[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
CONTROLLING BIOTERROR: ASSESSING OUR NATION'S DRINKING WATER SECURITY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON ENVIRONMENT AND HAZARDOUS MATERIALS
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 30, 2004
__________
Serial No. 108-123
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
96-103PDF WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
JOE BARTON, Texas, Chairman
W.J. ``BILLY'' TAUZIN, Louisiana JOHN D. DINGELL, Michigan
RALPH M. HALL, Texas Ranking Member
MICHAEL BILIRAKIS, Florida HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio EDOLPHUS TOWNS, New York
JAMES C. GREENWOOD, Pennsylvania FRANK PALLONE, Jr., New Jersey
CHRISTOPHER COX, California SHERROD BROWN, Ohio
NATHAN DEAL, Georgia BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
CHARLIE NORWOOD, Georgia ANNA G. ESHOO, California
BARBARA CUBIN, Wyoming BART STUPAK, Michigan
JOHN SHIMKUS, Illinois ELIOT L. ENGEL, New York
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES W. ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi, Vice Chairman TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
STEVE BUYER, Indiana LOIS CAPPS, California
GEORGE RADANOVICH, California MICHAEL F. DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire CHRISTOPHER JOHN, Louisiana
JOSEPH R. PITTS, Pennsylvania TOM ALLEN, Maine
MARY BONO, California JIM DAVIS, Florida
GREG WALDEN, Oregon JANICE D. SCHAKOWSKY, Illinois
LEE TERRY, Nebraska HILDA L. SOLIS, California
MIKE FERGUSON, New Jersey CHARLES A. GONZALEZ, Texas
MIKE ROGERS, Michigan
DARRELL E. ISSA, California
C.L. ``BUTCH'' OTTER, Idaho
JOHN SULLIVAN, Oklahoma
Bud Albright, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Environment and Hazardous Materials
PAUL E. GILLMOR, Ohio, Chairman
RALPH M. HALL, Texas HILDA L. SOLIS, California
JAMES C. GREENWOOD, Pennsylvania Ranking Member
HEATHER WILSON, New Mexico FRANK PALLONE, Jr., New Jersey
VITO FOSSELLA, New York ALBERT R. WYNN, Maryland
(Vice Chairman) LOIS CAPPS, California
STEVE BUYER, Indiana MICHAEL F. DOYLE, Pennsylvania
GEORGE RADANOVICH, California TOM ALLEN, Maine
CHARLES F. BASS, New Hampshire JANICE D. SCHAKOWSKY, Illinois
JOSEPH R. PITTS, Pennsylvania CHARLES A. GONZALEZ, Texas
MARY BONO, California PETER DEUTSCH, Florida
LEE TERRY, Nebraska BOBBY L. RUSH, Illinois
MIKE ROGERS, Michigan BART STUPAK, Michigan
DARRELL E. ISSA, California GENE GREEN, Texas
C.L. ``BUTCH'' OTTER, Idaho JOHN D. DINGELL, Michigan,
JOHN SULLIVAN, Oklahoma (Ex Officio)
JOE BARTON, Texas,
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Grumbles, Benjamin H., Acting Assistant Administrator for
Water, U.S. Environmental Protection Agency................ 37
Stephenson, John B., Director, Natural Resources and
Environment, Government Accountability Office.............. 44
Additional material submitted for the record:
Stephenson, John B., Director, Natural Resources and
Environment, Government Accountability Office, response for
the record................................................. 76
U.S. Environmental Protection Agency, response for the record 78
(iii)
CONTROLLING BIOTERROR: ASSESSING OUR NATION'S DRINKING WATER SECURITY
----------
THURSDAY, SEPTEMBER 30, 2004
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Environment
and Hazardous Materials,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:33, p.m., in
room 2322, Rayburn House Office Building, Hon. Paul E. Gillmor
(chairman) presiding.
Members present: Representatives Gillmor, Bass, Terry,
Rogers, Solis, Pallone, Capps, and Stupak.
Staff present: Tom Hassenboehler, majority counsel; Mark
Menezes, majority counsel; Jerry Couri, policy coordinator;
Peter Kielty, legislative clerk; and Dick Frandsen, minority
counsel.
Mr. Gillmor. The subcommittee will now come to order and
the Chair will recognize himself for the purposes of an opening
statement.
Many people believe that our government's focus on
protecting our infrastructure from terrorist attacks began
after the attacks on the World Trade Center and the Pentagon.
That assessment, I think, however, would be inaccurate.
It was over 50 years ago that the FBI was worried that an
attack on our Nation's drinking water system could have
devastating effects on the Nation's health and well-being.
Unfortunately, it took the scare our Nation felt 3 years ago
before Congress took action to fill in the legal gaps that
prevented real preparedness from occurring.
I am proud that our committee took the bipartisan lead with
the Public Health Security and Bioterrorism Response Act of
2002. This law took a major step forward in providing all
drinking water systems with legal direction for safeguarding
their product and their facilities.
This legislation not only recognized the need to protect
our large urban centers or 15 percent of the community water
systems that served 75 percent of the population, but also the
need to look after smaller systems that did not have the
resources but were every bit as vulnerable. Under this law,
each community water system serving more than 3,300 individuals
is required to conduct an assessment of the system's
vulnerability to terrorist acts or other intentional acts to
disrupt a safe and reliable drinking water supply. The Act also
requires these systems to prepare or revise emergency response
plans, incorporating the results of the vulnerability
assessments and to do so no later than 6 months after
completing them.
To pay for this, the Bioterrorism Act authorized funding to
provide financial assistance to community water systems
conducting those vulnerability assessments, preparing response
plans and addressing the basic security enhancements.
And finally, the Act authorized the EPA to review methods
by which terrorists or others could disrupt the provision of
safe water supplies and identify methods for preventing,
detecting, and responding to such disruptions.
These are all good things, but they are not--will not--
deter us from conducting the kind of oversight to make sure the
money spent is going to places where Congress intended; that
water utilities are complying with the rules set forth, and
that meaningful protections are occurring across our country.
In addition, we must know how the Federal apparatus that
has since come into play, including the Department of Homeland
Security, and subsequent Presidential directives are working in
guiding drinking water protection from terrorism.
I also want to note one part of the bioterrorism law that I
think was very important, and generated much discussion when we
passed the law. In trying to provide for the collection of
meaningful compliance information--and also discouraging the
use of this information in inappropriate ways, Congress
required water systems to certify to the EPA that they had
conducted a vulnerability assessment and submitted a copy of
the assessment to EPA. But, Congress also exempted the main
contents of the vulnerability assessments from disclosure under
the Freedom of Information Act.
In addition, the law directed EPA to develop protocols to
protect the assessments from unauthorized disclosure and
provides for civil and criminal penalties for inappropriate
disclosure of information by government officials. I am
interested in knowing how these protections are working.
And also, before closing my remarks, I want to thank our
witnesses who are with us today: Mr. Benjamin Grumbles of the
EPA, whom we have met with before; and Mr. John Stephenson,
director of Natural Resources and Environment of GAO. We are
very pleased to have you here, and we want you to know how much
we value your input.
I would like to recognize the ranking member of our
subcommittee, the gentlelady from California.
[The prepared statement of Hon. Paul Gillmor follows:]
Prepared Statement of Hon. Paul Gillmor, Chairman, Subcommittee on
Environment and Hazardous Materials
The Subcommittee will now come to order and the chair will
recognize himself for 5 minutes for the purposes of delivering an
opening statement.
Many people believe that our government's focus on protecting our
infrastructure from terrorist attacks began after the terrible attacks
on the World Trade Center and Pentagon that occurred on September 11,
2001. This assessment, however, would be false. Over 50 years ago, the
Federal Bureau of Investigation was worried that an attack on our
nation's drinking water system would have devastating effects on the
nation's human and economic health and well-being. Unfortunately, it
took the scare our nation felt three years ago before Congress took
action to fill in the legal gaps that prevented real preparedness from
occurring.
I am proud that our Committee took the bipartisan lead in
fashioning the Public Health Security and Bio-terrorism Preparedness
and Response Act of 2002. This law took a major step forward in
providing all drinking water systems with legal directions for
safeguarding their product and their facilities. I am particularly glad
that this legislation not only recognized the obvious need to protect
our large urban centers where 15 percent of all community water systems
serve 75 percent of the population, but also the need to look after
smaller systems that did not have the resources but were every bit, if
not more vulnerable than their big city brethren.
This law should make a real difference in the future safety of
drinking water systems. Under this law, each community water system
serving more than 3,300 individuals is required to conduct an
assessment of the system's vulnerability to terrorist attacks or other
intentional acts to disrupt the provision of a safe and reliable
drinking water supply. The Act also requires these systems to prepare
or revise emergency response plans incorporating the results of the
vulnerability assessments no later than 6 months after completing them.
To fund all these items, the Bioterrorism Act authorized funding to
provide financial assistance to community water systems conducting
vulnerability assessments, preparing response plans, and addressing
basic security enhancements and significant threats. Finally, the Act
authorized EPA to review methods by which terrorists or others could
disrupt the provision of safe water supplies, and identify methods for
preventing, detecting, and responding to such disruptions.
These are all good things, but they should not deter us from
conducting the kind of oversight that makes sure the money spent is
going to the places Congress intended, the water utilities are
complying with the rules set forth, and meaningful protections are
occurring across our country. In addition, we must know how the Federal
apparatus that has since come into play, including the Department of
Homeland Security, and subsequent presidential directives are guiding
drinking water protection from terrorism. This panel must not be
deterred in appropriately exercising its jurisdiction over drinking
water safety and supply. This is a charter that I take very seriously
as Chairman and it is one that no committee in the House can or should
do better.
I want, though, to make note of one part of the Bio-terrorism law
that I find very important and that generated much discussion when we
passed this law. In trying to carefully choreograph the dance between
the collection of meaningful compliance information and discouraging
the use of this information as a way to discover other places EPA might
wish to regulate, Congress required water systems to certify to EPA
that they have conducted a vulnerability assessment and submit a copy
of the assessment to EPA, but Congress also exempted the main contents
of the vulnerability assessments from disclosure under the Freedom of
Information Act. In addition, the law directed EPA to develop protocols
to protect the assessments from unauthorized disclosure, and provides
for civil and criminal penalties for inappropriate disclosure of
information by government officials. Forcing EPA to take sensitive
information was only acceptable to many of us if serious protections
were put into place on that material. I am interested in knowing how
those protections are working.
Finally, before closing my remarks, I want to thank our witnesses
who are here with us today. You know how much we value your input and
look forward to your testimony and commentary.
With that, I want to recognize the Ranking Member of the
Subcommittee, the gentle lady from California, Mrs. Solis, for 5
minutes for the purpose of delivering an opening statement.
Ms. Solis. Thank you, Mr. Chairman, and I thank you for
holding this hearing today. This is a very important issue for
many of us, the safety and security of our drinking water.
But I do have to say that I am a bit disappointed, because
I believe it is a disservice to the members of the subcommittee
that the Department of Homeland Security has failed to respond
to our request to testify before this subcommittee. And I find
it unfortunate that we are holding this hearing without the
benefit of hearing from the Inspector General of the
Environmental Protection Agency.
I understand we received a letter in our office, just today
that was faxed over, informing us that they could not come but
if we have any further questions, we could submit them. The
inspector general has released numerous reports critiquing the
status of security at facilities. And last September, the
Inspector General found serious vulnerabilities in the EPA's
action to combat contamination of our water supply as a result
of terrorism.
The Inspector General highlighted that EPA had failed to
sufficiently provide information about threats. Reports noted
that as a result, major utilities were having problems
identifying and prioritizing threats to our water supply.
I hope today that EPA will address the findings of the
Inspector General because these vulnerabilities are
unacceptable. We see the news in every day stories about
drinking water being tainted by lead and rocket fuel and other
contaminants.
When rocket fuel was found in milk, parents became outraged
and questioned whether it was safe to serve their children
milk. What would these same parents say if they knew about
unaddressed vulnerabilities in drinking water? It is the
responsibility of EPA to assure the public that not only have
water utilities filed the necessary paperwork, but that the
necessary upgrades have been made and that our drinking water
is safe and secure.
The city of Los Angeles Department of Water and Power
serves water and power to over 3.8 million users. In response
to 9/11, Los Angeles devised a 5-year plan to increase daily
sampling and test water quality. They installed security
cameras, increased helicopter patrols and reinforced security
barriers at water facilities.
These upgrades are being funded by an increase in consumer
rates. I support the efforts of Los Angeles to secure its water
facilities as much as possible. But I wonder where the EPA has
been as Los Angeles makes these upgrades. What kind of role has
EPA played in the development of the security policies of
cities across the country? What kind of guidance have you given
cities like Los Angeles. And why has the Inspector General time
and time again revealed vulnerabilities in EPA's guidance? I
hope we hear answers to these questions from EPA today.
Finally, I would also like to mention how unfortunate it is
that another year has gone by and Congress still has not
addressed chemical facility security.
There are more than 100 facilities nationwide, whose
vulnerability puts at risk more than 1 million people each. As
more than 60 editorials across the country have noted,
Congress's inability or refusal to act to secure chemical
facilities is a dereliction of duty. I sincerely hope this
dereliction of duty isn't because my colleagues are afraid to
challenge the chemical industry, the grave threat posed by
chemical facilities is unneccessary--and I only hope that we
will not be forced to regret this decision later.
Before I yield back the balance of my time, I would like to
ask for unanimous consent that if the ranking member of the
full committee, Mr. Dingell, and other and other members
provide opening statements, that they be allowed to be inserted
into the record.
Mr. Gillmor. Without objection, it will be so ordered. All
members will be able to submit opening statements to be
inserted in the record.
Does the gentleman from Michigan have an opening statement?
Mr. Rogers. I yield, Mr. Chairman.
Mr. Gillmor. The gentlemen yields.
The gentlewoman from California.
Mrs. Capps. Thank you very much, Mr. Chairman, for holding
this hearing.
The September 11 terrorist attacks on our country and the
anthrax incidents that followed changed the way we looked at
protecting our Nation's most critical infrastructure. They
raised serious questions about our preparedness to respond to
future catastrophic terrorist attacks, and they made Americans
concerned about all aspects of our safety, including our
drinking water supply.
The President raised drinking water concerns in his 2002
State of the Union Address. He stated that U.S. Forces in
Afghanistan found diagrams of U.S. Public water utilities and
that we are under ``continuing and immediate threats of future
attacks. A successful terrorist attack on a public water system
would be devastating.''
In addition, it would further damage public confidence and
safe and reliability supplies of drinking water, so we need
this afternoon to assess whether the administration is pursuing
an effective strategy to prevent or to respond to such attacks.
Many experts are concerned, and for good reason.
In fact, the EPA's Inspector General has conducted
preliminary research on how well we have evaluated water system
security activities. As you know, EPA has responsibility over a
safe-guarded water supply. In 2002, Congress passed a
Bioterrorism Act, and this bill required the water utilities to
assess vulnerabilities based on threat information provided by
EPA and then submit these vulnerability assessments to EPA for
their review. Vulnerability assessments are a necessary tool
for drinking water utilities to evaluate and identify their
vulnerabilities.
But vulnerability assessments alone don't protect us from
the threats. They only detect them. And according to the
Inspector General, EPA may not be taking the necessary steps to
maintain a safe and reliable drinking water supply. For
example, the IG has reported that due to limited threat
information provided by EPA, the utilities design their
assessments around pre-September 11 threats.
Based on interviews with key stakeholders, the IG went on
to include ``we believe that vulnerability assessments
submitted may emphasize traditional less consequential and less
costly threats such as vandalism or disgruntled employees.''
This is certainly not what we are talking about post-9/11.
How can we expect to adequately assess the specific
shortcomings of our public water systems, much less implement
protective measures, without an accurate evaluation of
realistic threats. The world changed on September 11. It
changed the way we need to detect and protect ourselves from
threat.
