimeter fence or wall around a facility. Gates are basically movable pieces of fencing that can be opened and closed across a road. When the gate is in the closed (armed) position, the leaves of the gate lock into steel buttresses that are embedded in concrete foundation located on both sides of the roadway, thereby blocking access to the roadway. Generally, gate barricades are constructed from a combination of heavy gauge steel and aluminum that can absorb an impact from vehicles attempting to ram through them. Any remaining impact energy not absorbed by the gate material is transferred to the steel buttresses and their concrete foundation.

Gates can utilize a cantilever, linear, or swing design. Cantilever gates are projecting structures that operate by extending the gate from the hinge footing across the roadway to the receiver footing. A linear gate is designed to slide across the road on tracks via a rack and pinion drive mechanism. Swing gates are hinged so that they can swing horizontally across the road. Installation of the cantilever, linear, or swing gate designs described above involve the excavation of a pit approximately 48 inches deep for both the hinge and receiver footings to which the gates are attached. Due to the depth of excavation, the site should be inspected for underground utilities before digging begins.

Bollards are vertical barriers at least 3 feet tall and 1–2 feet in diameter that are typically set 4–5 feet apart from each other so that they block vehicles from passing between them. Bollards can either be fixed in place, removable, or retractable. Fixed and removable bollards are passive barriers that are typically used along building perimeters or on sidewalks to prevent vehicles from passing them, while allowing pedestrians to pass them. In contrast to passive bollards, retractable bollards are active security barriers that can easily be raised and lowered to allow vehicles to pass between them. Thus, they can be used in driveways or on roads to control vehicular access. When the bollards are raised, they protect above the road surface and block the roadway; when they are lowered, they sit flush with the road surface, and thus allow traffic to pass over them. Retractable bollards are typically constructed from steel or other materials that have a low weight-to-volume ratio so that they require low power to raise and lower. Steel is also more resistant to breaking than is a more brittle material, such as concrete, and is better able to withstand direct vehicular impact without breaking apart.

Retractable bollards are installed in a trench dug across a roadway—typically at an entrance or gate. Installing retractable bollards requires preparing the road surface. Depending on the vendor, bollards can be installed either in a continuous slab of concrete, or in individual excavations with concrete poured in place. The required excavation for a bollard is typically slightly wider and slightly deeper than the bollard height when extended aboveground. The bottom of the excavation is typically lined with gravel to allow drainage. The bollards are then connected to a control panel which controls the raising and lowering of the bollards. Installation typically requires mechanical, electrical, and concrete work; if utility personnel with these skills are available, then the utility can install the bollards themselves.

Portable/removable barriers, which can include removable crash beams and wedge barriers, are mobile obstacles that can be moved in and out of position on a roadway. For example, a crash beam may be completely removed and stored off-site when it is not needed. An additional example would be wedge barriers that are equipped with wheels that can be removed after the barricade is towed into place.

When portable barricades are needed, they can be moved into position rapidly. To provide them with added strength and stability, they are typically anchored to buttress boxes that are located on either side of the road. These buttress boxes, which may or may not be permanent, are usually filled with sand, water, cement, gravel, or concrete to make them heavy and to aid in stabilizing the portable barrier. In addition, these buttresses can help dissipate any impact energy from vehicles crashing into the barrier itself.

Because these barriers are not anchored into the roadway, they do not require excavation or other related construction for installation. In contrast, they can be assembled and made operational in a short period of time. The primary shortcoming of this type of design is that these barriers may move if they are hit by vehicles. Therefore, it is important to carefully assess the placement and anchoring of these types of barriers to ensure that they can withstand the types of impacts that may be anticipated at that location.

Because the primary threat to active security barriers is that vehicles will attempt to crash through them, their most important attributes are their size, strength, and crash resistance. Other important features for an active security barrier are the mechanisms by which the barrier is raised and lowered to allow authorized vehicle entry, and other factors, such as weather resistance and safety features.

Passive Security Barriers

One of the most basic threats facing any facility is from intruders accessing the facility with the intention of causing damage to its assets. These threats may include intruders actually entering the facility, as well as intruders attacking the facility from outside without actually entering it (i.e., detonating a bomb near enough to the facility to cause damage within its boundaries).

Security barriers are one of the most effective ways to counter the threat of intruders accessing a facility or the facility perimeter. Security barriers are large, heavy structures that are used to control access through a perimeter by either vehicles or personnel. They can be used in many different ways depending on how or where they are located at the facility. For example, security barriers can be used on or along driveways or roads to direct traffic to a checkpoint (i.e., a facility may install jersey barriers in a road to direct traffic in a certain direction). Other types of security barriers (crash beams, gates) can be installed at the checkpoint so that guards can regulate which vehicles can access the facility. Finally, other security barriers (i.e., bollards or security planters) can be used along the facility perimeter to establish a protective buffer area between the facility and approaching vehicles. Establishing such a protective buffer can help in mitigating the effects of the type of bomb blast described above, both by potentially absorbing some of the blast, and also by increasing the “stand-off” distance between the blast and the facility (the force of an explosion is reduced as the shock wave travels further from the source, and thus the further the explosion is from the target, the less effective it will be in damaging the target).

Security barriers can be either “active” or “passive.” “Active” barriers, which include gates, retractable bollards, wedge barriers, and crash barriers, are readily movable, and thus they are typically used in areas where they must be moved often to allow vehicles to pass—such as in roadways at entrances and exits to a facility. In contrast to active security barriers, “passive” security barriers, which include jersey barriers, bollards, and security planters, are not designed to be moved on a regular basis, and thus they are typically used in areas where access is not required or allowed—such as along building perimeters or in traffic control areas. Passive security barriers are typically large, heavy structures that are usually several feet high, and they are designed so that even heavy-duty vehicles cannot go over or through them. Therefore, they can be placed in a roadway parallel to the flow of traffic so that they direct traffic in a certain direction (such as to a guardhouse, a gate, or some other sort of checkpoint), or perpendicular to traffic such that they prevent a vehicle from using a road or approaching a building or an area.

Biometric Security Systems

Biometrics involves measuring the unique physical characteristics or traits of the human body. Any aspect of the body that is measurably different from person to person—for example fingerprints or eye characteristics—can serve as a unique biometric identifier for that individual. Biometric systems recognizing fingerprints, palm shape, eyes, face, voice, and signature comprise the bulk of the current biometric systems; however, biometric systems that recognize other biological features do exist. Biometric security systems use biometric technology combined with some type of locking mechanism to control access to specific assets. In order to access an asset controlled by a biometric security system, an individual’s biometric trait must be matched with an existing profile stored in a database. If there is a match between the two, the locking mechanisms (which could be a physical lock, such as at a doorway, an electronic lock, such asat a computer terminal, or some other type of lock) are disengaged, and the individual is given access to the asset. A biometric security system is typically comprised of the following components:

  • A sensor, which measures/records a biometric characteristic or trait
  • A control panel, which serves as the connection point between various system components (The control panel communicates information back and forth between the sensor and the host computer, and controls access to the asset by engaging or disengaging the system lock based on internal logic and information from the host computer)
  • A host computer, which processes and stores the biometric trait in a database
  • Specialized software, which compares an individual image taken by the sensor with a stored profile or profiles
  • A locking mechanism which is controlled by the biometric system
  • A power source to power the system

Biometric Hand and Finger Geometry Recognition

Hand and finger geometry recognition is the process of identifying an individual through the unique “geometry” (shape, thickness, length, width, etc.) of that individual’s hand or fingers. Hand geometry recognition has been employed since the early 1980s and is among the most widely used biometric technologies for controlling access to important assets. It is easy to install and use, and is appropriate for use in any location requiring the use of two-finger highly accurate, non-intrusion biometric security. For example, it is currently used in numerous workplaces, daycare facilities, hospitals, universities, airports, and power plants.

A newer option within hand geometry recognition technology is finger geometry recognition (not to be confused with fingerprint recognition). Finger geometry recognition relies on the same scanning methods and technologies as does hand geometry recognition, but the scanner only scans two of the user’s fingers, as opposed to his entire hand. Finger geometry recognition has been in commercial use since the mid-1990s and is mainly used in time and attendance applications (i.e., to track when individuals have entered and exited a location). To date the only large-scale commercial use of two-finger geometry for controlling access is at Disney World, where season pass holders use the geometry of their index and middle finger to gain access to the facilities.

Hand and finger geometry recognition systems can be used in several different types of applications, including access control and time and attendance tracking. While time and attendance tracking can be used for security, it is primarily used for operations and payroll purposes (i.e., clocking in and clocking out). In contrast, access control applications are more likely to be security-related. Biometric systems are widely used for access control, and can be used on various types of assets, including entryways, computers, vehicles, etc. However, because of their size, hand/finger recognition systems are primarily used in entryway access control applications.

Iris Recognition

The iris, which is the colored or pigmented area of the eye surrounded by the sclera (the white portion of the eye), is a muscular membrane that controls the amount of light entering the eye by contracting or expanding the pupil (the dark center of the eye). The dense, unique patterns of connective tissue in the human iris were first noted in 1936, but it was not until 1994, when algorithms for iris recognition were created and patented, that commercial applications using biometric iris recognition began to be used extensively. There are now two vendors producing iris recognition technology: both the original developer of these algorithms and a second company which has developed and patented a different set of algorithms for iris recognition.

The iris is an ideal characteristic for identifying individuals because it is formed in utero, and its unique patterns stabilize around eight months after birth. No two irises are alike; neither an individual’s right or left irises, nor the irises of identical twins. The iris is protected by the cornea (the clear covering over the eye), and therefore it is not subject to the aging or physical changes (and potential variation) that are common to some other biometric measures, such as the hand, fingerprints, and the face. Although some limited changes can occur naturally over time, these changes generally occur in the iris’ melanin and therefore affect only the eye’s color, and not its unique patterns (in addition, because iris scanning uses only black and white images, color changes would not affect the scan anyway). Thus, barring specific injuries or certain rate surgeries directly affecting the iris, the iris’ unique patterns remain relatively unchanged over an individual’s lifetime.

Iris recognition systems employ a monochromatic, or black and white, video camera that uses both visible and near-infrared light to take video of an individual’s iris. Video is used rather than still photography as an extra security procedure. The video is used to confirm the normal continuous fluctuations of the pupil as the eye focuses, which ensures that the scan is of a living human being, and not a photograph or some other attempted hoax. A high resolution image of the iris is then captured or extracted from the video, using a device often referred to as a frame grabber. The unique characteristics identified in this image are then converted into a numeric code, which is stored as a template for that user.

Card Identification/Access/Tracking Systems

A card reader system is a type of electronic identification system that is used to identify a card and then perform an action associated with that card. Depending on the system, the card may identify where a person is or where they were at a certain time; or it may authorize another action, such as disengaging a lock. For example, a security guard may use his card at card readers located throughout a facility to indicate that he has checked a certain location at a certain time. The reader will store the information and/or send it to a central location, where it can be checked later to ensure that the guard has patrolled the area. Other card reader systems can be associated with a lock, so that the cardholder must have their card read and accepted by the reader before the lock disengages. A complete card reader system typically consists of the following components:

  • Access cards that are carried by the user
  • Card readers, which read the card signals and send the information to control units
  • Control units, which control the response of the card reader to the card
  • A power source

Numerous card reader systems are available. The primary differences between card reader systems are in the way that data is encoded on the cards and in the way these data are transferred between the card and the card reader, and in the types of applications for which they are best suited. However, all card systems are similar in the way that the card reader and control unit interact to respond to the card.

While card readers are similar in the way that the card reader and control unit interact to control access, they are different in the way data is encoded on the cards and the way these data are transferred between the card and the card reader. There are several types of technologies available for card reader systems. These include:

  • Proximity
  • Wiegand
  • Smartcard
  • Magnetic Stripe
  • Bar Code
  • Infrared
  • Barium Ferrite
  • Hollerith
  • Mixed Technologies

The level of security rate (low, moderate, or high) is determined based on the level of technology a given card reader system has and on how simple it is to duplicate that technology, and thus to bypass the security. Vulnerability ratings were based on whether the card reader can be damaged easily due to frequent use or difficult working conditions (i.e., weather conditions if the reader is located outside). Often this is influenced by the number of moving parts in the system—the more the moving parts, the greater the system’s potential susceptibility to damage. The life cycle rating is based on the durability of a given card reader system over its entire operational period. Systems requiring frequent physical contact between the reader and the card often have a shorter life cycle due to the wear and tear to which the equipment is exposed. For many card reader systems, the vulnerability rating and life cycle ratings have a reciprocal relationship. For instance, if a given system has a high vulnerability rating it will almost always have a shorter life cycle.

Card reader technology can be implemented for facilities of any size and with any number of users. However, because individual systems vary in the complexity of their technology and in the level of security they can provide to a facility, individual users must determine the appropriate system for their needs. Some important features to consider when selecting a card reader system include:

  • What level of technological sophistication and security does the card system have?
  • How large is the facility, and what are its security needs?
  • How frequently will the card system be used? For systems that will experience a high frequency of use it is important to consider a system that has a longer life cycle and lower vulnerability rating, thus making it more cost effective to implement.
  • Under what conditions will the system be used? (Will it be installed on the interior or exterior of buildings? Does it require light or humidity controls?) Most card reader systems can operate under normal environmental conditions, and therefore this would be a mitigating factor only in extreme conditions.
  • What are the system costs?


A fence is a physical barrier that can be set up around the perimeter of an asset. Fences often consist of individual pieces (such as individual pickets in a wooden fence, or individual sections of a wrought iron fence) that are fastened together. Individual sections of the fence are fastened together using posts, which are sunk into the ground to provide stability and strength for the sections of the fence hung between them. Gates are installed between individual sections of the fence to allow access inside the fenced area.

Fences are often used as decorative architectural features to separate physical spaces. They may also be used to physically mark the location of a boundary (such as a fence installed along a property line). However, a fence can also serve as an effective means for physically delaying intruders from gaining access to a water or wastewater asset. For example, many utilities install fences around their primary facilities, around remote pump stations, or around hazardous materials storage areas or sensitive areas within a facility. Access to the area can be controlled through security at gates or doors through the fence (for example, by posting a guard at the gate or by locking it). In order to gain access to the asset, unauthorized persons could have to go either around or through the fence.

