Wednesday, February 11, 2009

Water Sector Develops First Voluntary Security Snapshot

by Mickey McCarter

Report serves as a model for other sectors of critical infrastructure to analyze security gaps

The water infrastructure sector's information sharing and analysis center (ISAC) became the first industry sector to release metrics on its security performance at the very end of last year, setting a standard for other industry councils to follow.

"Until now, sector-specific metrics only existed in concept," Vance Taylor, a consultant at Catalyst Partners LLC who served as director of security policy for the Water ISAC, told HSToday.us.

"By voluntarily, developing, defining, analyzing and reporting on our security posture, the water sector has proved the Department of Homeland Security's concept of the partnership model works," he added. "You can work through the partnership model to develop a set of metrics and that the sector would be capable and willing to measure its own security process under a voluntary framework. That's very significant."

The results of the report, titled "Water Sector Measures Analysis," indicate the water sector is rising to meet security challenges. Drinking water and wastewater utilities are incorporating security into their budgets, training personnel on security, actively seeking validated threat information, putting chemical security protocols and safeguards in place, and reviewing their emergency response plans, Taylor declared.

The results as a whole indicated that drinking water and wastewater utilities are making significant progress in awareness, preparedness and resiliency. Ninety percent of responding utilities have incorporated security into their budgets and training; more than 90 percent regularly review their emergency response plans; and more than 90 percent are seeking validated security threat information.

The report also reveals gaps in security measures within the water industry. For example, only 42 percent of utilities had developed business continuity plans. Only 34 percent of wastewater utilities surveyed have a crisis communications plan.

"If we look at those specific areas of business continuity and crisis communications, you can see this is clearly an area where we need to improve," Taylor stated. "But this should not fall onto the shoulders of utility owners and operators or their associations to pick up themselves. We must work as a group-the Water Security Division and the Department of Homeland Security [DHS]. We need to work together to find out how fast to deploy resources to utilities to help them strengthen these efforts."

DHS should allocate dedicated funding to water security projects, Taylor argued. The economic recovery package approved by the Senate Tuesday contains about $2 billion for drinking water infrastructure projects and $6 billion for wastewater infrastructure projects, but none of that money specifically targets security or resiliency, he noted.

But government and industry alike would benefit from a pool of money with allocations for security projects so that utilities are not forced to choose between upgrading infrastructure and meeting security goals. The Water Sector Measures Analysis report provides a list of where the gaps are, enabling DHS and the water sector to work together to close those gaps.

"Utilities need to be able to fail gracefully when an incident occurs and be able to respond, recover and get back online as quickly and as effectively as possible," Taylor asserted.

Taylor, who served as one of the authors of the report, stressed that the water industry completed this security snapshot voluntarily. While the sector was required to conduct vulnerability assessments, the water utilities were very proactive in developing metrics and measuring industry-wide efforts to meet security goals, making security a priority, Taylor argued.

As such, advocates for federal regulation should examine how much more effective voluntary frameworks would be with dedicated resources or funding. Any discussion of federal mandates should arise only after the 18 industry sector coordinating councils identified in the National Infrastructure Protection Plan fail to meet standards voluntarily with enough resources to achieve their goals, Taylor advocated.

"There are some that would like to make federal requirements for security," he said. "To those groups, I would say you must have a willing sector. Before we jump to regulate, let's dedicate some resources there and see how much further we can go with that. If this is a partnership, it needs to be a two-way street."

DHS meanwhile has benefited from a first-of-its-kind voluntary assessment from an industry sector-specific coordinating council, providing it with a model of how the other 17 sectors of critical infrastructure could achieve the same ends.

As such, the federal government can capitalize on the diligence and responsibility of the water sector to spur developments in other sectors, Taylor commented.

The full (51 page) report is available at the Water ISAC's Web site .


No comments: