Security and Vulnerability Assessments for Water Utilities

In March 2006, two teenage vandals illegally entered a 1.3 million gallon water tank in Blackstone, Mass. A five-gallon container with an odor was found on top of the tank, but in the end, authorities determined the water was not contaminated. The teenagers had defeated security by simply scaling a fence, smashing an electric meter, and breaking through the security apparatus that would have prevented them from climbing the tank's ladder.

An April 2006 city-wide municipal risk assessment revealed a significant exposure to water contamination that had been overlooked in an EPA-required vulnerability assessment conducted in-house. The city administration was dismayed to learn they had such blatant exposure to contamination, given that they had conducted their own security vulnerability assessment within the last two years. Those city administrators are not alone; others may be operating under a similar false sense of security. All water systems serving greater than 3,300 persons were mandated by the Bioterrorism Act of 2002 to conduct vulnerability assessments to evaluate susceptibility to potential threats and identify corrective actions that could reduce or mitigate the risk of serious consequences from adversarial actions (e.g., vandalism, insider sabotage, terrorist attack).

Numerous security vulnerability assessment tools are available to community water system managers (i.e., RAM-W, VSAT, NETCSC, FRWA Method and NRWA / ASDWA self-assessment); however, each has potential deficiencies. None of those assessment tools provides:

  • A utility-specific blueprint for how to properly conduct a vulnerability assessment
  • Specific localized threats against which a community water system must protect itself and its consumers
  • Specific security solutions for any identified vulnerabilities

The tools range from complex methodologies to simple self-assessment checklists that can be completed in a matter of minutes. Many smaller water systems have chosen to complete the latter, in many cases without the assistance of a properly qualified security expert. This is a risky endeavor that unfortunately has happened all too routinely. It is also contrary to the directive in the self-assessment checklists, which state, "This document is meant to encourage smaller systems to review their system vulnerabilities, but it may not take the place of a comprehensive review by security experts."