Fences are often compared with walls when determining the appropriate system for perimeter security. While both fences and walls can provide adequate perimeter security, fences are often easier and less expensive to install than walls. However, they do not usually provide the same physical strength that walls do. In addition, many types of fences have gaps between the individual pieces that make up the fence (i.e., the spaces between chain links in a chain link fence or the space between pickets in a picket fence). Thus, many types of fences allow the interior of the fenced area to be seen. This may allow intruders to gather important information about the locations or defenses of vulnerable areas within the facility.

Numerous types of materials are used to construct fences, including chain link iron, aluminum, wood, or wire. Some types of fences, such as split rails or pickets, may not be appropriate for security purposes because they are traditionally low fences, and they are not physically strong. Potential intruders may be able to easily defeat these fences either by jumping or climbing over them or by breaking through them. For example, the rails in a split fence may be able to be broken easily.

Important security attributes of a fence include the height to which it can be constructed, the strength of the material comprising the fence, the method and strength of attaching the individual sections of the fence together at the posts, and the fence’s ability to restrict the view of the assets inside the fence. Additional considerations should include the ease of installing the fence and the ease of removing and reusing sections of the fence.

Some fences can include additional measures to delay, or even detect, potential intruders. Such measures may include the addition of barbed wire, razor wire, or other deterrents at the top of the fence. Barbed wire is sometimes employed at the base of fences as well. This can impede a would-be intruder’s progress in even reaching the fence. Fences may also be fitted with security cameras to provide visual surveillance of the perimeter. Finally, some facilities have installed motion sensors along their fences to detect movement on the fence. Several manufacturers have combined these multiple perimeter security features into one product and offer alarms, and other security features.

The correct implementation of a fence can make it a much more effective security measure. Security experts recommend the following when a facility constructs a fence:

  • The fence should be at least 7–9 feet high.
  • Any outriggers, such as barbed wire, that are affixed on top of the fence should be angled out and away from the facility, and not in and towards the facility. This will make climbing the fence more difficult, and will prevent ladders from being placed against the fence.
  • Other types of hardware can increase the security of the fence. This can include installing concertina wire along the fence (this can be done in front of the fence or at the top of the fence), or adding intrusion sensors, camera, or other hardware to the fence.
  • All undergrowth should be cleared for several feet (typically 6 ft) on both sides of the fence. This will allow for a clearer view of the fence by any patrols in the area.
  • Any trees with limbs or branches hanging over the fence should be trimmed so that intruders cannot use them to go over the fence. Also, it should be noted that fallen trees can damage fences, and so management of trees around the fence can be important. This can be especially important in areas where the fence goes through a remote area.
  • Fences that do not block the view from outside the fence to inside the fence allow patrols to see inside the fence without having to enter the facility.
  • “No Trespassing” signs posted along the fence can be a valuable tool in prosecuting any intruders who claim that the fence was broken and that they did not enter through the fence illegally. Adding signs that highlight the local ordinances against trespassing can further persuade simple troublemakers for illegally jumping or climbing the fence.

Films for Glass Shatter Protection

Most water and wastewater utilities have numerous windows on the outside of buildings, in doors, and in interior offices. In addition, many facilities have glass doors or other glass structures, such as glass walls or display cases. These glass objects are potentially vulnerable to shattering when heavy objects are thrown or launched at them, when explosions occur near them, or when there are high winds (for exterior glass). If the glass is shattered, intruders may potentially enter an area. In addition, shattered glass projected into a room from an explosion or from an object being thrown through a door or window can injure and potentially incapacitate personnel in the room. Materials that prevent glass from shattering can help to maintain the integrity of the door, window, or other glass object, and can delay an intruder from gaining access. These materials can also prevent flying glass and thus reduce potential injuries.

Materials designed to prevent glass from shattering include specialized films and coatings. These materials can be applied to existing glass objects to improve their strength and their ability to resist shattering. The films have been tested against many scenarios that could result in glass breakage, including penetration by blunt objects, bullets, high winds, and simulated explosions. Thus, the films are tested against both simulated weather scenarios (which could include both the high winds themselves and the force of objects blown into the glass) and criminal/terrorist scenarios, where the glass is subject to explosives or bullets. Many vendors provide information on the results of these types of tests, and thus potential users can compare different product lines to determine which products best suit their needs.

The primary attributes of films for shatter protection are:

  • The materials from which the film is made
  • The adhesive that bonds the film to the glass surface
  • The thickness of the film

Fire Hydrant Locks

Fire hydrants are installed at strategic locations throughout a community’s water distribution system to supply water for fire fighting. However, because there are many hydrants in a system, and because they are often located in residential neighborhoods, industrial districts, and other areas where they cannot be easily observed and/or guarded, they are potentially vulnerable to unauthorized access. Many municipalities, states, and EPA regions have recognized this potential vulnerability and have instituted programs to lock hydrants. For example, EPA Region 1 has included locking hydrants as number 7 on its “Drinking Water Security and Emergency Preparedness” Top Ten List for small groundwater suppliers.

A “hydrant lock” is a physical security device designed to prevent unauthorized access to the water supply through a hydrant. They can also ensure water and water pressure availability to fire fighters and prevent water theft and associated lost water revenue. These locks have been successfully used in numerous municipalities and in various climates and weather conditions.

Fire hydrant locks are basically steel covers or caps that are locked in place over the operating nut of a fire hydrant. The lock prevents unauthorized persons from accessing the operating nut and opening the fire hydrant valve. The lock also makes it more difficult to remove the bolts from the hydrant and access the system that way. Finally, hydrant locks shield the valve from being broken off. Should a vandal attempt to breach the hydrant lock by force and succeed in breaking the hydrant lock, the vandal will only succeed in bending the operating valve. If the hydrant’s operating valve is bent, the hydrant will not be operational, but the water asset remains protected and inaccessible to vandals. However, the entire hydrant will need to be replaced.

Hydrant locks are designed so that the hydrants can be operated by special “key wrenches” without removing the lock. These specialized wrenches are generally distributed to the fire department, public works department, and other authorized persons so that they can access the hydrants as needed. An inventory of wrenches and their serial numbers is generally kept by a municipality so that the location of all wrenches is known. These operating key wrenches may only be purchased by registered lock owners.

The most important features of hydrant are their strength and the security of their locking systems. The locks must be strong so that they cannot be broken off. Hydrant locks are constructed from stainless or alloyed steel. Stainless steel locks are stronger and are ideal for all climates; however, they are more expensive than alloy locks. The locking mechanisms for each fire hydrant locking system ensure that the hydrant can only be operated by authorized personnel who have the specialized key to work the hydrant.

Hatch Security

A hatch is basically a door installed on a horizontal plane (such as in a floor, a paved lot, or a ceiling), instead of on a vertical plane (such as in a building wall). Hatches are usually used to provide access to assets that are either located underground (such as hatches to basements or underground storage areas) or located above ceilings (such as emergency roof exits). At water and wastewater facilities, hatches are typically used to provide access to underground vaults containing pumps, valves, or piping, or to the interior of water tanks or covered reservoirs. Securing a hatch by locking it or upgrading materials to give the hatch added strength can help to delay unauthorized access to any asset behind the hatch. Like all doors, a hatch consists of a frame anchored to the horizontal structure, a door or doors, hinges connecting the door(s) to the frame, and a latching or locking mechanism that keeps the hatch door(s) closed.

It should be noted that improving hatch security is straightforward, and that hatches with upgraded security features can be installed new, or they can be retrofit for existing applications. Many municipalities already have specifications for hatch security at their water and wastewater utility assets.

Depending on the application, the primary security-related attributes of a hatch are the strength of the door and frame, its resistance to the elements and corrosion, its ability to be sealed against water or gas, and its locking features. Hatches must be both strong and lightweight so that they can withstand typical static loads (such as people or vehicles walking or driving over them) while still being easy to open. In addition, because hatches are typically installed at outdoor locations, they are usually designed from corrosion-resistant metal that can withstand the elements. Therefore, hatches are typically constructed from high gauge steel or lightweight aluminum.

The hatch locking mechanism is perhaps the most important part of hatch security. There are a number of locks that can be implemented for hatches, including:

  • Slam locks (internal locks that are located within the hatch frame)
  • Recessed cylinder locks
  • Bolt locks
  • Padlocks

Intrusion Sensors

An exterior intrusion sensor is a detection device that is used in an outdoor environment to detect intrusions into a protected area. These devices are designed to detect an intruder, and then communicate an alarm signal to an alarm system. The alarm system can respond to the intrusion in many different ways, such as by triggering an audible or a visual alarm signal, or by sending an electronic signal to a central monitoring location that notifies security personnel of the intrusion. Intrusion sensors can be used to protect many kinds of assets. Intrusion sensors that protect physical space are classified according to whether they protect indoor, or “interior” space (i.e., an entire building or room within a building), or outdoor, or “exterior” space (i.e., a fence line or perimeter). Interior intrusion sensors are designed to protect the interior space of a facility by detecting an intruder who is attempting to enter, or who has already entered a room or building. In contrast, exterior intrusion sensors are designed to detect an intrusion into a protected outdoor/exterior area. Exterior protected areas are typically arranged as zones or exclusion areas placed so that the intruder is detected early in the intrusion attempt before the intruder can gain access to more valuable assets (e.g., into a building located within the protected area). Early detection creates additional time for security forces to respond to the alarm.

Buried Exterior Intrusion Sensors

Buried sensors are electronic devices that are designed to detect potential intruders. The sensors are buried along the perimeters of sensitive assets and are able to detect intruder activity both aboveground and belowground. Some of these systems are composed of individual, stand-alone sensor units, while other sensors consist of buried cables.

Ladder Access Control

Water and wastewater utilities have a number of assets that are raised above ground level, including raised water tanks, raised chemical tanks, raised piping systems, and roof access points into buildings. In addition, communications equipment, antennae, or other electronic devices may be located on the top of these raised assets. Typically, these assets are reached by ladders that are permanently anchored to the asset. For example, raised water tanks typically are accessed by ladders that are bolted to one of the legs of the tank. Controlling access to these raised assets by controlling access to the ladder can increase security at a water or wastewater utility.

A typical ladder access control system consists of some type of cover that is locked or secured over the ladder. The cover can be a casing that surrounds most of the ladder, or a door or shield that covers only part of the ladder. In either case, several rungs of the ladder (the number of rungs depends on the size of the cover) are made inaccessible by the cover, and these rungs can only be accessed by opening or removing the cover. The cover is locked so that only authorized personnel can open or remove it and use the ladder. Ladder access controls are usually installed at several feet above ground level, and they usually extend several feet up the ladder so that they cannot be circumvented by someone accessing the ladder above the control system. The important features of ladder access control are the size and strength of the cover and its ability to lock or otherwise be secured from unauthorized access.

The covers are constructed from aluminum or some type of steel. This should provide adequate protection from being pierced or cut through. The metals are corrosion resistant so that they will not corrode or become fragile from extreme weather conditions in outdoor applications. The bolts used to install each of these systems are galvanized steel. In addition, the bolts for each cover are installed on the inside of the unit so they cannot be removed from the outside.


A lock is a type of physical security device that can be used to delay or prevent a door, a window, a manhole, a filing cabinet drawer, or some other physical feature from being opened, moved, or operated. Locks typically operate by connecting two pieces together—such as by connecting a door to a door jamb or a manhole to its casement. Every lock has two modes—engaged (or “locked”) and disengaged (or “opened”). When a lock is disengaged, the asset on which the lock is installed can be accessed by anyone, but when the lock is engaged, the locked asset can be accessed by only those who have the access key.

Locks are excellent security features because they have been designed to function in many ways and to work on many different types of assets. Locks can also provide different levels of security depending on how they are designed and implemented. The security provided by a lock is dependent on several factors, including its ability to withstand physical damage (i.e., its resistance to being cut off, broken, or otherwise physically disabled) as well as its requirements for supervision or operation (i.e., combinations may need to be changed frequently so that they are not compromised and the locks remain secure). While there is no single definition of the “security” of a lock, locks are often described as minimum, medium, or maximum security. Minimum security locks are those that can be easily disengaged (or “picked”) without the correct key or code, or those that can be disabled easily (such as small padlocks that can be cut with bolt cutters). Higher security locks are more complex and thus are more difficult to pick, or are sturdier and more resistant to physical damage.

Many locks, such as many door locks, only need to be unlocked from one side. For example, most door locks need a key to be unlocked only from the outside. A person opens such devices, called single-cylinder locks, from the inside by pushing a button or by turning a knob or handle. Double-cylinder locks require a key to be locked or unlocked from both sides.

Manhole Intrusion Sensors

Manholes are located at strategic locations throughout most municipal water, wastewater, and other underground utility systems. Manholes are designed to provide access to the underground utilities, and therefore they are potential entry points to a system. For example, manholes in water or wastewater systems may provide access to sewer lines or vaults containing on/off or pressure reducing water valves. Because many utilities run under other infrastructure (roads and buildings), manholes also provide potential access points to critical infrastructure as well as water and wastewater assets. In addition, because the portion of the system to which manholes provide entry is primarily located underground, access to a system through a manhole increases the chance that an intruder will not be seen. Therefore protecting manholes can be a critical component of guarding an entire community.

The various methods for protecting manholes are designed to prevent unauthorized personnel from physically accessing the manhole, and to detect attempts at unauthorized access to the manhole. A manhole intrusion sensor is a physical security device designed to detect unauthorized access to the utility through a manhole. Monitoring a manhole that provides access to a water or wastewater system can mitigate two distinct types of threats. First, monitoring a manhole may detect access of unauthorized personnel to water or wastewater systems or assets through the manhole. Second, monitoring manholes may also allow the detection of the introduction of hazardous substances into the water system.

Several different technologies have been used to develop manhole intrusion sensors, including mechanical systems, magnetic systems, and fiber optic and infrared sensors. Some of these intrusion sensors have been specifically designed for manholes, while others consist of standard, off-the-shelf intrusion sensors that have been implemented in a system specifically designed for application in a manhole.

Manhole Locks

A manhole lock is a physical security device designed to delay unauthorized access to the utility through a manhole. Locking a manhole that provides access to a water or wastewater system can mitigate two distinct types of threats. First, locking a manhole may delay access of unauthorized personnel to water or wastewater systems through the manhole. Second, locking manholes may also prevent the introduction of hazardous substances into the wastewater or stormwater system.

