​AMERICANS CONSUME more than 340 billion gallons of water each day, according to the American Water Works Association (AWWA). Although there has never been a confirmed terrorist attack on a water utility, experts say the industry is vulnerable, and utilities—most of which are owned by the private sector—are scrambling to make security a top priority.

One major wrench in the works is that there has been relatively little guidance from the Department of Homeland Security or the Environmental Protection Agency (the body that governs water safety), says Alan Roberson, director of security and regulatory affairs at AWWA. The Biosecurity Act of 2002 did require water utilities serving more than 3,300 people to perform a vulnerability assessment, but with few security-related regulations in place, the industry has largely been left to protect itself.

“The first thing that we’re trying to do is institute a security culture at water plants so that everyone understands it is important,” says Roberson.

Physical threats (such as the threat of a bomb attack on a facility), cyber threats (such as terrorist taking control of the SCADA software utilities use), and contamination are the three primary vulnerabilities facing the industry, Roberson says. Countering these threats involves detailed background checks of water employees, better training for those in contact with the water supply, and basic perimeter security. The industry is also considering whether each employee at a water plant should go through mandatory security-awareness training.

At Aqua America, which provides water for more than 2.5 million residents of 13 states, employees are subject to background screening during the hiring process. Although anyone certified by the EPA must go through background investigations, it is still rather rare for a company to require background investigations for all employees, says Roberson.

Screening at Aqua America includes criminal history and driver’s license checks. In addition, employees are put through security awareness classes that teach what to look for and when and to whom suspicious activity should be reported. “That was one of the most important parts of higher security measures taken here: employee awareness throughout the company, being aware, being more watchful,” says Steve Tagert, vice president of production for Aqua America.

In addition, Aqua America holds security meetings once or twice a month (depending on the national threat level). These are attended by representatives from each of the company’s operating regions. In the meetings, security events that occurred at the company’s various plants are discussed, as are security events that have happened around the country. These meetings allow the company to create a corporate-wide security culture while ensuring that each plant is doing all it can to protect the water supply.

Hardening facilities and incorporating greater security technologies is also very important, says Roberson. To that end Aqua America has stopped all public tours of their facilities, which were common prior to 9-11. The company has also instituted increased security measures at many of its plants, including card access, CCTV, and door alarms.

Many of these technologies were added after the vulnerability assessment the company was required to perform. “We can’t protect our entire system 100 percent, so what we’ve done is determine the most critical parts of our system and the single points of failure in our system, and ... they have been given the highest security priorities,” Tagert says.

Water utilities were not required to take any risk reduction actions as a result of the Biosecurity Act, but many have done so anyway. According to a Government Accountability Office report, each of the eight water systems evaluated in the report have made improvements to security as a result of the Biosecurity vulnerability assessment.

While protecting the plants is extremely important, says Roberson, harmful agents can enter the water supply by other means, such as through fire hydrants. For example, there have been several cases of the fire department inadvertently contaminating the water supply due to fire-retardant foam (which is mixed with water from the hydrants) being back-cycled into the hydrant through the hose.

Most water utilities require special keys for anyone to gain access to the hydrants. In addition, Tagert says, Aqua America has been educating local police as to the threat posed by unauthorized use of hydrants. The police are now more diligent in observing hydrant use.

Aqua America also actively tests the water supply for contaminants, including potential bio/chem agents. The company will not disclose its specific screening procedures or the technologies it employs. Tagert says the company is always looking for cutting-edge technologies that can help it do better.

The EPA does require testing water for some contaminants, such as lead, but biological contaminants and other potentially dangerous agents are often very difficult to accurately detect. One reason is that biological agents can be easily confused with other pollutants, thereby creating too many false positives to merit government mandates.

Some companies, such as JMAR, have manufactured detection systems designed specifically for biological agents, but these systems are, as yet, not widely used by water utilities because they are very new to the marketplace.