Title: Protocol Development and Beta Testing of Wastewater Vulnerability Assessments for U'S' Army Faciliti
1Protocol Development and Beta Testing of
Wastewater Vulnerability Assessments for U.S.
Army Facilities
- Jennifer L. Dauphinais and Andrew R. Maly
- NDIA - 30th Environmental and Energy Symposium
Exhibition - April 5, 2004
2Background
- After 9/11 threats to infrastructure became a
concern - Damage to WW treatment works can cause
- Environmental damage
- Pollution of drinking water sources
- Long-term health effects
- Wastewater Treatment Works Security Act of 2003
- 200 million for vulnerability assessments (VA)
- In Senate awaiting further action
3Purpose
- To implement a VA protocol that highlight themes
commonly encountered on armed forces
installations - To determine a wastewater systems
vulnerabilities and provide recommendations to
fortify the systems against - physical destruction
- Intentional contamination
- cyber-attack
- To identify deficits in the protocol that should
be revised before the next VA
4VA Protocol
- Timeline
- Pre-assessment coordination
- In-brief
- Site assessment
- Risk evaluation
- Out-brief
- Report
5From start to finish a vulnerability assessment
should be completed within six months
6Army installations often require extensive
pre-assessment coordination
- Team requirements
- Request design drawings, maps, ERPs, SOPs, etc.
- Request access to personnel familiar with and
involved in wastewater treatment, collection and
monitoring - Request access to all physical components of the
wastewater system, either escorted or unescorted
7It is essential to have key installation
personnel available and involved in the VA
- Installation Commander
- Installation security/Provost Marshal
- Department of Public Works Director
- Environmental Office Chief
- PM and other medical Chiefs
- Water system manager/supervisor
- Plumbing staff
- Military intelligence
- Fire department chief
- HAZMAT/Safety Chief
- Director of Contracting
8There are three main threats to a wastewater
treatment facility
- Physical Destruction
- Arson
- Explosives
- Physically accosting personnel
- Intentional Contamination
- Chemical
- Biological
- Radiological
- Cyber Attack
9An assessment strategy is necessary when
inspecting facilities
- Look through the eyes of the aggressor
- What are their capabilities?
- What would be their modes of attack?
- Visit all components on and off the installation
- Approach each asset as a possible attack target
- Should complete day and night assessments
10Common Vulnerabilities
- Fencing
- In need of repair
- Vegetation overgrowth
11Common Vulnerabilities Continued
- Fencing
- No fence/vegetation setback distances
- Washed-out dirt
- Poor grounds keeping - debris
12Common Vulnerabilities Continued
- Chemical storage
- Visible from roads
- Un-enclosed, easy-access
13Access to facility is a serious security issue
- Is the facility or any components near
- public transportation routes?
- public recreation areas?
14Night assessments may uncover new vulnerabilities
- Lighting structures present but bulbs burnt out
- Ineffective locks/barbed wire
15Efforts to enhance the physical security plan
should address four key concepts
16Intentional contamination can lead to ineffective
or complete loss of treatment
- Contamination is most likely to occur
- at a remote location or
- by someone knowledgeable of facility operations
17As technology increases the vulnerability to
cyber-attack also increases
- Involves the electronic disruption of control,
monitoring, or communication systems - Can be performed at great distances from the
installation - Should use a cyber expert to evaluate
vulnerability
18Once vulnerabilities have been determined, risk
can be assigned
- Make initial best estimate of
19Risk measurement results from probability/severity
combination
20Example of vulnerability matrix
21The next step in the VA is an exit briefing
- Present the Extremely High or High risks
- Conduct an open discussion over risks
- Does everyone agree with risk values?
- Are there risks that were overlooked?
- Countermeasures?
- Explain future VA team actions
- Schedule
- Report
22Finishing touches
- Send draft report for corrections
- Transmitting the report
- Installation security POC
- Email
- Hardcopy
- Finalize report
23Acknowledgements
- Water Supply Management Program, USACHPPM
- Utilities and Installations