Critical Infrastructure Protection
The Who, What, Why, and How of Counterterrorism Issues

By Gay Porter DeNileon

The fax came across the desk of many US water utility executives on January 24, 2001.

"Last night, the FBI received a signed threat from a very credible, well-funded, North Africa-based terrorist group indicating that they intend to disrupt water operations in 28 US cities. Because the threat comes from a credible, well known source, with an organizational structure capable of carrying out such a threat, the FBI has asked utilities, particularly large drinking water systems, to take precautions and to be on the lookout for anyone or anything out of the ordinary" (AMWA, 2001).

Even though the signature on the letter was later determined to be a hoax and the possibility of the threat being carried out successfully was considered to be "highly unlikely" by the Federal Bureau of Investigation (FBI, 2001), the alarm resonated in utility boardrooms and security offices across the US. The message was clear: As long as enemies of the United States exist, terrorism could strike an American water supply within our lifetimes, unless steps are taken to prevent such action.

The potential for threat is not new. "It has long been recognized that among public utilities, water supply facilities offer a particularly vulnerable point of attack to the foreign agent, due to the strategic position they occupy in keeping the wheels of industry turning and in preserving the health and morale of the American populace," wrote John Edgar Hoover, the first director of the FBI, shortly before the Japanese invasion of Pearl Harbor (Hoover, 1941).

While the prospective saboteur and some of his methods may have changed, the awareness and concern about an intentional attack on the nation's critical infrastructure has only heightened since the demise of the Cold War. Not only has the number of terrorist-type groups grown but they are increasingly extreme. "Modern terrorist groups tend to be decentralized, and many self-declared terrorists work alone," writes Michael T. Osterholm in his book about the threat of bioterrorism, Living Terrors (Osterholm et al, 2000). Also, the information highway has joined the traditional critical infrastructure underpinnings of the nation: transportation, banking and finance, energy, telecommunications, emergency response systems, and water supply. In May 1998, then President Clinton issued Presidential Decision Directive 63 (PDD 63), and a supporting, unclassified White Paper that defined the administration's policy on protecting the nation's critical infrastructure. The White Paper states, in part, "As a result of advances in information technology and the necessity of improved efficiency … [the nation's critical infrastructures] have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failures, human error … and physical and cyber attacks." (National Security Council, 1998)

What are the threats?

"Three attributes are crucial to water supply users. There must be adequate quantities of water on demand; it must be delivered at sufficient pressure; and it must be safe for use. Actions that affect any of these three factors can be debilitating for the infrastructure," states the water sector summary report crafted by the presidential commission tasked with presenting a case for increased security measures of the nation's infrastructure (President's Commission, 1997). A variety of methods could be used to undermine these three essential functions of a water supply system.

Physical destruction. Many observers believe that physical destruction of water system components or the disruption of a water supply is a much more likely scenario than a contamination event. The loss of flow and pressure would not only cause problems for water customers, but drastically hinder firefighting efforts as well. Hoover identified eight potentially vulnerable points in a water utility in addition to "bacterial infection or other pollution of water," including damage to vital equipment by explosives, damage to interdependent infrastructure such as power stations, arson, and injury to personnel (Hoover, 1941). Explosives and guns are much easier to obtain than destructive quantities of contaminants, so the potential for conventional damage to be inflicted on a water supply is much higher than a contamination event. Damage of a physical nature includes disruption or destruction of:

* an operating or distribution system component
* the power source or other interdependent infrastructure, such as telecommunications
* water treatment chemical containers, particularly chlorine
* supervisory control and data acquisition (SCADA) systems
* raw water reservoirs, aqueducts, and pumping stations.

Another concern is the potential for creating a system-wide water hammer effect by opening and closing major control valves too rapidly, resulting in a large number of simultaneous main breaks (President's Commission, 1997). This, and a loss of pressure that could affect firefighting capabilities, would not only jeopardize the water supply, but also tax the resources of utility staff and other public works personnel. As with any natural disaster that destroys utility facilities or threatens the delivery of safe water, the stress and overtime imposed on staff handling the situation is a factor that must be considered in the larger picture of preparedness and response.

