43 Manual Psa Oms 2022

Ce document a ete delivre pour le compte de 7200106152 - editions ti // caroline JULLIN // 90.66.42.
145
Water security plan

Towards a more resilient drinking water
infrastructure
by Montserrat BATLLE RIBAS

Senior Innovation Specialist
Adasa Sistemas, Barcelona, Spain
Thomas BERNARD
Group Manager
Fraunhofer IOSB, Karlsruhe, Germany
Eyal BRILL
Owner
Decision Makers Ltd, Shoam, Israel
Maria Rosario COELHO
Head of Laboratory
Aguas do Algarve, Faro, Portugal
Parution : février 2022 - Ce document a ete delivre pour le compte de 7200106152 - editions ti // caroline JULLIN // 90.66.42.145
Maria Fátima COIMBRA

Executive Advisor
Águas de Portugal, Lisboa, Portugal
Jochen DEUERLEIN
Associate Director
3S Consult GmbH, Office Karlsruhe, Germany
Peter GATTINESI
Advisor on water infrastructure and security
United Kingdom
Philipp HOHENBLUM
Senior Water Expert
Environment Agency Austria, Vienna, Austria
Pierre PIERONNE
National water quality expert
Technical Division, SUEZ Water France, Paris, France
Jordi RAICH
European project manager
s::can GmbH, Vienna, Austria
Luís SIMAS
2 - 2022
Senior Adviser
Quality Department, ERSAR, Lisbon, Portugal
Rui TEIXEIRA
Head of Division
Water Division and Sanitation, Municipality of Barreiro, Barreiro, Portugal
EP 4 244
Rita UGARELLI
Chief Scientist
SINTEF Community, Oslo, Norway
Andreas WEINGARTNER
CEO
CasAgua Consulting GmbH, Traunkirchen, Austria
© by Editions TI. All rights reserved EP 4 244 – 1
tiwekacontentpdf_p4244 v1 Ce document a ete delivre pour le compte de 7200106152 - editions ti // caroline JULLIN // 90.66.42.145
Ce document a ete delivre pour le compte de 7200106152 - editions ti // caroline JULLIN // 90.66.42.145
WATER SECURITY PLAN _____________________________________________________________________________________________________________
Monica CARDARILLI
Project Officer
European Commission, Joint Research Centre, Ispra (VA), Italy
and Georgios GIANNOPOULOS
Team Leader
1. Drinking water security framework ................................................ EP 4 244 - 2

2. Risk assessment and management.................................................. — 3
3. Preparedness and planning................................................................ — 5
4. Technologies and tools for event detection and response....... — 7
5. WSecP from design to implementation and revision ................. — 14
6. Reflections and recommandations for water security............... — 16
7. Conclusions ............................................................................................ — 17
8. Glossary................................................................................................... — 17
Pour en savoir plus........................................................................................ Doc. EP 4 244
T he purpose of the Water Security Plan (WSecP) is the planning and imple-
mentation of preparedness, prevention, response and recovery strategies
against malicious attacks on drinking water supply systems. Deliberate conta-
mination could impact many people and disrupt interconnected services.
The Water Security Plan focuses on the protection and resilience of drinking
water infrastructure against intentional threats and provides guidance for
water utilities and decision makers. These proposals have been developed
from operational experiences of using innovative real-time monitoring tools
and technologies. Benefits from the latest tools and technologies include
improved resource allocation and optimization, and developing more effective
security solutions for water supply systems.
The concept has been elaborated to cover attacks along the entire distribu-
tion range from water source to tap, and addresses both large and small water
utilities.
The paper provides the framework upon which the Water Security Plan
should be elaborated, such as methodologies, system components, best prac-
tices and future perspectives. The aim is not to be exhaustive but rather to
offer an overarching picture of the key elements which should be considered
and implemented by water operators to enhance drinking water security.
The proposed Water Security Plan guidance has been produced by the
ERNCIP Thematic Group on “Chemical and Biological Risks to Drinking Water”.
The paper concludes with some recommendations and practical observations
for drinking water suppliers.
1. Drinking water security mentation at EU level. To achieve this, a Common Implementa-

