Order Code RL32189
CRS Report for Congress
Received through the CRS Web
Terrorism and Security Issues Facing the
Water Infrastructure Sector
Updated May 24, 2006
Claudia Copeland
Specialist in Resources and Environmental Policy
Resources, Science, and Industry Division
Betsy A. Cody
Specialist in Natural Resources Policy
Resources, Science, and Industry Division
Congressional Research Service ˜ The Library of Congress
Terrorism and Security Issues Facing the
Water Infrastructure Sector
Summary
Damage to or destruction of the nation’s water supply and water quality
infrastructure by terrorist attack could disrupt the delivery of vital human services in
this country, threatening public health and the environment, or possibly causing loss
of life. Interest in such problems has increased greatly since the September 11, 2001,
terrorist attacks in New York City and at the Pentagon.
Across the country, water infrastructure systems extend over vast areas, and
ownership and operation responsibility are both public and private but are
overwhelmingly non-federal. Since the attacks, federal dam operators and water and
wastewater utilities have been under heightened security conditions and are
evaluating security plans and measures. There are no federal standards or agreed-
upon industry best practices within the water infrastructure sector to govern
readiness, response to security incidents, and recovery. Efforts to develop protocols
and tools are ongoing since the 2001 terrorist attacks. This report presents an
overview of this large and diverse sector, describes security-related actions by the
government and private sector since September 11, and discusses additional policy
issues and responses, including congressional interest.
Policymakers are considering a number of initiatives, including enhanced
physical security, better communication and coordination, and research. A key issue
is how additional protections and resources directed at public and private sector
priorities will be funded. In response, since FY2002 Congress has provided $740
million in appropriations for security at water infrastructure facilities (to assess and
protect federal facilities and support vulnerability assessments by non-federal
facilities) and passed a bill requiring drinking water utilities to conduct security
vulnerability assessments (P.L. 107-188). When Congress created the Department
of Homeland Security (DHS) in 2002 (P.L. 107-297), it gave DHS responsibilities
to coordinate information to secure the nation’s critical infrastructure, including the
water sector. Under Homeland Security Presidential Directive-7, the Environmental
Protection Agency (EPA) is the lead federal agency for protecting drinking water and
wastewater utility systems.
Recent congressional interest has focused on bills concerning security of
wastewater utilities. In the 109th Congress, the Senate Environment and Public
Works Committee has approved legislation to encourage wastewater treatment works
to conduct vulnerability assessments and develop site security plans (S. 2781).
Continuing attention to these issues in the 109th Congress is possible, along with
interest in how the federal government coordinates its own activities and
communicates policies and information to the water infrastructure sector. This report
will be updated as warranted.
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Responses to Security Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Department of Homeland Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Coordination and Information Sharing . . . . . . . . . . . . . . . . . . . . . . . . . 9
Appropriations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Policy Issues and Congressional Responses . . . . . . . . . . . . . . . . . . . . . . . . 12
Congressional Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Terrorism and Security Issues Facing the
Water Infrastructure Sector
Introduction
The September 11, 2001, attacks on the World Trade Center and the Pentagon
have drawn attention to the security of many institutions, facilities, and systems in
the United States, including the nation’s water supply and water quality
infrastructure. These systems have long been recognized as being potentially
vulnerable to terrorist attacks of various types, including physical disruption,
bioterrorism/chemical contamination, and cyber attack. Damage or destruction by
terrorist attack could disrupt the delivery of vital human services in this country,
threatening public health and the environment, or possibly causing loss of life.
Further, since most water infrastructure is government-owned, it may serve as a
symbolic and political target for some. This report presents an overview of this large
and diverse sector, describes security-related actions by the government and private
sector since September 11, and discusses additional policy issues and responses,
including congressional interest.
The potential for terrorism is not new. In 1941, Federal Bureau of Investigation
Director J. Edgar Hoover wrote, “It has long been recognized that among public
utilities, water supply facilities offer a particularly vulnerable point of attack to the
foreign agent, due to the strategic position they occupy in keeping the wheels of
industry turning and in preserving the health and morale of the American populace.”1
Water infrastructure systems also are highly linked with other infrastructures,
especially electric power and transportation, as well as the chemical industry which
supplies treatment chemicals, making security of all of them an issue of concern.
These types of vulnerable interconnections were evident, for example, during the
August 2003 electricity blackout in the Northeast United States: wastewater
treatment plants in Cleveland, Detroit, New York, and other locations that lacked
backup generation systems lost power and discharged millions of gallons of untreated
sewage during the emergency, and power failures at drinking water plants led to boil-
water advisories in many communities.
Background
Broadly speaking, water infrastructure systems include surface and ground water
sources of untreated water for municipal, industrial, agricultural, and household
needs; dams, reservoirs, aqueducts, and pipes that contain and transport raw water;
treatment facilities that remove contaminants from raw water; finished water
1 Hoover, J.E. “Water Supply Facilities and National Defense.” Journal of the American
Water Works Association. Vol. 33, no. 11 (1941): 1861.
CRS-2
reservoirs; systems that distribute water to users; and wastewater collection and
treatment facilities. Across the country, these systems comprise approximately
77,000 dams and reservoirs; thousands of miles of pipes, aqueducts, water
distribution, and sewer lines; 168,000 public drinking water facilities (many serving
as few as 25 customers); and about 16,000 publicly owned wastewater treatment
facilities. Ownership and management are both public and private; the federal
government has ownership responsibility for hundreds of dams and diversion
structures, but the vast majority of the nation’s water infrastructure is either privately
owned or owned by non-federal units of government.