Yet if the IG's reports is accurate that water utilities
were not provided with updated and accurate threat information,
then the water utilities may be defending our water supply from
yesterday's disgruntled employees instead of today's enemies.
Merely completing the vulnerability assessments are not going
to reduce these unacceptable security risks.
We have to also take corrective actions to reduce them.
While I am very disappointed the IG is not able to join us to
discuss these important issues, I certainly hope our witnesses
will address his concerns. In his absence, I ask unanimous
consent to insert two evaluation reports from the Office of the
Inspector General dated September 11, 2003 and September 24,
2003 into the record, Mr. Chairman.
Mr. Gillmor. Without objection.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T6103.001
[GRAPHIC] [TIFF OMITTED] T6103.002
[GRAPHIC] [TIFF OMITTED] T6103.003
[GRAPHIC] [TIFF OMITTED] T6103.004
[GRAPHIC] [TIFF OMITTED] T6103.005
[GRAPHIC] [TIFF OMITTED] T6103.006
[GRAPHIC] [TIFF OMITTED] T6103.007
[GRAPHIC] [TIFF OMITTED] T6103.008
[GRAPHIC] [TIFF OMITTED] T6103.009
[GRAPHIC] [TIFF OMITTED] T6103.010
[GRAPHIC] [TIFF OMITTED] T6103.011
[GRAPHIC] [TIFF OMITTED] T6103.012
[GRAPHIC] [TIFF OMITTED] T6103.013
[GRAPHIC] [TIFF OMITTED] T6103.014
[GRAPHIC] [TIFF OMITTED] T6103.015
[GRAPHIC] [TIFF OMITTED] T6103.016
[GRAPHIC] [TIFF OMITTED] T6103.017
[GRAPHIC] [TIFF OMITTED] T6103.018
[GRAPHIC] [TIFF OMITTED] T6103.019
[GRAPHIC] [TIFF OMITTED] T6103.020
[GRAPHIC] [TIFF OMITTED] T6103.021
[GRAPHIC] [TIFF OMITTED] T6103.022
[GRAPHIC] [TIFF OMITTED] T6103.023
[GRAPHIC] [TIFF OMITTED] T6103.024
[GRAPHIC] [TIFF OMITTED] T6103.025
[GRAPHIC] [TIFF OMITTED] T6103.026
[GRAPHIC] [TIFF OMITTED] T6103.027
[GRAPHIC] [TIFF OMITTED] T6103.028
Mrs. Capps. Mr. Chairman, securing the extensive network of
our Nation's drinking water storage systems poses difficult
challenges but the stakes are too high to shirk this
responsibility. Tampering or destroying these systems would
leave large population areas without water for consumption or
fire-fighting purposes.
So I hope that precious time and money was not wasted by
the EPA's failure to insure accurate vulnerabilities
assessments keyed to post September 11 threats. Each day that
passes without insuring that the necessary security
enhancements are being undertaken is another day that our
Nation's water supplies remain vulnerable.
So once again, this is a very timely hearing. I thank you
for holding it and look forward to the testimony of our
witnesses.
I yield back.
Mr. Gillmor. The gentlewoman yields back. Does the
gentleman from Nebraska have an opening statement?
Mr. Terry. No.
Mr. Gillmor. The gentleman yields.
The gentleman from New Jersey.
Mr. Pallone. Thank you, Mr. Chairman.
I appreciate that you are giving us a chance in this
subcommittee to conduct an oversight hearing on water security,
which is one of the most pressing Homeland Security issues
facing our country.
While it is certainly good that we are discussing water
security, I want to express my dismay that this subcommittee,
in fact, the entire House, has not held a single hearing to
discuss security at the numerous chemical plants located in New
Jersey and across the Nation.
As many of my colleagues may be aware, I have introduced
H.R. 1861, the Chemical Security Act. This bill would, among
other things, require that EPA promulgate regulations directing
the owners of high priority chemical security plants to conduct
vulnerability assessments and create a prevention,
preparedness, and response plan much like the water programs
that we will be discussing today.
But I can't emphasize enough the danger posed by chemical
plants across the country. According to the EPA, there are 123
facilities across the country where release of chemicals could
threaten more than 1 million people. There are more than 750
facilities where such a release could threaten upwards of
100,000 people--and these are frightening numbers. Despite this
obvious threat, this subcommittee has done nothing on the
issue. Last October, several of my colleagues joined me in then
writing to then Chairman Tauzin asking that the committee
address chemical security, but we have seen nothing since.
Through some combination of congressional and executive
action, we have dealt port security, airline security and even
nuclear security. If we are serious about securing our homeland
and protecting our citizens, we need to address chemical
security immediately.
Today's hearing--if I can say, Mr. Chairman, I look forward
to the hearing and to hear what Mr. Grumbles and Mr. Stephenson
have to stay. But, as we mentioned, this panel is clearly
incomplete.
We are not going to hear from the EPA Inspector General,
who issued two reports last September that were critical of the
EPA's water security efforts. We are also not going to hear
from the Department of Homeland Security, whom I understand
simply refused to cooperate with the majority's request.
Yet this is a Congressional subcommittee. We have a serious
oversight responsibility and the power to demand serious
responses from the administration. And it is time this
subcommittee and the Congress stand up to this administration.
They are simply not cooperating. The Bush administration
doesn't cooperate, whether it is water security or the lack of
action on chemical security.
It is just a sad commentary on the state of oversight in
this Congress, in contrast to the days when a Democrat was in
the White House. This Congress has done very little to oversee
the actions of the Bush Administration.
Mr. Gillmor. The gentleman yields back.
Does the gentleman from New Hampshire have an opening
statement.
Mr. Bass. I do, Mr. Chairman, I do have an opening
statement I would like to have placed in the record.
Mr. Gillmor. Without objection.
Mr. Bass. I would like to spend a minute and a half to tell
an interesting little story.
We all remember 9/11 and what happened and how we found
ourselves wandering around Capitol Hill looking for a place to
go. I wound up at about noon, I think, in the headquarters of
the Capitol Police over next to The Monocle on the Senate side.
I was a motley crowd of Senators and Congressman sitting around
the table looking kind of dazed. And the chief of the Capitol
Police gave us a briefing, which was somewhat sketchy, about
what he thought was going on. And Senator Byrd from West
Virginia was there. And they had placed around the table all
these pitchers of water and so forth for us to drink.
Senator Byrd said, what reason do you have to believe that
the water supply in the District of Columbia hasn't been
poisoned yesterday, and that we are--can't drink the water? We
saw eight or 10 hands surreptitiously move across the table and
push the pitchers to the other side of the table.
It only points out--that for me, at least, I realized just
how significant protection of water resources can be in times
of crisis. And this is a very timely hearing. Given the fact
that only 15 percent of our water utilities control 75 percent
of the population of this country, this is localized high
priority for security. I think there are questions about
whether or not it is practical or possible to really affect
large segments of the population with any kind of ease, if you
will. But nonetheless, I think this is an important subject and
I commend the chairman for having this hearing and I yield
back.
[The prepared statement of Hon. Charles F. Bass follows:]
Prepared Statement of Hon. Charles F. Bass, a Representative in
Congress from the State of New Hampshire
Thank you Mr. Chairman. It is important to note that the safety of
our water supply is not a novel concern for our government. Since 1941,
the federal government has recognized the possible threat to our
national water supply--both by natural disasters and man-made threat.
The fear of terrorist attacks on U.S. water utilities existed prior to
9/11 when EPA was identified as the leading federal agency to oversee
security issues of our water infrastructure. Since the attack on
American soil, the need to identify and address vulnerability has only
become more imperative.
This hearing comes at a critical time due to the various
legislative efforts in both Houses to address the recommendations of
the 9/11 Commission. Since the creation of the Department of Homeland
Security, EPA has continually retained their jurisdiction over water
supply safety. It is critical for us to reassess how well this has
worked with identifying potential threats, identifying and addressing
points of vulnerability, and creating emergency plans. It is also
important for us to include water supply safety in any decision that is
related to coordination of intelligence and restructuring our agencies
involved in homeland security.
Finally, this hearing is critical in discussing some of the types
of potential threats that may exist to our water supply. Only 15% of
our water utilities supply 75% of our population--and it is important
for the public to understand the dangers that these utilities face.
Some experts have argued that due to dilution and lengthy time for
water to reach the home--the threat to public health is small. However,
a threat to actually destroying the infrastructure is much greater. By
including the public in these types of discussions, it helps elevate
any unnecessary fears that may exist.
I would like to thank our witnesses for being here today and look
forward to hearing their testimony. Thank you.
Mr. Gillmor. The gentleman yields back. Does the other
gentleman from Michigan have an opening statement?
Mr. Stupak. Yes, I do, Mr. Chairman, and thank you for
holding this hearing.
I want to thank Mr. Grumbles from the EPA and Mr.
Stephenson from the Government Accountability Office for being
here today as we discuss the safety and the security of our
Nation's drinking water.
While I appreciate the chance to hear from our two
witnesses today. I would have appreciated the chance to hear
from anyone from the EPA's office of Inspector General as well
considering the office's unique insight into this matter.
I would also like to hear testimony from the Department of
Homeland Security, which plays a role in this issue, but has
failed to respond to requests to testify before this
subcommittee. The state of our Nation's drinking water supply
is not something to be taken lightly. Clearly an attack on our
Nation's water supply could have devastating consequences. That
makes this hearing particularly important and the absence of
witnesses from today's Homeland Security more troubling.
The passage of the Bioterrorism Act--following September
11, utilities serving a population of 3003 people were required
to perform an submit an assessment of the water system's
vulnerability to terrorist attacks or other attacks which might
disrupt our drinking water supply. It is the EPA's
responsibilities as the lead Federal agency charged with
coordinating critical water infrastructure protection
activities--to see that water utilities meet the requirements
set forth by Congress in the Bioterrorism Act, as well as to
provide them with the necessary tools to do so.
However, the EPA office of Inspector General has issued
several reports in the last few years on this very subject
critiquing the status of security at these very facilities.
In fact, the report released by the Inspector General last
September found serious vulnerabilities in the EPA's actions to
prevent or combat contamination of our water supply as a result
of terrorism.
Specifically, EPA failed to provide adequate information
about terrorist threats, but did provide guidance to water
utilities on how to protect themselves from vandals. In short,
the EPA was directing the local water utilities to be on the
lookout for juvenile delinquents, not al Qaeda or terrorists.
As a result, water utilities were having problems identifying
and prioritizing threats to our water supply.
Given that vulnerability assessments serve as the
foundation for emergency response plans and for future security
enhancements, the Inspector General suggested that the EPA
monitor all water system submissions to insure that
vulnerability assessments identify and prioritize their
terrorist threats.
In other words, EPA needs to make this a priority. We can't
wait for an incident to happen. We need to take preventive
action now. I hope the EPA will address the findings of the
Inspector General today because these vulnerabilities are
unacceptable.
With that, Mr. Chairman, I yield back the balance of my
time.
[Additional statements submitted for the record follows:]
Prepared Statement of Hon. Joe Barton, Chairman, Committee on Energy
and Commerce
Thank you, Chairman Gillmor, for holding this oversight hearing
today on a very critical issue affecting the health and security of our
nation. Utilities across the country have long recognized that drinking
water may be vulnerable to terrorism of various types, including
physical disruption, bioterrorism, chemical contamination, and cyber
attacks. I am proud to say that this Committee was the first to act on
this issue after the attacks on September 11, with the passage of title
IV of the Bioterrorism Act of 2002. Title IV amended the Safe Drinking
Water Act to require each community water system serving more than the
3,300 individuals to conduct a ``vulnerability assessment'' of its
susceptibility to a terrorist attack or other intentional act intended
to substantially disrupt the ability of the system to provide safe
drinking water.
It is my understanding that the timelines for all of these systems
to have complied and submit their assessments have now passed. I look
forward to getting an update on this process. While recognizing our
drinking water systems' vulnerabilities is an important accomplishment,
we also need to determine what steps are necessary in adopting
appropriate security measures that address vulnerabilities and mitigate
the consequences of any attack.
I thank the witnesses for their cooperation in attending and I look
forward to hearing their testimony.
I yield back, Mr. Chairman.
______
Prepared Statement of Hon. John D. Dingell, a Representative in
Congress from the State of Michigan
Mr. Chairman, I welcome this oversight hearing to determine the
effectiveness of the Administration's implementation of the Safe
Drinking Water Act Amendments that were enacted as part of the Public
Health Security and Bioterrorism Preparedness and Response Act of 2002.
These provisions required drinking water utilities to assess the
vulnerabilities of their distribution systems and water supplies to the
potential threat of terrorist attacks. Water utilities were required to
submit these assessments to the Environmental Protection Agency (EPA)
so the government could ensure that they were properly conducted and
that the drinking water utilities were taking the necessary actions to
safeguard the public and protect drinking water supplies from potential
terrorist threats.
While I look forward to Mr. Grumbles's testimony today, I am very
disappointed that the Department of Homeland Security chose to ignore
the Subcommittee's request to provide a witness. The hearing will also
lack testimony from the EPA Inspector General's Office. This omission
is particularly disappointing because the EPA Inspector General has
issued four separate evaluation reports on EPA's performance and the
assessments conducted by the water utilities.
The Inspector General's findings are extremely disturbing, and are
worthy of this Subcommittee's careful review. For example, on September
23, 2003, the EPA Inspector General reported:
``The Bioterrorism Act requires community water systems to
prepare for and assess vulnerability to terrorist and other
intentional acts. However, based on our interviews, we believe
that vulnerability assessments submitted may emphasize
traditional, less consequential, and less costly threats, such
as vandalism or disgruntled employees. Therefore, vulnerability
assessments may not necessarily address terrorist scenarios or
the events of 9/11 that motivated passage of the Bioterrorism
Act.''
The Inspector General evaluation report dated September 11, 2003,
stated:
``EPA's Strategic Plan lacks fundamental components, such as
measurable performance results and information and analysis, to
ensure the greatest practicable reductions in risks to the
critical water sector infrastructure.''
If the vulnerability assessments are not addressing terrorist
scenarios, and if EPA cannot demonstrate the risk reduction and
security enhancements that have been achieved by water utilities, then
the public interest is not being served.
I also note that while Congress has provided the Administration
with the tools to assure and enhance security for water utilities,
airlines, ports, and nuclear facilities, nothing has been done for
chemical plants--one of our most vulnerable infrastructures that in the
event of a terrorist attack could result in catastrophic loss of life.
I urge the Committee to give this matter its full attention.
Mr. Gillmor. The gentleman yields back. The Chair will
recognize himself for some questions, after our witnesses
testify.
Mr. Grumbles.
STATEMENT OF BENJAMIN H. GRUMBLES, ACTING ASSISTANT
ADMINISTRATOR FOR WATER, U.S. ENVIRONMENTAL PROTECTION AGENCY
Mr. Grumbles. Thank you, Mr. Chairman, and Congresswoman
Solis, and members of the subcommittee. I am Ben Grumbles with
the office of water EPA. I am here to talk a little bit about
the progress we have made in the Bioterrorism Act of 2002, the
partnerships that have allowed progress to be made and also our
priorities and the challenges we face--and Mr. Chairman, I
would be remiss if I did not acknowledge, since I know
personally firsthand the role of this subcommittee and this
committee in crafting the bipartisan legislation, the
Bioterrorism Act of 2002 and moving forward with it.
And I can say that the administration is very proud of the
legislation and the success we have had to date in implementing
it.
I can also say--that while I will talk about some of the
statistics in terms of the vulnerability assessments and the
emergency response plans--that I agree full well with the
spirit and the tone of some of the statements that assessments
and plans by themselves do not make systems safer.
However, I can also say with confidence that--on the water
security front--we are smarter and safer as a country than we
were 3 years ago.
And a lot of that is due to the legislation and also, quite
frankly, the aggressive efforts of the EPA and the
administration to implement the legislation and to do things
outside of the legislation.
And perhaps most importantly, it has been the commitment
and the efforts of the utilities, the local officials, the
State drinking water agencies and others, some of the folks are
in the room behind me, to really move forward in terms of the
Bioterrorism Act.
Well, what I would like to do is to focus on a couple of
the aspects, Title IV of the Bioterrorism Act that you all were
instrumental in drafting and enacting and overseeing.
First of all, we have some excellent numbers to report on
the vulnerability assessments. The first number is 100 percent.
That is the number that reflects the compliance rate of the
large drinking water systems throughout the country. They have
all submitted their vulnerability assessments to EPA.
The other number I would like to mention is 98 percent.
That is the number of medium-sized community water systems that
have submitted their vulnerability assessments. 89 percent.
That is the number of emergency response plan certifications
that have been submitted by the medium-sized communities.
The last number is 88 percent, and that is the number of
small systems--those between 3,300 population and 50,000 in
population--that have submitted their vulnerability
assessments.
And, Mr. Chairman, what these numbers mean is that the
country is listening, the utilities throughout the country
using our guidance and following the law have submitted their
vulnerability assessments. There is a much greater awareness,
and they have also largely submitted all of their
certifications with respect to the emergency response plans. I
would also like to say that we have partnered with the domestic
preparedness office of the Department of Homeland Security to
offer workshops to train drinking water utilities on emergency
response planning.
What are some of the priorities and activities that we are
focusing on? One of them, which is critically important, is to
move beyond just the identifying risks, doing vulnerability
assessments and preparing emergency response plans. A high
priority of the agency is to provide the tools, the training,
the technical assistance to actually implement those plans.
That means taking measures of prevention, hardening facilities,
taking various steps to insure that the drinking water systems
throughout the country are truly safer and more secure.
I think it is critically important that water utilities
stay up to date on the threat information. The agency has been
providing threat information, our baseline threats documents or
guidance to utilities on preparing their vulnerability
assessments are actions that we take pride in and recognize can
help our partners do the important job they need to do.
I just want to mention a couple other items, Mr. Chairman,
that are significantly important. One of those is that the
Agency is working on implementation of Presidential Directive
9. It is the homeland security Presidential Directive number 9
that was issued in January 2004.
That is a comprehensive and ambitious directive to us to
improve and increase the monitoring and surveillance of the
Nation's drinking water systems. Monitoring is critically
important and we are putting a high priority on working with
our partners and our other members of the Federal family,
certainly the Department of Homeland Security to follow through
on the President's directive.
The other thing I wanted to mention is an excellent example
of the partnerships that are critically important to the
success of water security, and that is we are working with the
American Society of Civil Engineers to develop physical
security guidelines that utilities should consider in
designing, managing and operating their systems.
Mr. Chairman, there are over 2 million miles of pipe in the
country with respect to drinking water facilities. What that
tells all of us is that one of the priority areas in
implementing your legislation, our legislation, is to focus in
on the distribution systems, that is a primary focus, and we
will certainly continue to do that through our research plan,
through our actions and through coordinating our responses
under the Presidential directives.
The last thing I want to mention, Mr. Chairman, are of the
challenges and opportunities. Several of your colleagues have
mentioned some of the key issues, and I would like to reiterate
them.
One of the challenges is to recognize that the
vulnerability assessments should be living documents. The
visions, the great legislation of the 2002 Bioterrorism Act
essentially left it that those were one-time assessments. I
think what we have learned in our coordinations with other
partners with GAO, with the Inspector General, is that there
would be great value if those documents were living documents
and would be revisited and revised and updated and adapted,
modernized. So that is a very important thing to keep in mind.
The other one, the final one, Mr. Chairman, is the
vulnerability assessments themselves. We think it is very
important for you and your colleagues to keep in mind the
delicate balance of insuring the security of those assessments,
certainly as it relates to site specific information. Again,
what the Inspector General told us and what we very much
appreciate hearing--and what GAO and others tell us is that--
there can be value to aggregate data based in general on the
vulnerability assessments that can help shed information and
light on our research plans, our priorities. That is another
thing for the committee to keep in mind.
Mr. Chairman, I thank you and your colleagues for your
patience, and we look forward to answering any of your
questions.
[The prepared statement of Benjamin H. Grumbles follows:]
Prepared Statement of Benjamin H. Grumbles, Acting Assistant
Administrator for Water, U.S. Environmental Protection Agency
INTRODUCTION
Good afternoon Chairman Gillmor and Members of the Committee. I am
Benjamin H. Grumbles, Acting Assistant Administrator for Water at the
United States Environmental Protection Agency. I welcome this
opportunity to speak to you today about our progress to date in water
security, our vision for the future, and the challenges we face in
enhancing the security of the Nation's water infrastructure.
Promoting the security of the Nation's water infrastructure is one
of the most significant undertakings and responsibilities of the Agency
in a post-September 11 world. An attack, or even a credible threat of
an attack, on water infrastructure could seriously jeopardize the
public health and economic vitality of a community. As you know,
drinking water and wastewater utilities can be vulnerable to a variety
of attacks, including, for example, physical destruction of critical
water system components, release of hazardous chemicals, intrusion into
cyber systems, and intentional contamination of drinking water.
Over the past three years, EPA has worked diligently to support the
water sector in improving water security and the sector has taken their
charge seriously. Through Congressional authorization under the Public
Health Security and Bioterrorism Preparedness and Response Act of 2002
(the Bioterrorism Act), and through Presidential mandates under
Homeland Security Presidential Directives 7, 9 and 10, EPA has been
entrusted with important responsibilities for coordinating the
protection of the water sector.
We have good news to report on our progress to date. However, much
work remains to be done. Understanding one's vulnerability is only the
first step in what is a multi-step process to improving security. Many
water systems that have completed their vulnerability assessments are
now saying, ``we have identified our weaknesses, now what do we do?''
The next steps involve adopting security measures that both address
vulnerabilities and mitigate the consequences of an attack.
EPA's water security work has focused on helping utilities assess
their vulnerabilities and creating a baseline of security-related
information. Existing and future efforts include providing tools and
assistance that drinking water and wastewater systems need to address
vulnerabilities by identifying up-to-date security enhancements,
sharing information on threats and contaminants, and training on
emergency response.
Our goal is to provide the water sector and related emergency
response, law enforcement, and public health officials with the tools,
training, and information they need to prevent, prepare, and respond to
terrorist threats. EPA also needs to continue to provide programs that
forge critical links between the water sector and those who support or
could support the sector in detecting and responding to threats and
incidents, such as local law enforcement and public health departments.
Indeed partnerships are absolutely a key factor in our success. The
water sector includes approximately 54,000 community drinking water
systems and 16,000 publicly owned wastewater treatment works
nationwide. Reaching the entire water sector requires strong
partnerships among EPA, state water and homeland security officials,
and technical assistance providers. Our work also demands extensive
coordination and communication among federal agencies including the
Department of Homeland Security, the Department of Health and Human
Services, the Department of Defense and the intelligence community,
among others.
As a result of the partnerships we have developed and EPA's long-
standing relationship with the water sector, we have fulfilled the
requirements of the Bioterrorism Act of 2002 and made headway on
several other fronts, as well.
implementation of title iv b drinking water security and safety
Required Vulnerability Assessments and Emergency Response Plans
Under the Act, each community water system (CWS) providing drinking
water to more than 3,300 persons must conduct a vulnerability
assessment, certify its completion, and submit a copy of the assessment
to EPA according to a specified schedule. In addition, each system must
prepare or revise an emergency response plan that incorporates the
findings of the vulnerability assessments and certify to EPA within six
months of completing a vulnerability assessment that the system has
completed such a plan.
Using FY 2002 supplemental appropriation funds, EPA provided grants
to support the development of vulnerability assessments and emergency
response plans. EPA issued $51 million in direct grants to 399 of the
largest community water utilities that serve populations greater than
100,000 people. Working with training organizations and State drinking
water administrators, EPA provided $20 million in grants to provide
technical assistance to small and medium community water systems.
EPA has received all of the vulnerability assessments and emergency
response plan certifications from the Nation's largest community water
systems. To date, we have received vulnerability assessments from 98%
of the medium-sized community water systems that were due December 31,
2003, and 89% of their emergency response plan certifications. The
smallest community water systems covered by the Act were required to
submit their vulnerability assessments to us by June 30, 2004. We have
received over 7,000 vulnerability assessments from this group,
amounting to an 88% submission rate. What these numbers mean is that
water systems serving collectively over 230 million people have
completed vulnerability assessments: a remarkable achievement in so
short a time. Despite this success, EPA continues to work to ensure
that we receive all vulnerability assessments and emergency response
plan certifications so that all of the Nation's community water systems
serving more than 3,300 people reach the same critical milestone.
Of course, most of the credit should go to those who actually
prepared the vulnerability assessments and emergency response plans:
the water systems themselves. Without their commitment to enhancing
security for their consumers, we would not have seen such a high
response rate.
Information on Baseline Threats and Protection Protocols
The Bioterrorism Act also required EPA to develop and provide
baseline threat information to community water systems in order to aid
them in performing vulnerability assessments. EPA developed the
Baseline Threat Information for Vulnerability Assessments of Community
Water Systems (Baseline Threat Document) in consultation with many
stakeholders, including other federal agencies, state and local
governments, water industry associations, and technical experts. The
Baseline Threat Document provides utilities with information to (1)
undertake risk-based vulnerability assessments of their assets, (2)
analyze potential threats, and (3) consider the consequences of a
variety of modes of attack. The document, whose distribution is limited
largely to community water systems, lists vulnerability assessment
tools and other information resources to help water systems learn more
about the potential threats in their areas.
To further assist community water systems in completing their
vulnerability assessments and emergency response plans, in January
2003, EPA released a document titled, Instructions to Assist Community
Water Systems in Complying with the Public Health Security and
Bioterrorism Preparedness and Response Act of 2002. An addendum to the
instructions was released in October 2003. The instructions outline the
steps that water utilities should take to transmit their vulnerability
assessments and certifications to EPA. The instructions and a
supporting fact sheet also outline the six key elements and all
components of the system, as specified in the Act that must be
considered in the vulnerability assessment.
Besides the commitment of the utilities and Congressional support
for funding, we attribute the success in meeting the requirements of
the Act to several factors. First, to aid the development of
vulnerability assessments and emergency response plans, EPA supported
the creation of analytical tools, training, and technical assistance
for the range of sizes of drinking water systems. Vulnerability
assessment tools include the Risk Assessment Methodology for Water,
which has since been adapted for small and medium drinking water
utilities; the CD-ROM software Vulnerability Self-Assessment Tool for
drinking water and wastewater systems; and Security and Emergency
Management System for small drinking water systems.
Second, working with our many partners, EPA-sponsored training and
workshops in 2002 and 2003 which reached several thousand community
drinking water and wastewater utility officials, training providers,
and utility contractors. These efforts have trained drinking water and
waste water systems that serve most of the U.S. population.
To aid the development of emergency response plans, as required by
the Act, EPA developed guidance outlining the elements of a sound plan
followed by a toolbox entitled the Response Protocol Toolbox: Planning
and Responding to Contamination Threats to Drinking Water Systems,
which is designed to help utilities prepare for and respond to
intentional contamination threats and incidents.
Over the past year, EPA has partnered with DHS's Office of Domestic
Preparedness to offer a series of workshops to train drinking water
utilities on emergency response planning. A series of two-day workshops
feature a tabletop exercise of an intentional contamination event in a
public water supply. The goal of the exercise is to bring
representatives of the key response agencies (e.g., FBI, local and
state police, emergency responders, state regulatory agencies, state
and local health departments) together to apply the guidance provided
during the first day of training.
While EPA has worked to ensure that community water systems fulfill
their obligations under the Bioterrorism Act, the Agency has not
ignored wastewater systems or small community drinking water systems
(serving 3,300 and fewer), which are not subject to specific provisions
of the Bioterrorism Act requiring the completion of vulnerability
assessments and emergency response plans. EPA also has provided
guidance and training to these utilities on how to conduct
vulnerability assessments, prepare emergency response plans, and
address threats from terrorist attacks.
Research
The Act also places a premium on ensuring that research is carried
out to support security efforts. Section 1434 of the Act stipulates
that EPA shall work collaboratively to review methods to prevent,
detect, and respond to the intentional contamination of water systems,
including a review of equipment, early warning notification systems,
awareness programs, distribution systems, treatment technologies and
biomedical research. Section 1435 requires the review of methods by
which the water system and all its parts could be intentionally
disrupted or rendered ineffective or unsafe, including methods to
interrupt the physical infrastructure, the computer infrastructure, and
the treatment process.
To meet EPA's mandate under these sections, the Office of Water
partnered with the newly established National Homeland Security
Research Center in EPA's Office of Research and Development to draft
the Water Security Research and Technical Support Action Plan. The
Action Plan, released in March 2004, addresses each of the research
requirements under the Bioterrorism Act. It describes the research and
technologies needed to better address drinking water supply, water
treatment, finished water storage, and drinking water distribution
system vulnerabilities. It also addresses water security research needs
for wastewater treatment and collection infrastructure, which includes
sanitary and storm sewers or combined sanitary-storm sewer systems,
wastewater treatment, and treated wastewater discharges. EPA is
implementing activities described in the plan, which was vetted with
water stakeholders and reviewed by the National Academy of Science.
FULFILLING OUR GOAL: ACTIVITIES, PLANS AND CHALLENGES
As I mentioned earlier, our goal is to provide the water sector the
tools, training, and information they need to comprehensively address
water security. With utilities and our other partners, we are aiming to
minimize the opportunity for terrorist attack on drinking water or
wastewater systems by identifying and reducing potential risks and to
maximize our ability to detect and respond to terrorist attacks. Let me
give you some examples of the activities we have underway and
challenges we face to support this goal.
Identifying Risk
In addition to undertaking vulnerability assessments, it is vital
that water utilities stay up-to-date on threat information in order to
fully understand their potential risk. Funded in large part by EPA, the
Water Information Sharing and Analysis Center, known as the WaterISAC,
became operational in December 2002. It was developed to provide
drinking water and wastewater systems with a highly secure Web-based
environment for early warning of potential physical, contamination, and
cyber threats and for information about security. The 311 utilities
that currently subscribe to the WaterISAC provide drinking water to 60
percent of the U.S. population. Forty-five State drinking water primacy
agencies are members of the WaterISAC, which provides a mechanism to
reach the majority of small and medium drinking water systems. Key EPA
staff also have access.
Efforts are underway to expand membership in the WaterISAC and to
develop the ancillary Water Security Channel (WaterSC) that will allow
the WaterISAC to send e-mail alerts on security issues and share basic
security information directly with a much larger group of drinking
water and wastewater systems.
Recently, the Department of Homeland Security announced plans to
expand its secure, computer-based counter-terrorism network to the
critical infrastructures, working first with the water and electricity
sectors. The National Homeland Security Information Network (HSIN)
reaches state homeland security offices, emergency operations centers
around the country, and has a significant law enforcement
communications component. EPA is working with the appropriate
organizations to determine how the WaterISAC and HSIN can best serve
water sector utilities.
In addition, EPA works with the Department of Homeland Security and
the broader intelligence community to improve threat information
relevant to water utilities. This involves training intelligence
officers on the vulnerabilities of water utilities and providing secure
mechanisms, such as the WaterISAC, to communicate sensitive information
to the utilities.
Reducing Risk
Early warning mechanisms can significantly reduce the risk of
public health impacts and community service disruptions. Issued in
January 2004, Homeland Security Presidential Directive (HSPD 9)
outlines EPA's responsibilities to develop a robust, comprehensive
surveillance and monitoring program to provide early warning in the
event of a terrorist attack using biological, chemical, or radiological
contaminants. HSPD 9 also directs EPA to develop a nationwide
laboratory network to support the routine monitoring and response
requirements of the surveillance program.
