Presentation to: THE AMERICAN WATER WORKS ASSOCIATION. OUR RESOURCES / OUR LIFE: A STRATEGY FOR FACILITY PROTECTION. By: Mark A. Graves, AIA, DMJMH+N.


SECURITY MASTER PLANNING
I. Asset Definition
II. Threat Definition & Vulnerability Analysis
III. Development of Security Measures
  - Electronic Security
  - Physical Barriers
  - Policies and Procedures
  - Security Personnel
IV. Selection of Security Countermeasures
V. The Design Process

I. ASSET DEFINITION PROCESS
* Interview Stakeholders
  - Senior Management, Mid Management, & Operations Professionals
* Identify Components of Your Operation
  - Research & Development
  - Plants & Equipment
  - Employee Morale

I. ASSET DEFINITION PROCESS - List and Classify Assets
* Tangible Assets
  - Plant and Equipment
  - Raw Materials
  - Specialized Personnel
* Operating Elements
  - Production
  - Maintenance
  - Administration
* Facility Infrastructure
  - Power
  - Communications with Outside Resources
  - Domestic Water Requirements
  - Cooling and Heating Equipment
  - Access (Road, River Pathways)

I. ASSET DEFINITION PROCESS - List and Classify Assets (Cont.)
* Processing Operations
  - Computer & Equip. Hardware
    - Central Processing Equip.
    - Data Storage
    - Communications Equip.
  - Software
    - Operating Software
    - Utilities & Applications
    - Communications
  - Physical Plant Support (Emergency)
    - Dual Comm. Power Supply
    - UPS Battery Back-Up System
    - Emergency Generators
    - Emergency Drinking Water
    - Emergency Cooling Tower Make-Up Water

I. ASSET DEFINITION PROCESS - List and Classify Assets (Cont.)
* Intangible Assets
  - Information
    - Utility Confidential Info.
    - Complaints
    - Service Data
  - Utility Image
    - Reputation
    - Staff Morale
    - Hiring Practices

I. ASSET DEFINITION PROCESS - Classify Assets
* VITAL – Loss Would be Catastrophic
* IMPORTANT – Loss Would Prove Seriously Disruptive
* SECONDARY – Loss Would Prove Relatively Insignificant

II. THREAT ASSESSMENT
* CRIMINAL
* NATURAL
* ACCIDENTS

II. THREAT ASSESSMENT PROCESS
* CRIMINAL
  - Possible Crimes
    - Burglary & Robbery
    - Larceny & Arson
    - Assault & Theft
    - Bribery & Extortion
    - Terrorism & Sabotage
    - Vandalism
    - Drug / Alcohol Abuse
  - Review Internal Loss Data
  - Review Internal Crime Data (National & Local)
* NATURAL DISASTERS
  - Floods
  - Tornadoes
  - Hurricanes
  - Blizzards
  - Earthquakes
* ACCIDENTS
  - Hazardous Materials
  - Fire
  - Explosion
  - Industrial Safety
  - Negligence Exposure (The Contractor)

II. THREAT ASSESSMENT - LIST AND CLASSIFY
* PROBABILITY OF OCCURRENCE
  - Probable: Expect Event to Occur
  - Possible: Circumstances Expected for that Event
  - Unlikely: Possible But Unlikely
* SEVERITY OF OCCURRENCE
  - Devastating: Disastrous Event
  - Moderate: Survivable
  - Insignificant: Relatively Inconsequential

III. SECURITY MASTER PLANNING
* Vulnerability Analysis
  - Develop Analysis Group
    - Facilitator
    - Crime Specialist
    - Resource Specialist (Site Manager)
    - Computer Systems Specialist
    - Structural / Architectural Facilities Specialist
    - Plant Engineering Specialist
  - Establish Assets and Threats to Specific Facility
  - Prioritize Results