Chlorine and other hazardous chemicals used in the treatment process also can be susceptible to attack, particularly during transport to the utility or at an unsecured plant site. Not only would the release of chlorine gas into a residential neighborhood be dangerous, but the interruption of the supply of chemicals to the treatment plant could undermine the disinfection process.

Bioterrorism/Chemical Contamination. As the subject of many conferences and workshops, as well as of fiction and nonfiction books and movies, bioterrorism is a buzzword that catches immediate attention. Technically, the term refers to massive contamination by a microbiological agent, but there is also concern about contamination by a toxic chemical, both of which, under certain circumstances, can be considered weapons of mass destruction (WMD). Major Donald C. Hickman, in a paper urging better protection of US Air Force water systems against deliberate contamination, cites the release of sewage into a Bohemian reservoir by Nazi agents, the dumping of animal carcasses and hazardous materials into the majority of Kosovo's wells, and the use of cherry laurel water, which contains cyanide, by Nero against his enemies in ancient Rome, to build his case (Hickman, 1999).

Generally, biological agents considered to be a WMD -- an agent capable of producing mass casualties and of being produced in mass quantities -- pose the most danger in aerosol form. Contamination would likely occur through the air in an interior space, such as the sarin attack in a Tokyo subway in 1995. In determining which chemical and biological agents are most likely to be used in a terrorist attack, the FBI's main criteria are "high dermal or inhalation toxicity, common malicious use reported, and prior use by terrorists" (FBI, Feb. 1, 2001). Nelson P. Moyer, of the University Hygienic Laboratory, said, "The ideal waterborne agent of bioterrorism has a low infectious dose, produces severe gastrointestinal disease in a population with little or no immunity, and results in a higher percentage of systemic complications leading to death." (WQTC, Moyer, 2000)

While in the past, the Centers for Disease Control and Prevention (CDC) in Atlanta has focused on airborne routes, CDC is now focusing more research on the waterborne viability and resistance to disinfection of such agents as smallpox, anthrax, botulinum toxin, tularemia, and hemorrhagic fever viruses, which are Category A biological agents of high concern (CDC, 1999). Such research is not new, and other characteristics that are relevant to an agent's potential as a biological weapon include the agent's stability in the drinking water system, virulence, culturability in the quantity required, and resistance to detection and identification processes (Berger et al, 1955). CDC is also stockpiling antidotes and vaccines, has established a disease surveillance network in hospitals and other health care facilities to detect and identify unusual unexplained illnesses, and is working with public and private laboratories to facilitate the detection and identification of biological agents in the event of a terrorist attack (Hughes, 1999).

In water systems, the commonly held belief that "dilution is the solution," along with the multiple barrier approach used to detect and eliminate or deter naturally occurring pathogens, would likely prevent the successful introduction of a toxic chemical or microbiological agent at the source or in the treatment plant (WQTC, DeLeon, 2000). Also, "the opportunities for finding unobserved sites for sabotage are few, as compared with the distribution system," (Berger et al, 1955) which is particularly vulnerable because of its unguarded accessibility and the widespread area it reaches.

Backflow. Consider the unintentional release of aqueous fire-fighting foam into the Charlotte Mecklenburg Utilities distribution system through a fire hydrant when a fire truck pump was turned on before a valve was closed. The pump feeding the foam produced more pressure than the water pressure in the system, and without a backflow prevention device stopping it, more than 60 gallons of foam got into the neighborhood's pipes and taps (Krouse, 2001). Almost every home and building on a public water system has unprotected access to the distribution system; one wacko who understands hydraulics and has access to a drum of toxic chemicals could inflict serious damage to a water supply in a neighborhood or pressure zone without detection pretty quickly in most communities. Contaminants could also be introduced into a system in distribution reservoirs and through fire hydrants.