Radiation Detection Equipment for Monitoring Personnel and Packages

A major potential threat facing water and wastewater facilities is contamination by radioactive substances. Radioactive substances brought on-site at a facility could be used to contaminate the facility, thereby preventing workers from safely entering the facility to perform necessary water treatment tasks. In addition, radioactive substances brought on-site at a water treatment plant could be discharged into the water source or the distribution system, contaminating the downstream water supply. Therefore, detection of radioactive substances being brought on-site can be an important security enhancement.

Various radionuclides have unique properties, and different pieces of equipment are required to detect different types of radiation. However, it is impractical and potentially unnecessary to monitor for specific radionuclides being brought on-site. Instead, for security purposes, it may be more useful to monitor for gross radiation as an indicator of unsafe substances.

In order to protect against these radioactive materials being brought on-site, a facility may set up monitoring sites outfitted with radiation detection instrumentation at entrances to the facility. Depending on the specific types of equipment chosen, this detection equipment would detect radiation emitted from people, packages, or other objects being brought through an entrance.

One of the primary differences between the different types of detection equipment is the means by which the equipment reads the radiation. Radiation may be detected either by direct measurement or through sampling. Direct radiation measurement involves measuring radiation through an external probe on the detection instrumentation. Some direct measurement equipment detects radiation emitted into the air around the monitored object. Because this equipment detects radiation in the air, it does not require that the monitoring equipment make physical contact with the monitored object. Direct means for detecting radiation include using a walk-through portal-type monitor that would detect elevated radiation levels on a person or in a package, or by using a handheld detector, which would be moved or swept over individual objects to locate a radioactive source.

Some types of radiation, such as alpha or low energy beta radiation, have a short range and are easily shielded by various materials. These types of radiation cannot be measured through direct measurement. Instead, they must be measured through sampling. Sampling involves wiping the surface to be tested with a special filter cloth, and then reading the cloth in a special counter. For example, specialized smear counters measure alpha and low energy beta radiation.

Reservoir Covers

Reservoirs are used to store raw or untreated water. They can be located underground (buried), at ground level, or on an elevated surface. Reservoirs can vary significantly in size; small reservoirs can hold as little as 1,000 gallons, while larger reservoirs may hold many millions of gallons. Reservoirs can be either natural or man-made. Natural reservoirs can include lakes or other contained water bodies, while man-made reservoirs usually consist of some sort of engineered structure, such as a tank or other impoundment structure. In addition to the water containment structure itself, reservoir systems may also include associated water treatment and distribution equipment, including intakes, pumps, pump houses, piping systems, and chemical treatment and chemical storage areas.

Drinking water reservoirs are of particular concern because they are potentially vulnerable to contamination of the stored water, either through direct contamination of the storage area or through infiltration of the equipment, piping, or chemicals associated with the reservoir. For example, because many drinking water reservoirs are designed as aboveground, open-air structures, they are potentially vulnerable to airborne deposition, bird and animal wastes, human activities, and dissipation of chlorine or other treatment chemicals. However, one of the most serious potential threats to the system is direct contamination of the stored water through dumping contaminants into the reservoir. Utilities have taken various measures to mitigate this type of threat, including fencing off the reservoir, installing cameras to monitor for intruders, and monitoring for changes in water quality. Another option for enhancing security is covering the reservoir using some type of manufactured cover to prevent intruders from gaining physical access to the stored water. Implementing a reservoir cover may or may not be practical depending on the size of the reservoir (for example, covers are not typically used on natural reservoirs because they are too large for the cover to be technically feasible and cost effective). This section will focus on drinking water reservoir covers, where and how they are typically implemented, and how they can be used to reduce the threat of contamination of the stored water. While covers can enhance the reservoir’s security, it should be noted that covering a reservoir typically changes the reservoir’s operational requirements. For example, vents must be installed in the cover to ensure gas exchange between the stored water and the atmosphere.

A reservoir cover is a structure installed on or over the surface of the reservoir to minimize water quality degradation. The three basic design types for reservoir covers are:

  • Floating
  • Fixed
  • Air-supported

A variety of materials are used when manufacturing a cover, including reinforced concrete, steel, aluminum, polypropylene, chlorosulfonated polyethylene, or ethylene interpolymer alloys. There are several factors that affect a reservoir cover’s effectiveness, and thus its ability to protect the stored water. These factors include:

  • The location, size, and shape of the reservoir
  • The ability to lay and/or support a foundation (for example, footing, soil, and geotechnical support conditions)
  • The length of time reservoir can be removed from service for cover installation or maintenance
  • Aesthetic considerations
  • Economic factors, such as capital and maintenance costs

It may not be practical, for example, to install a fixed cover over a reservoir if the reservoir is too large or if the local soil conditions cannot support a foundation. A floating or air-supported cover may be more appropriate for these types of applications.

In addition to the practical considerations for installation of these types of covers, there are a number of operations and maintenance (O&M) concerns that affect the utility of a cover for specific applications, including how different cover materials will withstand local climatic conditions, what types of cleaning and maintenance will be required for each particular type of cover, and how these factors will affect the covers lifespan and its ability to be repaired when it is damaged.

The primary feature affecting the security of a reservoir cover is its ability to maintain its integrity. Any type of cover, no matter what its construction material, will provide good protection from contamination by rainwater or atmospheric deposition, as well as from intruders attempting to access the stored water with the intent of causing intentional contamination. The covers are large and heavy, and it is difficult to circumvent them to get into the reservoir. At the very least, it would take a determined intruder, as opposed to a vandal, to defeat the cover.

Side-Hinged Door Security

Doorways are the main access points to a facility or to rooms within a building. They are used on the exterior or in the interior of buildings to provide privacy and security for the areas behind them. Different types of doorway security systems may be installed in different doorways depending on the needs or requirements of the buildings or rooms. For example, exterior doorways tend to have heavier doors to withstand the elements and to provide some security to the entrance of the building. Interior doorways in office areas may have lighter doors that may be primarily designed to provide privacy rather than security. Therefore, these doors may be made of glass or lightweight wood. Doorways in industrial areas may have sturdier doors than do other interior doorways and may be designed to provide protection or security for areas behind the doorway. For example, fireproof doors may be installed in chemical storage areas or in other areas where there is a danger of fire. Because they are the main entries into a facility or a room, doorways are often prime targets for unauthorized entry into a facility or an asset. Therefore, securing doorways may be a major step in providing security at a facility. A doorway includes four main components:

  • The door, which blocks the entrance. The primary threat to the actual door is breaking or piercing through the door. Therefore, the primary security features of doors are their strength and resistance to various physical threats, such as fire or explosions.
  • The door frame, which connects the door to the wall. The primary threat to a door frame is that the door can be pried away from the frame. Therefore, the primary security feature of a door frame is its resistance to prying.
  • The hinges, which connect the door to the door frame. The primary threat to door hinges is that they can be removed or broken, which will allow intruders to remove the entire door. Therefore, security hinges are designed to be resistant to breaking. They may also be designed to minimize the threat of removal from the door.
  • The lock, which connects the door to the door frame. Use of the lock is controlled through various security features, such as keys, combinations, etc., such that only authorized personnel can open the lock and go through the door. Locks may also incorporate other security features, such as software or other systems to track overall use of the door or to track individuals using the door, etc.

Each of these components is integral to providing security for a doorway, and upgrading the security of only one of these components while leaving the other components unprotected may not increase the overall security of the doorway. For example, many facilities upgrade door locks as a basic step for increasing the security of a facility. However, if the facilities do not also focus on increasing security for the door hinges or the door frame, the door may remain vulnerable to being removed from its frame, thereby defeating the increased security of the door lock.

The primary attribute for the security of a door is its strength. Many security doors are 4–20 gauge hollow metal doors consisting of steel plates over a hollow cavity reinforced with steel stiffeners to give the door extra stiffness and rigidity. This increases resistance to blunt force used to try to penetrate through the door. The space between the stiffeners may be filled with specialized materials to provide fire-, blast-, or bullet resistance to the door. The Window and Door Manufacturers Association has developed a series of performance attributes for doors. These include:

  • Structural resistance
  • Forced entry resistance
  • Hinge style screw resistance
  • Split resistance
  • Hinge resistance
  • Security rating
  • Fire resistance
  • Bullet resistance
  • Blast resistance

The first five bullet points provide information on a door’s resistance to standard physical breaking and prying attacks. These tests are used to evaluate the strength of the door and the resistance of the hinges and the frame in a standardized way. For example, the Rack Load Test simulates a prying attack on a corner of the door. A test panel is restrained at one end, and a third corner is supported. Loads are applied and measured at the fourth corner. The Door Impact Test simulates a battering attack on a door and frame using impacts of 200 foot pounds by a steel pendulum. The door must remain fully operable after the test. It should be noted that door glazing is also rated for resistance to shattering, etc. Manufacturers will be able to provide security ratings for these features of a door as well.

Door frames are an integral part of doorway security because they anchor the door to the wall. Door frames are typically constructed from wood or steel, and they are installed such that they extend for several inches over the doorway that has been cut into the wall. For added security, frames can be designed to have varying degrees of overlap with, or wrapping over, the underlying wall. This can make prying the frame from the wall more difficult. A frame formed from a continuous piece of metal (as opposed to a frame constructed from individual metal pieces) will prevent prying between pieces of the frame.

Many security doors can be retrofit into existing frames; however, many security door installations include replacing the door frame as well as the door itself. For example, bullet resistance per Underwriter’s Laboratory (UL) 752 requires resistance of the door and frame assembly, and thus replacing the door only would not meet UL 752 requirements.

Valve Lockout Devices

Valves are utilized as control elements in water and wastewater process piping networks. They regulate the flow of both liquids and gases by opening, closing, or obstructing a flow passageway. Valves are typically located where flow control is necessary. They can be located in-line or at the pipeline, tank entrance, and exit points. They can serve multiple purposes in a process pipe network, including:

  • Redirecting and throttling flow
  • Preventing backflow
  • Shutting off flow to a pipeline or tank (for isolation purposes)
  • Releasing pressure
  • Draining extraneous liquid from pipelines or tanks
  • Introducing chemicals into the process network
  • Providing access points for sampling process water

Valves are located at critical junctures throughout water and wastewater systems, both on-site at treatment facilities and off-site within water distribution and wastewater collection systems. They may be located either aboveground or below ground. Because many valves are located within the community, it is crucial that protection against valve tampering be provided. For example, tampering with a pressure relief valve could result in a pressure buildup and potential explosion in the piping network. On a larger scale, addition of a pathogen or chemical to the water distribution system through an unprotected valve could result in the release of that contaminant to the general population.

Various security products are available for protecting aboveground vs. belowground valves. For example, valve lockout devices can be purchased to protect valves and valve controls located aboveground. Vaults containing underground valves can be locked to prevent access to these valves. Valve-specific lockout devices are available in a variety of colors, which can be useful in distinguishing different valves. For example, different-colored lockouts can be used to distinguish the type of liquid passing through the valve (i.e., treated, untreated, potable, chemical), or to identify the party responsible for maintaining the lockout. Implementing a system of different-colored locks on operating valves can increase system security by reducing the likelihood of an operator inadvertently opening the wrong valve and causing a problem in the system.

Vent Security

Vents are installed in aboveground, covered water reservoirs, and underground reservoirs to allow ventilation of the stored water. Specifically, vents permit the passage of air that is being displaced from, or drawn into, the reservoir as the water level in the reservoir rises and falls due to system demands. Small reservoirs may require only one vent, whereas larger reservoirs may have multiple vents throughout the system.

The specific vent design for any given application will vary depending on the design of the reservoir, but every vent consists of an open-air connection between the reservoir and the outside environment. Although these air exchange vents are an integral part of covered or underground reservoirs, they also represent a potential security threat. Improving vent security by making the vents tamper-resistant or by adding other security features, such as security screens or security covers, can enhance the security of the entire water system. Many municipalities already have specifications for vent security at their water assets. These specifications typically include the following requirements:

  • Vent openings are to be angled down or shielded to minimize the entrance of surface and/or rainwater into the vent through the opening.
  • Vent designs are to include features to exclude insects, birds, animals, and dust.
  • Corrosion-resistant materials are to be used to construct the vents.

Some states have adopted more specific requirements for added vent security at their water utility assets. For example, the State of Utah’s Department of Environmental Quality, Division of Drinking Water, Division of Administrative Rules (DAR), provides specific requirements for public drinking water storage tanks. The rules for drinking water storage tanks as they apply to venting are set forth in Utah-R309-545-15: “Venting,” and include the following requirements:

  • Drinking water storage tank vents must have an open discharge on buried structures.
  • The vents must be located 24–36 inches above the earthen covering.
  • The vents must be located and sized to avoid blockage during winter conditions.

In a second example, Washington State’s “Drinking Water Tech Tips: Sanitary Protection of Reservoirs” document states that vents must be protected to prevent the water supply from being contaminated. The document indicates that non-corrodible No. 4 mesh may be used to screen vents on elevated tanks. The document continues to state that the vent opening for storage facilities located underground or at ground level should be 24–36 inches above the roof or ground and that it must be protected with a No. 24 inch mesh non-corrodible screen. New Mexico’s administrative code also specifies that vents must be covered with No. 24 mesh (NMAC Title 20, Chapter 7, Subpart I, 208.E). Washington and New Mexico, as well as many other municipalities, require vents to be screened using a non-corrodible mesh to minimize the entry of insects, other animals, and rain-borne contaminants into the vents. When selecting the appropriate mesh size, it is important to identify the smallest mesh size that meets both the strength and durability requirements for that application.

Visual Surveillance Monitoring

Visual surveillance is used to detect threats through continuous observation of important or vulnerable areas of an asset. The observations can also be recorded for later review or use (for example, in court proceedings). Visual surveillance systems can be used to monitor various parts of collection, distribution, or treatment systems, including the perimeter of a facility, outlying pumping stations, or entry or access points into specific buildings. These systems are also useful in recording individuals who enter or leave a facility, thereby helping to identify unauthorized access. Images can be transmitted live to a monitoring station, where they can be monitored in real time, or they can be recorded and reviewed later. Many facilities have found that a combination of electronic surveillance and security guards provides an effective means of facility security. Visual surveillance is provided through a closed circuit television (CCTV) system, in which the capture, transmission, and reception of an image is localized within a closed “circuit.” This is different than other broadcast images, such as over-the-air television, which is broadcast over the air to any receiver within range. At a minimum, a CCTV system consists of:

  • One or more cameras
  • A monitor for viewing the images
  • A system for transmitting the images from the camera to the monitor

Water Monitoring Devices

Note: Adapted from Spellman, F.R., Water Infrastructure Protection and Homeland Security, Government Institutes Press, Lanham, Md, 2007.