EPA worked closely with water utilities, state officials and other
federal agencies, for example the Department of Health and Human
Services, the Department of Homeland Security and the Department of
Defense, to formulate the conceptual framework for building such a
surveillance and laboratory capability. Specific activities supporting
this analysis included: 1) development of a standardized field
screening and sampling kit; 2) identification of the highest priority
contaminant threats and the most vulnerable infrastructure points
through an inter-agency workgroup, 3) evaluation of new and emerging
detection technologies; and 4) collaboration with the Centers for
Disease Control and Prevention (CDC) to develop an alliance of drinking
water laboratories with CDC's Laboratory Response Network.
In recognition that a robust detection program is only one part of
an effective security strategy, EPA developed a variety of policies,
procedures, physical enhancements, and best practices that assist water
utilities in preventing attacks and protecting critical infrastructure
components. For example, EPA's Security Product Guides provide
information on a variety of products available to enhance physical
security (including monitoring equipment) and electronic or cyber
security. Several products will assist utilities in preventing or
delaying potential adversaries as well as detecting incidents. In
addition, EPA has worked with the American Society of Civil Engineers
to develop physical security guidelines that utilities should consider
in designing, managing, and operating their systems.
Implementing security enhancements can prove to be a challenge for
many water-sector utilities who also face competing demands for
replacement of aging infrastructure and making process improvements to
meet public health requirements. EPA and water-sector stakeholders need
to continue educating elected officials, water boards, rate-setting
entities, and consumers about the importance and need for security
enhancements at drinking water and wastewater utilities and the
multiple benefits that can be derived from these enhancements. EPA has
provided guidance on how the Drinking Water State Revolving Fund and
the Clean Water State Revolving Fund may be used to lend financial
support for such improvements.
Preparing to Respond
Due to the dispersed nature of water utilities B the Nation's
drinking water utilities have about 2 million miles of pipe B it is a
great challenge to protect against determined aggressors. Consequently,
it is critically important that water utilities be prepared to respond
effectively at any time. Building on workshops already given in FY 2003
and FY2004, EPA will continue to stress the importance of emergency
response planning, drills and exercises for water utilities and
associated emergency response, law enforcement and public health
officials.
Several Homeland Security Presidential Directives (HSPDs) issued
within the year also relate to emergency response. For example, HSPD 8
(December, 2003) establishes policies to strengthen the Nation's
preparedness to prevent and respond to threatened or actual domestic
terrorist attacks, major disasters, and other emergencies by
establishing mechanisms for improved delivery of federal preparedness
assistance to state and local governments. Also, HSPD 10: Biodefense
for the 21st Century (April, 2004), which is currently a classified
document, reaffirms EPA's responsibilities under HSPD 9 while adding a
clear directive on the Agency's responsibilities in decontamination
efforts. It provides direction to further strengthen the Biodefense
Program through threat awareness, prevention and protection,
surveillance and detection, and response and recovery.
CHALLENGES AND OPPORTUNITIES
While progress has been made toward securing drinking water and
wastewater utilities, a number of challenges and opportunities remain,
and EPA is taking steps to meet them both from national and local
perspectives .
EPA was designated as the Sector Specific Agency responsible for
infrastructure protection activities for the nation's drinking water
and wastewater systems under HSPD 7, entitled Critical Infrastructure
Identification, Prioritization, and Protection (December, 2003). As
such, EPA is responsible for: 1) identifying, prioritizing, and
coordinating infrastructure protection activities for the nation's
drinking water and wastewater treatment systems; 2) working with
federal departments and agencies, state and local governments, and the
private sector to facilitate vulnerability assessments; 3) encouraging
the development of risk management strategies to protect against and
mitigate the effects of potential attacks on critical resources; and 4)
developing mechanisms for information sharing and analysis. As I have
explained, work is underway to fulfill many of these responsibilities.
To portray a comprehensive picture of security activities for the
water sector, under HSPD 7, EPA is leading the development of a water
sector specific plan as part of the DHS-led National Infrastructure
Protection Plan production process.
In developing the plan, we identified some additional issues for
ensuring that water utilities implement effective security programs.
For example, updates of drinking water utilities' vulnerability
assessments and emergency response plans, or the implementation of
security enhancements identified by the vulnerability assessment, are
not required. The water sector recognizes the need for both
vulnerability assessments and emergency response plans to be living
documents, revised periodically to ensure their applicability.
Furthermore, sector representatives have expressed to the Agency the
need for clear expectations of what constitutes effective security
programs so that they can justify and obtain the resources needed to
improve security.
To address this challenge, the Agency asked the National Drinking
Water Advisory Council (NDWAC), a formal advisory committee to the
Agency, to consider establishing a Water Security Working Group to (1)
characterize effective voluntary utility security programs for drinking
water and wastewater utilities, (2) consider ways to provide
recognition and incentives that facilitate adoption of such programs,
and (3) recommend mechanisms to measure the extent of implementation.
The NDWAC agreed and the resultant Working Group is made up of sixteen
members chosen on the basis of experience, geographic location, and
their unique drinking water, wastewater, and/or security perspectives.
During the first meeting of the workgroup, it was clear that the
Working Group will consider the need for an iterative approach whereby
utilities periodically revisit both vulnerability assessments and
emergency response plans.
Another issue that we identified relates to EPA's ability to share
the information contained in or derived from vulnerability assessments
that are required by the Act to be submitted to the Agency by Community
Water Systems. Currently, consistent with the protective provisions of
the Bioterrorism Act, EPA must designate individuals before sharing
assessment information with them. Clearly, it is extremely important to
protect the site-specific vulnerability information contained in these
vulnerability assessments and the Agency guards this information
fiercely. Aggregated information on vulnerabilities of the sector,
however, could be helpful in identifying priorities for security
improvements and research. Both the Government Accountability Office
and EPA's Inspector General have pointed out the need for this
information to guide our efforts at the federal level.
CONCLUSION
EPA has developed a water security program that meets our critical
responsibilities as expressed in Homeland Security Presidential
Directive 7, which assigns to EPA a pivotal role in coordinating and
facilitating the protection of the Nation's drinking water and
wastewater systems. EPA has produced a broad array of tools and
assistance that the water sector is using to assess its vulnerabilities
and to develop emergency response plans. As a result of our efforts,
drinking water systems collectively serving over 230 million people
have submitted vulnerability assessments. We have worked effectively
with our partners within the sector and also reached out to build new
relationships with important partners beyond the sector to ensure that
water and wastewater utilities receive the information and support they
need to reduce risk and consequences of an attack.
Thank you for the opportunity to describe our accomplishments, new
mandates and program needs, challenges, and vision for the future of
water infrastructure security. Looking forward, we will continue to
work closely with Congress, our water sector partners, federal agencies
and various stakeholders to ensure that citizens across the country are
confident in the security of their water and wastewater utilities. I
will be happy to answer any questions you may have.
Mr. Gillmor. Thank you very much, Mr. Grumbles.
Mr. Stephenson.
STATEMENT OF JOHN B. STEPHENSON, DIRECTOR, NATURAL RESOURCES
AND ENVIRONMENT, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Stephenson. Thank you, Mr. Chairman, members of the
subcommittee.
Drinking water utilities have long been recognized as
potentially vulnerable to terrorist attacks of various types,
including physical disruption, bioterrorism, chemical
contamination and cyber attack. Terrorists could disrupt not
only the availability of safe drinking water, but also the
delivery of vital services that depend on these water supplies,
such as fire suppression. Such concerns were greatly amplified
by the September 11 attacks on the World Trade Center and the
Pentagon--and then by the discovery of training manuals in
Afghanistan, detailing how terrorist trainees could support
attacks on drinking water systems.
Congress, as you know, has committed over $140 million in
fiscal years 2002 through 2004 to help systems assess their
vulnerability to terrorist threats and to develop response
plans.
My testimony today is based on a report that we did last
year on how best to use these funds. To develop this report, we
examined the key security-related vulnerabilities affecting the
Nation's drinking water systems; how Federal funds could best
be used; and, specific activities that the Federal Government
should support to improve drinking water security.
To address these issue, we assembled a panel of 43
nationally recognized experts and in selecting these experts we
sought individuals who were widely recognized as possessing
expertise on one or more key aspects of drinking water
security. We also sought to achieve a balance in representation
from key Federal agencies, key State and local agencies,
industry and nonprofit organizations and water utilities of
various sizes. Here is what our experts said.
Nearly 75 percent of the experts identified the
distribution system as the most vulnerable of all system
components with source water supplies, critical information or
data systems and chemicals stored onsite as the next most
important vulnerability. A typical drinking water system with a
supply source water facility and distribution system--the
distribution system was cited as the greatest vulnerability
because it is easily accessible at so many points, such as a
fire hydrant or a standpipe within a building.
In fact, the water is post treatment, meaning that a
chemical, biological or radiological agent would be virtually
undetectable until it was too late to prevent harm.
The experts also identified a lack of redundancy in
biosystems and a lack of information on the most serious
threats as overarching vulnerabilities.
In responding to our questions about how Federal funds
could best be used, about 90 percent of our experts said that
allocation decisions should be based on the vulnerabilities
assessments prepared under Bioterrorism Act.
In addition, the experts gave the highest funding priority
to utilities serving high density populations followed closely
by utilities serving critical assets such as military bases or
other sensitive government utilities.
When asked to identify the most effective mechanisms for
distributing these Federal funds--over half the experts favored
direct Federal grants--but many favored a Federal requirement
for matching funds pass a grant condition.
Fewer experts recommended that using the drinking water
State resolving fund, cautioning that it would not be as
effective for making near-term security upgrades, and that it
might dilute the fund's original purpose of infrastructure
upgrade.
Finally, when we ask our experts to identify and set
priorities for security-enhancing activity, most deserving of
Federal support, their responses fell into three categories.
The first was physical, and physical improvements including the
development of real-time monitoring technologies, increasing
laboratory capacity and physical hardening.
The second was education and training to be provided to
both utility and nonutility personnel responsible for
preventing, responding to and recovering from an attack.
And three, strengthened operational relationships,
especially between water utilities and other agencies such as
public health, enforcement agencies, and neighborhood utilities
that may have a key role in emergency response.
In conclusion, we recommended that EPA consider the
information in this report as it determines how best to
allocate security-related Federal funds among drinking water
utilities, which method should be used to distribute the funds
and what specific activities should be supported. EPA agreed to
do so. As it moves forward with the drinking water security
program, we think it is doing so.
Mr. Chairman, that concludes the summary of my statement
and I will take questions.
[The prepared statement of John B. Stephenson follows:]
Prepared Statement of John B. Stephenson, Director, Natural resources
and Environment, U.S. Government Accountability Office
Mr. Chairman and Members of the Subcommittee: Drinking water
utilities across the country have long been recognized as potentially
vulnerable to terrorist attacks of various types, including physical
disruption, bioterrorism, chemical contamination, and cyber attack.
Damage or destruction by terrorists could disrupt not only the
availability of safe drinking water, but also the delivery of vital
services that depend on these water supplies, such as fire suppression.
Such concerns were greatly amplified by the September 11, 2001, attacks
on the World Trade Center and the Pentagon and then by the discovery of
training manuals in Afghanistan detailing how terrorist trainees could
support attacks on drinking water systems.
Congress has since committed significant federal funding to assist
drinking water utilities--with over $140 million appropriated from
fiscal year 2002 through fiscal year 2004--to help systems assess their
vulnerabilities to terrorist threats and develop response plans. As
significant as these funds are, drinking water utilities are asking the
federal government to support efforts that go beyond the planning for
upgrading drinking water security to the actual implementation of
security upgrades. Consequently, at the request of the Senate Committee
on Environment and Public Works, we examined (1) the key security-
related vulnerabilities affecting the nation's drinking water systems;
(2) the criteria that experts believe should be used to determine how
federal funds are allocated among recipients to improve their security,
and the methods that should be used to distribute these funds; and (3)
specific activities that experts believe the federal government should
support to improve drinking water security. My testimony is based on
our October 2003 report entitled, Drinking Water: Experts' Views on How
Future Federal Funding Can Best Be Spent to Improve Security.
To prepare our October 2003 report on these issues, we assembled a
panel of nationally recognized experts. In selecting members for the
expert panel, we sought individuals who were widely recognized as
possessing expertise on one or more key aspects of drinking water
security. We also sought to achieve balance in representation from key
federal agencies, key state or local agencies, key industry and
nonprofit organizations, and water utilities of varying sizes.
In summary:
Our expert panel identified several key physical assets as the most
seriously vulnerable to terrorist attacks. Nearly 75 percent of
the experts (32 of 43) identified one or more components of the
distribution system. In fact, more experts identified the
distribution system as the single most important vulnerability
(12 of 43) of all system components. The other physical assets
most frequently cited were source water supplies, critical
information systems, and chemicals that are stored on site for
use in the treatment process. Importantly, the experts also
identified overarching vulnerability issues that may involve
multiple system components, or even an entire drinking water
system. Chief among these issues were (1) a lack of redundancy
in vital systems, which increases the likelihood that an attack
could render a system inoperable; and (2) the difficulty many
systems face due to a lack of information on the most serious
threats to which they are exposed. In general, the panelists'
observations were similar to those of major public and private
organizations that have assessed the vulnerability of these
systems to terrorist attacks, including the National Academy of
Sciences, Sandia National Laboratories, and key industry
associations.
About 90 percent of the experts agreed ``strongly'' or ``somewhat''
that allocation decisions should be based on assessments of
drinking water utilities' vulnerabilities, which the utilities
are required to prepare by the Public Health Security and
Bioterrorism Preparedness and Response Act of 2002. In
addition, the experts favored funding priority for utilities
serving high-density populations, with over 90 percent
indicating that they deserve at least a ``high'' priority and
over 50 percent indicating they deserve ``highest'' priority.
Utilities serving critical assets (such as military bases and
other sensitive government facilities, national icons, and key
cultural or academic institutions) were also recommended as
high-priority recipients. When asked to identify the most
effective mechanisms for distributing these federal funds to
recipients, over half the experts indicated that direct federal
grants would be ``very effective'' in doing so. Many also
favored including a requirement for matching funds as a grant
condition. Fewer experts recommended using the Drinking Water
State Revolving Fund (DWSRF) for this purpose, particularly to
support upgrades that need to be implemented quickly.
When asked to identify and set priorities for security-enhancing
activities most deserving of federal support, the experts most
frequently identified activities that fell into three broad
categories:
Physical and technological improvements--needed for both physical
alterations to improve the security of drinking water
systems, and for the development of technologies to
prevent, detect, or respond to an attack. The need to
develop near real-time monitoring technologies, which would
be particularly useful in quickly detecting contaminants in
water that has already left the treatment plant for the
consumer, had by far the strongest support.
Education and training--to be provided to both utility and
nonutility personnel responsible for preventing, responding
to, and recovering from an attack. These activities
include, among other things, support for simulation
exercises to provide responders with experience in carrying
out utilities' emergency response plans; specialized
training of utility personnel responsible for security;
general training of utility personnel to augment security
awareness among all staff; and multidisciplinary consulting
teams to independently analyze utilities' security
preparedness and recommend security-related improvements.
Strengthened operational relationships--especially between water
utilities and other agencies (public health agencies,
enforcement agencies, and neighboring utilities, among
others) that may have key roles in an emergency response.
This category also includes developing common protocols to
engender a consistent approach among utilities in detecting
and diagnosing threats, and the testing of local emergency
response systems to ensure that participating agencies
coordinate their actions effectively.
BACKGROUND
Drinking water systems vary by size and other factors, but as
illustrated in figure 1, they most typically include a supply source,
treatment facility, and distribution system. A water system's supply
source may be a reservoir, aquifer, or well, or a combination of these
sources. Some systems may also include a dam to help maintain a stable
water level, and aqueducts and transmission pipelines to deliver the
water to a distant treatment plant. The treatment process generally
uses filtration, sedimentation, and other processes to remove
impurities and harmful agents, and disinfection processes such as
chlorination to eliminate biological contaminants. Chemicals used in
these processes, most notably chlorine, are often stored on site at the
treatment plant. Distribution systems comprise water towers, piping
grids, pumps, and other components to deliver treated water from
treatment systems to consumers. Particularly among larger utilities,
distribution systems may contain thousands of miles of pipes and
numerous access points.