The federal government has built hundreds of water projects, primarily dams
and reservoirs for irrigation development and flood control, with municipal and
industrial water use as an incidental, self-financed, project purpose. Many of these
facilities are critically entwined with the nation’s overall water supply, transportation,
and electricity infrastructure. The largest federal facilities were built and are
managed by the Bureau of Reclamation (Bureau) of the Department of the Interior
and the U.S. Army Corps of Engineers (Corps) of the Department of Defense.
Bureau reservoirs, particularly those along the Colorado River, supply water to
millions of people in southern California, Arizona, and Nevada via Bureau and non-
Bureau aqueducts. Bureau projects also supply water to 9 million acres of farmland
and other municipal and industrial water users in the 17 western states. The Corps
operates 276 navigation locks, 11,000 miles of commercial navigation channel, and
approximately 1,200 projects of varying types, including 609 dams. It supplies water
to thousands of cities, towns, and industries from the 9.5 million acre-feet of water
stored in its 116 lakes and reservoirs throughout the country, including service to
approximately one million residents of the District of Columbia and portions of
northern Virginia. The largest Corps and Bureau facilities also produce enormous
amounts of power. For example, Hoover and Glen Canyon dams on the Colorado
River represent 23% of the installed electrical capacity of the Bureau of
Reclamation’s 58 power plants in the West and 7% of the total installed capacity in
the Western United States. Similarly, Corps facilities and the Bureau’s Grand Coulee
Dam on the Columbia River provide 43% of the total installed hydroelectric capacity
in the West (25% nationwide). Still, despite its critical involvement in such projects,
especially in the West, the federal government is responsible for only about 5% of
the dams whose failure could result in loss of life or significant property damage. The
remaining dams belong to state or local governments, utilities, and corporate or
private owners.
A fairly small number of large drinking water and wastewater utilities located
primarily in urban areas (about 15% of the systems) provide water services to more
than 75% of the U.S. population. Arguably, these systems represent the greatest
targets of opportunity for terrorist attacks, while the large number of small systems
that each serve fewer than 10,000 persons are less likely to be perceived as key
targets by terrorists who might seek to disrupt water infrastructure systems.
However, the more numerous smaller systems also tend to be less protected and,
thus, are potentially more vulnerable to attack, whether by vandals or terrorists. A
successful attack on even a small system could cause widespread panic, economic
impacts, and a loss of public confidence in water supply systems.
CRS-3
Attacks resulting in physical destruction to any of these systems could include
disruption of operating or distribution system components, power or
telecommunications systems, electronic control systems, and actual damage to
reservoirs and pumping stations. A loss of flow and pressure would cause problems
for customers and would hinder firefighting efforts. Further, destruction of a large
dam could result in catastrophic flooding and loss of life. Bioterrorism or chemical
attacks could deliver widespread contamination with small amounts of
microbiological agents or toxic chemicals, and could endanger the public health of
thousands. While some experts believe that risks to water systems actually are small,
because it would be difficult to introduce sufficient quantities of agents to cause
widespread harm, concern and heightened awareness of potential problems are
apparent. Factors that are relevant to a biological agent’s potential as a weapon
include its stability in a drinking water system, virulence, culturability in the quantity
required, and resistance to detection and treatment. Cyber attacks on computer
operations can affect an entire infrastructure network, and hacking in water utility
systems could result in theft or corruption of information or denial and disruption of
service.
Responses to Security Concerns
Water infrastructure system designers, managers, and operators have long made
preparing for extreme events a standard practice. Historically, their focus has been
on natural events — major storms, blizzards, and earthquakes — some of which
could be predicted hours or longer before they occurred. When considering the risk
of manmade threats, operators generally focused on purposeful acts such as
vandalism or theft by disgruntled employees or customers, rather than broader
malevolent threats by terrorists, domestic or foreign. The events of September 11,
2001, changed this focus.
Federal dam operators went on “high-alert” immediately following the
September 11 terrorist attacks. The Bureau closed its visitor facilities at Grand
Coulee, Hoover, and Glen Canyon dams. Because of potential loss of life and
property downstream if breached, security threats are under constant review, and
coordination efforts with both the National Guard and local law enforcement officials
are ongoing. The Corps also operates under continued high defense alert and
temporarily closed all its facilities to visitors after September 11, although locks and
dams remained operational; most closed facilities later re-opened, but security is
being reassessed. Following a heightened alert issued by the federal government in
February 2003, the Bureau implemented additional security measures which remain
in effect at dams, powerplants, and other facilities, including limited access to
facilities and roads, closure of some visitor centers, and random vehicle inspections.
Although officials believe that risks to water and wastewater utilities are small,
operators have been under heightened security conditions since September 11. Local
utilities have primary responsibility to assess their vulnerabilities and prioritize them
for necessary security improvements. Most (especially in urban areas) have
emergency preparedness plans that address issues such as redundancy of operations,
public notification, and coordination with law enforcement and emergency response
officials. However, many plans were developed to respond to natural disasters,
domestic threats such as vandalism, and, in some cases, cyber attacks. Drinking
CRS-4
water and wastewater utilities coordinated efforts to prepare for possible Y2K
impacts on their computer systems on January 1, 2000, but these efforts focused more
on cyber security than physical terrorism concerns. Thus, it was unclear whether
previously existing plans incorporate sufficient procedures to address other types of
terrorist threats. Utility officials are reluctant to disclose details of their systems or
these confidential plans, since doing so might alert terrorists to vulnerabilities.