Cyber attack. The threat and reality of cyber attacks can affect the entire infrastructure network. Prof. James T. Lambert of the University of Virginia, in a presentation to the participants of a US Environmental Protection Agency (USEPA) sponsored workshop, cited research showing that many water utility SCADA systems are susceptible to hacking, which could result in disclosure or theft of sensitive information, corruption of information, or, at the worst extreme, denial of service (USEPA/DOE Workshop: Lambert). Because many supervisory control and data acquisition (SCADA) systems are not connected to the Internet, the threat of a cyber attack is most likely to come from a disgruntled employee with access to the system.

Who poses a threat?

While a "terrorist" threat is typically expected to be carried out by an organized group or nation with a cause or statement to make, the disenfranchised loner, e.g., Unabomber Ted Kaczynski or Oklahoma City bomber Timothy McVeigh, is a more likely menace. The intentional acts can usually be categorized into five classes of perpetrators:

1. Vandals, who commit crimes of opportunity, such as a spontaneous action without a provoking cause. Examples include teenagers who skinny dip in a water tank then dump into the reservoir the excess paint they've used to scrawl their class year on the outside of the tank.

2. The lone wolf, a disenfranchised, often mentally ill individual who may target his victims for their ethnicity, beliefs, or other supposed infractions.

3. Insiders, particularly employees, former employees, or contractors, who are seeking revenge or venting anger over some real or imagined slight. Because of their inside knowledge of an operation, these perpetrators could feasibly inflict the most serious harm.

4. Activist groups or cults, not aligned with a country, but intent on making a statement, such as the Earth Liberation Front that claimed responsibility for burning down the $12 million Vail, Colo., ski lodge, or the Oregon cult that poisoned a salad bar and water system with salmonella.

5. State-sponsored terrorist groups, such as those linked to known enemies of the US.

A state-sponsored group was the alleged signatory of the threatening letter to water utilities on January 24; the concern of the parties that notified utilities about the threat was that the group actually had the financial and technical resources to carry out a major disruption of water supplies in 28 cities. Not many members of the other four classes of perpetrators have that sort of financial or manpower resources, but that does not mean they are not resourceful. In 1998, a group of teenagers carefully plotted a way to get into the water treatment plant in Neenah, Wis., where they intended to throw dry soap in the filters and liquid soap on the floors, place trip wires where plant personnel would be impeded, and videotape the entire action. These teens also had a cache of 77 pounds of M-80 firecrackers, lighter fluid, bolt cutters, and baseball bats that they said were to be used to defend themselves if necessary (Wettering, 1999).

What is being done?

PDD 63 established the National Infrastructure Protection Center (NIPC), and appointed the USEPA as lead federal agency on critical infrastructure protection issues for the water supply sector (National Security Council, 1998). USEPA subsequently appointed Diane VanDe Hei, executive director of the Association of Metropolitan Water Agencies (AMWA), as the water sector liaison to the federal government on critical infrastructure. USEPA is funding, in cooperation with the AWWA Research Foundation, a research project to develop a vulnerability assessment methodology. AMWA established a national Critical Infrastructure Protection Advisory Group (CIPAG), which began meeting in January 2001. Comprised of industry representatives, with technical support from water associations and federal agencies such as USEPA, FBI, and the Department of Energy, the CIPAG is providing guidance to a variety of activities, including:

* an Information Sharing and Assistance Center (ISAC) for the water supply sector, which would allow secure transmission of threat information and other sensitive data;

* guidance documents that will outline what steps to take to protect a facility against attack, respond to attack, and mitigate the consequences of an attack;

* cooperative meetings of all critical infrastructure sectors, through the US Chamber of Commerce and the Critical Infrastructure Assurance Office, a federal coordinating office;

* a national infrastructure assurance plan for the water sector; and

* training activities.