Nationwide, there are more than 160,000 public water systems that
individually serve from as few as 25 people to 1 million people or
more. As figure 2 illustrates, nearly 133,000 of these water systems
serve 500 or fewer people. Only 466 systems serve more than 100,000
people each, but these systems, located primarily in urban areas,
account for early half of the total population served.
Until the 1990s, emergency planning at drinking water utilities
generally focused on responding to natural disasters and, in some
cases, domestic threats such as vandalism. In the 1990s, however, both
government and industry officials broadened the process to account for
terrorist threats. Among the most significant actions taken was the
issuance in 1998 of Presidential Decision Directive 63 to protect the
nation's critical infrastructure against criminal and terrorist
attacks. The directive designated the Environmental Protection Agency
(EPA) as the lead federal agency to address the water infrastructure
and to work with both public and private organizations to develop
emergency preparedness strategies. EPA, in turn, appointed the
Association of Metropolitan Water Agencies to coordinate the water
industry's role in emergency preparedness. During this time, this
public-private partnership focused primarily on cyber security threats
for the several hundred community water systems that each served over
100,000 persons. The partnership was broadened in 2001 to include both
the drinking water and wastewater sectors, and focused on systems
serving more than 3,300 people.
Efforts to better protect drinking water infrastructure were
accelerated dramatically after the September 11 attacks. EPA and the
drinking water industry launched efforts to share information on
terrorist threats and response strategies. They also undertook
initiatives to develop guidance and training programs to assist
utilities in identifying their systems' vulnerabilities. As a major
step in this regard, EPA supported the development, by American Water
Works Association Research Foundation and Sandia National Laboratories,
of a vulnerability assessment methodology for larger drinking water
utilities. The push for vulnerability assessments was then augmented by
the Public Health Security and Bioterrorism Preparedness and Response
Act of 2002 (Bioterrorism Act). Among other things, the act required
each community water system serving more than 3,300 individuals to
conduct a detailed vulnerability assessment by specified dates in 2003
or 2004, depending on their size.
Since we issued our report in October, several Homeland Security
Presidential Directives (HSPDs) were issued that denote new
responsibilities for EPA and the water sector. HSPD 7 designates EPA as
the water sector's agency specifically responsible for infrastructure
protection activities, including developing a specific water sector
plan for the National Infrastructure Protection Plan that the
Department of Homeland Security must produce. HSPD 9 directs EPA to
develop a surveillance and monitoring program to provide early warning
in the event of a terrorist attack using diseases, pests, or poisonous
agents. EPA is also charged, under HSPD 9, with developing a nationwide
laboratory network to support the routine monitoring and response
requirements of the surveillance program. HSPD 10 assigns additional
responsibilities to EPA for decontamination efforts.
To obtain information for our analysis, we conducted a three-phase,
Web-based survey of 43 experts on drinking water security. In
identifying these experts, we sought to achieve balance in terms of
area of expertise (i.e., state and local emergency response,
engineering, epidemiology, public policy, security and defense,
drinking water treatment, risk assessment and modeling, law
enforcement, water infrastructure, resource economics, bioterrorism,
public health, and emergency and crisis management). In addition, we
attempted to achieve participation by experts from key federal
organizations, state and local agencies, industry and nonprofit
organizations, and water utilities serving populations of varying
sizes. To obtain information from the expert panel, we employed a
modified version of the Delphi method. The Delphi method is a
systematic process for obtaining individuals' views and seeking
consensus among them, if possible, on a question or problem of
interest. Since first developed by the RAND Corporation in the 1950s,
the Delphi method has generally been implemented using face-to-face
group discussions. For this study, however, we administered the method
through the Internet. We conducted our work in accordance with
generally accepted government auditing standards between July 2002 and
August 2003.
Experts Identified Key Vulnerabilities That Could Compromise Drinking
Water Systems' Security
Our panel of experts identified several key physical assets of
drinking water systems as the most vulnerable to intentional attack. In
general, their observations were similar to those of public and private
organizations that have assessed the vulnerability of these systems to
terrorist attacks, including the National Academy of Sciences, Sandia
National Laboratories, and key industry associations. In particular, as
shown in figure 3, nearly 75 percent of the experts (32 of 43)
identified the distribution system or its components as among the top
vulnerabilities of drinking water systems. Experts also identified
overarching issues compromising how well these assets are protected.
Chief among these issues are (1) a lack of redundancy in vital systems,
which increases the likelihood that an attack could render a system
inoperable; and (2) the difficulty many systems face in understanding
the nature of the threats to which they are exposed.
I would first like to discuss the distribution system, since it was
cited most frequently as a key vulnerability by our panelists. The
distribution system delivers drinking water primarily through a network
of underground pipes to homes, businesses, and other customers. While
the distribution systems of small drinking water utilities may be
relatively simple, larger systems serving major metropolitan areas can
be extremely complex. One such system, for example, measures water use
through 670,000 metered service connections, and distributes treated
water through nearly 7,100 miles of water mains that range from 2
inches to 10 feet in diameter. In addition to these pipelines and
connections, other key distribution system components typically include
numerous pumping stations, treated water storage tanks, and fire
hydrants.
In highlighting the vulnerability of distribution systems, our
panelists most often cited their accessibility at so many points. One
expert, for example, cited the difficulty in preventing the
introduction of a contaminant into the distribution system from inside
a building ``regardless of how much time, money, or effort we spend
protecting public facilities.'' Experts also noted that since the water
in the distribution system has already been treated and is on the way
to the consumer, the distribution of a chemical, biological, or
radiological agent in such a manner would be virtually undetectable
until it was too late to prevent harm. While research on the fate and
transport of contaminants within water treatment plants and
distribution systems is under way, according to one expert, limited
technologies are readily available that can detect a wide range of
contaminants once treated water is released through the distribution
system for public use.
Several other components, though not considered as critical as the
distribution system, were still the subject of concern. Nearly half the
experts (20 of 43) identified source water as among drinking water
systems' top vulnerabilities. One expert noted, for example, that
``because of the vast areas covered by watersheds and reservoirs, it is
difficult to maintain security and prevent intentional or accidental
releases of materials that could have an adverse impact on water
quality.'' Yet some experts cited factors that mitigate the risks
associated with source water, including (1) the source water typically
involves a large volume of water, which in many cases could dilute the
potency of contaminants; (2) the length of time (days or even weeks)
that it typically takes for source water to reach consumers; and (3)
the source water will go through a treatment process in which many
contaminants are removed.
Also cited as vulnerabilities were the sophisticated computer
systems that drinking water utilities have come to rely upon to manage
key functions. These Supervisory Control and Data Acquisition (SCADA)
systems allow operators to monitor and control processes throughout
their drinking water systems. Although SCADA systems have improved
water utilities' efficiency and reduced costs, almost half of the
experts on our panel (19 of 43) identified them as among these
utilities' top vulnerabilities.
Thirteen of the 43 experts identified treatment chemicals,
particularly chlorine used for disinfection, as among utilities' top
vulnerabilities. Experts cited the inherent danger of storing large
cylinders of a chemical on site, noting that their destruction could
release toxic gases in densely populated areas. Some noted, however,
that this risk has been alleviated by utilities that have chosen to use
the more stable liquid form of chlorine instead of the more vulnerable
compressed gas canisters that have traditionally been used.
Finally, experts identified overarching issues that compromise the
integrity of multiple physical assets, or even the entire drinking
water system. Among these is the lack of redundancy among vital
systems. Many drinking water systems are ``linear''--that is, they have
single transmission lines leading into the treatment facility and
single pumping stations along the system, and often use a single
computer operating system. They also depend on the electric grid,
transportation systems, and single sources of raw materials (e.g.,
treatment chemicals). Many experts expressed concern that problems at
any of these ``single points of failure'' could render a system
inoperable unless redundant systems are in place. Experts also cited
the lack of sufficient information to understand the most significant
threats confronting individual utilities. According to the American
Water Works Association, assessments of the most credible threats
facing a utility should be based on knowledge of the ``threat profile''
in its specific area, including information about past events that
could shed light on future risks. Experts noted, however, that such
information has been difficult for utilities to obtain. One expert
suggested that the intelligence community needs to develop better
threat information and share it with the water sector.
Experts' Views on the Allocation and Distribution of Federal Funds
Many drinking water utilities have been financing at least some of
their security upgrades by passing along the costs to their customers
through rate increases. Given the cost of these upgrades, however, the
utility industry is also asking that the taxpayer shoulder some of the
burden through the appropriations process. Should Congress and the
administration agree to this request, they will need to address key
issues concerning who should receive the funds and how they should be
distributed. With this in mind, we asked our panel of experts to focus
on the following key questions: (1) To what extent should utilities'
vulnerability and risk assessment information be considered in making
allocation decisions? (2) What types of utilities should receive
funding priority? and (3) What are the most effective mechanisms for
directing these funds to recipients?
Regarding the first of these questions, about 90 percent of the
experts (39 of 43) agreed ``strongly'' or ``somewhat'' that funds
should be allocated on the basis of vulnerability assessment
information, with some citing the vulnerability assessments (VAs)
required by the Bioterrorism Act as the best available source of this
information. Several experts, however, pointed to a number of
complicating factors. Perhaps the most significant constraint is the
Bioterrorism Act's provision precluding the disclosure of any
information that is ``derived'' from vulnerability assessments
submitted to EPA. The provision protects sensitive information about
each utility's vulnerabilities from individuals who may then use the
information to harm the utility. Hence, the law specifies that only
individuals designated by the EPA Administrator may have access to the
assessments and related information. Yet, according to many of the
experts, even those individuals may face constraints in using the
information. They may have difficulty, for example, in citing
vulnerability assessments to support decisions on allocating security-
related funds among utilities, as well as decisions concerning research
priorities and guidance documents. Others cited an inherent dilemma
affecting any effort to set priorities for funding decisions based on
the greatest risk--whatever does not receive attention becomes a more
likely target.
Regarding the second question concerning the types of utilities
that should receive funding priority, 93 percent of the experts (40 of
43) indicated that utilities serving high-density population areas
should receive a high or the highest priority in funding (See figure
4.). Fifty-five percent deemed this criterion as the highest priority.
Most shared the view of one expert who noted that directing limited
resources to protect the greatest number of people is a common factor
when setting funding priorities. Experts also assigned high priority to
utilities serving critical assets, such as national icons representing
the American image, military bases, and key government, academic, and
cultural institutions.
At the other end of the spectrum, only about 5 percent of the
experts (2 of 43) stated that utilities serving rural or isolated
populations should receive a high or highest priority for federal
funding. These two panelists commented that such facilities are least
able to afford security enhancements and are therefore in greatest need
of federal support. Importantly, the relatively small percentage of
experts advocating priority for smaller systems may not fully reflect
the concern among many of the experts for the safety of these
utilities. For example, several who supported higher priority for
utilities serving high-density populations cautioned that while
problems at a large utility will put more people at risk, utilities
serving small population areas may be more vulnerable because of weaker
treatment capabilities, fewer highly trained operators, and more
limited resources.
Regarding the mechanisms for distributing federal funds, 86 percent
of the experts (37 of 43) indicated that direct grants would be
``somewhat'' or ``very'' effective in allocating federal funds (See
figure 5.) One expert cited EPA's distribution of direct security-
related grant funds in 2002 to larger systems to perform their VAs as a
successful initiative. Importantly, 74 percent also supported a
matching requirement for such grants as somewhat or very effective. One
expert pointed out that such a requirement would effectively leverage
limited federal dollars, thereby providing greater incentive to
participate.
The Drinking Water State Revolving Fund (DWSRF) received somewhat
less support as a mechanism for funding security enhancements. About
half of the experts (22 of 43) indicated that the fund would be
somewhat or very effective in distributing federal funds, but less than
10 percent indicated that it would be very effective.1 One
expert cautioned that the DWSRF should be used only if a process were
established that separated funding for security-related needs from
other infrastructure needs. Others stated that as a funding mechanism,
the DWSRF would not be as practical as other mechanisms for funding
improvements requiring immediate attention, but would instead be better
suited for longer-term improvements.
---------------------------------------------------------------------------
\1\ The DWSRF program provides federal grant funds to states, which
in turn allow the states to help public water systems in their efforts
to protect public health and ensure their compliance with the Safe
Drinking Water Act. States may use the funds to provide loans to public
water systems, and may reserve a portion of their grants to finance
other projects that protect sources of drinking water and enhance the
technical, financial, and managerial capacity of public water systems.
---------------------------------------------------------------------------
Activities Experts Identified as the Most Deserving of Federal Support
When experts were asked to identify specific security-enhancing
activities most deserving of federal support, their responses generally
fell into three categories: (1) physical and technological upgrades to
improve security and research to develop technologies to prevent,
detect, or respond to an attack, (2) education and training to support,
among other things, simulation exercises to provide responders with
experience in carrying out emergency response plans, and specialized
training of utility security staff; and (3) strengthening key
relationships between water utilities and other agencies that may have
key roles in an emergency response, such as public health agencies, law
enforcement agencies, and neighboring drinking water systems.
As illustrated in figure 6, specific activities to enhance physical
security and support technological improvements generally fell into
nine subcategories. Of these, the development of ``near real-time
monitoring technologies,'' capable of providing near real-time data for
a wide array of potentially harmful water constituents, received far
more support for federal funding than any other subcategory--over 93
percent of the experts (40 of 43) rated this subcategory as deserving
at least a high priority for federal funding. More significantly,
almost 70 percent (30 of 43) rated it the highest priority--far
surpassing the rating of any other category. These technologies were
cited as critical in efforts to quickly detect contamination events,
minimize their impact, and restore systems after an event has passed.
The experts' views were consistent with those of the National Academies
of Science, which in a 2002 report highlighted the need for improved
monitoring technologies as one of four highest-priority areas for
drinking water research and development.2 The report noted
that such technologies differ significantly from those currently used
for conventional water quality monitoring, stating further that sensors
are needed for ``better, cheaper, and faster sensing of chemical and
biological contaminants.''
---------------------------------------------------------------------------
\2\ Making the Nation Safer: The Role of Science and Technology in
Countering Terrorism, p. 250. The National Research Council of the
National Academies. (Washington, D.C.: The National Academies Press,
2002).
---------------------------------------------------------------------------
In addition to real-time monitoring technologies, the experts
voiced strong support for (1) increasing laboratories' capacity to deal
with spikes in demand caused by chemical, biological, or radiological
contamination of water supplies, and (2) ``hardening'' the physical
assets of drinking water facilities through improvements such as adding
or repairing fences, locks, lighting systems, and cameras and other
surveillance equipment. Regarding the latter of these two, however,
some experts cited inherent limitations in attempting to
comprehensively harden a drinking water facility's assets. In
particular, they noted in particular that, unlike nuclear power or
chemical plants, a drinking water system's assets are spread over large
geographic areas, particularly the source water and distribution
systems.
Regarding efforts to improve education and training, over 90
percent of the experts (39 of 43) indicated that improved technical
training for security-related personnel warrants at least a high
priority for federal funding. (See figure 7.) Over 55 percent (24 of
43) indicating that it deserved the highest priority. To a lesser
extent, experts supported general training for other utility personnel
to increase their awareness of security issues. The panelists also
underscored the importance of conducting regional simulation exercises
to test emergency response plans, with more than 88 percent (38 of 43)
rating this as a high or highest priority for federal funding. Such
exercises are intended to provide utility and other personnel with the
training and experience needed both to perform their individual roles
in an emergency and to coordinate these roles with other responders.
Finally, about half the experts assigned at least a high priority to
supporting multidisciplinary consulting teams (``Red Teams''),
comprising individuals with a wide array of backgrounds, to provide
independent analyses of utilities' vulnerabilities.
As illustrated in figure 8, experts also cited the need to improve
cooperation and coordination between drinking water utilities and
certain other organizations as key to improving utilities' security.