Proper security preparation really comes down to a three-legged approach: Detect, Delay, Respond. The third leg of security, to detect, is discussed in this section. Specifically, this section deals with the monitoring of water samples to detect toxicity and/or contamination. Many of the major monitoring tools that can be used to identify anomalies in process streams or finished water that may represent potential threats are discussed, including:

  • Sensors for monitoring chemical, biological, and radiological contamination
  • Chemical sensor—Arsenic measurement system
  • Chemical sensor for toxicity (adapted BOD analyzer)
  • Chemical sensor—total organic carbon analyzer
  • Chemical sensor—Chlorine measurement system
  • Chemical sensor—portable cyanide analyzer
  • Portable field monitors to measure volatile organic compounds (VOCs)
  • Radiation detection equipment
  • Radiation detection equipment for monitoring water assets
  • Toxicity monitoring/toxicity meters

Water quality monitoring sensor equipment may be used to monitor key elements of water or wastewater treatment processes (such as influent water quality, treatment processes, or effluent water quality) to identify anomalies that may indicate threats to the system. Some sensors, such as sensors for biological organisms or radiological contaminants, measure potential contamination directly, while others, particularly some chemical monitoring systems, measure “surrogate” parameters that may indicate problems in the system but do not identify sources of contamination directly. In addition, sensors can provide more accurate control of critical components in water and wastewater systems and may provide a means of early warning so that the potential effects of certain types of attacks can be mitigated. One advantage of using chemical and biological sensors to monitor for potential threats to water and wastewater systems is that many utilities already employ sensors to monitor potable water (raw or finished) or influent/effluent for Safe Drinking Water Act (SDWA) or Clean Water Act (CWA) water quality compliance or process control.

Chemical sensors that can be used to identify potential threats to water and wastewater systems include inorganic monitors (e.g., chlorine analyzer), organic monitors (e.g., total organic carbon analyzer), and toxicity meters. Radiological meters can be used to measure concentrations of several different radioactive species. Monitors that use biological species can be used as sentinels for the presence of contaminants of concern, such as toxins. At the present time, biological monitors are not in widespread use and very few bio-monitors are used by drinking water utilities in the United States.

Monitoring can be conducted using either portable or fixed-location sensors. Fixed-location sensors are usually used as part of a continuous, on-line monitoring system. Continuous monitoring has the advantage of enabling immediate notification when there is an upset. However, the sampling points are fixed and only certain points in the system can be monitored. In addition, the number of monitoring locations needed to capture the physical, chemical, and biological complexity of a system can be prohibitive. The use of portable sensors can overcome this problem of monitoring many points in the system. Portable sensors can be used to analyze grab samples at any point in the system, but have the disadvantage that they provide measurements only at one point in time.

Sensors for Monitoring Chemical, Biological, and Radiological Contamination

Toxicity tests measure water toxicity by monitoring adverse biological effects on test organisms. Toxicity tests have traditionally been used to monitor wastewater effluent streams for National Pollutant Discharge Elimination System (NPDES)permit compliance or to test water samples for toxicity. However, this technology can also be used to monitor drinking water distribution systems or other water/wastewater streams for toxicity. Currently, several types of bio-sensors and toxicity tests are being adapted for use in the water/wastewater security field. The keys to using bio-monitoring or bio-sensors for drinking water or other water/wastewater asset security are rapid response and the ability to use the monitor at critical locations in the system, such as in water distribution systems downstream of pump stations, or prior to the biological process in a wastewater treatment plant. While there are several different organisms that can be used to monitor for toxicity (including bacteria, invertebrates, and fish), bacteria-based bio-sensors are ideal for use as early warning screening tools for drinking water security because bacteria usually respond to toxics in a matter of minutes. In contrast to methods using bacteria, toxicity screening methods that use higher-level organisms such as fish may take several days to produce a measurable result. Bacteria-based bio-sensors have recently been incorporated into portable instruments, making rapid response and field-testing practical. These portable meters detect decreases in biological activity (e.g., decreases in bacterial luminescence), which are highly correlated with increased levels of toxicity.

At the present time, few utilities are using biologically based toxicity monitors to monitor water/wastewater assets for toxicity, and very few products are now commercially available. Several new approaches to the rapid monitoring of microorganisms for security purposes (e.g., microbial source tracking) have been identified. However, most of these methods are still in the research and development phase.

Chemical Sensors—Arsenic Measurement System

Arsenic is an inorganic toxin that occurs naturally in soils. It can enter water supplies from many sources, including erosion of natural deposits; runoff from orchards and runoff from glass and electronics production wastes; or leaching from products treated with arsenic, such as wood. Synthetic organic arsenic is also used in fertilizer. Arsenic toxicity primarily associated with inorganic arsenic ingestion has been linked to cancerous health effects, including cancer of the bladder, lungs, skin, kidney, nasal passages, liver, and prostate. Arsenic ingestion has also been linked to noncancerous cardiovascular, pulmonary, immunological, and neurological, endocrine problems. According to USEPA’s Safe Drinking Water Act (SDWA) Arsenic Rule, inorganic arsenic can exert toxic effects after acute (short-term) or chronic (long-term) exposure. Toxicological data for acute exposure, which is typically given as an LD50 value (the dose that would be lethal to 50% of the test subjects in a given test), suggests that the LD50 of arsenic ranges 1–4 mg/kg of body weight. This dose would correspond to a lethal dose range of 70–280 mg for 50% of adults weighing 70 kg. At nonlethal, but high, acute doses, inorganic arsenic can cause gastroenterological effects, shock, neuritis (continuous pain), and vascular effects in humans. USEPA has set a maximum contaminant level goal of 0 for arsenic in drinking water; the current enforceable maximum contaminant level (MCL) is 0.050 mg/L. As of January 23, 2006, the enforceable MCL for arsenic will be 0.010 mg/L.

The SDWA requires arsenic monitoring for public water systems. The Arsenic Rule indicates that surface water systems must collect one sample annually; groundwater systems must collect one sample in each compliance period (once every three years). Samples are collected at entry points to the distribution system, and analysis is done in the lab using one of several USEPA-approved methods, including Inductively Coupled Plasma Mass Spectroscopy (ICP-MS, USEPA 200.8) and several atomic absorption (AA) methods. However, several different technologies, including colorimetric test kits and portable chemical sensors, are currently available for monitoring inorganic arsenic concentrations in the field. These technologies can provide a quick estimate of arsenic concentrations in a water sample. Thus, these technologies may be useful for spot-checking different parts of a drinking water system (for example, reservoirs and isolated areas of distribution systems) to ensure that the water is not contaminated with arsenic.

Chemical Sensors—Adapted BOD Analyzer

One manufacturer has adapted a BOD analyzer to measure oxygen consumption as a surrogate for general toxicity. The critical element in the analyzer is the bioreactor, which is used to continuously measure the respiration of the biomass under stable conditions. As the toxicity of the sample increases, the oxygen consumption in the sample decreases. An alarm can be programmed to sound if oxygen reaches a minimum concentration (i.e., if the sample is strongly toxic). The operator must then interpret the results into a measure of toxicity. Note that, at the current time, it is difficult to directly define the sensitivity and/or the detection limit of toxicity measurement devices because limited data is available regarding the specific correlation of decreased oxygen consumption and increased toxicity of the sample.

Chemical Sensors—Total Organic Carbon Analyzer

Total organic carbon (TOC) analysis is a well-defined and commonly used methodology that measures the carbon content of dissolved and particulate organic matter present in water. Many water utilities monitor TOC to determine raw water quality or to evaluate the effectiveness of processes designed to remove organic carbon. Some wastewater utilities also employ TOC analysis to monitor the efficiency of the treatment process. In addition to these uses for TOC monitoring, measuring changes in TOC concentrations can be an effective “surrogate” for detecting contamination from organic compounds (e.g., petrochemicals, solvents, and pesticides). Thus, while TOC analysis does not give specific information about the nature of the threat, identifying changes in TOC can be a good indicator of potential threats to a system. TOC analysis includes inorganic carbon removal oxidation of the organic carbon into CO2, and quantification of the CO2. The primary differences between different on-line TOC analyzers are in the methods used for oxidation and CO2 quantification.

The oxidation step can be high or low temperature. The determination of the appropriate analytical method (and thus the appropriate analyzer) is based on the expected characteristics of the wastewater sample (TOC concentrations and the individual components making up the TOC fraction). In general, high temperature (combustion) analyzers achieve more complete oxidation of the carbon fraction than do low temperature (wet chemistry/UV) analyzers. This can be important both in distinguishing different fractions of the organics in a sample and in achieving a precise measurement of the organic content of the sample. Three different methods are also available for detection and quantification of carbon dioxide produced in the oxidation step of a TOC analyzer. These are:

  • Nondispersive infrared (NDIR) detector
  • Colorimetric methods
  • Aqueous conductivity methods

The most common detector that on-line TOC analyzers use for source water and drinking water analysis is the nondispersive infrared detector.

Although the differences in analytical methods employed by different TOC analyzers may be important in compliance or process monitoring, high levels of precision and the ability to distinguish specific organic fractions from a sample may not be required for detection of a potential chemical threat. Instead, gross deviations from normal TOC concentrations may be the best indicator of a chemical threat to the system.

The detection limit for organic carbon depends on the measurement technique used (high or low temperature) and the type of analyzer. Because TOC concentrations are simply surrogates that can indicate potential problems in a system, gross changes in these concentrations are the best indicators of potential threats. Therefore, high-sensitivity probes may not be required for security purposes. However, the following detection limits can be expected:

  • High temperature method (between 680°C and 950°C or higher in a few special cases, best possible oxidation): = 1 mg/L carbon
  • Low temperature method (below 100°C, limited oxidation potential): = 0.2 mg/L carbon

The response time of a TOC analyzer may vary depending on the manufacturer’s specifications, but it usually takes from 5 minutes to 15 minutes to get a stable, accurate reading.

Chemical Sensors—Chlorine Measurement System

Residual chlorine is one of the most sensitive and useful indicator parameters in water distribution system monitoring. All water distribution systems monitor for residual chlorine concentrations as part of their Safe Drinking Water Act (SDWA) requirements, and procedures for monitoring chlorine concentrations are well established and accurate. Chlorine monitoring assures proper residual at all points in the system, helps pace rechlorination when needed, and quickly and reliably signals any unexpected increase in disinfectant demand. A significant decline or loss of residual chlorine could be an indication of potential threats to the system. Several key points regarding residual chlorine monitoring for security purposes are provided below:

  • Chlorine residuals can be measured using continuous on-line monitors at fixed points in the system, or by taking grab samples at any point in the system and using chlorine test kits or portable sensors to determine chlorine concentrations.
  • Correct placement of residual chlorine monitoring points within a system is crucial to early detection of potential threats. For example, while dead ends and low-pressure zones are common trouble spots that can show low residual chlorine concentrations, these zones are generally not of great concern for water security purposes because system hydraulics will limit the circulation of any contaminants present in these areas of the system.
  • Monitoring point and monitoring procedures for SDWA compliance vs. system security purposes may be different, and utilities must determine the best use of on-line, fixed monitoring systems vs. portable sensors/test kits to balance their SDWA compliance and security needs.

Various portable and on-line chlorine monitors are commercially available. These range from sophisticated on-line chlorine monitoring systems to portable electrode sensors to colorimetric test kits. On-line systems can be equipped with control, signal, and alarm systems that notify the operator of low chlorine concentrations, and some may be tied into feedback loops that automatically adjust chlorine concentrations in the system. In contrast, the use of portable sensors or colorimetric test kits requires technicians to take a sample and read the results. The technician then initiates the required actions based on the results of the test.

Several measurement methods are currently available to measure chlorine in water samples, including:

  • N,N-Diethyl-p-phenylenediamine (DPD) colorimetric method
  • Iodometric method
  • Amperometric electrodes
  • Polarographic membrane sensors

It should be noted that there can be differences in the specific type of analyte, the range, and the accuracy of these different measurement methods. In addition, these different methods have different operations and maintenance requirements. For example, DPD systems require periodic replenishment of buffers, whereas polarographic systems do not. Users may want to consider these requirements when choosing the appropriate sensor for their system.

Chemical Sensors—Portable Cyanide Analyzer

Portable cyanide detection systems are designed to be used in the field to evaluate potential cyanide contamination of a water asset. These detection systems use one of two distinct analytical methods—either a colorimetric method or an ion selective method—to provide a quick, accurate cyanide measurement that does not require laboratory evaluation. Aqueous cyanide chemistry can be complex. Various factors, including the water asset’s pH and redox potential, can affect the toxicity of cyanide in that asset. While personnel using these cyanide detection devices do not need to have advanced knowledge of cyanide chemistry to successfully screen a water asset for cyanide, understanding aqueous cyanide chemistry can help users to interpret whether the asset’s cyanide concentration represent a potential threat. Therefore, a short summary of aqueous cyanide chemistry, including a discussion of cyanide toxicity, is provided below. For more information, the reader is referred to Greenberg et al. (1999).

Cyanide (CN) is a toxic carbon-nitrogen organic compound that is the functional portion of the lethal gas hydrogen cyanide (HCN). The toxicity of aqueous cyanide varies depending on its form. At near-neutral pH, “free cyanide” (which is commonly designated as “CN,”although it is actually defined as the total of HCN and CN) is the predominant cyanide form in water. Free cyanide is potentially toxic in its aqueous form, although the primary concern regarding aqueous cyanide is that it could volatilize. Free cyanide is not highly volatile (it is less volatile than most VOCs, but its volatility increases as the pH decreases below 8). However, when free cyanide does volatilize, it volatilizes in its highly toxic gaseous form (gaseous HCN). As a general rule, metal-cyanide complexes are much less toxic than free cyanide because they do not volatilize unless the pH is low.