CIPAG Chair Brian Ramaley of Newport News (Va.) Public Utilities will provide an update and overview of the group's activities at a Sunday workshop during the 2001 AWWA Annual Conference and Exposition (ACE) in June. The workshop, "Critical Infrastructure Terrorism and Security," will provide participants with the first view of the USEPA/AWWARF-funded vulnerability assessment tool being developed by Sandia National Laboratory, as well as some practical advice from FBI agents, researchers, and utility professionals who already have a program in place to address terrorist issues.

A number of public and private institutions are conducting research on issues related to critical infrastructure protection and have established training programs that will take participants through the basics of identification, response, and remediation, although most programs are not water sector specific. AWWA is planning to develop a 2-3 day "Seminar in a Box" program in 2002 that would explore in depth the issues presented at the 2001 ACE workshop. This seminar would provide trainers and materials on a request basis to utilities, AWWA sections, and other qualified groups or agencies.

What are other concerns?

One of the biggest issues that many water utility executives raise is the confidentiality of information, e.g., concerns that the public may have easy access to details of a vulnerability assessment under local and state Freedom of Information Act (FOIA) laws. The federal FOIA allows agencies to withhold information that "could reasonably be expected to endanger the life or physical safety of any individual," and "geological and geophysical information and data, including maps, concerning wells" (FOIA). Also at the federal level, most sensitive data would not be available, because utilities are not required to provide such information to USEPA or any other agency at this time. A water industry ISAC and the FBI/NIPC Infraguard program (see sidebar) may be the answer to some of these concerns. By limiting access to, and possibly encrypting, information, only those with the proper access codes or passwords will be allowed to read or browse specific data. The USEPA and AMWA are also working with the CIAO to assist municipal utilities in dealing with local and state FOIA laws. Utilities are advised, nevertheless, to have their attorneys review any plans to collect sensitive information, such as the results of vulnerability assessments, to ensure that the utility has a basis for withholding information under state and local laws.

What can utilities do?

Utilities must take it upon themselves to assess their vulnerabilities and prioritize them for necessary security improvements. The AWWARF vulnerability assessment tool will provide templates to assist utilities in this process, and the tool may be distributed through the ISAC. The steps that can be taken once the vulnerabilities are identified are numerous (see sidebar), and need to include outreach to local and regional law enforcement and emergency management officials, as well as federal and state agencies that would be involved in a terrorist situation (see sidebar on who does what in federal and state agencies). These officials should be invited to tour the water utility facilities so they are aware of its features and vulnerable points and can respond appropriately if an attack occurs. That personal contact will also raise the water utility's visibility on the radar screen of agencies, such as the local FBI field offices, that monitor terrorist activities, so they will think to notify the water utility in the event of a threat and to include utility staff in preparedness and emergency response training.

Most utilities have emergency preparedness plans that address redundancy of operations, public notification, chain of command, media response, emergency water supply, and other issues that need attention in a crisis. These plans should provide the backbone of a response strategy for a terrorist attack as well, but should be reviewed and updated to include a checklist or barometer (predetermined with input from local and federal law enforcement officials) to determine how serious the threat is and whether or not to

* increase security,

* issue boil-water or do-not-drink alerts,

* change operations (e.g., slow filter rate, increase/decrease chemicals),

* cease operations, or

* take other steps.

Some utilities have checklists for their customer service staff, so if a threat comes in, the person manning the phone can help identify who and where the threat came from. The checklist includes questions about tone of voice, gender, whether or not the voice was disguised or muffled, and background noise. Again, law enforcement agencies can help in crafting or supplying such a checklist, and should be notified immediately if a threat is phoned in to a utility.

