While protecting public infrastructure systems from potential disasters is not a new concept, owners and consultants have felt an urgent calling to this task since 9/11. Government agencies at all levels are assessing water, wastewater and power systems from top to bottom, looking for chinks in the armor and ways to upgrade security within budget constraints. Some owners initiated assessments long before 9/11, while others are now scrambling to meet federal deadlines.

The Public Health Security and Bioterrorism Response Act requires drinking water systems serving 100,000 people or more to complete vulnerability assessments and submit them to the U.S. Environmental Protection Agency by March 2003, followed by an emergency response plan within six months. Systems serving between 50,000 and 100,000 people have until December 2003, and systems serving between 3,300 and 50,000 people have until June 2004 to complete assessments.

CLOSED Some say results of assessments of water and power systems should not be publicized. (Photo courtesy of Bureau of Reclamation)

To help systems fund the assessments, Congress allotted EPA $53 million in grants for the large systems. Over 380 grants have been awarded so far, says Janet Pawlukiewicz, director of EPA's water protection task force. "We are aiming to help systems become more secure as soon as possible," she says. Funding for smaller systems is in the works.

EPA specifies that owners use a structured risk-assessment approach to determine the vulnerability of their systems. Many owners are using a series of processes known as RAM-D, RAM-T and RAM-W–Risk Assessment Methodology for dams, transmission and water, respectively. The methods, developed at Sandia National Laboratories, Albuquerque, systematically assess threats, consequences and vulnerability before evaluating consequence mitigation and security upgrade options, says Rudy Matalucci, Sandia's project leader.

While the RAM methods use "a fair amount of science, they also require intuition and logic," says Mike Rosenberger, vice president with CH2M Hill Cos. in Portland, Ore. "The challenge is to figure out how to mitigate the most risks with the funds available." CH2M Hill has worked on over 50 risk-assessments in the past year, although many were under way before 9/11, he says.

Other consultants have used proprietary risk assessment methods developed by themselves. Kansas City-based Black & Veatch, which developed an in-house procedure in the early 1990s, has used a combination of Sandia and its own methods. "It depends on the comfort level" of the particular agency, says Allen Rose, vice president in the company's special projects group, which had four people working on water-wastewater security assessments prior to 9/11, but now has nearly 50.

Owners are also tapping expertise outside the traditional engineering community. Arlington, Va.-based Veridian Corp., which specializes in defense and intelligence work, has performed assessments on dams and water and power systems for several cities and the Bureau of Reclamation. System owners "are not traditional operators in security so they don't have access to all the information" on terrorist threats, says Ed Jopeck, director of security analysis and risk management. Veridian typically teams with an engineering firm on its infrastructure assessments.

One of Veridian's clients, the Portland, Ore., Bureau of Water Works, is burying its five open water storage reservoirs to prevent deliberate contamination. The work "was going to be done anyway, but we moved it up" after 9/11, says Ross Walker, a city spokeswoman. The $65-million first phase of the project is scheduled over the next five years, with costs borne by customers.

Besides making physical improvements, owners are taking a number of nonstructural steps, such as adding site security patrols, building access controls and installing surveillance cameras. Phoenix has spent over $4 million on such measures since 9/11, and has allotted similar amounts for the next several years, says Ken Koski, a city spokesman.

Some nonstructural measures also require physical improvements. To provide real-time surveillance video across one or more facilities often requires increased communication bandwidth, such as new fiber-optic cable, to keep video feeds separate from supervisory control and data acquisition systems, says Alan Wong, client service manager for homeland security with HDR Inc., Omaha. "You don't want to mix live video with SCADA," he says. "The good news is utilities can fold these projects into other contracts."


Owners need to be more cognizant of interaction between different infrastructure components, such as water, power and communications, say some industry experts. "They need to focus on interdependencies," says Paula Scalingi, president of Vienna, Va.-based Scalingi Group LLC, and a former Central Intelligence Agency analyst. In a power outage, a highly automated water system "could be a secondary target," she says.

To span multiple agencies and disciplines, Scalingi recommends regional initiatives such as one undertaken by the Pacific Northwest Economic Region, a consortium of several northwestern states and Canadian provinces. PNWER formed its Partnership for Regional Infrastructure Security last year specifically to address multiple infrastructure vulnerabilities.

Background infrastructure components such as inland waterways also need to be assessed, says Robert Underwood, vice president of security risk management for Carter & Burgess, Fort Worth, Texas. "Inland navigation keeps traffic off our highways and affects commerce," he says. "You don't want an outage that would force shippers to use alternate methods."

Data protection remains a concern of owners and consultants. The Association of Metropolitan Water Agencies, Washington, D.C., is working with its members and other agencies to tighten disclosure of information that has previously been available through public channels, says Jeff Mosher, director of technical services. "The public needs to know there's a systematic approach" being used on risk assessments, adds Sandia's Matalucci. "But the results need to be protected."

On Sept. 12, AMWA contracted a team led by the Dallas office of Westin Engineering Inc. to design, build and operate a Web-based security information clearinghouse for drinking water utilities. The Water Information Sharing and Analysis Center (www.waterisac.org) will give "member utilities…the access they need to protect against potential threats to their security," says Diane VanDe Hei, AMWA executive director.

Under a $657,000 contract, the Westin team is charged with having the information center fully operational by December, according to an AMWA spokesman.