III. SECURITY MASTER PLANNING
* Vulnerability Analysis - Process
  - Correlate Assets and Threats
  - Develop Team Analysis
    - Operational Management
    - Facility Engineering
    - Data Processing Management
    - Administration Issues
  - Develop Contrived Scenarios

III. SECURITY MASTER PLANNING
* Vulnerability Analysis - Process
  - Facility Infrastructure Vulnerability Examples:
    - Site Access:
      - Improper Vehicular Access Travel Lane Capacity
      - Planned Roadway Access Blockade
      - Adjacent Rail-Line Blockage
      - Poor Vehicular & Pedestrian Monitoring Control System
      - Poor General Site Access Control (Passive / Active Monitoring)
    - Building Envelope:
      - Building Stand-Off Distances
      - Building Envelope Resistance to Blast/Forced Entry
      - Door & Window Resistance to Forced Entry & Ballistics Intrusion

III. SECURITY MASTER PLANNING
* Vulnerability Analysis - Process
  - Facility Infrastructure Vulnerability Examples:
    - Building Envelope (Cont.):
      - Visual Exposure of Personnel From Uncontrolled Areas
      - Building Access by Vehicles (Parking, Deliveries, Waiting Areas)
    - Public / Employee Building Access Control:
      - Perimeter Door Access Control
      - Staff Identification System
      - Visitor Identification / Holding Area Control
      - Employee / Maintenance Personnel Internal Access Control

III. SECURITY MASTER PLANNING
* Vulnerability Analysis - Process
  - Facility Infrastructure Vulnerability Examples (Cont.):
    - Power:
      - Commercial Substation Attack
      - Emergency Power Fuel Line Attack
      - Internal Power Line Sabotage
    - HVAC:
      - Chem / Bio Airborne Contaminants
      - Internal Chem / Bio Release
      - Water Contaminant Intro. to HVAC Supply System
      - Power Fluctuations (Brown Out)

III. SECURITY MASTER PLANNING
* Vulnerability Analysis - Process
  - Facility Infrastructure Vulnerability Examples (Cont.):
    - HVAC (Cont.):
      - Power Failure (Re-Start Time)
      - Maintenance Sabotage
      - Poor Maintenance Personnel Training
      - Parts Manufacturer Reliability

III. SECURITY MASTER PLANNING
* Vulnerability Analysis - Process
  - Facility Infrastructure Vulnerability Examples (Cont.):
    - Domestic Water Supply:
      - Introduction of Contaminants
      - Upstream Line Disruption
        - natural
        - accidental
        - intentional disruption

III. SECURITY MASTER PLANNING
* Vulnerability Analysis - Process
  - Facility Infrastructure Vulnerability Examples (Cont.):
    - Telephone / Data Lines:
      - Attack or Human Error on External Lines
      - Internal Employee / Maintenance Sabotage
    - Natural Gas:
      - Attack or Human Error on External Lines
      - Explosive Sabotage

IV. SELECTION OF COUNTERMEASURES: Process
1. Define Defensive Strategy
  - Least Dangerous Events – Most Likely to Occur
  - Most Dangerous Events – Least Likely to Occur
2. Define Priorities
3. Define Requirements
  - Regulatory and Legal (National Guidelines)
  - Vital Asset – Probable Devastating Threat. Primary, Secondary, Tertiary
  - Important Asset – Unlikely and Moderate Threat. Primary Assets
4. Select Countermeasures
  - Electronic (Active) Monitoring and Surveillance
  - Physical (Passive) Barriers
  - Policy and Procedure Initiatives
  - Security Personnel (Staffing and Training)

IV. SELECTION OF COUNTERMEASURES: Applications - Electronic
* Access Control
  - Employee and Visitor Access ID Badge Software (Palm, Retinal, Visual Guard ID Verification, and Proximity Readers)
  - Vehicle Access Control Software (Vehicle Bar Code, Proximity, Driver ID Readers)
  - Vehicle Arrest Systems. Sally Port Configuration (Delta Barriers & Gates).
* Intrusion Monitoring
  - Entry and Perimeter Detection (Subsurface, Vibration, Motion, and Infrared Detection)
  - Perimeter Lighting
  - Door Position Detection (Alarmed Release Delay, Electronic Lockdown)
* CCTV
  - Full Operation at Low Light Levels
  - Pan, Tilt, Zoom Capability
  - Event Recording
* Duress
  - Emergency Alert Devices