Analyses for cyanide in public water systems are often conducted in certified labs using various USEPA-approved methods, such as the preliminary distillation procedure with subsequent analysis by a colorimetric, ion selective electrode, or flow injection methods. Lab analyses using these methods require careful sample preservation and pretreatment procedures and are generally expensive and time consuming. Using these methods, several cyanide fractions are typically defined:

  • Total cyanide—This includes free cyanide (CN + HCN) and all metal-complexed cyanide.
  • Weak acid dissociable (WAD) cyanide—This includes free cyanide (CN + HCN) and weak cyanide complexes that could be potentially toxic by hydrolysis to free cyanide in the pH range 4.5–6.0.
  • Amenable cyanide—This includes free cyanide (CN + HCN) and weak cyanide complexes that can release free cyanide at high pH (11–12) (this fraction gets its name because it includes measurement of cyanide from complexes that are “amenable” to oxidation by chlorine at high pH). To measure “Amenable Cyanide,” the sample is split into two fractions. One of the fractions is analyzed for “Total Cyanide” as above. The other fraction is treated with high levels of chlorine for approximately one hour, dechlorinated, and distilled per the above “Total Cyanide” method. “Amenable Cyanide” is determined by the difference in the cyanide concentrations in these two fractions.
  • Soluble cyanide—This is measured by using the preliminary filtration step, followed by “Total Cyanide” analysis described above.

As discussed above, these different methods yield various different cyanide measurements which may or may not give a complete picture of that sample’s potential toxicity. For example, the “Total Cyanide” method includes cyanide complexed with metals, some of which will not contribute to cyanide toxicity unless the pH is out of the normal range. In contrast, the “WAD Cyanide” measurement includes metal-complexed cyanide that could become free cyanide at low pH, and “Amendable Cyanide” measurements include metal-complexed cyanide that could become free cyanide at high pH. Personnel using these kits should therefore be aware of the potential differences in actual cyanide toxicity versus the cyanide measured in the sample under different environmental conditions.

Ingestion of aqueous cyanide can result in numerous adverse health effects and may be lethal. USEPA’s Maximum Contamination Level (MCL) for cyanide in drinking water is 0.2 μg/L (0.2 parts per million, or ppm). This MCL is based on free cyanide analysis per the “Amenable Cyanide” method described above (USEPA has recognized that very stable metal-cyanide complexes such as iron-cyanide complex are non-toxic, unless exposed to significant UV radiation, and these fractions are therefore not considered when defining cyanide toxicity). Ingestion of free cyanide at concentrations in excess of this MCL causes both acute effects (e.g., rapid breathing, tremors, and neurological symptoms) and chronic effects (e.g., weight loss, thyroid effects, and nerve damage). Under the current primary drinking water standards, public water systems are required to monitor their systems to minimize public exposure to cyanide levels in excess of the MCL.

Hydrogen cyanide gas is also toxic, and the Office of Safety and Health Administration (OSHA) has set a permissible exposure limit (PEL) of 10 ppmv for HCN inhalation. HCN also has a strong, bitter, almond-like smell and an odor threshold of approximately 1 ppmv. Considering the fact that HCN is relatively non-volatile (see above), a slight cyanide odor emanating from a water sample suggests very high aqueous cyanide concentrations—greater than 10–50 mg/L, which is in the range of a lethal or near lethal dose with the ingestion of one pint of water.

Portable Field Monitors to Measure VOCs

Volatile organic compounds (VOCs) are a group of highly utilized chemicals that have widespread applications, including use as fuel components, as solvents, and as cleaning and liquefying agents in degreasers, polishes, and dry cleaning solutions. VOCs are also used in herbicides and insecticides for agricultural applications. Laboratory-based methods for analyzing VOCs are well established; however, analyzing VOCs in the lab is time consuming—obtaining a result may require several hours to several weeks depending on the specific method. Faster, commercially available methods for analyzing VOCs in the field include use of portable gas chromatographs (GC), mass spectrometer (MS), or gas chromatographs/mass spectrometers (GC/MS), all of which can be used to obtain VOC concentration results within minutes. These instruments can be useful in rapid confirmation of the presence of VOCs in an asset, or for monitoring an asset on a regular basis. In addition, portable VOC analyzers can analyze a wide range of VOCs, such as toxic industrial chemicals (TICs), chemical warfare agents (CWAs), drugs, explosives, and aromatic compounds. There are several easy-to-use, portable VOC analyzers currently on the market that are effective in evaluating VOC concentrations in the field. These instruments utilize gas chromatography, mass spectroscopy, or a combination of both methods, to provide near laboratory-quality analysis for VOCs.

Radiation Detection Equipment

Radioactive substances (radionuclides) are known health hazards that emit energetic waves and/or particles that can cause both carcinogenic and non-carcinogenic health effects. Radionuclides pose unique threats to source water supplies and water treatment, storage, or distribution systems because radiation emitted from radionuclides in water systems can affect individuals through several pathways—by direct contact with, ingestion or inhalation of, or external exposure to the contaminated water. While radiation can occur naturally in some cases due to the decay of some minerals, intentional and non-intentional releases of man-made radionuclides into water systems are also a realistic threat.

Threats to water and wastewater facilities from radioactive contamination could involve two major scenarios. First, the facility or its assets could be contaminated, preventing workers from accessing and operating the facility/assets. Second, at drinking water facilities, the water supply could be contaminated, and tainted water could be distributed to users downstream. These two scenarios require different threat reduction strategies. The first scenario requires that facilities monitor for radioactive substances being brought on-site; the second requires that water assets be monitored for radioactive contamination. While the effects of radioactive contamination are basically the same under both threat types, each of these threats requires different types of radiation monitoring and different types of equipment.

Radiation Detection Equipment for Monitoring Water Assets

Most water systems are required to monitor for radioactivity and certain radionuclides, and to meet Maximum Contaminant Levels (MCLs) for these contaminants, to comply with the Safe Drinking Water Act (SDWA). Currently, USEPA requires drinking water to meet MCLs for beta/photon emitters (including gamma radiation), alpha particles, combined radium 226/228, and uranium. However, this monitoring is required only at entry points into the system. In addition, after the initial sampling requirements, only one sample is required every 3–9 years, depending on the contaminant type and the initial concentrations. While this is adequate to monitor for long-term protection from overall radioactivity and specific radionuclides in drinking water, it may not be adequate to identify short-term spikes in radioactivity, such as from spills, accidents, or intentional releases. In addition, compliance with the SDWA requires analyzing water samples in a laboratory, which results in a delay in receiving results. In contrast, security monitoring is more effective when results can be obtained quickly in the field. In addition, monitoring for security purposes does not necessarily require that the specific radionuclides causing the contamination be identified. Thus, for security purposes, it may be more appropriate to monitor for non-radionuclide-specific radiation using either portable field meters, which can be used as necessary to evaluate grab samples, or online systems, which can provide continuous monitoring of a system.

Ideally, measuring radioactivity in water assets in the field would involve minimal sampling and sample preparation. However, the physical properties of specific types of radiation combined with the physical properties of water make evaluating radioactivity in water assets in the field somewhat difficult. For example, alpha particles can only travel short distances and they cannot penetrate through most physical objects. Therefore, instruments designed to evaluate alpha emissions must be specially designed to capture emissions at a short distance from the source, and they must not block alpha emissions from entering the detector. Gamma radiation does not have the same types of physical properties, and thus it can be measured using different detectors.

Measuring different types of radiation is further complicated by the relationship between the radiation’s intrinsic properties and the medium in which the radiation is being measured. For example, gas-flow proportional counters are typically used to evaluate gross alpha and beta radiation from smooth, solid surfaces, but due to the fact that water is not a smooth surface, and because alpha and beta emissions are relatively short range and can be attenuated within the water, these types of counters are not appropriate for measuring alpha and beta activity in water. An appropriate method for measuring alpha and beta radiation in water is by using a liquid scintillation counter. However, this requires mixing an aliquot of water with a liquid scintillation “cocktail.” The liquid scintillation counter is a large, sensitive piece of equipment, so it is not appropriate for field use. Therefore, measurements for alpha and beta radiation from water assets are not typically made in the field.

Unlike the problems associated with measuring alpha and beta activity in water in the field, the properties of gamma radiation allow it to be measured relatively well in water samples in the field. The standard instrumentation used to measure gamma radiation from water samples in the field is a sodium iodide (Nal) scintillator.

Although the devices outlined above are the most commonly used for evaluating total alpha, beta, and gamma radiation, other methods and devices can be used. In addition, local conditions (i.e., temperature, humidity) or the properties of the specific radionuclides emitting the radiation may make other types of devices or other methods more optimal to achieve the goals of the survey than the devices noted above. There, experts or individual vendors should be consulted to determine the appropriate measurement device for any specific application.

An additional factor to consider when developing a program to monitor for radioactive contamination in water assets is whether to take regular grab samples or sample continuously. For example, portable sensors can be used to analyze grab samples at any point in the system, but have the disadvantage that they provide measurements only at one point in time. On the other hand, fixed-location sensors are usually used as part of a continuous, on-line monitoring system. These systems continuously monitor a water asset, and could be outfitted with some type of alarm system that would alert operators if radiation increased above a certain threshold. However, the sampling points are fixed and only certain points in the system can be monitored. In addition, the number of monitoring locations needed to capture the physical and radioactive complexity of a system can be prohibitive.

Toxicity Monitoring/Toxicity Meters

Toxicity measurement devices measure general toxicity to biological organisms, and detection of toxicity in any water/wastewater asset can indicate a potential threat to the treatment process (in the case of influent toxicity), to human health (in the case of drinking water toxicity), or to the environment (in the case of effluent toxicity). Currently, whole effluent toxicity tests (WET tests), in which effluent samples are tested against test organisms, are required of many National Pollutant Discharge Elimination System (NPDES) discharge permits. The WET tests are used as a complement to the effluent limits on physical and chemical parameters to assess the overall effects of the discharge on living organisms or aquatic biota. Toxicity tests may also be used to monitor wastewater influent streams for potential hazardous contamination, such as organic heavy metals (arsenic, mercury, lead, chromium, and copper) that might upset the treatment process.

The ability to get feedback on sample toxicity from short-term toxicity tests or toxicity “meters” can be valuable in estimating the overall toxicity of a sample. On-line real-time toxicity monitoring is still under active research and development. However, there are several portable toxicity measurement devices commercially available. They can generally be divided into categories based on the different ways they measure toxicity:

  • Meters measuring direct biological activity (e.g., luminescent bacteria) and correlating decreases in this direct biological activity with increased toxicity
  • Meters measuring oxygen consumption and correlating decrease in oxygen consumption with increased toxicity.

Communication and Integration

This section discusses those devices necessary for communication and integration of water and wastewater system operations, such as electronic controllers, two-way radios, and wireless data communications. Electronic controllers are used to automatically activate equipment (such as lights, surveillance cameras, audible alarms, or locks) when they are triggered. Triggering could be in response to a variety of scenarios, including tripping of an alarm or a motion sensor; breaking of a window or a glass door; variation in vibration sensor readings; or simply through input from a timer. Two-way wireless radios allow two or more users that have their radios tuned to the same frequency to communicate instantaneously with each other without the radios being physically lined together with wires or cables. Wireless data communications devices are used to enable transmission of data between computer systems and/or between a SCADA server and its sensing devices, without individual components being physically linked together via wires or cables. In water and wastewater utilities, these devices are often used to link remote monitoring stations (i.e., SCADA components) or portable computers (i.e., laptops) to computer networks without using physical wiring connections.

Electronic Controllers

An electronic controller is a piece of electronic equipment that receives incoming electric signals and uses preprogrammed logic to generate electronic output signals based on the incoming signals. While electronic controllers can be implemented for any application that involves inputs and outputs (for example, control of a piece of machinery in a factor), in a security application, these controllers essentially act as the system’s “brain,” and can respond to specific security-related inputs with preprogrammed output response. These systems combine the control of electronic circuitry with a logic function such that circuits are opened and closed (and thus equipment is turned on and off) through some preprogrammed logic. The basic principle behind the operation of an electrical controller is that it receives electronic inputs from sensors or any device generating an electrical signal (for example, electrical signals from motion sensors), and then uses it preprogrammed logic to produce electrical outputs (for example, these outputs could turn on power to a surveillance camera or to an audible alarm). Thus, these systems automatically generate a preprogrammed, logical response to a preprogrammed input scenario.

The three major types of electronic controllers are timers, electromechanical relays, and programmable logic controllers (PLCs), which are often called “digital relays.” Each of these types of controller is discussed in more detail below. Timers use internal signal/inputs (in contrast to externally generated inputs) and generate electronic output signals at certain times. More specifically, timers control electric current flow to any application to which they are connected, and can turn the current on or off on a schedule pre-specified by the user. Typical timer range (amount of time that can be programmed to elapse before the timer activates linked equipment) is from 0.2 seconds to 10 hours, although some of the more advanced timers have ranges of up to 60 hours. Timers are useful in fixed applications that don’t require frequent schedule changes. For example, a timer can be used to turn on the lights in a room or building at a certain time every day. Timers are usually connected to their own power supply (usually 120–240V).

In contrast to timers, which have internal triggers based on a regular schedule, electromechanical relays and PLCs have both external inputs and external outputs. However, PLCs are more flexible and more powerful than are electromechanical relays, and thus this section focuses primarily on PLCs as the predominant technology for security-related electronic control applications. Electromechanical relays are simple devices that use a magnetic field to control a switch. Voltage applied to the relay’s input coil creates a magnetic field, which attracts an internal metal switch. This causes the relay’s contacts to touch, closing the switch and completing the electrical circuit. This activates any linked equipment. These types of systems are often used for high voltage applications, such as in some automotive and other manufacturing processes.

Two-Way Radios

Two-way radios, as discussed here, are limited to a direct unit-to-unit radio communication, either via single unit-to-unit transmission and reception, or via multiple handheld units to a base station radio contact and distribution system. Radio frequency spectrum limitations apply to all handheld units, and directed by the Federal Communications Commission (FCC). This also distinguishes a handheld unit from a base station or base station unit (such as those used by an amateur (ham) radio operator), which operate under different wave length parameters.