Water supply was one of eight critical infrastructure systems identified in
President Clinton’s 1998 Presidential Decision Directive 63 (PDD-63)2 as part of a
coordinated national effort to achieve the capability to protect the nation’s critical
infrastructure from intentional acts that would diminish them. These efforts focused
primarily on the 340 large community water supply systems which each serve more
than 100,000 persons. The Environmental Protection Agency (EPA) was identified
as the lead federal agency for liaison with the water supply sector. In response, in
2000, EPA established a partnership with the American Metropolitan Water
Association (AMWA) and American Water Works Association (AWWA) to jointly
undertake measures to safeguard water supplies from terrorist acts. AWWA’s
Research Foundation has contracted with the Department of Energy’s Sandia
National Laboratory to develop a vulnerability assessment tool for water systems (as
an extension of methodology for assessing federal dams). EPA is supporting an
ongoing project with the Sandia Lab to pilot test the physical vulnerability
assessment tool and develop a cyber vulnerability assessment tool. An Information
Sharing and Analysis Center (ISAC) supported by an EPA grant became operational
under AMWA’s leadership in December 2002. It will allow for dissemination of
alerts to drinking water and wastewater utilities about potential threats or
vulnerabilities to the integrity of their operations that have been detected and viable
resolutions to problems.3
Some research on water sector infrastructure protection is underway. The
Department of the Army is conducting research in the area of detection and treatment
to remove various chemical agents. The Federal Emergency Management Agency
(FEMA) is leading an effort to produce databases of water distribution systems and
to develop assessment tools for evaluating threats posed by the introduction of a
biological or chemical agent into a water system. The Centers for Disease Control
and Prevention is developing guidance on potential biological agents and the effects
of standard water treatment practices on their persistence. However, in the January
2001 report of the President’s Commission on Critical Infrastructure Protection,
ongoing water sector research was characterized as a small effort that leaves a
number of gaps and shortfalls relative to U.S. water supplies.4 This report stated that
gaps exist in four major areas, concerns that remain relevant and are guiding
policymakers now.
2 “The Clinton Administration’s Policy on Critical Infrastructure Protection: Presidential
Decision Directive 63.” May 22, 1998. See [http://www.fas.org/irp/offdocs/paper598.htm].
3 For additional information, see [http://www.waterisac.org/].
4 Critical Infrastructure Assurance Office. Report of the President of the United States on
the Status of Federal Critical Infrastructure Protection Activities. January 2001. 209 p. See
[http://www.iwar.org.uk/cip/resources/ciao/final-ciao.pdf].
CRS-5
! Threat/vulnerability risk assessments,
! Identification and characterization of biological and chemical agents,
! A need to establish a center of excellence to support communities in
conducting vulnerability and risk assessment, and
! Application of information assurance techniques to computerized
systems used by water utilities, as well as the oil, gas, and electric
sectors, for operational data and control operations.
Less attention has been focused on protecting wastewater treatment facilities
than drinking water systems, perhaps because destruction of them likely represents
more of an environmental threat (i.e., by release of untreated sewage) than a direct
threat to life or public welfare. Vulnerabilities do exist, however. Large
underground collector sewers could be accessed by terrorist groups for purposes of
placing destructive devices beneath buildings or city streets. Pipelines can be made
into weapons via the introduction of a highly flammable substance such as gasoline
through a manhole or inlet. Explosions in the sewers can cause collapse of roads,
sidewalks, and adjacent structures and injure and kill people nearby. Damage to a
wastewater facility prevents water from being treated and can impact downriver
water intakes. Destruction of containers that hold large amounts of chemicals at
treatment plants could result in release of toxic chemical agents, such as chlorine gas,
which can be deadly to humans if inhaled and, at lower doses, can burn eyes and skin
and inflame the lungs.
Since the terrorist attacks, many water and wastewater utilities have switched
from using chlorine gas as disinfection to alternatives which are believed to be safer,
such as sodium hypochlorite or ultraviolet light. However, some consumer groups
remain concerned that many wastewater utilities continue to use chlorine gas,
including facilities that serve heavily populated areas. To prepare for potential
accidental releases of hazardous chemicals from their facilities, 2,816 wastewater and
drinking water utilities, water supply systems, and irrigation systems already are
subject to risk management planning requirements under the Clean Air Act, but some
observers advocate requiring federal standards to ensure that facilities using
dangerous chemicals, such as wastewater treatment plants, use the best possible
industry practices (practices that are referred to as Inherently Safer Technologies, or
ISTs) to reduce hazards.5
In March 2006, the Government Accountability Office (GAO) reported on a
survey of security measures at 200 of the nation’s largest wastewater utilities.6 GAO
found that many have made security improvements since the 2001 terrorist attacks.
Most utilities said they have completed, or intend to complete, a plan to conduct
some type of security assessment. More than half of responding facilities indicated
they did not use potentially dangerous gaseous chlorine as a wastewater disinfectant.
However, the report noted that these utilities have made little effort to address
5 See, for example, Environmental Defense. Eliminating Hometown Hazards, Cutting
Chemical Risks at Wastewater Treatment Facilities. December 2003. 14 p.
6 U.S. Government Accountability Office. Securing Wastewater Facilities, Utilities Have
Made Important Upgrades but Further Improvements to Key System Components May Be
Limited by Costs and Other Constraints. GAO-06-390. March 2006. 64 p.
CRS-6
collection system vulnerabilities, due to the technical complexity and expense of
securing collection systems that cover large areas and have many access points.
Some told GAO investigators that taking other measures, such as converting from
gaseous chlorine, took priority over collection system protections.
There are no federal standards or agreed-upon industry best practices within the
water infrastructure sector to govern readiness, response to security incidents, and
recovery. EPA is not authorized to require water infrastructure systems to implement
specific security improvements or meet particular security standards. Efforts to
develop voluntary protocols and tools are ongoing since the 2001 terrorist attacks.
Wastewater and drinking water utility organizations are implementing computer
software and training materials to evaluate vulnerabilities at large, medium, and
small utility systems, and EPA has provided some grant assistance for conducting
vulnerability assessments. Out of funds appropriated in January 2002 (P.L. 107-117),
EPA awarded $51 million for vulnerability assessment grants to 449 large drinking
water utilities, averaging $115,000 per utility. Out of subsequent appropriations,
EPA has been targeting grants to “train the trainers,” delivering technical assistance
to organizations such as the Rural Community Assistance Program and the Water
Environment Federation that, in turn, can assist and train personnel at thousands of
medium and small utilities throughout the country.
With financial support from EPA, drinking water and wastewater utility, and
engineering groups have developed three security guidance documents, issued in
December 2004, that cover the design of online contaminant monitoring systems, and
physical security enhancements of drinking water, wastewater, and stormwater
infrastructure systems. The documents provide voluntary guidelines for assisting
utilities that have completed vulnerability assessments to mitigate vulnerabilities of
their systems through the design, construction, operation, and maintenance of both
new and existing systems.
EPA has taken a number of organizational and planning steps to strengthen
water security. The agency created a National Homeland Security Research Center
within the Office of Research and Development to develop the scientific foundations
and tools that can be used to respond to attacks on water systems. In September
2003, it created a Water Security Division, taking over activities initiated by a Water
Protection Task Force after the September 11 terrorist attacks. The office will train
water utility personnel on security issues, support the WaterISAC, and implement the
agency’s comprehensive research plan. Early in 2004, EPA formed an advisory
group of drinking water and wastewater utilities, called the Water Security Working
Group, to advise on the development of best security practices and policies for water
utilities.
EPA has issued both a Water Security Research and Technical Support Action
Plan, identifying critical research needs and providing an implementation plan for
addressing those needs, and a Strategic Plan for Homeland Security. The Strategic
Plan, which is not limited to water security concerns, identifies several mission-
critical areas on which EPA intends to focus its homeland security planning: critical
infrastructure protection; preparedness, response, and recovery; communication and
information; protection of EPA personnel and infrastructure; and self-evaluation.
CRS-7
There has been criticism of some of these EPA efforts, however. A preliminary
review of the Research and Action Plan by a panel of the National Research Council
identified some gaps, suggested alternative priorities, and noted that the Plan is silent
on the financial resources required to complete the research and to implement needed
countermeasures to improve water security.7 In 2003, EPA’s Inspector General
issued an evaluation report on the initial Strategic Plan for Homeland Security and
concluded that the agency had not outlined how resources, activities, and outputs will
achieve the water security program’s goals. Moreover, the Inspector General said
that EPA lacks fundamental components, such as performance measures, for
monitoring program performance against goals.8 EPA responded that long-term
objectives for critical water infrastructure protection activities could be identified in
a future revised strategic plan. A second Homeland Security Strategy, issued in
October 2004, updates the initial strategy principally by reflecting projected funding
and resources for the next two years on EPA’s strategic objectives and recognizing
the evolving role of the Department of Homeland Security.9
The Government Accountability Office (GAO) has issued two reports
discussing how future federal funding can best be spent to improve security at
drinking water10 and wastewater utilities.11 Both reports are based on views of
subject matter experts identified by GAO. In the drinking water report, specific
activities judged by the experts to be most deserving of federal support included
physical and technological upgrades, education and training for staff and responders,
and strengthening key relationships between water utilities and others such as law
enforcement and public health agencies. In the wastewater report, the experts cited
the replacement of gaseous chemicals used in the disinfection process with less
hazardous alternatives as a key activity deserving of federal funds, along with
improving local, state, and regional collaboration, and support facilities’ vulnerability
assessments. Asked how federal funds should be allocated, both groups of experts
favored giving priority to utilities that serve critical assets (such as public health
institutions, government, and military bases) and to utilities serving areas with large
populations.
Officials have been reassessing federal infrastructure vulnerabilities for several
years. The Bureau of Reclamation’s site security program is aimed at ensuring
protection of the Bureau’s 252 high- and significant-hazard dams and facilities and
7 National Academies Press. A Review of the EPA Water Security Research and Technical
Support Action Plan: Parts I and II. Water Science and Technology Board. 2003.
8 U.S. Environmental Protection Agency. Office of Inspector General. EPA Needs a Better
Strategy to Measure Changes in the Security of the Nation’s Water Infrastructure. Report
No. 2003-M-00016, Sept. 11, 2003.
