by Elizabeth M. Ferrarini

For decades, American Water Works Company, the largest operator of water treatment and distribution plants in North American, shuttled school children and customers through its hundreds of facilities in 29 states, Canada, and Puerto Rico. Bruce Larson, American Water's security director, says, "Water was an open business. Each facility has its own security guard, set of locks, and alarms."

But the events of the September 11, 2001, caused management at the $2 billion company to raise the physical security bar at the 711 treatment plants. Larson says, "We realized that terrorists could kill some of our 18 million customers with our own product."

Post-911, Bruce Larson undertook American Water's security challenge by becoming responsible and accountable for all physical security, information security, crisis management, and business continuity throughout North American operations. He immediately put together a security plan, which became the model for the entire North American company, including the treatment facilities. And in 2003, American Water became part of RWE Thames Water, the third largest global water resource company.

Here's what Larson, a 17-year security veteran and consultant to a Presidential advisor on Homeland Security issues, had to say about maintaining water-tight physical security at the company's facilities.

EL: What does physical security include?

BL: It focuses on the critical operations at all of the water treatment works around the country. Specifically, we look at every aspect of security, from access control all the way to control of sensitive documents, and alarms.

EL: How do you know you are getting good access control?

BL: One of our goals includes reducing the requirement for humans to provide physical security controls. To this end, we focused heavily on automated access control, automated alarm systems, and automated video systems. To enter buildings, employees go through a turnstile with a smart keycard. Front desk security people spend their time validating the identify of visitors, and making sure they are properly escorted. Since 911, we've revised our visitation process at the treatment sites, and now focus more on where employees go in a facility.

EL: How do you monitor all of these systems?

BL: We have extensive contracts for monitoring our various systems. All 90,000 alarm points, along with badge access controls and video monitoring, feed into one, central computer system, and we can access this system anywhere in the business from a Web-based GUI. Our 24/7 central command center staff focuses on managing incidents surrounding these alarms. Each facility's monitoring station enables the staff to be the first response source. Because of the diversity of the physical operations sites and the number of false alarms, we have a standard operating procedure set for responding to alarm signs.

EL: How have you integrated physical security with IT?

BL: We've converged the business processes. However, you're always going to have different sensor systems or control systems, firewalls, and locks on doors. Right now, it's passwords and badges. Eventually, employees will be able to use the same access control keycard to log on their desktop PCs. Also, if the IT help desk gets a security-related incident, then it's turned over to my staff to manage.

EL: What does the security staff at a facility consist of?

BL: Every facility has its own set of unique challenges. Some locations might require more physical security guards than other location. Typically, each facility has an operations person who owns the business, including all local security operations, and, as a result, functions, at the central security contact. We also have certified water treatment plant operators who treat the water and make sure it is distributed. These operators respond to emergency situations first, followed by emergency personnel, if needed. An operations person at our command center is also assigned to respond to situations.

EL: Since 911, what new things have you learned about emergency  situations or security breaches?

BL: Security incidents can cause business crises, and business crises can disrupt security. For example, if a terrorist breaks into a critical operations facility, then we have a major business crisis. A major hurricane can cause a business crisis and, in turn, affect both physical and informatic security; a significant number of operations in the New Orleans areas have been challenged by Hurricane Katrina.

EL: How do you select the security systems you use for physical  security?

BL: Whether it's firewall software or a video monitoring system, we use tried-and-true systems we can configure out of the box. I'm opposed to developing any type of system. Our business is water, not security.

EL: You've just started to get involved in security for some of the parent company's international sites. How does physical security differ abroad from that of North America?

BL: In the U.S., each state has a variety of controls. Likewise, each country has its own set of legislative and regulatory controls for physical security of the infrastructure. Each country also sets a different social responsibility code. Some countries want armed guards patrolling the facility's perimeter, while the UK doesn't want to see any weapons.

Also, the financial impact caused by a major crisis can vary substantially. If there's an outage at a water treatment plant in London, then millions of dollars are going down the drain every second. A similar outage might have a lesser financial impact if it happened in Puerto Rico.

--

Elizabeth M.  Ferrarini is an IT consultant from Boston, Massachusetts.