Two-way radios allow a user to contact another user or group of users instantly on the same frequency, and to transmit voice or data without the need for wires. They use “half-duplex” communications, or communication that can be only transmitted or received; it cannot transmit and receive simultaneously. In other words, only one person may talk, while other personnel with radio(s) can only listen. To talk, the user depresses the talk button and speaks into the radio. The audio then transmits the voice wirelessly to the receiving radios. When the speaker has finished speaking and the channel has cleared, users on any of the receiving radios can transmit, either to answer the first transmission or to begin a new conversation. In addition to carrying voice data, many types of wireless radios also allow the transmission of digital data, and these radios may be interfaced with computer networks that can use or track these data. For example, some two-way radios can send information such as global positioning system (GPS) data, or the ID of the radio. Some two-way radios can also send data through a SCADA system.

Wireless radios broadcast these voice or data communications over the airwaves from the transmitter to the receiver. While this can be an advantage in that the signal emanates in all directions and does not need a direct physical connection to be received at the receiver, it can also make the communications vulnerable to being blocked, intercepted, or otherwise altered. However, security features are available to ensure that the communications are not tampered with.

Wireless Data Communications

A wireless data communication system consists of two components: a “Wireless Access Point” (WAP) and a “Wireless Network Interface Card” (sometimes also referred to as a “Client”), which work together to complete the communications link. These wireless systems can link electronic devices, computers, and computer systems together using radio waves, thus eliminating the need for these individual components to be directly connected together through physical wires. While wireless data communications have widespread applications in water and wastewater systems, they also have limitations. First, wireless data connections are limited by the distance between components (radio waves scatter over a long distance and cannot be received efficiently, unless special directional antenna are used). Second, these devices only function if the individual components are in a direct line of sight with each other, since radio waves are affected by interference from physical obstructions. However, in some cases, repeater units can be used to amplify and retransmit wireless signals to circumvent these problems. The two components of wireless devices are discussed in more detail below.

The wireless access point provides the wireless data communication service. It usually consists of a housing (which is constructed from plastic or metal depending on the environment it will be used in) containing a circuit board; flash memory that holds software; one of two external ports to connect to existing wired networks; a wireless radio transmitter/receiver; and one or more antenna connections. Typically, the WAP requires a one-time user configuration to allow the device to interact with the local area network (LAN). This configuration is usually done via a web-driven software application which is accessed via a computer.

A wireless network interface card or client is a piece of hardware that is plugged in to a computer and enables that computer to make a wireless network connection. The card consists of a transmitter, functional circuitry, and a receiver for the wireless signal, all of which work together to enable communication between the computer, its wireless transmitter/receiver, and its antenna connection. Wireless cards are installed in a computer through a variety of connections, including USB Adapters, or Laptop CardBus (PCMCIA) or Desktop Peripheral (PCI) cards. As with the WAP, software is loaded onto the user’s computer, allowing configuration of the card so that it may operate over the wireless network.

Two of the primary applications for wireless data communications systems are to enable mobile or remote connections to a LAN, and to establish wireless communications links between SCADA remote telemetry units (RTUs) and sensors in the field. Wireless car connections are usually used for LAN access from mobile computers. Wireless cards can also be incorporated into RTUs to allow them to communicate with sensing devices that are located remotely.

Cyber Protection Devices

Various cyber protection devices are currently available for use in protecting utility computer systems. These protection devices include anti-virus and pest eradication software, firewalls, and network intrusion hardware/software. These products are discussed in this section.

Anti-Virus and Pest Eradication Software

Anti-virus programs are designed to detect, delay, and respond to programs or pieces of code that are specifically designed to harm computers. These programs are known as “malware.” Malware can include computer viruses, worms, and Trojan horse programs (programs that appear to be benign but which have hidden harmful effects). Pest eradication tools are designed to detect, delay, and respond to “spyware” (strategies that websites use to track user behavior, such as by sending “cookies” to the user’s computer), and hacker tools that track keystrokes (keystroke loggers) or passwords (password crackers).

Viruses and pests can enter a computer system through the Internet or through infected floppy disks or CDs. They can also be placed onto a system by insiders. Some of these programs, such as viruses and worms, then move within a computer’s drives and files, or between computers if the computers are networked to each other. This malware can deliberately damage files, utilize memory and network capacity, crash application programs, and initiate transmissions of sensitive information from a PC. While the specific mechanisms of these programs differ, they can infect files, and even the basic operating program of the computer firmware/hardware.

The most important features of an anti-virus program are its abilities to identify potential malware and to alert a user before infection occurs, as well as its ability to respond to a virus already resident on a system. Most of these programs provide a log so that the user can see what viruses have been detected and where they were detected. After detecting a virus, the anti-virus software may delete the virus automatically, or it may prompt the user to delete the virus. Some programs will also fix files or programs damaged by the virus.

Various sources of information are available to inform the general public and computer system operators about new viruses being detected. Since anti-virus programs use signatures (or snippets of code or data) to detect the presence of a virus, periodic updates are required to identify new threats. Many anti-virus software providers offer free upgrades that are able to detect and respond to the latest viruses.


A firewall is an electronic barrier designed to keep computer hackers, intruders, or insiders from accessing specific data files and information on a utility’s computer network or other electronic/computer systems. Firewalls operate by evaluating and then filtering information coming through a public network (such as the Internet) into the utility’s computer or other electronic system. This evaluation can include identifying the source or destination addresses and ports, and allowing or denying access based on this identification. Two methods are used by firewalls to limit access to the utility’s computers or other electronic systems from the public network:

  • The firewall may deny all traffic unless it meets certain criteria.
  • The firewall may allow all traffic through unless it meets certain criteria.

A simple example of the first method is to screen requests to ensure that they come from an acceptable (i.e., previously identified) domain name and Internet protocol address. Firewalls may also use more complex rules that analyze the application data to determine if the traffic should be allowed through. For example, the firewall may require user authentication (i.e., use of a password) to access the system. How a firewall determines what traffic to let through depends on which network layer it operates at and how it is configured. Firewalls may be a piece of hardware, a software program, or an appliance card that contains both.

Advanced features that can be incorporated into firewalls allow for the tracking of attempts to log-on to the local area network system. For example, a report of successful and unsuccessful long-in attempts may be generated for the computer specialist to analyze. For systems with mobile users, firewalls allow remote access into the private network by the use of secure log-on procedures and authentication certificates. Most firewalls have a graphical user interface for managing the firewall. In addition, new Ethernet firewall cards that fit in the slot of an individual computer bundle provide additional layers of defense (like encryption and permit/deny) for individual computer transmissions to the network interface function. The cost of these new cards is only slightly higher than that of traditional network interface cards.

Network Intrusion Hardware and Software

Network intrusion detection and prevention systems are software- and hardware-based programs designed to detect unauthorized attacks on a computer network system. Whereas other applications such as firewalls and anti-virus software share similar objectives with network intrusion systems, network intrusion systems provide a deeper layer of protection beyond the capabilities of these other systems because they evaluate patterns of computer activity rather than specific files. It is worth noting that attacks may come from either outside or within the system (i.e., from an insider), and that network intrusion detection systems may be more applicable to detecting patterns of suspicious activity from inside a facility (i.e., accessing sensitive data, etc.) than are other information technology solutions. Network intrusion detection systems employ a variety of mechanisms to evaluate potential threats. The types of search and detection mechanisms are dependent upon the level of sophistication of the system. Some of the available detection methods include:

  • Protocol analysis—It is the process of capturing, decoding, and interpreting electronic traffic. The protocol analysis method of network intrusion detection involves the analysis of data captured during transactions between two or more systems or devices, and the evaluation of these data to identify unusual activity and potential problems. Once a problem is isolated and recorded, problems or potential threats can be linked to pieces of hardware or software. Sophisticated protocol analysis will also provide statistics and trend information on the captured traffic.
  • Traffic anomaly detection—It identifies potential threatening activity by comparing incoming traffic to “normal” traffic patterns, and identifying deviations. It does this by comparing user characteristics against thresholds and triggers defined by the network administrator. This method is designed to detect attacks that span a number of connections, rather than a single session.
  • Network honeypot—This method establishes non-existent services in order to identify potential hackers. A network honeypot impersonates services that don’t exist by sending fake information to people scanning the network. It identifies the attacker when they attempt to connect to the service. There is no reason for legitimate traffic to access these resources because they don’t exist; therefore any attempt to access them constitutes an attack.
  • Anti-intrusion detection system evasion techniques—These methods are designed to identify attackers who may be trying to evade intrusion detection system scanning. They include methods called IP defragmentation, TCP streams reassembly, and deobfuscation.

These detection systems are automated, but they can only indicate patterns of activity, and a computer administer or other experienced individual must interpret activities to determine whether or not they are potentially harmful. Monitoring the logs generated by these systems can be time consuming, and there may be a learning curve to determine a baseline of “normal” traffic patterns from which to distinguish potential suspicious activity.


In Queensland, Australia, on April 23, 2000, police stopped a car on the road and found a stolen computer and radio inside. Using commercially available technology, a disgruntled former employee had turned his vehicle into a pirate command center of sewage treatment along Australia’s Sunshine Coast.

The former employee’s arrest solved a mystery that had troubled the Maroochy Shire wastewater system for two months. Somehow the system was leaking hundreds of thousands of gallons of putrid sewage into parks, rivers and the manicured grounds of a Hyatt Regency hotel—marine life died, the creek water turned black and the stench was unbearable for residents. Until the former employee’s capture—during his 46th successful intrusion—the utility’s managers did not know why.

Specialists study this case of cyber-terrorism because it is the only one known in which someone used a digital control system deliberately to cause harm. The former employee’s intrusion shows how easy it is to break in—and how restrained he was with his power.

To sabotage the system, the former employee set the software on his laptop to identify itself as a pumping station, and then suppressed all alarms. The former employee was the “central control station” during his intrusions, with unlimited command of 300 SCADA nodes governing sewage and drinking water alike.

Gellman (2002)

The bottom line: As serious as the former employee’s intrusions were they pale in comparison with what he could have done to the fresh water system—he could have done anything he liked.

In 2000, the Federal Bureau of Investigation (FBI) identified and listed threats to critical infrastructure. These threats are listed and described in Table 3.1. In the past few years, especially since 9/11, it has been somewhat routine for us to pick up a newspaper or magazine or view a television news program where a major topic of discussion is cyber security or the lack thereof. Many of the cyber intrusion incidents we read or hear about have added new terms or new uses for old terms to our vocabulary. For example, old terms such as Trojan Horse, worms, and viruses have taken on new connotations in regard to cyber security issues. Relatively new terms such as scanners, Windows NT hacking tools, ICQ hacking tools, mail bombs, sniffer, logic bomb, nukers, dots, backdoor Trojan, key loggers, hackers’ Swiss knife, password crackers, and BIOS crackers are now commonly encountered.

Table 3.1   Threats to Critical Infrastructure Observed by the FBI



Criminal groups

There is an increased use of cyber intrusions by criminal groups who attack systems for the purpose of monetary gain.

Foreign intelligence services

Foreign intelligence services use cyber tools as part of their information gathering and espionage activities.


Hackers sometimes crack into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use.


Hacktivism refers to politically motivated attacks on publicly accessible Web pages or e-mail servers. These groups and individuals overload e-mail servers and hack into Web sites to send a political message.

Information warfare

Several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power—impacts that, according to the Director of Central Intelligence, can affect the daily lives of Americans across the country.

Inside threat

The disgruntled organization insider is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes outsourcing vendors.

Virus writers

Virus writers are posing an increasingly serious threat. Several destructive computer viruses and “worms” have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, and Code Red.

Source:FBI, 2000.

Not all relatively new and universally recognizable cyber terms have sinister connotations or meanings, of course. Consider, for example, the following digital terms: backup, binary, bit byte, CD-ROM, CPU, database, e-mail, HTML, icon, memory, cyberspace, modem, monitor, network, RAM, Wi-Fi (wireless fidelity), record, software, World Wide Web—none of these terms normally generate thoughts of terrorism in most of us. There is, however, one digital term that most people have not heard of: SCADA. This is not the case, however, with those who work with the nation’s critical infrastructure, including water/wastewater. SCADA, or Supervisory Control And Data Acquisition System (also sometimes referred to as Digital Control Systems or Process Control Systems), plays an important role in computer-based control systems. Many water/wastewater systems use computer-based systems to remotely control sensitive processes and system equipment previously controlled manually. These systems (commonly known as SCADA) allow a water/wastewater utility to collect data from sensors and control equipment located at remote sites. Common water/wastewater system sensors measure elements such as fluid level, temperature, pressure, water purity, water clarity, and pipeline flow rates. Common water/wastewater system equipment includes valves, pumps, and mixers for mixing chemicals in the water supply.

What Is SCADA?

Simply, SCADA is a computer-based system that remotely controls processes previously controlled manually. SCADA allows an operator using a central computer to supervise (control and monitor) multiple networked computers at remote locations. Each remote computer can control mechanical processes (pumps, valves, etc.) and collect data from sensors at its remote location. Thus the phrase: Supervisory Control and Data Acquisition, or SCADA. The central computer is called the Master Terminal Unit, or MTU. The operator interfaces with the MTU using software called Human Machine Interface, or HMI. The remote computer is called Program Logic Controller (PLC) or Remote Terminal Unit (RTU). The RTU activates a relay (or switch) that turns mechanical equipment “on” and “off.” The RTU also collects data from sensors.

Initially, stages utilities ran wires, also known as hardwire or land lines, from the central computer (MTU) to the remote computers (RTUs). Because remote locations can be located hundreds of miles from the central location, utilities have begun to use public phone lines and modems and to lease telephone company lines, and radio and microwave communication. More recently, they have also begun to use satellite links, the Internet, and newly developed wireless technologies.

Because the SCADA systems’ sensors provided valuable information, many utilities established “connections” between their SCADA systems and their business system. This allowed utility management and other staff access to valuable statistics, such as water usage. When utilities later connected their systems to the Internet, they were able to provide stakeholders with water/wastewater statistics on the utility’s web pages.

SCADA Applications in Water/Wastewater System

As stated above, SCADA systems can be designed to measure a variety of equipment operating conditions and parameters or volumes and flow rates or water quality parameters, and to respond to change in those parameters either by alerting operators or by modifying system operation through a feedback loop system without having personnel physically visit each process or piece of equipment on a daily basis to check it and/or ensure that it is functioning properly. SCADA systems can also be used to automate certain functions, so that they can be performed without the need to be initiated by an operator (e.g., injecting chlorine in response to periodic low chlorine levels in a distribution system, or turning on a pump in response to low water levels in a storage tank). As described above, in addition to process equipment, SCADA systems can also integrate specific security alarms and equipment, such as cameras, motion sensors, lights, and data from card reading systems, thereby providing a clear picture of what is happening at areas throughout a facility. Finally, SCADA systems also provide constant, real-time data on processes, equipment, location access, etc., for the necessary response to be made quickly. This can be extremely useful during emergency conditions, such as when distribution mains break or when potentially disruptive BOD spikes appear in wastewater influent.