9 U.S. Environmental Protection Agency. “Homeland Security Strategy.” October 2004.
46 p.
10 U.S. Government Accountability Office. “Drinking Water, Experts’ Views on How
Future Federal Funding Can Best Be Spent to Improve Security.” GAO-04-29, October
2003. 69 p.
11 U.S. Government Accountability Office. “Wastewater Facilities, Experts’ Views on How
Federal Funds Should Be Spent to Improve Security.” GAO-05-165, January 2005. 70 p.
CRS-8
58 hydroelectric plants. After September 11, the Bureau committed to conducting
vulnerability and risk assessments at 280 high-priority facilities. Risk assessments
at these facilities were completed between FY2002 and FY2004. These assessments
resulted in recommendations now being implemented to enhance security procedures
and physical facilities, such as additional security staffing, limited vehicle and visitor
access, and coordination with local law enforcement agencies. The Corps
implements a facility protection program to detect, protect, and respond to threats to
Corps facilities and a dam security program to coordinate security systems for Corps
infrastructure. It also implements a national emergency preparedness program which
assists civilian governments in responding to all regional/national emergencies,
including acts of terrorism. Both agencies participate in the Interagency Committee
on Dam Safety (ICODS), which is part of the National Dam Safety Program that is
led by FEMA.
A February 2003 White House report12 presented a national strategy for
protecting the nation’s critical infrastructures and identified four water sector
initiatives: identify high-priority vulnerabilities and improve site security; improve
monitoring and analytic capabilities; improve information exchange and coordinate
contingency planning; and work with other sectors to manage unique risks resulting
from interdependencies. It also proposed establishing an ISAC for information
sharing among dam operators (no such ISAC has yet been created). The strategy is
intended to focus national protection priorities, inform resource allocation processes,
and be the basis for cooperative public and private protection actions.
Department of Homeland Security. The Department of Homeland
Security (DHS, established in P.L. 107-29713) has a mandate to coordinate securing
the nation’s critical infrastructure, including water infrastructure, through
partnerships with the public and private sectors. It is responsible for detailed
implementation of core elements of the national strategy for protection of critical
infrastructures. One of its tasks is to assess infrastructure vulnerabilities, an activity
that wastewater and drinking water utilities have been doing since September 11,
under their own initiatives and congressional mandates (P.L. 107-188, discussed
below). The legislative reorganization did not transfer Corps or Bureau
responsibilities for security protection of dams and other facilities or EPA’s
responsibilities to assist drinking water and wastewater utilities.
In December 2003, President Bush issued Homeland Security Presidential
Directive/HSPD-7 which establishes a national policy for the federal government to
identify, prioritize, and protect critical infrastructure as a part of homeland security.14
The directive called for DHS to integrate all security efforts among federal agencies
12 The White House. Office of Homeland Security. The National Strategy for the Physical
Protection of Critical Infrastructures and Key Assets. 90 p.
13 For current information on the Department, see CRS products identified at [http://beta.
crs.gov/cli/level_2.aspx?PRDS_CLI_ITEM_ID=60].
14 The White House. December 17, 2003 Homeland Security Presidential Directive/
HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection. HSPD-7
superseded PDD-63, which started the process of federal protection of critical infrastructure
even before the 2001 terrorist attacks.
CRS-9
and to complete a comprehensive national plan for critical infrastructure protection
by December 2004. The Department missed that deadline for completing a National
Infrastructure Protection Plan. A February 2005 interim report focusing on federal
role and outlining a risk management framework to guide future efforts was criticized
for the fact that it failed to address private sector roles — an important element, since
nearly 85% of the nation’s infrastructure is in private hands. In November 2005,
DHS issued a revised report, titled a draft National Infrastructure Protection Plan.
It proposes a framework of partnerships between private industry sectors and the
government that would work together to secure the nation’s vital resources. For
example, EPA would work with water treatment systems, while dams would
cooperate with DHS. Those agencies, in conjunction with private industry partners,
would generate sector-specific plans which would be due 180 days after the broader
national plan was accepted.
While more comprehensive than the February 2005 interim report, it also was
criticized by some. For example, in the November report, DHS described a plan to
develop a risk analysis method that would include a uniform means of measuring risk
and assessing consequences across infrastructure sectors. Some drinking water and
wastewater treatment industry officials commented that this proposal, known as the
Risk Analysis and Management for Critical Asset Protection (RAMCAP), raised
concern that it could force some facilities to conduct new, or revise existing,
vulnerability assessments. Drinking water industry officials said they were
concerned that the new method may not recognize vulnerability assessments that
many drinking water utilities have already completed under requirements of the 2002
Bioterrorism Preparedness Act (see page 14).
Coordination and Information Sharing. The Homeland Security
Department’s involvement in water security concerns has been growing, although
under HSPD-7, EPA continues as the lead federal agency to ensure protection of
drinking water and wastewater treatment systems from possible terrorist acts and
other sabotage. Since early 2004 DHS has been preparing guidance documents on
how each infrastructure sector, including water systems, can protect itself from
security threats. DHS contractors visited several water utilities and asked to view
pertinent information, including the utilities’ vulnerability assessments. EPA sources
have said that the DHS contractors may not have authority to view the vulnerability
assessments, but Department officials cited HSPD-7 as giving the department
authority to conduct water system inspections, because of its lead role in coordinating
critical infrastructure protection. For some time, the two agencies have been working
to clarify their roles in providing security to water utilities.