Among the organizations most often identified as critical to this
effort are public health and law enforcement agencies, which have data
that can help utilities better understand their vulnerabilities and
respond to emergencies. In addition, the experts cited the value of
utilities' developing mutual aid arrangements with neighboring
utilities. Such arrangements sometimes include, for example, sharing
back-up power systems or other critical equipment. One expert described
an arrangement in the San Francisco Bay Area--the Bay Area Security
Information Collaborative (BASIC)--in which eight utilities meet
regularly to address security-related topics. Finally, over 90 percent
of the experts (39 of 43) rated the development of common protocols
among drinking water utilities to monitor drinking water threats as
warranting a high or highest priority for federal funding. Drinking
water utilities vary widely in how they perceive threats and detect
contamination, in large part because few common protocols exist that
would help promote a more consistent approach toward these critical
functions. Some experts noted, in particular, the need for protocols to
guide the identification, sampling, and analysis of contaminants.
Observations
In 2002, EPA's Strategic Plan on Homeland Security set forth the
goal of significantly reducing unacceptable security risks at water
utilities across the country by completing appropriate vulnerability
assessments; designing security enhancement plans; developing emergency
response plans; and implementing security enhancements. The plan
further committed to providing federal resources to help accomplish
these goals as funds are appropriated.
Key judgments about which recipients should get funding priority,
and how those funds should be spent, will have to be made in the face
of great uncertainty about the likely targets of attacks, the nature of
attacks (whether physical, cyber, chemical, biological, or
radiological), and the timing of attacks. The experts on our panel have
had to consider these uncertainties in developing their own judgments
about these issues. These judgments, while not unanimous on all
matters, suggested a high degree of consensus on a number of key
issues.
We recognize that such sensitive decisions must ultimately take
into account political, equity, and other considerations. But we
believe they should also consider the judgments of the nation's most
experienced individuals regarding these matters, such as those included
on our panel. It is in this context that we offer the results presented
in this testimony as information for Congress and the administration to
consider as they seek the best way to use limited financial resources
to reduce threats to the nation's drinking water supply.
Mr. Chairman, this completes my prepared statement. I would be
happy to respond to any questions you or other Members of this
Subcommittee may have.
[GRAPHIC] [TIFF OMITTED] T6103.029
[GRAPHIC] [TIFF OMITTED] T6103.030
[GRAPHIC] [TIFF OMITTED] T6103.031
[GRAPHIC] [TIFF OMITTED] T6103.032
Mr. Gillmor. Thank you very much, Mr. Stephenson.
The Chair will recognize himself for some questions.
First question to Mr. Grumbles, or you could jump in, too,
if you wanted, Mr. Stephenson, is could you give us some kind
of indication as the amount of poison or contaminant it would
take to have widespread impact on a system? I think there is,
you know, the movie version where you get some bad guy with a
vial, he dumps it in a reservoir and he poisons a city. Other
people have said to really cause any widespread harm you would
have to be dumping contaminants equal to several tanks, trucks
full.
Could you just give us some kind of ballpark indication of
how much contaminant it would take to poison a system?
Mr. Stephenson. Well, I will make a comment before Ben
does. But that is, in fact, why the distribution system was
cited as the greatest vulnerability. Source water, such as a
reservoir, is pretreatment, and is not a very effective way to
contaminate drinking water.
However, when is the last time you saw a truck backed up to
a fire hydrant and assumed he was taking water out of the
system? He could just as easily be putting a contaminant into
the system. Since it is post treatment, it goes directly to the
homes or businesses from there. And that is why I think our
experts cited that as a very high vulnerability.
Mr. Grumbles. Mr. Chairman, I think the question you asked
is on the minds of a lot of people, and the simple basic answer
is that it truly does depend--it depends on the contaminant and
the situation. So there is--no real short answer to that. It
just largely varies, based on the contaminant involved and the
nature of placing the contaminant within the system.
Mr. Gillmor. To follow up on that, during the hearing in
the House Science Committee in 2001--and I think actually you
were working on the staff there at the time--EPA was working on
a state of knowledge report with DOD, Centers for Disease
Control, FBI, Food and Drug Administration, the Office of
Homeland Security, to compile and assess known information
about biological, chemical and radiological contaminants, as
well as a detection technology.
Could you tell us what the status is of that working group,
and is EPA still working to find out about new contaminants?
Mr. Grumbles. Yes, sir. Based on the findings of an
interagency work group that we convened to address the state of
the knowledge--this is the report that you referenced--we
include recommendations on vulnerabilities of water systems
that should be considered, along with the potential mitigation
actions in our baseline threat document.
Our baseline threat document is a critically important
document that we provided to utilities back in 2002, to help
assist them in vulnerability assessments and to prepare an
emergency response plan. So what we are currently doing is
undertaking analyses to fill in gaps in the knowledge and
working with other agencies as well to do so.
Developing analytical methods for some contaminants, for
determining the effectiveness of disinfection practices for
particular contaminants. That is some of the examples of the
things we are doing. So I appreciate the chance to talk a
little bit about that state of the knowledge report and how we
have been following up.
Mr. Gillmor. So basically, you have been disseminating some
of that information through the assessment process; is that
correct?
Mr. Grumbles. That is correct, providing it to the
utilities to help inform them. I guess it is important to
clarify as well. We need to provide the information to
utilities as they were tasked with developing their
vulnerability assessments. We did indeed flag concerns about
terrorism.
It wasn't just the pre9/11 world, it was post 9/11. So it
was very important to clarify. We included that information in
terms of the baseline threat document.
But the state of the knowledge report also fed into that
effort to provide guidance.
Mr. Gillmor. A quick question for Mr. Stephenson.
Recognizing that rural water systems are at least able to
afford security enhancements, but also recognizing that even in
your study, your experts suggested that utilities serving high-
density populations should receive the highest priority in
funding.
Do you have any suggestions as to how we ought to allocate
Federal funding and in that respect, did your study have a
significant amount of experts representing rural communities?
Mr. Stephenson. I believe we had a member of the Rural
Water Association on it. But obviously the high density
populations--the 466 large systems that serve over 50 percent
of the population always came up as a higher priority--even
though we tried to get balanced representation across our 43
experts. As you know, the Bioterrorism Act addresses systems
bigger than 3,300 but even at that suggests that EPA provides
guidance to the smaller utilities, and I believe there are over
160,000 facilities that serve less than 500. So it becomes
economies of scale, I guess as to how you could best provide
funding for those small public systems.
Mr. Grumbles. Mr. Chairman, I would just like to add that
while the priorities--and the focuses and the timeframes in the
Bioterrorism Act focused on the larger systems--we have not
lost sight of the fact that thousands and thousands of smaller
systems in the country should be doing their part as well. EPA
has provided--over the last several years--about 25 percent of
its budget for the water security efforts to the small systems,
$36 million for training and technical assistance and working
with small systems through workshops and indirect assistance
with rural water circuit riders.
Mr. Gillmor. Thank you.
The gentlelady from California.
Ms. Solis. Thank you, Mr. Chairman. This is for Mr.
Grumbles from EPA. The Inspector General suggested that the EPA
needs to analyze the quality of the vulnerability assessments
submitted by large utilities to determine whether they
adequately address the threats envisioned by the Bioterrorism
Act. Has the EPA analyzed the quality of all the vulnerability
assessments of the 350 largest systems that served over 116
million Americans?
Mr. Grumbles. Congresswoman, I really appreciate the
question. In my conversations with the Inspector General and in
taking to heart recommendations she has, sometimes we don't
always agree with them, but they are always helpful to see
where the Inspector General might have information.
On this particular issue, what we agreed to do was to
convene a prestigious subgroup of the National Drinking Water
Advisory Council, the Water Security Working Group, and we have
specifically tasked them with developing measures to gauge
``the quality or the effectiveness of the plans.''
Ms. Solis. How many have been analyzed? Do you have a
number?
Mr. Grumbles. How many have been?
Ms. Solis. Of the largest 350 that have actually been
analyzed by EPA?
Mr. Grumbles. Well, we have received all of the
vulnerability assessments.
Ms. Solis. Right. But that doesn't mean that you have
analyzed them. Are they?
Mr. Grumbles. Well, we follow the--a couple of points.
First of all, we have very specific framework for reviewing the
quality of the vulnerability assessments as laid out in the
statute. Our job and interpretation of the statute has been
that EPA reviews them to insure compliance with the basic
requirements, provisions of the law--as is the intent of
Congress--and so we have reviewed all of the vulnerability
assessments on the quality component.
What we have specifically asked is to get this independent
group that includes experts from various sectors, governmental,
nongovernmental to look at that issue and to develop measures
for effectiveness to help address that question of what is the
quality of the vulnerability assessments.
Ms. Solis. So that can vary depending on whatever report
you can get from one of these 350 large systems? I mean, this
is very--this is somewhat, very subjective.
Mr. Grumbles. Well, a couple of things again. I think that
one of the things that, the Drinking Water Advisory Council,
their water security working group, is not specifically
reviewing each of the vulnerability assessments themselves,
that is an important point. And the way the law is currently
written, I don't think that would be legal, unless we----
Ms. Solis. Why would that not be legal?
Mr. Grumbles. Unless we designated each and every one of
those.
Ms. Solis. I guess what I am trying to understand, if you
have 350 large systems that you are supposed to be collecting
data for, and you want to try to get some standard or criteria,
if they are all needing--or what we have set out that they
should need, and you have an expert group looking at that, it
doesn't really give me a sense that we have some uniformity
here. I mean, it could vary. You could get different feedback
from different parts of the----
Mr. Grumbles. I don't think we have, there is--not a real
disagreement here. I think I need to communicate more clearly.
We recognize that it is important not to have just a
subjective--I mean, basically what the Inspector General was
getting at, I believe, was what is the overall quality of these
vulnerability assessments?
Ms. Solis. But they have questioned that. They have
questioned your measurement of that.
Mr. Grumbles. Right. And we working with them said, you
know, it would be good to get some helpful criteria to define
what is an effective security program. And that specifically is
what the Drinking Water Advisory Council is tasked to come up
with to help shed some light to share and share with us what
that is.
So I think----
Ms. Solis. My understanding is that you do have clear
authority to do assessments for each of these vulnerability
assessment studies. That is my understanding. You have just
said something different earlier.
Mr. Grumbles. No. We do specifically review each of the
vulnerability assessments.
Ms. Solis. But you haven't. You haven't done all of them?
Mr. Grumbles. No. We have. We have them all. We have
received them all within the agency.
Ms. Solis. Right. And they have all been analyzed and
assessed by the EPA.
Mr. Grumbles. My staff is informing me that the large ones,
the 400-plus vulnerability assessments that we have received,
we have reviewed.
Ms. Solis. Can I have that? I would like to have that in
writing----
Mr. Grumbles. Sure.
Ms. Solis. [continuing] for this committee. And if you can
guarantee that as well.
My time is almost up. I just have a question with respect
to when, say, a water facility submits their plan and after you
find that there might be some questions or issues about their
plan with respect to--I don't want to say terrorism--but, say,
maybe disgruntled employees that may disrupt the facility. How
do you separate that out from looking at plants for addressing
terrorism?
Mr. Grumbles. Let me make sure I understand. Separating
vandalism from terrorism?
Ms. Solis. My understanding is that there has been a lot of
reporting of that in these plans, and there hasn't been enough?
Mr. Grumbles. In the emergency response plans or
vulnerability assessment?
Ms. Solis. Vulnerability assessment.
Mr. Grumbles. Am I allowed to talk about--you know, I would
welcome the opportunity to talk with you on--to the extent I
can, the specifics of the vulnerability assessments, but, I
think, not in a public forum.
Ms. Solis. Okay.
Mr. Grumbles. I would like to emphasize, and clarify what I
have said with respect to the Inspector General, we have worked
with the Inspector General, designated several of their people
to actually look at and review the vulnerability assessments.
And so if I, if that was not clear, I wanted to make sure that
that was clear.
Mr. Gillmor. I will come back, I guess, to that question.
Mr. Grumbles. And that was after, after they gave us the
report, we said we will designate you and you can review,
actually review the vulnerability assessments. So. I think we
are working with them--and we want to particularly also get the
working group from the National Drinking Water Advisory Council
to have some objective criteria as to what is a successful
program.
Ms. Solis. I guess in the report that I am seeing right in
front of me, right now, you believe that you can analyze
information in vulnerability assessments because this would
violate the Public Health Security Safety and Bioterrorism
Preparedness and Response Act. That was your response. However,
the council says that EPA does, in fact, have the authority as
well as the responsibility to collect and analyze necessary
information on these sources. That is what the inspector
general said.
Mr. Grumbles. And I believe that we, through Congress'
leadership in appropriating funds for grants for vulnerability
assessments--it is also our responsibility to ensure that the
purposes of the grant are carried out; and so the basic
requirements that are in those statutes about vulnerability
assessments are done. So that as we have gotten the large
vulnerability assessments and reviewed them, we have
specifically looked at those factors, taken that into account.
And we welcome the inspector general's comments and the
National Drinking Water Advisory Council's objective criteria
that they will use for quality.
Mr. Gillmor. The gentlelady's time has expired.
Just as a point of information, the limitations that Mr.
Grumbles was talking about were, I think, in section 1435 of
the conference report of the Bioterrorism Act as to what type
of thing they can do.
The gentleman from Michigan, Mr. Rogers.
Mr. Rogers. I will pass.
Mr. Gillmor. The gentleman passes.
The other gentleman from the northern peninsula.
Mr. Stupak. Thank you, Mr. Chairman.
Mr. Grumbles, in this legislation you got $160 million to
do these assessments, these vulnerability assessments. And the
way I read this report, EPA has not done a very good job.
While you have done a good job of getting the reports in,
the vulnerability assessments are really pre-9/11. In other
words, these assessments, because of lack of leadership from
the EPA, more utilities focused on vandals, criminals, and
disgruntled employees in their vulnerability assessment.
Contractors further stated--these contractors that Mr.
Stephenson talked about, further stated that EPA has not
provided utilities the intelligence data or threat information
required to justify the security upgrades necessary to defend
against terrorism. While the terrorist attacks of 9/11 and
subsequent passage of the Bioterrorism Act served as a catalyst
for the vulnerability assessments, limited threat information
provided by the EPA resulted in utilities subjectively
designing their assessments around pre-9/11 threats.
After filtering threat information through the RAMW
methodology, most of the water security experts we interviewed
who were familiar with vulnerability assessments concluded that
the only threats utilities could realistically address were
those they encountered before 9/11, being the vandals, the
criminals and disgruntled employees. One utility representative
we interviewed said that the contractor they hired to conduct
their vulnerability assessment discouraged them from addressing
higher threat levels like terrorism.
So, in answer to Ms. Solis' questions and that, while you
have a lot of paperwork to submit to the EPA, it doesn't meet
the guidelines put forth by the Bioterrorism Act, and it is
really not a question of money because, you know, $160 million
should have at least given us some kind of ideas, not what
happened before 9/11.
The reason why you had the Bioterrorism Act was because of
9/11, and it seems like we have missed the whole point here
because of lack of guidance from the EPA.
Mr. Grumbles. Congressman, I would say a couple of things.
One, I would respectfully--respectfully would disagree with the
characterization in the sense that when we put together the
baseline threat document and when we put additional guidance
forward with utilities, we did emphasize terrorism and
terrorist attacks.
I would also say that based on our customer surveys, the
information we have gotten from our customers, the utilities,
we have gotten a large sense of satisfaction in terms of the
guidance and information that was provided.
The last point I would make, Congressman, is that while we
feel that we have provided guidance, helpful guidance, to
utilities in developing vulnerability assessments this first
round, these initial vulnerability assessments are not the be
all and end all. I fully----
Mr. Stupak. I would hope not, because you haven't even
addressed terrorism according to this report. And this isn't
the Office of Inspector General; this is from your own internal
documents. This is your own reports.
Mr. Grumbles. I think that the vulnerability assessments
are viewed as a step forward. I think that they continue to,
and will, improve. And--they need to be living documents, and
they will only improve.