IV. SELECTION OF COUNTERMEASURES: Applications – Electronic (Cont.)
* Security Communication
  - Radio Dispatch System
  - Private Intercom System / LAN
  - Public Address Group Communication
  - Telephone / Internet WAN
* Life Safety
  - Fire and Toxic Substance Detection
* Process Supervision
  - Infrastructure Monitoring
  - Process System Monitoring
  - Vehicle Access Control Software (Vehicle Bar Code, Proximity, Driver ID Readers)
  - Vehicle Arrest Systems. Sally Port Configuration (Delta Barriers & Gates).
* Computer Security
  - Virus Detection Programs
  - File Encryption
  - System Sweeps
  - Distributed System Architecture
* Screening
  - Walk Thru Metal Detection
  - Large Package Inspection
  - Mail Inspection

IV. SELECTION OF COUNTERMEASURES: Applications – Physical Design
* Environmental Site Enhancements
  - Eliminate Straight Drive Aisles at Building (Reduce Vehicle Speed)
  - Ditch/Berm Grading Moat
  - Landscape Deterrents
  - Maximize Building Location Setback (Government Standards)
* Building Configuration
  - Configure Building Elements, Remoting Sensitive Areas from Perimeter Wall. Elevate as High as Functionally Feasible.
* Building Envelope
  - Blast Resistant Structural System. Develop to Deter Progressive Collapse
  - Blast Resistant Skin
  - Forced Entry, Ballistic Entry, and Blast Resistant Doors
  - FEBR Windows at First Levels, Ballistic Only Above.
  - Roof Mounted Air Intake

IV. SELECTION OF COUNTERMEASURES: Applications – Physical Design (Cont.)
* Locking Mechanisms
  - Electromagnetic Remote Operated Locks
  - Forced Entry Locks
  - Carefully Articulated Door Hardware
* Internal Compartmentalization
  - Design Layout to Limit Unnecessary Access to Operation Sensitive Areas
* Building Infrastructure
  - Redundancy is Paramount.
  - Separate Power Feeds from Different Grids
  - Emergency Power Generation
  - UPS for Critical Systems
  - Back-Up Battery System for UPS Assurance
  - On-Site Storage Tanks for Emergency Conditions (Determine Emergency Duration)
    - Domestic and HVAC Water (and/or Well as Allowed)
    - Diesel Fuel for Generators
    - Fire Water as Required
    - Sanitary Tank

IV. SELECTION OF COUNTERMEASURES: Applications – Policy & Procedures
* Accounting
  - Audits for Fraud
  - Inventory Control
* Drug and Alcohol Abuse
  - Termination Guidelines
  - Assistance Guidelines
* Disaster Avoidance and Recovery
  - Mitigation Strategy
  - Delegation of Authority
  - Implementation
  - Training Exercises
* Facility Access
  - Access Levels
  - Credentials
* Security Management
  - Operating Philosophy
  - Security Plan Updates
* Personnel
  - Background Investigations
  - Debriefing
  - Heightened Security Awareness

IV. SELECTION OF COUNTERMEASURES: Applications – Security Personnel
* Management Philosophy
  - Legal Requirements vs. Necessary Service
* Security Training
* Community Relations
* Operations
  - Command Center
  - Mobile Patrols
  - Fixed Posts
  - Investigations
* Post Orders
* Law Enforcement Liaisons

V. SYSTEM AND FACILITY DESIGN
* Design Criteria
* Conceptual Design
* Preliminary Design
* Final Design
* Importance of Consensus Throughout the Process

WHY?