In the fall of 2004, water utilities formed a new 24-member group, the Water
Sector Coordinating Council, to work with federal officials. One of its functions is
to be a point of contact for DHS to vet potential water security policies, allowing
one-stop shopping for federal officials. Also at that time, DHS created a new
information-sharing network, called the Homeland Security Information Network
(HSIN). Both it and the existing WaterISAC share the goal of providing security
information to water utilities, but they differ in some respects. The WaterISAC is a
private, subscription service (although it receives some federal funding) that provides
information to about 530 water utilities and others on security matters. The HSIN,
a software program, is a free, federally funded platform for information sharing. It
CRS-10
is not limited to the water sector, and it provides no information by itself; it acts as
a bulletin board where DHS, EPA, and utilities can post security-related information.
Distinct from the HSIN and the WaterISAC is the Water Security Channel
(WaterSC), launched in 2004 as a free service of the WaterISAC, which disseminates
EPA and DHS general security bulletins at the request of those agencies to more than
8,000 utilities.
Appropriations. In P.L. 107-38, the 2001 Emergency Supplemental
Appropriations Act, enacted one week after September 11, Congress appropriated
$40 billion for recovery from and response to the terrorist attacks. The President
allocated $20 billion of this total (about $30 million went to water infrastructure),
and in October 2001, he requested allocation of the remaining $20 billion to be
distributed by Congress. The request included $245 million for federal water
infrastructure programs: $30 million for security at Bureau facilities; $139 million
for security at Corps facilities; and $45.5 million to EPA for drinking water
vulnerability assessments. P.L. 107-117, the DOD and Emergency Supplemental
Appropriations Act for FY2002, provided the full amounts requested for the Bureau
and the Corps and increased funding for EPA, including $91 million to strengthen
security at large drinking water systems through vulnerability assessments and other
non-structural security efforts.
In July 2002, Congress approved an FY2002 supplemental appropriations bill
that included $50 million more in EPA grants for vulnerability assessments by small
and medium-size drinking water systems and $108 million for security activities at
Corps facilities (P.L. 107-206). However, on August 13, President Bush announced
that he would not utilize $5.1 billion designated as contingent emergency funds in the
bill, including the EPA grant and Corps funds. That decision had the effect, in the
words of the White House, of a “pocket veto” by the President of the contingent
emergency spending.
The President’s FY2003 budget requested $115 million for security at water
infrastructure facilities, consisting of $28.4 million for the Bureau; $65 million for
the Corps; and $22 million for EPA, including $15 million for vulnerability
assessments at small and medium-size drinking water systems. Final action on
appropriations for these agencies was delayed until February 2003. In P.L. 108-7,
Congress appropriated $85 million for water infrastructure security programs,
approving the amounts requested for EPA and the Bureau, but $30 million less than
was requested for the Corps’ facility security program. In P.L. 108-11, the FY2003
supplemental appropriations bill, Congress provided an additional $39 million for the
Corps and $25 million for the Bureau, for increased security measures at their
facilities.
For FY2004, Congress appropriated funds for water infrastructure security at
levels requested by the Administration, including $31.95 million for EPA to support
utility vulnerability assessments and the WaterISAC (in P.L. 108-199), $12.9 million
CRS-11
for the Corps, and $27.8 million for the Bureau (appropriations for the Bureau and
the Corps are included in P.L. 108-137).15
The President’s FY2005 budget requested $125.3 million for water security,
consisting of:
! $11.1 million for EPA (to support training and development of
voluntary industry best practices for security and $5 million for state
grants, the same amount provided in FY2003 and FY2004; the
request was $21 million less in total than the FY2004 request,
largely due to the completion of vulnerability assessments by
drinking water utilities, which EPA has previously assisted);
! $43.2 million for the Bureau ($15.4 million more than was requested
for FY2004), intended to fund full implementation of the agency’s
physical security, personnel and information security, and law
enforcement program and to advance the physical hardening
improvements that were identified in the Bureau’s security risk
assessments in FY2002; and
! $12 million for the Corps (approximately the same as requested for
FY2004) to cover non-project specific protective measures at Corps
administrative buildings and other general use facilities. Also, the
Corps budget requested an additional $60 million for security
measures at various specific individual water resource projects
around the country, for total facility protection funds of $72 million.
In P.L. 108-447, the Consolidated Appropriations Act, 2005, Congress appropriated
water security funds in the amounts requested for these agencies.16
The President’s FY2006 budget request for water infrastructure totaled $177
million.
! $55 million for EPA. The request included two initiatives that
accounted for the higher FY2006 request: $40 million for a program
to be called Water Sentinel, a proposed pilot program to provide
cities with an early warning system to detect biological or other
contamination of drinking water systems; and $4 million for a
related new program, the Water Alliance for Threat Reduction, to
train utility operators at the highest risk systems. The EPA request
also included $5 million for state grants and $3 million for water
security information sharing, such as support for the WaterISAC.
15 FY2004 appropriated amounts reflect a provision in P.L. 108-199 which mandated a
0.59% rescission to accounts and to each nondefense discretionary program, project and
activity funded by that legislation, as well as previously enacted FY2004 appropriations
acts, including P.L. 108-137.