And I think utilities have done a good job in this first
round. We are in a new era after the Bioterrorism Act, and I
think they have done a good job, and our job is to provide them
additional information.
Mr. Stupak. Your own document says--from Jeffrey K. Harris,
Director of Program Evaluations, Cross-Media Issues, was to
Tracy Meehan, Assistant Administrator for Office of Water,
certainly doesn't say that. And if you look at the IG report,
it says--let me quote here on page 5:
``One of the security experts we interviewed stated the EPA
did not provide adequate threat information. Officials at the
Sandia National Laboratory stated that the EPA threat guidance
missed the mark because EPA did not set minimum threat levels
against which utilities need to assess their vulnerabilities.''
If you don't have any standard, I guess you could call
anything a success because you have no standard to judge it
against. And that is where we think the leadership is lacking
from the EPA.
Mr. Grumbles. Congressman, do you know if the inspector
general had reviewed any of the vulnerability assessments when
that statement was made?
See, my information----
Mr. Stupak. Well, that is why we want the inspector general
here. If he is not here, we can't answer it. You can't answer
it. I can't answer it.
So let me ask you this one: How about you? Has the EPA
exercised its authority and required any drinking water
utilities to take corrective actions to address vulnerabilities
to terrorist acts or other intentional acts? Have you, EPA,
exercised your authority requiring them to do anything to take
corrective action, other than submit these plans?
Mr. Grumbles. I guess my point----
Mr. Stupak. No, no, just a yes or no.
Come on now, corrective action or not. Did you guys direct
anyone to take corrective action or not?
Mr. Grumbles. Enforcement action?
Take any enforcement--I don't know.
Mr. Stupak. You have the authority and are required that if
there is a lack of security at these water utility places, you
have the right and the authority to require them to take
corrective action. Have you done that, in looking at these
plans, since you had 400 sitting in your office from the large
utilities?
Mr. Grumbles. We take our responsibilities and authority
seriously. And I am not sure that we have the authority to take
an enforcement action in that situation.
I can assure you----
Mr. Stupak. Okay. Whether you need the authority, did EPA
do anything, whether you had the authority or not?
Let us pretend you had it for a minute, okay? Did you take
any corrective action, or are all these plans, all 400, just
perfect?
Mr. Grumbles. If we had the authority, then our first step
would be to ensure compliance assurance. And then if the
community didn't take those steps, then we would take an
enforcement action.
Mr. Stupak. So you haven't taken any enforcement action
yet?
Mr. Grumbles. Well, we think that we have exercised the
current authorities that we have, current legal authorities.
And I would emphasize, Mr. Chairman, that the whole--the
underlying basis for progress here is partnership with the
communities.
Mr. Stupak. Well, you know, under authority--I am looking
at a letter here April 22, 2002. It is from Christy Todd
Whitman, EPA Director, to John Dingell. On page 2 of that
letter it says, ``The language contained in 3448''--that is the
bioterrorism bill--''amending the Safe Drinking Water Act,
section 1431, provides EPA with adequate authority to respond
in situations involving significant vulnerability.''
So that is why I asked my question, since you have the
authority and are required. So did you take any action to
address these significant----
Mr. Grumbles. I appreciate your clarifying that because
that is the provision in the statute that deals with imminent
and substantial endangerment. And I am not--I don't--and
fortunately, I don't think we have had any situations where we
have exercised that rare authority to step in in the context of
a vulnerability assessment or an emergency response plan.
Mr. Stupak. I am out of time, but I will keep going if you
let me.
Mr. Gillmor. How about we come back for another round?
Mr. Stupak. Sure.
Mr. Gillmor. Mr. Terry apparently got tired of waiting, so
we will recognize him when he comes back, although he did have
a couple of questions.
In fact, I know what he was going to ask. I might ask one
of those questions on his behalf; and that is, one of the
bigger concerns is making sure that EPA is not ignoring small
water systems in order to focus solely on the largest drinking
water systems. It was his understanding that EPA had been using
money to provide the trainer grants, to provide a number of
environmental professionals to give training and technical
assistance to water systems serving fewer than 50,000 people.
And then his question was: ``What is the status of this
program?''
Mr. Grumbles. Yes, sir.
Mr. Gillmor. And what other actions is EPA taking to help
smaller water systems?
And the third part of that was, what fraction of the
drinking water security budget is being spent on smaller
systems?
Mr. Grumbles. Since 2002, what EPA has done is what--we
have provided $36 million for training and technical assistance
for the small water systems, those less than 50,000, under the
terms of the Bioterrorism Act. This is approximately 25 percent
of the budget 2002 through 2004.
We have used a multi-pronged approach, Mr. Chairman, to try
to reach the nearly 8,000 systems that are--those less than
50,000 that are required to undertake vulnerability assessments
and develop or revise emergency response plans. Besides
training the trainers, Mr. Chairman, we provided direct
assistance to trainers such as the rural water circuit riders.
So, as a result, the number I have is that more than 88
percent of the small systems have met the deadline for
submitting the vulnerability assessments. So, again, while the
focus, I think, of the drafters and of the Nation also is on
timeframes for the large metropolitan areas, we certainly
recognize the importance of getting out assistance and ensuring
that the smaller systems throughout the country are also
assessing and developing emergency response plans and getting
the information they need to secure their systems.
Mr. Gillmor. Then also--although not as good looking as Mr.
Terry, I am standing in for him.
Mr. Stephenson, how helpful will real-time monitoring
technologies, capability of providing near real-time data for a
wide array of potentially harmful contaminants be in addressing
security issues? And why do you think this technology received
the most support for Federal funding?
Mr. Stephenson. I think the experts felt that because the
distribution system was the most vulnerable, these detection
and monitoring capabilities would be placed in the distribution
systems so that would give real-time information if there was a
contaminant in the system. Facilities currently have no
capacity to do this. So they felt a lot of research was needed
in that area, more so than hardening or anything else; and I
think that is why that cropped up as the highest priority from
our experts.
Mr. Gillmor. And Mr. Grumbles, how does EPA receive threat
information? Does it come from FBI, DHS, or other parts of the
Intelligence Community? And what is the extent of collaboration
with DHS? And what are the procedures to make sure that
information flows down the chain to water systems in a timely
manner?
Mr. Grumbles. Well, Mr. Chairman, how do we get our
information? We get it through a variety of sources, primarily
DHS, FBI, CIA. We are working very closely with the Department
of Homeland Security. While we are the sector-specific lead for
the water infrastructure sector, we do report to them and we
work very closely with them.
And we also within the agency have an Office of Emergency
Preparedness, as well as an Office of Homeland Security, to
help provide specific liaison to the other agencies throughout
the Federal family of Homeland Security individuals.
Mr. Gillmor. Thank you, Mr. Grumbles.
And we will go to another round of questions.
And, Ms. Solis.
Ms. Solis. Thank you, Mr. Chairman. I would like to request
unanimous consent to also submit several editorial articles to
support action to decrease threats at chemical facilities.
Mr. Gillmor. Without objection.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T6103.033
[GRAPHIC] [TIFF OMITTED] T6103.034
[GRAPHIC] [TIFF OMITTED] T6103.035
Ms. Solis. Thank you.
Mr. Grumbles, going back to Los Angeles, we are a very
large urban center there, and obviously the DWP is one of the
largest water providers in Los Angeles. They have submitted
their plan, a 5-year plan, and my understanding is that you
have received that. But, looking at it, there are so many
issues that just kind of beg to be answered.
One is that they have a budget problem with respect to
employees there having to somewhat police and provide
surveillance for their facilities. And overtime is a big issue
because they have not come up with, say, installing electronic
surveillance equipment.
What types of advice do you give to agencies like that to
urge them or at least to direct more grant money so that they
can accomplish this goal, knowing that they are faced with
these--and L.A. isn't the only one. I am sure this is with a
lot of other facilities.
How is it that you get back to them, and what is the
timeframe if there are changes that you think could help or to
modify their plan? What is it that you do to get back to them?
Mr. Grumbles. I--you mentioned L.A., and that is a perfect
example of a city where there is so much at stake and where
initiative has already occurred and they are moving out front.
And then it translates into, they have developed plans and very
specific milestones to try to increase the security of their
system--how do they finance it and fund it, and how do they,
you know, get there.
One of our jobs that we take extremely seriously is to
provide not only the tools and the training, but the technical
assistance, ways to find additional funding, and to also use
some of the existing Federal funding that might be there, if
not through the Department of Homeland Security, through EPA.
We have some funding through the drinking water State revolving
funds, and we issue guidance expressly for the purpose of going
to States to help the cities use some of those funds that
traditionally have been used for drinking water, maximum
contaminant level compliance and drinking water treatment
plants, and to use those funds for security-related
enhancements.
Some of these areas, when you talk about overtime or
increased O&M, those may not be eligible for assistance under
that drinking water State revolving fund, and so there are
other tools or financial assistance. Sometimes, as you and your
constituents know better than anyone, ultimately it is the
ratepayer, the customer, that is going to be paying more for
enhanced security, just like they pay more for enhanced
drinking water regulations that we issue.
Ms. Solis. At what point do you get back to the different
water purveyors, especially the large ones, in terms of their
plan, though? What do you do to go back and maybe review or
even audit?
Mr. Grumbles. Are you talking about--when you say ``a
plan,'' are you talking about----
Ms. Solis. Vulnerability.
Mr. Grumbles. The vulnerability assessment?
Ms. Solis. Yes. If there are some questions, a red flag
goes up or something, how quickly do you get back to them to
let them know that you perceive there is a problem or an issue
here?
Mr. Grumbles. I don't know a timeframe.
Ms. Solis. I mean, this is obviously very, very important.
And you haven't set up any standard to get to do that?
Mr. Grumbles. We have a good dialog with the drinking water
utility associations across the country. We meet regularly with
them, provide them information.
Ms. Solis. That is not what I am asking.
Mr. Grumbles. Well, I think one of the mechanisms--probably
the Region 9 office might be the closest EPA office to get back
to them on some of the specifics of the questions they might
have. But our Office of--our Water Security Division does
provide information.
Some of the--Congresswoman, some of the venues that we
would use would be through our workshops that we have with
utilities and cities. We are very pleased that we are part of
the funding and supporting the water--ISAC, Information Sharing
and Analysis Center, which is a secure Web-based system that
cities, large and small, utilities, once they get security pass
words can use to get helpful information on some of their very
real security-related issues.
Ms. Solis. But limited to the funds, very limited funds
available, right, to make any changes?
Mr. Grumbles. They would certainly say that. And I would
say, from a Federal EPA budget, funding is always a difficult
challenge. And as we move into the implementation stage, it
will continue to be a challenge. But we are taking that very
seriously and looking at funding as a Federal partner with
localities and States as we look into the next budget cycle.
Mr. Gillmor. The gentlelady's time has expired.
The gentleman from Michigan.
Mr. Stupak. Thank you, Mr. Chairman.
Mr. Grumbles, sort of getting back to where I left off, let
me ask the question this way: Has the EPA requested any
drinking water utility to take specific corrective action to
address vulnerabilities to terrorist attacks?
Mr. Grumbles. I guess I should say I would like to make
sure that I answer it correctly, and I probably need to get
back to you for purposes of the record on that.
I am told no.
Mr. Stupak. Okay. The large utilities were supposed to be
done March 31, 2003, to submit their vulnerability assessments
to you. That has been 18 months ago, and we haven't directed
anyone to take any corrective actions. So the answer on that is
no, right?
So then, if that is the case, you said in your opening
statement that ``We are smarter and we are safer from terrorist
attack because of the work of the EPA.'' but with all
seriousness, how is the public assured that the necessary
security enhancements are being taken by their water utilities?
We have these assessments done; there has been no
corrective action. How do we reassure the public?
Mr. Grumbles. I think you are raising a good question, and
that is exactly what is the responsibility of the U.S. EPA in
implementing and taking steps in the Bioterrorism Act of 2002
after we get the vulnerability assessments.
I don't read the statute as saying that EPA has a specific
authority to follow up.
Mr. Stupak. Well, when you look at the Presidential
Decision Directive 63, issued in May 1998, it designated the
EPA as the lead agency for assuring the protection of the
Nation's water infrastructure. And so that was back in 1998,
even before we had 9/11.
And then the Bioterrorism Act also makes that a
requirement. You are the lead agency.
Mr. Grumbles. Congressman, a couple points: One is, we do
have a broad authority under 1431, as you and your staff know
full well, that if there is an imminent and substantial
endangerment to public health, then under that provision--which
has been in the statute for a long time prior to the 9/11
incident or the Bioterrorism Act of 2002--we will use our
enforcement discretion and exercise that. We haven't done that
to date.
With respect to the Presidential Directive 63, I mean, we
do take seriously, and we continue to take seriously under the
Presidential directives that have come after the Bioterrorism
Act of 2002, our responsibilities to carry out the act and also
to coordinate and do increased surveillance and monitoring.
Mr. Stupak. Well, you know, we have got the Safe Drinking
Water Act, we have Presidential Directive 63, we have the
Bioterrorism Act of 2002. Is there some authority you want that
would make it clearer for you your responsibility that you are
the lead agency to protect the Nation's utilities and your
water infrastructure in this country?
Is there some other authority you need or are looking for?
Mr. Grumbles. I think that it remains an open question as
to whether or not Congress needs to revise the statute to
provide us additional authority. I think we have our focus
right now----
Mr. Stupak. Well, we think we have given you three types of
authority: Directive 63, the Safe Drinking Water Act, and the
Bioterrorism Act.
Now, we are the guys who write this stuff, men and women
who write it, so--but from your point of view, since you are
supposed to be responsible for carrying it out, you tell us,
are you missing some authority? Is someone telling you, Geez,
that is a nice suggestion that I should do this to make sure
the safe drinking water in Los Angeles is safer, but you know
what, EPA, you don't have the authority.
Has anyone ever told you guys that?
Mr. Grumbles. I think, as I--I did want to emphasize in the
statement, Congressman, Congress in reviewing the
implementation of the Bioterrorism Act of 2002 should
acknowledge and recognize that what that statute did,
critically important and successful statute, was to set up a
planning and vulnerability assessment framework, emergency
response planning. We are carrying that out and implementing
that, and so I am not here to seek additional regulatory or
enforcement authorities. I know that our focus is on providing
the tools and the training, the technical assistance to
utilities to carry out their plans as they develop them.
Mr. Stupak. Well, more than just vulnerability assessment.
Again, go back to the letter I read to you earlier from the EPA
Director Christy Todd Whitman again, once again, dated April
22, 2002.
And, Mr. Chairman, I ask this letter be made part of the
record.
Mr. Gillmor. Without objection.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T6103.036
[GRAPHIC] [TIFF OMITTED] T6103.037
[GRAPHIC] [TIFF OMITTED] T6103.038
[GRAPHIC] [TIFF OMITTED] T6103.039
Mr. Stupak. The letter to Mr. Dingell. And again I go to
page 2, the top paragraph. The language contained in H.R.
3448--that is the Bioterrorism Act--amending the Safe Drinking
Water Act, section 1431, provides EPA with adequate authority
to respond to situations involving significant vulnerability.
So according to the EPA Director, back then Christy Todd
Whitman, you had significant authority to do what has to be
done, and your job is really to make sure the public water
supplies and distributions are secure from terrorist attack,
more than just take assessments of utilities. You have a real
responsibility here. And I am afraid the public, if they are
watching this thing at all or hearing anything about this
hearing, there is not a lot of assurance that the necessary
security enhancements are being taken to make sure their water
is safe.
Mr. Grumbles. Well, I would disagree with you respectfully,
Congressman. There is no doubt that work needs to be done, and
there is no doubt that EPA will exercise its existing
authorities that it has in the Bioterrorism Act as well as the
Safe Drinking Water Act. And it is also no doubt to us that
there needs to be continued cooperative discussion, compliance
assurance. Our top priority has been, Congressman, to ensure
that the systems get in their vulnerability assessments and
their emergency response plans, certify that they have done
their emergency response plans, and that we work with the other
Federal and State and local entities on workshops, tools and
training, and update and improve their plans that they use--
view them as living documents that need to be continuously
improved.
