|
Infrastructure
Security A great deal of money and time has been spent by the U.S. Environmental Protection Agency (EPA) addressing the nation's concerns with the security of our water supply. The EPA's Water Protection Task Force and Regional Offices, working with many partners, are taking actions to improve the security of the nation's drinking water and wastewater infrastructure. Actions are underway to provide direct grant assistance to large, publicly owned drinking water facilities; to support development of tools, training and technical assistance for small and medium drinking water and wastewater utilities; and to promote information sharing, and research to improve treatment and detection methods. Sandia National Laboratory, under Interagency Agreement between the EPA and the Department of Energy, will provide training to selected firms in the performance of a vulnerability assessment methodology--known as Risk Assessment Methodology for Water Utilities (RAM-W). The goal of the program, referred to as Train-the-Trainers, is to provide experienced trainers who will then offer this course nationally to consultants, water utilities, and government entities. All trainers licensed by Sandia will be required to publicly offer this training course a minimum number of times. The goal is to have high-quality vulnerability assessments conducted at drinking water and wastewater utilities. In an effort to support counter terrorism activities in the states and at drinking water and wastewater utilities, the EPA received supplemental appropriations from Congress this fiscal year. The EPA is using the appropriations to provide grant assistance to large (regularly servicing over 100,000 people) publicly owned systems, for up to $115,000 to develop a vulnerability assessment, emergency response/operating plan, security enhancement plans and designs, or a combination of these efforts. In accordance with Sandia's assessment methodology, a facility authority, with the assistance of a certified RAM-W Specialist, is to examine his facility and determine the components or processes that are critical to continued operation if there was any sort of attack on the facility. Each process is given a numeric value based on the degree of vulnerability, the probability of attack, and other factors. Values are then calculated for each part of the facility and ranked to vulnerabilities from most critical to least critical. The facility authority is to use this information to create a plan of action to restore the process in the event that it is harmed. There, however, seems to be a limitation to the methodology being used during the assessments. Too much time and effort is being invested in establishing the statistical value of the degree of risk rather than placing attention on creating new methodologies, tools, or tactics to secure a facility. Case in point, no expert is able to predict the type of attack to be expected on a facility. Infrastructure security is the process of a site-specific investigation identifying the risks to a facility and the tactics and measures used to prevent them. The key difference is the prevention of an attack, rather than how to assume production after an attack. Both are extremely important issues, but clearly different. Therefore, I believe the tools and tactics used to secure a facility should be much like those used to secure a military base. The facility must be evaluated for breaches in security followed by the selection of appropriate tools and tactics to counter the risk. TACTICS A wide variety of tools and tactics are used, covering a broad range of associated costs. They should be implemented starting with the least expensive and perceivably the easiest to implement. For example, changes to existing policy and procedure is a great starting point. I once worked with a facility with a no smoking policy in the buildings, but provided no place for smokers to take a break. As a result, smokers propped open doors and disabled detection devices rather than walk in the rain on their break. By designating an existing area for smokers to use, all problems were solved and at no cost to the facility authority. As the sophistication of the solution increases, so does the cost. Most facility authorities would not consider operation without a SCADA system, but many feel that an access control system is not needed. An access control system actually combines many systems, such as key control and biometric detection devices, into one system, simplifying the authority's job but certainly elevating the cost. The most expensive way to secure a facility is to hire, or contract for additional security personnel. At a base increase with cost of staff, the facility must also equip personnel with the required tools and supporting procedures to do their job correctly. Always plan to train personnel and provide additional periodic training as a refresher. Along with new electronic tools must also come new procedures that govern the methods and tools that are used to assist in providing a secure facility. Electronics are not a solution. They are simply tools that aid in bringing about the solutions. CONCERNS One of the main concerns is keeping outsiders away from the facility. This is accomplished by creating a multi-layered secure environment starting as far away from the critical systems as possible and working inward with intrusion detection at each layer. It is easier and more cost effective to incorporate the systems while a new facility is being built, but a system can be installed in an existing facility to address specific concerns as well. It is also important to establish the proper response procedures addressing violation at each layer, getting more severe as the level of threat increases. The tactics that could be employed include permanent and actuating bollards, multiple rows of fencing with proximity cables and infrared detection, barbed wire or concertina, sally ports at roadways and walkways, surveillance cameras, thorny plantings, and adequate lighting. During the design of a new facility or the security assessment of an existing facility, the principals of Crime Prevention Through Environmental Design (CPTED) should be used to address the layout of the facilities. Such CPTED items to address include site lighting, line of sight for natural surveillance, signage and visual queues directing visitors, proper plantings to direct traffic flow and limit hiding places, proper building shell materials and shapes to limit break-ins and victimization zones, and perimeter security and vehicular traffic control. Another concern may be how to protect chemicals' and production materials' storage places from willful harm. Depending on the size and contents of tanks, they can be stored underground or within a dedicated building, limiting sight and access by outsiders. Early detection of the inbound raw materials and physical security from that point into the plant will provide action time to stop contamination that could harm biological agents in the plant. Storage of processed drinking water is of great concern to the EPA and the public. Water stored in tanks or towers is more easily contained than in reservoirs. There should also be procedures established with local law enforcement and air traffic control to create a no trespassing zone around the site of water storage. When reservoirs are located at parks or other places of public access, planning for automobile parking must be researched to limit the possibility of large-scale contamination. CONCLUSION Each facility site is different -- one may be rural while another is urban. Because of this site difference, the tools and methods will most likely differ from facility to facility. This is why the facility authority should partner with an experienced security designer to review and establish plans for an infrastructure system. Submitted by: |