16 P.L. 108-447 contained a required 0.80% rescission to accounts and to each nondefense
discretionary program, project and activity funded in the legislation, including for homeland
security activities.
CRS-12
! $50 million for the Bureau of Reclamation, consisting of $20.5
million for facility fortification and $29.5 million for guards and
surveillance, studies, and review. Of the total amount, $17.7 million
would to be allocated for five dam facilities that have been
designated National Critical Infrastructure: Hoover, Shasta, Grand
Coulee, Glen Canyon, and Fulsom.
! $72 million total for the Army Corps of Engineers, consisting of $29
million for project specific facility security upgrades, $31 million for
recurring security costs (i.e., guards and monitoring), and $12
million to cover protection of all non-project specific protective
measures at administrative buildings and other general use facilities.
Congressional action on FY2006 appropriations endorsed the President’s $72
million request for the Army Corps of Engineers but provided less than the requested
amounts for EPA and the Bureau of Reclamation. Appropriators provided water
security funding for EPA totaling $20 million. The principal difference from the
budget request was funding for the new Water Sentinel program of $5 million ($35
million less than requested). House appropriators said that EPA needs to develop
clear goals and milestones for this program, seek the advice of the agency’s Science
Advisory Board, and justify the funding request more clearly. Appropriators also
provided less than $1 million for the new Water Alliance for Threat Reduction
initiative ($3 million less than requested). In addition, appropriators provided $40
million for the Bureau’s site security program, $10 million less than requested. The
reduction was made because the Bureau is expected to receive approximately $10
million in reimbursements for security guards and patrols from project beneficiaries
at the Bureau’s facilities.
Appropriations for water infrastructure security have totaled $739.9 million
since the September 11 attacks.
For FY2007, the President’s budget requests $135.6 million for water
infrastructure programs, consisting of $39.6 million for the Bureau of Reclamation
(including continuing security risk assessments and reassessments for designated
facilities and ongoing efforts to ensure the long-term security of all Reclamation
facilities), $43 million for the Army Corps of Engineers for non-project-specific
security and protection measures (amounts for project-specific measures, as in the
FY2006 budget request, cannot be easily identified), and $53 million for EPA
homeland security water programs. For EPA, the principal changes from FY2006 are
higher requests for the Water Sentinel program (total request of $37.7 million) and
for the Water Alliance for Threat Reduction ($4 million total).
Policy Issues and Congressional Responses
Congress and other policymakers have been considering a number of initiatives
in this area, including enhanced physical security, communication and coordination,
and research. Regarding physical security, a key question is whether protective
measures should be focused on the largest water systems and facilities, where risks
to the public are greatest, or on all, since small facilities may be more vulnerable. A
related question is responsibility for additional steps, because the federal government
has direct control over only a limited portion of the water infrastructure sector. The
CRS-13
distributed and diverse nature of ownership (federal, non-federal government, and
private) complicates assessing and managing risks, as does the reality of limited
resources. The adequacy of physical and operational security safeguards is an issue
for all in this sector. One possible option for federal facilities (dams and reservoirs
maintained by the Bureau and the Corps) is to restrict visitor access, including at
adjacent recreational facilities, although such actions could raise objections from the
public. Some operators of non-federal facilities and utilities are likewise concerned.
As a precaution after September 11, New York City, which provides water to 9
million consumers, closed its reservoirs indefinitely to all fishing, hiking, and boating
and blocked access to some roads.
Policymakers have examined measures that could improve coordination and
exchange of information on vulnerabilities, risks, threats, and responses. This is a
key objective of the WaterISAC and also of the Department of Homeland Security,
which includes, for example, functions of the National Infrastructure Protection
Center (NIPC) of the FBI that brings together the private sector and government
agencies at all levels to protect critical infrastructure, especially on cyber issues. One
issue of interest is how the Department is coordinating its activities with ongoing
security efforts by other federal agencies and non-federal entities that operate water
infrastructure systems, including its implementation of the comprehensive national
plan required by Presidential Directive/HSPD-7. This issue arose in 2004 as a result
of moves by DHS to carry out its mandates for assessing and protecting critical
infrastructure, although EPA remains the lead federal agency for the water sector (see
above discussion).
For some time, the two agencies have been working to clarify their roles in
providing security to water utilities and in other areas and have negotiated
agreements concerning joint research projects and coordination for specific field
operations. Nevertheless, in the conference report accompanying the FY2005
Consolidated Appropriations Act, Congress directed EPA to enter into a
memorandum of understanding (MOU) with DHS to define the relationship of the
two entities with regard to the protection and security of the nation. The
memorandum was expected to specifically identify areas of responsibilities and the
potential costs (including which entity pays, in whole or part) for meeting such
responsibilities.17 In response, EPA did not enter into a new MOU but instead, in
November 2005, issued a report that identifies general authorities that govern EPA’s
and DHS’s respective actions, ongoing projects that reflect coordination, and existing
project-specific MOUs.
This joint report on roles and responsibilities still may not resolve the growing
potential for duplication and overlap among agencies. Currently, for example,
policies are being developed both by DHS and EPA, and both agencies are being
assisted by separate advisory groups — the Water Sector Coordinating Council
works principally with DHS, while EPA has its own Water Security Working Group.