Because these systems can monitor multiple processes, equipment, and infrastructure and then provide quick notification of, or response to, problems or upsets. SCADA systems typically provide the first line of detection for atypical or abnormal conditions. For example, a SCADA system connected to sensors that measure specific water quality parameters is measured outside of a specific range. A real-time customized operator interface screen could display and control critical systems monitoring parameters.

The system could transmit warning signals back to the operators, such as by initiating a call to a personal pager. This might allow the operators to initiate actions to prevent contamination and disruption of the water supply. Further automation of the system could ensure that the system initiated measures to rectify the problem. Preprogrammed control functions (e.g. shutting a valve, controlling flow, increasing chlorination, or adding other chemicals) can be triggered and operated based on SCADA utility.

SCADA Vulnerabilities

According to USEPA (2005), SCADA networks were developed with little attention paid to security, making the security of these systems often weak. Studies have found that, while technological advancements introduced vulnerabilities, many water/wastewater utilities have spent little time securing their SCADA networks. As a result, many SCADA networks may be susceptible to attacks and misuse. Remote monitoring and supervisory control of processes had begun to develop in the early 1960s, and they adopted many technological advancements. The advent of minicomputers made it possible to automate a vast number of once manually operated switches. Advancements in radio technology reduced the communication costs associated with installing and maintaining buried cable in remote areas. SCADA systems continued to adopt new communication methods including satellite and cellular. As the price of computers and communications dropped, it became economically feasible to distribute operations and to expand SCADA networks to include even smaller facilities.

Advances in information technology and the necessity of improved efficiency have resulted in increasingly automated and interlinked infrastructures, and have created new vulnerabilities due to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Some areas and examples of possible SCADA vulnerabilities include:

  • Human—People can be tricked or corrupted, and may commit errors.
  • Communications—Messages can be fabricated, intercepted, changed, deleted, or blocked.
  • Hardware—Security features are not easily adapted to small self-contained units with limited power supplies.
  • Physical—Intruders can break into a facility to steal or damage SCADA equipment.
  • Natural—Tornadoes, floods, earthquakes, and other natural disasters can damage equipment and connections.
  • Software—Programs can be poorly written.

A survey found that many water utilities were doing little to secure their SCADA network vulnerabilities (Ezell, 1998); for example, many respondents reported that they had remote access, which can allow an unauthorized person to access the system without being physically present. More than 60% of the respondents believed that their systems were not safe from unauthorized access and use. Twenty percent of the respondents even reported known attempts, successful unauthorized access, or use of their system. Yet 22 of 43 respondents reported that they do not spend any time ensuring their network is safe and 18 of 43 respondents reported that they spend less than 10% of their time ensuring network safety.

SCADA system computers and their connections are susceptible to different types of information system attacks and misuse such as system penetration and unauthorized access to information. The Computer Security Institute and Federal Bureau of Investigation conduct an annual Computer Crime and Security Survey (FBI, 2004). The survey reported on ten types of attacks or misuse, and reported that viruses and denial of service had the greatest negative economic impact. The same study also found that 15% of the respondents reported abuse of wireless networks, which can be a SCADA component. On average, respondents from all sectors did not believe that their organization invested enough in security awareness. Utilities as a group reported a lower average computer security expenditure/investment per employee than many other sectors such as transportation, telecommunications, and finance.

Sandia National Laboratories’ Common Vulnerabilities in Critical Infrastructure Control Systems described some of the common problems it has identified in the following five categories (Stamp et al., 2003):

  1. System data—Important data attributes for security include availability, authenticity, integrity, and confidentiality. Data should be categorized according to its sensitivity, and ownership and responsibility must be assigned. However, SCADA data is often not classified at all, making it difficult to identify where security precautions are appropriate.
  2. Security administration—Vulnerabilities emerge because many systems lack a properly structured security policy, equipment, and system implementation guides, configuration management, training, and enforcement and compliance auditing.
  3. Architecture—Many common practices negatively affect SCADA security. For example, while it is convenient to use SCADA capabilities for other purposes such as fire and security systems, these practices create single points of failure. Also, the connection of SCADA networks to other automation systems and business networks introduces multiple entry points for potential adversaries.
  4. Network (including communication links)—Legacy systems’ hardware and software have very limited security capabilities, and the vulnerabilities of contemporary systems (based on modern information technology) are publicized. Wireless and shared links are susceptible to eavesdropping and data manipulation.
  5. Platforms—Many platform vulnerabilities exist, including retention of default configurations, poor password practices, shared accounts, inadequate protection for hardware, and non-existent security monitoring controls. In most cases, important security patches are not installed, often due to concern about negatively impacting system operation; in some cases, technicians are contractually forbidden from updating systems by their vendor agreements.

The following incident helps to illustrate some of the risks associated with SCADA vulnerabilities.

  • During the course of conducting a vulnerability assessment, a contractor stated that personnel from his company penetrated the information system of a utility within minutes. Contractor personnel drove to a remote substation and noticed a wireless network antenna. Without leaving their vehicle, they plugged in their wireless radios and connected to the network within 5 minutes. Within 20 minutes they had mapped the network, including SCADA equipment, and accessed the business network and data.

This illustrates what a cyber security advisor from Sandia National Laboratories specialized in SCADA stated—that utilities are moving to wireless communication without understanding the added risks.

The Increasing Risk

According to GAO (2003), historically, security concerns about control systems (SCADA included) were related primarily to protecting against physical attack and misuse of refining and processing sites or distribution and holding facilities. However, more recently there has been a growing recognition that control systems are now vulnerable to cyber attacks from numerous sources, including hotel governments, terrorist groups, disgruntled employees, and other malicious intruders. In addition, to control system vulnerabilities mentioned earlier, several factors have contributed to the escalation of risk to control systems, including (1) the adoption of standardized technologies with known vulnerabilities, (2) the connectivity of control systems to other networks, (3) constraints on the implementation of existing security technologies and practices, (4) insecure remote connections, and (5) the widespread availability of technical information about control systems.

Adoption of Technologies with Known Vulnerabilities

When a technology is not well known, widely used, understood, or publicized, it is difficult to penetrate it and thus disable it. Historically, proprietary hardware, software, and network protocols made it difficult to understand how control systems operated—and therefore how to hack into them. Today, however, to reduce costs and improve performance, organizations have been transitioning from proprietary systems to less expensive, standardized technologies such as Microsoft’s Windows and Unix-like operating systems and the common networking protocols used by the Internet. These widely used standardized technologies have commonly known vulnerabilities, and sophisticated and effective exploitation tools are widely available and relatively easy to use. As a consequence, both the number of people with the knowledge to wage attacks and the number of systems subject to attack have increased. Also, common communication protocols and the emerging use of Extensible Markup Language (commonly referred to as XML) can make it easier for a hacker to interpret the content of communications among the components of a control system.

Control systems are often connected to other networks—enterprises often integrate their control system with their enterprise networks. This increased connectivity has significant advantages, including providing decision makers with access to real-time information and allowing engineers to monitor and control the process control system from different points on the enterprise network. In addition, enterprise networks are often connected to the networks of strategic partners and to the Internet. Further, control systems are increasingly using wide area networks and the Internet to transmit data to their remote or local stations and individual devices. This convergence of control networks with public and enterprise networks potentially exposes the control systems to additional security vulnerabilities. Unless appropriate security controls are deployed in the enterprise network and the control system network, breaches in enterprise security can affect the operation of control systems. According to industry experts, the use of existing security technologies, as well as strong user authentication and patch management practices, is generally not implemented in control systems because control systems operate in real time, typically are not designed with cybersecurity in mind, and usually have limited processing capabilities.

Existing security technologies such as authorization, authentication, encryption, intrusion detection, and filtering of network traffic and communications require more bandwidth, processing power, and memory than control system components typically have. Because controller stations are generally designed to do specific tasks, they use low-cost, resource-constrained microprocessors. In fact, some devices in the electrical industry still use the Intel 8088 processor, introduced in 1978. Consequently, it is difficult to install existing security technologies without seriously degrading the performance of the control system.

Further, complex passwords and other strong password practices are not always used to prevent unauthorized access to control systems, in part because this could hinder a rapid response to safety procedures during an emergency. As a result, according to experts weak passwords that are easy to guess, shared, and infrequently changed are reportedly common in control systems, including the use of default passwords or even no password at all.

In addition, although modern control systems are based on standard operating systems, they are typically customized to support control system applications. Consequently, vendor-provided software patches are generally either incompatible or cannot be implemented without compromising service shutting down “always-on” systems or affecting interdependent operations.

Potential vulnerabilities in control systems are exacerbated by insecure connections. Organizations often leave access links—such as dial-up modems to equipment and control information—open for remote diagnostics, maintenance, and examination of system status. Such links may not be protected with authentication of encryption, which increases the risk of hackers using these insecure connections to break into remotely controlled systems. Also, control systems often use wireless communications systems, which are especially vulnerable to attack, or leased lines that pass through commercial telecommunications facilities. Without encryption to protect data as it flows through these insecure connections or authentication mechanisms to limit access, there is limited protection for the integrity of the information being transmitted.

Public information about infrastructures and control systems is available to potential hackers and intruders. The availability of this infrastructure and vulnerability data was demonstrated by a university graduate student, whose dissertation reportedly mapped every business and industrial sector in the American economy to the fiberoptic network that connects them—using material that was available publicly on the Internet, none of which was classified. Many of the electric utility officials who were interviewed for the National Security Telecommunications Advisory Committee’s Information Assurance Task Force’s Electric Power Risk Assessment expressed concern over the amount of information about their infrastructure that is readily available to the public.

In the electric power industry, open sources of information—such as product data and educational videotapes from engineering associations can be used to understand the basics of the electrical grid. Other publicly available information—including filings of the Federal Energy Regulatory Commission (FERC), industry publications, maps, and material available on the Internet—is sufficient to allow someone to identify the most heavily loaded transmission lines and the most critical substations in the power grid.

In addition, significant information on control systems is publicly available—including design and maintenance documents, technical standards for the interconnection of control systems and RTUs, and standards for communication among control devices—all of which could assist hackers in understanding the systems and how to attack them. Moreover, there are numerous former employees, vendors, support contractors, and other end users of the same equipment worldwide with inside knowledge of the operation of control systems.

Cyber Threats to Control Systems

There is a general consensus—and increasing concern—among government officials and experts on control systems about potential cyber threats to the control systems that govern our critical infrastructures. As components of control systems increasingly make critical decisions that were once made by humans, the potential effect of a cyber threat becomes more devastating. Such cyber threats could come from numerous sources, ranging from hostile governments and terrorist groups to disgruntled employees and other malicious intruders. Based on interviews and discussions with representatives throughout the electric power industry, the Information Assurance Task Force of the National Security Telecommunications Advisory Committee concluded that an organization with sufficient resources, such as a foreign intelligence service or a well-supported terrorist group, could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity and without having to set foot in the target nation.

In July 2002, National Infrastructure Protection Center (NIPC) reported that the potential for compound cyber and physical attacks, referred to as “swarming attacks,” is an emerging threat to the U.S. critical infrastructure. As NIPC reports, the effects of a swarming attack include slowing or complicating the response to a physical attack. For instance, a cyber attack that disabled the water supply or the electrical system in conjunction with a physical attack could deny emergency services the necessary resources to manage the consequences—such as controlling fires, coordinating actions, and generating light.

Control systems, such as SCADA, can be vulnerable to cyber attacks. Entities or individuals with malicious intent might take one or more of the following actions to successfully attack control systems:

  • Disrupting the operation of control systems by delaying or blocking the flow of information through control networks, thereby denying the availability of the networks to control system operations
  • Making unauthorized changes to programmed instructions in PLCs, RTUs, or DCS controllers, change alarm thresholds, or issue unauthorized commands to control equipment, which could potentially result in damage to equipment (if tolerances are exceeded), premature shutdown of processes (such as prematurely shutting down transmission lines), or even disabling of control equipment
  • Sending false information to control system operators either to disguise unauthorized changes or to initiate inappropriate actions by system operators
  • Modifying the control system software and producing unpredictable results
  • Interfering with the operation of safety systems

In addition, in control systems that cover a wide geographic area, remote sites are often unstaffed and may not be physically monitored. If such remote systems are physically breached, the attackers could establish a cyber connection to the control network.

Securing Control Systems

Several challenges must be addressed to effectively secure control systems against cyber threats. These challenges include: (1) the limitations of current security technologies in securing control systems; (2) the perception that securing control systems may not be economically justifiable; and (3) the conflicting priorities within organizations regarding the security of control systems. A significant challenge in effectively securing control systems is the lack of specialized security technologies for these systems. The computing resources in control systems that are needed to perform security functions tend to be quite limited, making it very difficult to use security technologies within control system networks without severely hindering performance. Securing control systems may not be perceived as economically justifiable. Experts and industry representatives have indicated that organizations may be reluctant to spend more money to secure control systems. Hardening the security of control systems would require industries to expend more resources, including acquiring more personnel, providing training for personnel, and potentially prematurely replacing current systems that typically have a lifespan of about 20 years. Finally, several experts and industry representatives indicated that the responsibility for securing control systems typically includes two separate groups: IT security personnel and control system engineers and operators. IT security personnel tend to focus on securing enterprise systems, while control system engineers and operators tend to be more concerned with the reliable performance of their control systems. Further, they indicate that, as a result, those two groups do not always fully understand each other’s requirements and collaborate to implement secure control systems.

Steps to Improve SCADA Security

The President’s Critical Infrastructure Protection Board and the Department of Energy (DOE) have developed the steps outlined below to help organizations improve the security of their SCADA networks. DOE (2001) points out that these steps are not meant to be prescriptive or all-inclusive. However, they do address essential actions to be taken to improve the protection of SCADA networks. The steps are divided into two categories: specific actions to improve implementation, and actions to establish essential underlying management processes and policies (DOE, 2001).