Aftermath

News item from a California daily:

"It had a look that is common to weekend vandalism: the cut screen, the mess in the building, the spilled material. But the building was the control room for Grass Valley's water treatment plant, and the mysterious bright red substance was spilled into the Sierra foothill town's water supply over the weekend. …

The plant will remain out of commission probably until early next week and the 2,300 residences and businesses will continue to receive 1.2 mgd from the Nevada Irrigation District." (Cox, 1999)

The FBI alert that went out to utilities on Jan. 24, 2001, was initially sent to about 300 of the largest metropolitan suppliers. Smaller utilities, however, tend to be less protected and thus more vulnerable to attack, whether it be by teenage vandals or by state-sponsored terrorists. Every utility that has had to repaint a graffiti-riddled water tower or replace stolen signs around a reservoir has witnessed how vulnerable it is to outside intrusion. Consider those incidents and multiply them by a factor of evil intent to cause harm, and then consider just how safe your facility is from a deliberate act of aggression. For, as J. Edgar Hoover said (Hoover, 1941), "We must not be lulled into a false sense of security. The thrusts of the subversive agent must be met and thwarted at every turn. The methods of operation of the saboteur and the espionage agent are limited only by their ingenuity."

REFERENCES

Association of Metropolitan Water Agencies (AMWA). Jan. 24, 2001. Memorandum to utilities serving 100,000 customers or more.

Berger, B. and Stevenson, A. 1955. Feasibility of Biological Warfare Against Public Water Supplies. Jour. AWWA, 47:2:101

Centers for Disease Control and Prevention (CDC). 1999. Worksheet. Critical Biological Agents for Public Health Preparedness.

Cox, J. Oct. 13, 1999. "Vandals Pollute Grass Valley Water Supply: Two Teens Held." The Sacramento Bee.

Federal Bureau of Investigation (FBI). Jan. 24, 2001. Memorandum to AMWA.

FBI. Feb. 1, 2001. "FBI contacts for suspicious pesticide/organophosphate nerve gas incidents." Memorandum to Poison Control Centers.

Freedom of Information Act. 5 U.S.C. § 552, As Amended By Public Law No. 104-231, 110 Stat. 2422. <http://www.fas.org/sgp/foia/foia.html>

Hickman, D.C., 1999. A Chemical and Biological Warfare Threat: USAF Water Systems at Risk. The Counterproliferation Papers Future Warfare Series No. 3. USAF Counterproliferation Center, Air War College, Air University, Maxwell Air Force Base, Alabama.

Hoover, J.E. Water Supply Facilities and National Defense. 1941. Jour. AWWA, 33:11:1861

Hughes, J.H. Apr. 10, 1999. Statement before the Subcommittee on Technology, Terrorism, and Government Information Subcommittee on Youth Violence Committee on the Judiciary US Senate.

Krouse, M. 2001. Backflow Incident Sparks Improvements. Opflow. Vol. 27, No. 2.

USEPA/DOE Workshop on Protecting our Water Supply Infrastructure: Lambert, J.T., Risk Management of SCADA Systems. 2000. Argonne, Ill.

Osterholm, M.T. & Schwartz, J. 2000. Living Terrors: What America Needs to Know to Survive the Coming Bioterrorist Catastrophe. Delacorte Press.

National Security Council (NSC). May 22, 1998. White Paper Policy on Critical Infrastructure Protection: Presidential Decision Directive 63.

President's Commission on Critical Infrastructure Protection. Oct. 13, 1997. Critical Foundations: Protecting America's Infrastructures.

Sandia National Laboratories Water Surety Workshop. Danneels, J.J., Methodology for Improving the Security of the Water Infrastructure. 2000. Albuquerque, N.M.

University of North Carolina. June 1999. Public Health Grand Rounds Satellite Broadcast Bioterrorism: Implications for Public Health. <http://publichealthgrandrounds.unc.edu/bioterrorism.htm>

Water Quality Technology Conference: De Leon, R. and Stewart, M. Evaluation of Vulnerability to Microbial Threats. Proc. 2000 AWWA WQTC, Salt Lake City.

Water Quality Technology Conference: Moyer, N.P., Infectious Risks from Public Drinking Water or The Bioterrorist's CCL. Proc. 2000 AWWA WQTC, Salt Lake City.

Wettering, L. 1999. Teens or Terrorists: Plant Security Tested by Devious Plot. Opflow. Vol 25, No. 3.