Similarly, information sharing and dissemination even in this one sector are
occurring through several different mechanisms: DHS supports the Homeland
17 H.Rept. 108-792, to accompany H.R. 4818, Consolidated Appropriations Act, 2005,
Congressional Record, daily edition, Nov. 19, 2004, p. H10850.
CRS-14
Security Information Network (HSIN), while drinking water and wastewater utilities
also may receive security-related advisories from two other sources, the WaterISAC
and the Water Security Channel. Some have questioned the multiple advisory
groups, on top of existing entities, and in particular the potential that the several
mechanisms for sharing homeland security information could transmit inconsistent
information and make the exchange of information more complicated, not less.
Others are optimistic that the systems and groups will sort themselves out into
compatible and complementary networks of information sharing, but that process
could take considerable time.
In its March 2006 report, GAO commented on these multiple information
services designed to communicate information to the water sector, but also
acknowledged EPA’s and DHS’s ongoing efforts to coordinate their activities to
advance water sector security. GAO recommended that DHS and the Water Sector
Coordinating Council identify areas where information-sharing networks supported
by EPA and DHS (especially the WaterISAC and HSIN) could be better coordinated
to avoid operational duplications and overlap and to ensure that security threat
information is provided to water systems on a timely basis. Water utility industry
groups responded to GAO’s recommendation by saying that such coordination efforts
are, in fact, underway.
Another information issue concerns the extent of EPA’s ability to collect and
analyze security data from water utilities, especially information in vulnerability
assessments submitted under the Bioterrorism Preparedness Act (discussed below).
EPA officials believe that the act permits reviewing utility submissions for overall
compliance and allows aggregation of data but precludes the agency from asking for
or analyzing data showing changes in security levels, as a safeguard against
unintended release of such information. Others, including EPA’s Inspector General,
believe that EPA has the authority and responsibility to review and analyze the
information in order to identify and prioritize threats and to develop plans to protect
drinking water supplies.
Among the research needs being addressed are tools for vulnerability and risk
analysis, identification and response to biological/chemical agents, real-time
monitoring of water supplies, and development of information technology. The cost
of additional protections and how to pay for them are issues of interest, and
policymakers continue to consider resource needs and how to direct them at public
and private sector priorities. An issue of great interest to drinking water and
wastewater utilities is how to pay for physical security improvements, since currently
there are no federal funds dedicated to these purposes and utilities generally must pay
for improvements using the same revenue or funding sources also needed for other
types of capital projects.
Congressional Activity. The 107th and 108th Congresses conducted
oversight on a number of these issues and considered legislation to address various
policy issues, including government reorganization, and additional appropriations.
In May 2002, Congress approved the Public Health Security and Bioterrorism
Preparedness and Response Act (P.L. 107-288). Title IV of that act requires drinking
water systems serving more than 3,300 persons to conduct vulnerability analyses and
to submit the assessments to EPA. The legislation authorizes grant funding to assist
CRS-15
utilities in meeting these requirements. (For information, see CRS Report RL31294,
Safeguarding the Nation’s Drinking Water: EPA and Congressional Actions, by
Mary Tiemann.) Legislation authorizing the Bureau to contract with local law
enforcement to protect its facilities also was enacted during the 107th Congress (P.L.
107-69).
In 2001, the House and Senate considered but did not enact legislation
authorizing a six-year grant program for research and development on security of
water supply and wastewater treatment systems (H.R. 3178, S. 1593). Some of the
drinking water research provisions in these bills were included in the Bioterrorism
Preparedness Act. In October 2002, the House approved a bill authorizing $220
million in grants and other assistance for vulnerability assessments by wastewater
treatment utilities (H.R. 5169), but the Senate did not act on a related bill (S. 3037).
In the 108th Congress, legislation authorizing vulnerability assessment grants to
wastewater utilities was approved by the House on May 7, 2003, by a 413-7 vote
(H.R. 866, identical to H.R. 5169 in the 107th Congress). The Senate Environment
and Public Works Committee approved related legislation on May 15, 2003 (S. 1039,
S.Rept. 108-149). No further action occurred, due in part to concerns expressed by
some that the legislation did not require that vulnerability assessments be submitted
to EPA, as is the case with drinking water assessments required by the 2002
Bioterrorism Preparedness Act.
Wastewater security issues are again receiving attention in the 109th Congress.
On May 23, the Senate Environment and Public Works Committee approved S. 2781.
It is similar to S. 1039 in the 108th Congress in that it encourages wastewater utilities
to conduct vulnerability assessments and authorizes $220 million to assist utilities
with assessments and preparation of site security plans. It also includes provisions
responding to GAO’s March 2006 report that found that utilities have made little
effort to address vulnerabilities of collection systems, which may be used by terrorists
to introduce hazardous substances or as access points for underground travel to a
potential target (Securing Wastewater Facilities, Utilities Have Made Upgrades but
Further Improvements to Key System Components May Be Limited by Costs and
Other Constraints, GAO-06-390). S. 2781 authorizes EPA to conduct research on
this topic. During consideration of the bill, the Senate committee rejected an
amendment that would have required, rather than encouraged, treatment works to
conduct vulnerability assessments and also would have required high-risk facilities
to switch from using chlorine and similar hazardous substances to other chemicals
that are often referred to as “inherently safer technologies.”
Continuing attention to these issues is likely during the remainder of the 109th
Congress, along with interest in how the federal government coordinates its own
activities and communicates policies and information to the water infrastructure
sector.