Twenty-One Steps to Increase SCADA Security

The following steps focus on specific actions to be taken to increase the security of SCADA networks:

  1. Identify all connections to SCADA networks Conduct a thorough risk analysis to assess the risk and necessity of each connection to the SCADA network. Develop a comprehensive understanding of all connections to the SCADA network, and how well those connections are protected. Identify and evaluate the following types of connections:
    • Internal local area and wide area networks, including business networks
    • The Internet
    • Wireless network devices, including satellite uplinks
    • Modem or dial-up connections
    • Connections to business partners, vendors, or regulatory agencies
  2. Disconnect unnecessary connections to the SCADA network To ensure the highest degree of security of SCADA systems, isolate the SCADA network from other network connections to as great a degree as possible. Any connection to another network introduces security risks, particularly if the connection creates a pathway from or to the Internet. Although direct connections with other networks may allow important information to be passed efficiently and conveniently, insecure connections are simply not worth the risk; isolation of the SCADA network must be a primary goal to provide needed protection. Strategies such as utilization of “demilitarized zones” (DMZs) and data warehousing can facilitate the secure transfer of data from the SCADA network to business networks. However, they must be designed and implemented properly to avoid introduction of additional risk through improper configuration.
  3. Evaluate and strengthen the security of any remaining connections to the SCADA networks Conduct penetration testing or vulnerability analysis of any remaining connections to the SCADA network to evaluate the protection posture associated with these pathways. Use this information in conjunction with risk management processes to develop a robust protection strategy for any pathways to the SCADA network. Since the SCADA network is only as secure as its weakest connecting point, it is essential to implement firewalls, intrusion detection systems (IDSs), and other appropriate security measures at each point of entry. Configure firewall rules to prohibit access from and to the SCADA network, and be as specific as possible when permitting approved connections. For example, an Independent System Operator (ISO) should not be granted “blanket” network access simply because there is a need for a connection to certain components of the SCADA system. Strategically place IDSs at each entry point to alert security personnel of potential breaches of network security. Organization management must understand and accept responsibility or risks associated with any connection to the SCADA network.
  4. Harden SCADA networks by removing or disabling unnecessary services SCADA control servers built on commercial or open-source operating systems can be exposed to attack default network services. To the greatest degree possible, remove or disable unused services and network demons to reduce the risk of direct attack. This is particularly important when SCADA networks are interconnected with other networks. Do not permit a service or feature on a SCADA network unless a thorough risk assessment of the consequences of allowing the service/feature shows that the benefits of the service/feature far outweigh the potential for vulnerability exploitation. Examples of services to remove from SCADA networks include automated meter reading/remote billing systems, e-mail services, and Internet access. An example of a feature to disable is remote maintenance. Numerous secure configurations such as the National Security Agency’s series of security guides. Additionally, work closely with SCADA vendors to identify secure configurations and coordinate any and all changes to operational systems to ensure that removing or disabling services does not cause downtime, interruption of service, or loss of support.
  5. Do not rely on proprietary protocols to protect your system Some SCADA systems are unique, proprietary protocols for communications between field devices and servers. Often the security of SCADA systems is based solely on the secrecy of these protocols. Unfortunately, obscure protocols provide very little “real” security. Do not rely on proprietary protocols or factory default configuration settings to protect your system. Additionally, demand that vendors disclose any backdoors or vendor interfaces to your SCADA systems, and expect them to provide systems that are capable of being secured.
  6. Implement the security features provided by device and system vendors Older SCADA systems (most systems in use) have no security features whatsoever, SCADA system owners must insist that their system vendor implement security features in the form of product patches or upgrades. Some newer SCADA devices are shipped with basic security features, but these are usually disabled to ensure ease of installation. Analyze each SCADA device to determine whether security features are present. Additionally, factory default security settings (such as in computer network firewalls) are often set to provide maximum usability, but minimal security. Set all security features to provide the maximum security only after a thorough risk assessment of the consequences of reducing the security level.
  7. Establish strong controls over any medium that is used as a backdoor into the SCADA network Where backdoors or vendor connections do exist in SCADA systems, strong authentication must be implemented to ensure secure communications. Modems, wireless, and wired networks used for communications and maintenance represent a significant vulnerability to the SCADA network and remote sites. Successful “war dialing” or “war driving” attacks could allow an attacker to bypass all of the other controls and have direct access to the SCADA network or resources. To minimize the risk of such attacks, disable inbound access and replace it with some type of callback system.
  8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring To be able to effectively respond to cyber attacks, establish an intrusion detection strategy that includes alerting network administrators of malicious network activity originating from internal or external sources. Intrusion detection system monitoring is essential 24 hours a day; this capability can be easily set up through a pager. Additionally, incident response procedures must be in place to allow an effective response to any attack. To complement network monitoring, enable logging on all systems and audit system logs daily to detect suspicious activity as soon as possible.
  9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns Technical audits of SCADA devices and networks are critical to ongoing security effectiveness. Many commercial and open-source security tools are available that allow system administrators to conduct audits of their systems/networks to identify active services, patch level, and common vulnerabilities. The use of these tools will not solve systemic problems, but will eliminate the “paths of least resistance” that an attacker could exploit. Analyze identified vulnerabilities to determine their significance, and take corrective actions as appropriate. Track corrective actions and analyze this information to identify trends. Additionally, retest systems after corrective actions have been taken to ensure that vulnerabilities were actually eliminated. Scan non-production environments actively to identify and address potential problems.
  10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security Any location that has a connection to the SCADA network is a target, especially unmanned or unguarded remote sites. Conduct a physical security survey and inventory access points at each facility that has a connection to the SCADA system. Identify and assess any source of information including remote telephone/computer network/fiber optic cables that could be tapped; radio and microwave links that are exploitable computer terminals and that could be accessed; and wireless local area network access points. Identify and eliminate single points of failure. The security of the site must be adequate to detect or prevent unauthorized access. Do not allow “live” network access points at remote, unguarded sites simply for convenience.
  11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios Establish a “Red Team” to identify potential attack scenarios and evaluate potential system vulnerabilities. Use a variety of people who can provide insight into the weaknesses of the overall network, SCADA system, physical systems, and security controls. People who work on the system every day have great insight into the vulnerabilities of your SCADA network and should be consulted when identifying potential attack scenarios and possible consequences. Also, ensure that the risk from a malicious insider is fully evaluated, given that this represents one of the greatest threats to an organization. Feed information resulting from the “Red Team” evaluation into risk management processes to assess the information and establish appropriate protection strategies.

The following steps focus on management actions to establish an effective cyber security program:

  • 12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users Organization personnel need to understand the specific expectations associated with protecting information technology resources through the definition of clear and logical roles and responsibilities. In addition, key personnel need to be given sufficient authority to carry out their assigned responsibilities. Too often, good cyber security is left up to the initiative of the individual, which usually leads to inconsistent implementations and ineffective security. Establish a cyber security organizational structure that defines roles and responsibilities and clearly identifies how cyber security issues are escalated and who is notified in an emergency.
  • 13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection Develop and document robust information security architecture as part of a process to establish an effective protection strategy. It is essential that organizations design their network with security in mind and continue to have a strong understanding of their network architecture throughout its lifecycle. Of particular importance, an in-depth understanding of the functions that the systems perform and the sensitivity of the stored information is required. Without this understanding, risk cannot be properly assessed and protection strategies may not be sufficient. Documenting the information security architecture and its components is critical to understanding the overall protection strategy, and identifying single points of failure.
  • 14. Establish a rigorous, ongoing risk management process A thorough understanding of the risks to network computing resources from denial-of-service attacks and the vulnerability of sensitive information to compromise is essential to an effective cyber security program. Risk assessments form the technical basis of this understanding are critical to formulating effective strategies to mitigate vulnerabilities and to preserve the integrity of computing resources. Initially, perform a baseline risk analysis based on current threat assessment to use for developing a network protection strategy. Due to rapidly changing technology and the emergence of new threats on a daily basis, an ongoing risk assessment process is also needed so that routine changes can be made to the protection strategy to ensure it remains effective. Fundamental to risk management is the identification of residual risks with a network protection strategy in place and acceptance of that risk by management.
  • 15. Establish a network protection strategy based on the principle of defense-in-depth A fundamental principle that must be part of any network protection strategy is defense-in-depth. Defense-in-depth must be considered early in the design phase of the development process, and must be an integral consideration in all technical decision-making associated with the network. Utilize technical and administrative controls to mitigate threats from identified risks to as great a degree as possible at all levels of the network. Single points of failure must be avoided, and cyber security defense must be layered to limit and contain the impact of any security incidents. Additionally, each layer must be protected against other systems at the same layer. For example, to protect against the inside threat, restrict users to access only those resources necessary to perform their job functions.
  • 16. Clearly identify cyber security requirements Organizations and companies need structured security programs with mandated requirements to establish expectations and allow personnel to be held accountable. Formalized policies and procedures are typically used to establish and institutionalize a cyber security program. A formal program is essential for establishing a consistent, standards-based approach to cyber security through an organization and eliminates sole dependence on individual initiative. Policies and procedures also inform employees of their specific cyber security responsibilities and the consequences of failing to meet those responsibilities. They also provide guidance regarding actions to be taken during a cyber security incident and promote efficient and effective actions during a time of crisis. As part of identifying cyber security requirements, include user agreements and notification and warning banners. Establish requirements to minimize the threat from malicious insiders, including the need for conducting background checks and limiting network privileges to those absolutely necessary.
  • 17. Establish effective configuration management processes A fundamental management process needed to maintain a secure network is configuration management. Configuration management needs to cover both hardware configurations and software configurations. Changes to hardware or software can easily introduce vulnerabilities that undermine network security. Processes are required to evaluate and control any change to ensure that the network remains secure. Configuration management begins with well-tested and documented security baselines for your various systems.
  • 18. Conduct routine self-assessments Robust performance evaluation processes are needed to provide organizations with feedback on the effectiveness of cyber security policy and technical implementation. A sign of a mature organization is one that is able to self-identify issues, conduct root cause analyses, and implement effective corrective actions that address individual and systemic problems. Self-assessment processes that are normally part of an effective cyber security program include routine scanning for vulnerabilities, automated auditing of the network, and self-assessments of organizational and individual performance.
  • 19. Establish system backups and disaster recovery plans Establish a disaster recovery plan that allows for rapid recovery from any emergency (including a cyber attack). System backups are an essential part of any plan and allow rapid reconstruction of the network. Routinely exercise disaster recovery plans to ensure that they work and that personnel are familiar with them. Make appropriate changes to disaster recovery plans based on lessons learned from exercises.
  • 20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance Effective cyber security performance requires commitment and leadership from senior managers in the organization. It is essential that senior management establish an expectation for strong cyber security and communicate this to their subordinate managers throughout the organization. It is also essential that senior organizational leadership establish a structure for implementation of a cyber security program. This structure will promote consistent implementation and the ability to sustain a strong cyber security program. It is then important for individuals to be held accountable for their performance as it relates to cyber security. This includes managers, system administrators, technicians, and users/operators.
  • 21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls Release data related to the SCADA network only on a strict, need-to-know basis, and only to persons explicitly authorized to receive such information. “Social engineering,” the gathering of information about a computer or computer network via questions to naïve users, is often the first step in a malicious attack on computer networks. The more information revealed about a computer or computer network, the more vulnerable the computer/network is. Never divulge data revealed to a SCADA network, including the names and contact information about the system operators/administrators, computer operating systems, and/or physical and logical locations of computers and network systems over telephones or to personnel unless they are explicitly authorized to receive such information. Any requests for information by unknown persons need to be sent to a central network security location for verification and fulfillment. People can be a weak link in an otherwise secure network. Conduct training and information awareness campaigns to ensure that personnel remain diligent in guarding sensitive network information, particularly their passwords.

The Bottom Line on Security

Again, when it comes to the security of our nation and even of water/wastewater treatment facilities, few have summed it better than Governor Ridge (Henry, 2002).

Now, obviously, the further removed we get from September 11, I think the natural tendency is to let down our guard. Unfortunately, we cannot do that. The government will continue to do everything we can to find and stop those who seek to harm us. And I believe we owe it to the American people to remind them that they must be vigilant, as well.

Chapter Review Questions

Thought-Provoking Questions (Answers Will Vary):

  • 3.1 Do you feel that water and/or wastewater facilities are realistic targets for terrorism? Why?
  • 3.2 Are we more vulnerable to homegrown terrorists than foreign terrorists? Explain.

References and Recommended Reading

DOE, 2001. 21 Steps to Improve Cyber Security of SCADA Networks. Washington, DC: Department of Energy.
Ezell, B.C. , 1998. Risks of Cyber Attack to Supervisory Control and Data Acquisition. Charlottesville, VA: University of Virginia.
FBI, 2000. Threat to Critical Infrastructure. Washington, DC: Federal Bureau of Investigation.
FBI, 2004. Ninth Annual Computer Crime and Security Survey. Washington, DC: FBI: Computer Crime Institute and Federal Bureau of Investigation.
GAO, 2003. Critical Infrastructure Protection: Challenges in Securing Control System. Washington, DC: United States General Accounting Office.
Gellman, B. , 2002. Cyber-Attacks by Al Qaeda Feared: Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say. Washington Post, June 27, p. A01.
Greenberg, J.M. , Mendoza-Gomez, E.X. , & Parronell, V. , 1999. The Chemistry of Life Origins. Dordrecht, Netherlands and London, UK: Kluwer Publishers, pp. 190–194.
Henry, K. , 2002. New Face of Security. Government Security. April, pp. 30–31.
IBWA, 2004. Bottled Water Safety and Security. Alexandria, VA: International Bottled Water Association.
NIPC, 2002. National Infrastructure Protection Center Report. Washington, DC: National Infrastructure Protection Center.
Stamp, J. et al., 2003. Common Vulnerabilities in Critical Infrastructure Control Systems, 2nd ed. Sandia National Laboratories.
USEPA, 2004. Water Security: Basic Information. Accessed 09/30/07 @
USEPA, 2005. EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known SCADA Vulnerabilities. In: Harris, J. (Ed.) Final Briefing Report. Washington, DC: USEPA.
Search for more...
Back to top

Use of cookies on this website

We are using cookies to provide statistics that help us give you the best experience of our site. You can find out more in our Privacy Policy. By continuing to use the site you are agreeing to our use of cookies.