Mr. Stupak. With that answer, I take it you agreed with us
that you have the authority; that you have done a bunch of
assessments. But what I haven't heard you say in answer to my
questions here today, you haven't taken any corrective action
to make sure that these security enhancements are in fact in
place. Your own internal document basically said the
evaluations were based upon pre-9/11, which is basically
vandals, criminals, and disgruntled employees, and because they
didn't get any guidelines from you as to what we should be
looking for post-9/11.
Mr. Gillmor. The gentleman's time has expired. But the
Chair would extend the gentleman's time long enough for me to
ask the gentleman if he would yield to me.
Mr. Stupak. I would be happy to yield to the chairman.
Mr. Gillmor. I just want to point out as a factual matter
the letter that you cited predated, as I understand it, the
passage of the Bioterrorism Act, and whatever authority EPA may
have, there was no specific authority that I am aware of in the
Bioterrorism Act for them to take the action that you refer to.
EPA may have it under other provisions, but I don't think under
the Bioterrorism Act.
Mr. Stupak. The language read in was, it was really--the
question was, the reason why there was a letter between Christy
Todd Whitman and Mr. Dingell was because they were asking about
the existing language in the Safe Drinking Water Act, did it
provide a broad enough general authority to require actions to
address security concerns. But then they went into the language
contained in 3448, which was the bioterrorism. And they felt
that with the two of them, with both 3448, the Safe Drinking
Water Act, Presidential Directive 63, they had more than enough
authority to carry it out, not only just to ask for
assessments, vulnerability assessments, but actually to take
corrective action as they are the lead agency, as Directive 63
pointed out, to make sure that we have the assessments done
properly post-9/11, corrective action be taken if necessary,
and Congress was to, as the bioterrorism acts, appropriate
moneys to make sure it is done. Of the $160 million that has
been allocated, plus there was an emergency supplemental after
9/11 of $89, so about $240 million, $250 million, we have a lot
of assessments that the expert says it isn't worth the paper it
is written on and no corrective action since then.
Mr. Gillmor. You and I are basically the spokesmen, Mr.
Stupak, for dueling staff assessments, and the assessment that
I am getting was that EPA asserted that authority before the
passage of the act, but Congress didn't agree with that. But
that is something we can get cleaned up at another time.
I want to thank the members who have participated in the
hearing. I particularly want to thank Mr. Grumbles and Mr.
Stephenson for your usual very helpful testimony, and the
meeting stands adjourned.
[Whereupon, at 3:57 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
Mr. John B. Stephenson
Director
Natural Resources & Environment
Government Accountability Office
441 G Street, NW
Washington DC, 20548
Dear Mr. Stephenson: This is to express our appreciation to you for
testifying before the House Energy and Commerce Subcommittee on
Environment & Hazardous Materials on September 30, 2004 for the hearing
entitled Controlling Bioterror: Assessing Our Nation's Drinking Water
Security.
Pursuant to the Chair's order, the hearing record remains open to
allow Members to submit questions to witnesses. I would appreciate it
if you could respond to these questions, and provide an electronic copy
of your response no later than the close of business on Friday, October
29, 2004, in order to facilitate the printing of the hearing record.
The electronic copy (in Word or WordPerfect format) can be e-mailed to
[email protected].
Thank you again for your time and effort in preparing and
delivering testimony before the Subcommittee.
Sincerely,
Paul E. Gillmor, Chairman
Subcommittee on Environment and hazardous Materials
Attachment
Question 1. According to an October 2003 report done for the Senate
Committee on Environment and Public Works, GAO stated that security
experts generally agree that decisions for allocating federal money for
security improvements should be based primarily on (1) population
density and (2) information contained in vulnerability assessments.
Such efforts though could be complicated by Title IV's requirement that
EPA develop protocols to protect from vulnerability assessments from
disclosure to unauthorized individuals. As such, how do you square this
recommendation with the requirements of the law?
Response. As authorized reviewers of Vulnerability Assessments
(VAs), designated EPA officials may examine submitted VAs, and could
use them in making funding decisions and recommendations without
compromising the requirements of Title IV. As a practical matter,
however, such funding decisions would be realistic only at an aggregate
level (e.g., for making judgments about the future direction of
research, the types of training and their target audiences, and other
technical assistance). As we noted in our report, the use by EPA
officials of VA information to make--and defend--decisions about
allocation among individual recipients could indeed be complicated by
Title IV's requirement to protect VAs from disclosure to unauthorized
individuals. Experts also cited other complications that would
complicate utility-specific allocation decisions based on VA
information. For example, several noted that even if access to
vulnerability assessments was available, using VAs would require a high
degree of interpretation on someone's part, and it's not altogether
clear how such judgments would be made among potential recipients.
Question 2. Based on your report, and recognizing the need for
infrastructure funding, is it your opinion that some of this funding
need for security enhancements should go through ratepayer increases,
especially recognizing the current under-valuation of drinking water?
Do you think it's reasonable to make local communities bear some of the
costs in making these security upgrades?
Response. The degree to which the federal government supports
utility efforts to improve security is a policy decision to be made by
the Congress and the Administration. Our report sought advice on the
most efficient ways to allocate and spend federal funds should they be
appropriated. As a practical matter, many utilities are already
financing at least some of their security upgrades by passing along the
costs to their customers through rate increases. We would expect
ratepayers to continue to shoulder much of these costs in the future.
It is also worth noting that in responding to the question concerning
desirable financing mechanisms, our experts voiced strong support for
cost-sharing between the utility and the federal government, lending
further weight to the notion that improved utility security is in large
part a local responsibility.
Question 3. Your report recognized the physical assets of the
distribution system as the single most important vulnerability of all
system components. Recognizing the infrastructure needs of drinking
water utilities and how the physical deterioration of pipes and
transmission systems can lead to security vulnerabilities, do you agree
with EPA that some SRF money helps improve security?
Response. As a financing mechanism, use of the SRF for security
enhancements did not rank as high as a number of other mechanisms
identified by our expert panel. Nonetheless, the majority of experts
did site the Fund as either ``very effective'' or ``somewhat
effective'' as an approach for distributing funds. Moreover, one would
expect the SRF to be particularly appropriate in circumstances--as
suggested in the question--in which addressing basic infrastructure
needs (``physical deterioration of pipes and transmission systems'')
can, at the same time, address security-related concerns. The
efficiency of this ``dual use'' concept has been widely accepted at
EPA, among the experts on our panel, and elsewhere.
Question 4. In your opinion, and based on your report, can the
three categories of security-enhancing activities: physical and
technological improvements, education and training, and strengthening
operational relationships; be achieved or strengthened without further
congressional action? What is your assessment of how likely the
utilities are to cooperate in this further action?
Response. There is little doubt that some of these security-
enhancing activities would continue to take place without federal
funds, and our report documents a number of utility initiatives to
pursue some of them. At the same time, our work suggests, at least
anecdotally, that the degree to which some of these enhancements are
implemented will be a function of the level of federal support
provided. For example, the experts overwhelmingly cited the use of
real-time monitoring technologies as the single most important physical
security enhancement that can be applied to drinking water facilities.
However, many of the experts noted that smaller utilities would simply
be unable to deploy these technologies without federal support. In
addition, while regional collaboration is taking place within some
states as our report noted (BASIC in the San Francisco area and MADIRT
in North Carolina), there may be a need for federal attention to
encourage collaboration in broader regions of the country.
Question 5. Recognizing the fact that the vulnerability assessment
information is highly protected in order to protect sensitive
information about each utility from those who may use the information
to harm the utility, how, in your opinion and based on your study, is
it possible to adopt security measures that both address
vulnerabilities and mitigate the consequence of attack?
Response. The requirement for vulnerability assessments helps to
ensure that each utility goes through the systematic process of
identifying its vulnerabilities and, by extension, developing plans to
address those vulnerabilities through the addition of preventive
measures and response plans. In that sense, the secrecy imposed on
vulnerability information by Title IV does not necessarily prevent
utilities from adopting security measures that address vulnerabilities
identified by their VAs.
Question 6. Recognizing that the primary mission of the Drinking
Water SRF is to facilitate compliance with federal drinking water
regulations and that this requirement alone makes the competition
fierce and the funds scarce, do you believe that the drinking water SRF
should be used as a main funding source for security enhancements at
drinking water utilities?
Response. For the reasons cited in the question, we believe it
would be inappropriate to rely on the SRF as a main source of funding
for security enhancements, particularly if supplemental funding was not
provided to the SRF specifically for this purpose. As noted in response
to question #3, few of the experts on our panel supported the SRF as a
primary source of funding for security enhancements, with some citing
the competing demands already placed on the Fund for its primary
purpose of funding basic infrastructure improvements.
Question 7. There is interest in the development and deployment of
technologies that can detect contamination at the various stages of the
community water system's intake valves, treatment plant, and delivery
network. What is the status of these activities? How helpful will real
time monitoring technologies, capable of providing near real time data
for a wide array of potentially harmful water constituents, be in
addressing security issues and why do you think this technology
received the most support for federal funding than any other category?
Response. The development and deployment of advanced monitoring
technologies are still in their early stages, according to EPA's 2004
``Water Security Research and Technical Action Plan.'' The Plan speaks,
for example, of the continuing need to develop monitoring technologies
for biological, chemical, and radiological contaminants and threats;
and of the need to develop ``drinking water early warning systems.''
The development and deployment of such technologies received the widest
support of any single security-enhancing activity cited by our expert
panel for the reasons cited in the question--they hold great promise in
providing real-time data for a wide array of potentially harmful water
contaminants. This capability is particularly crucial in the water
distribution system: once a contaminant is introduced at this late
stage, there is little protection between a potentially deadly
contaminant and an unsuspecting public. In such a situation, time to
alert unsuspecting consumers would be of critical importance, and a
real-time monitoring capability may be the only option to provide that
time.
Question 8. Recognizing the fact that drinking water distribution
systems are so vulnerable due to their accessibility at so many points,
do you envision the magnitude of the risk ever reaching a point where
these systems could be fully and adequately protected? While water
utilities have all assessed their vulnerabilities?
Response. It is hard to imagine a scenario in which all drinking
water systems could be ``fully and adequately protected.'' We believe,
however, that well-conceived and properly funded security-enhancing
strategies can help considerably to maximize deterrence against an
attack; improve early detection should an attack take place; and
improve response capabilities to help mitigate an attack's impacts. We
also see value in encouraging utilities to revisit and upgrade
vulnerability assessments over time; threats will likely change over
time as will the strategies available to address deterrence, detection,
and response.
______
U.S. Environmental Protection Agency
Office of the Inspector General
The Honorable Paul E. Gillmor
Chairman
Subcommittee on Environment and Hazardous Materials
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20515-6115
Dear Mr. Chairman: Enclosed are responses to questions for the
record stemming from the September 30, 2004, hearing ``Controlling
Bioterror: Assessing Our Nation's Drinking Water Security.'' We
appreciate the opportunity to comment on this important issue. If your
staff should have any questions on these responses, please contact
Eileen McMahon, Assistant Inspector General for Congressional and
Public Liaison, at (202) 566-2391.
Sincerely,
Nikki L. Tinsley
Enclosure
RESPONSES TO QUESTIONS FROM CHAIRMAN GILLMOR
Question 1: In your report entitled ``EPA Needs to Assess the
Quality of Vulnerability Assessments Related to the Security of the
Nation's Water Supply Report No. 2003-M-00013 Dated September 24,
2003,'' you cited that water systems did not consider the terrorist
threat or distribution systems when undertaking their vulnerability
assessments. Please clarify whether this conclusion was made before or
after you were granted access to the vulnerability assessments. If the
conclusions were drawn before you had access to the vulnerability
assessments, would your conclusions change following your access?
Answer: We want to clarify that we did not state in our report that
water utilities failed to consider terrorist threats or distribution
systems when undertaking their vulnerability assessments. We reported
in EPA Needs to Assess the Quality of Vulnerability Assessments Related
to the Security of the Nation's Water Supply (Report No. 2003-M-00013),
dated September 24, 2003, that ``based on our interviews, we believe
that vulnerability assessments submitted may emphasize traditional,
less consequential, and less costly threats, such as vandalism or
disgruntled employees. Therefore, vulnerability assessments may not
necessarily address terrorist scenarios or the events of 9/11 that
motivated passage of the Bioterrorism Act.'' (emphasis added) We based
our conclusions on interviews with water security experts, EPA
officials, and water utility personnel we talked with prior to gaining
access to the vulnerability assessments. While the Act prohibits us
from publicly discussing the information we obtained from the
vulnerability assessments, the statements contained in our report
remain valid.
Question 2: In your report entitled ``EPA Needs to Assess the
Quality of Vulnerability Assessments Related to the Security of the
Nation's Water Supply Report No. 2003-M-00013 Dated September 24,
2003,'' you stated that neither the Bioterrorism Act nor EPA identified
a minimum threat level against which water utilities should assess
their vulnerabilities. However, this statement did not take into
account that baseline threat information for vulnerability assessments
of community water systems was the topic of an extensive stakeholder
meeting where a wide variety of members from the water industry,
including large systems, utilities, municipalities, and rural systems
were represented. The consensus at the meeting was that the design
basis threat selection should be left to individual utilities to
account for the uniqueness of each water system while incorporating the
threat information gained from local FBI offices and other security
experts. How then do you suggest a federal standardized threat level in
light of this evaluation, recognizing the inherent differences in
community water systems nationwide?
Answer: As we reported, ``neither the Bioterrorism Act nor EPA
identified a minimum threat level against which water utilities should
assess their vulnerabilities.'' Water security experts, including staff
from Sandia National Laboratory (the contractor EPA used to develop one
of the vulnerability assessment methodologies), support our conclusion
that EPA should have set a minimum threat level against which utilities
needed to assess their vulnerabilities. According to Sandia officials,
EPA's practice of not setting minimum security measures left threat
determinations open to interpretation, and thus inconsistent
application of the vulnerability assessment methodology. For example,
one water security expert contracted to conduct several large utility
assessments said that, even after vulnerability assessment training
conducted subsequent to the terrorist attacks on 9/11, water utilities
tended to focus on vandals, criminals, and disgruntled employees.
Furthermore, in our report, Survey Results on Information Used by
Water Utilities to Conduct Vulnerability Assessments (Report No. 2004-
M-0001), dated January 20, 2004, state and local auditors found that 10
of the 16 water utilities utilized the Federal Bureau of Investigation
(FBI) as a source of threat information, and only 3 of the utilities
found FBI's threat information useful.
While we agree about the uniqueness of the vulnerabilities of each
water system, even if EPA required utilities to assess threats at a
standardized level, the utilities still had the flexibility to decide
whether or how to protect against any vulnerability identified.
EPA's actions subsequent to the issuance of our report support our
conclusion that EPA should have set a standardized threat level even in
the face of unique utility characteristics. First, during an April 2004
interview with our team, an EPA official described the Agency's plans
to conduct 60 threat scenario-driven emergency response field exercises
across the country including training on ``model emergency response
plans'' for utility consideration. Second, during an April 2004
meeting, a senior official from EPA's Water Security Division described
the Agency's initiative to identify best security practices ``since the
water industry has very little standards for security.'' EPA based its
initiative to develop minimum guidance on security enhancements on a
utility's size (e.g., fence height, the need for intrusion alarms) and
EPA will vary guidance for rural/small water systems since they face
different security issues. Moreover, regional EPA staff with access to
the vulnerability assessments believe that utilities still have not
made the cultural leap to considering terrorist scenarios rather than
focusing on fencing and lighting as response mechanisms. Finally, EPA
formed a Water Security Working Group charged with: (1) identifying,
compiling, and characterizing best security practices and policies for
drinking water utilities; (2) considering mechanisms to provide
recognition and incentives to implement them; and (3) considering
mechanisms to measure the extent of implementation of these best
security practices and policies.