tion Strategy (CIS) was established in 2001, developing several
framework guidance documents to address topics from the identification of
water bodies [2] to recommendations on monitoring [3] [4] and
reporting [5] [6], up to public participation [7] and economics [8].
Water is a lifeline sector, which serves communities and busi-
nesses on a daily basis raising a number of shared technical chal- In particular, drinking water policy ensures that water intended
lenges among water authorities, utility operators, and other for human consumption can be supplied safely [9] on a life-long
relevant stakeholders. basis, and this represents a strong contribution to the broader EU
water protection [10], management [11] and treatment [12].
The implementation of EU water policy [1] is one of the main
reasons to develop common understanding of the key issues and To this end, the recently adopted new Drinking Water
to agree on common solutions to ensure a harmonised imple- Directive [13] introduces new obligations for Member States,
EP 4 244 – 2 © by Editions TI. All rights reserved
______________________________________________________________________________________________________________ WATER SECURITY PLAN
reinforcing the recommendations of the World Health Organisation cept. For this reason, TG Water has elaborated the Water
on safety standards for drinking water from source to Security Plan (WSecP) guidance, devoted to improving the con-
distribution [14]. trol of water security [34] [35] [36].
Supply of safe drinking water is an essential element for the
functioning of our society and economy, and thus rated as critical
infrastructure [15]. Disruptions of such services, especially those
To remember
with cross-border and potentially pan-European implications, have
potentially serious negative implications for citizens, business, – Secure water infrastructure builds on deep knowledge of
governments and the environment [16] [17] [18] [19]. The frame of potential hostile actions that may cause service disruption. An
the emerging security threat landscape is also evolving [20], add- effective information exchange between government services
ing new vulnerabilities within water supply systems. and water service providers is indispensable.
– Technical solutions are one element for increasing water
Therefore, it is necessary to increase the resilience of drinking
utilities’ resilience which needs to be embedded in an organi-
water infrastructure, where protection is one element alongside
zational security concept such as a Water Security Plan
prevention and mitigation, business continuity and recovery. To
(WSecP).
achieve this, it is essential to have a thorough knowledge of the
type of threats that water infrastructure can face.
In this paper, Security is defined as the ideal state of

well-being, undisrupted, undisturbed and protected integrity of
2. Risk assessment
an asset against dangers that are caused intentionally by hos- and management
tile human actions [21].
Recent news on malicious attacks [22] [23] [24] on drinking water 2.1 Water safety and security
infrastructures demonstrates that the threat is realistic and under-
scores the vulnerability of such infrastructure [25]. While safety and security are closely related tasks of every water
utility, varying definitions and examples of these terms can be
Surveillance and assessment of the credibility and seriousness
found in the literature [34] [35] [36] [37]. In order to support a com-
of threats is a task of the security intelligence services [21]. For
mon understanding for the purpose of this paper:
their part, water utilities need to identify potential vulnerabilities
in order to take protective measures and increase their

resilience [26] [27] [28]. This requires an effective information Safety is used to address any type of contamination risk to
exchange between governmental services and the critical infra- drinking water except intentional contamination (of crimi-
structure operator [29] [30]. nal/terrorist nature), whereas Security aims to address inten-
In order to guarantee water safety, the World Health Organiza- tional attacks on water distribution networks (e.g.
tion (WHO) has advocated the implementation of risk assessment, contamination), control systems (e.g. cyber attack) and infor-
management, planning and response through Water Safety mation systems (e.g. fake news).
Plans (WSP) [17] [18], recently reinforced by the EU’s new Drink-
ing Water Directive [13]. Nevertheless, nowadays it is not sufficient When comparing the risk assessment processes of the WHO
to guarantee water safety only. It is also very important to ensure Water Safety Plan [38] [39] [40] with the herein proposed WSecP,
that all infrastructures associated with water, from source to tap the different safety vs. security perspectives make evident some
(i.e. abstraction, treatment and distribution), maintain their core variances that need to be addressed.
functions and operations in order to provide quality, quantity, and
continuity of water supply in the event of malicious contamination. In particular, a ‘traditional’ WSP does not explicitly or specifically
Hence, it is crucial that the security aspect of drinking water distri- consider intentional contamination. This may lead to consideration
bution systems is also thoroughly considered. This will enable mit- of procedures and resource allocation differently at some (few)
igation of the occurrence and impact of malicious events that can critical points, where security-related needs may not automatically
affect the normal functioning of these systems, and ensure the be covered or considered. The addition of the security aspect does
necessary response capacity to return quickly to normality after a not cause additional cost and effort to a WSP, but it rather induces
disruptive event. The aim is to minimise the risk of the harmful a widening of the planning scope, a re-thinking of some critical
impact of security-related events on human health, using an procedures, and a re-location – sometimes also addition – of some
approach designed to be integrated with existing WSP. resources [41].
The European Reference Network for Critical Infrastructure Pro-
tection (ERNCIP) established the Thematic Group on “Chemical
and biological risks to drinking water” (TG Water) [32] in order to
2.2 Water security threats
help operators of water infrastructure to respond to deliberate and vulnerabilities
chemical and/or biological (CB) contamination of drinking water.
Real-time water quality monitoring systems, early warning sys- Risk assessment and risk management provide the basis for the
tems and related laboratory confirmatory analyses are central tech- design and implementation of the WSecP whose primary purpose
niques to respond to CB threats [33]. The basic idea is to use is to be able to better respond to incidents in the water supply sys-
innovative technical solutions to rapidly identify a malicious attack tem, such as:
to the drinking water infrastructure and to alert the operator. Ide- – deliberate contamination with hazardous chemicals (terrorism)
ally, such a system is integrated in the daily operation of utilities, or biological agents (bioterrorism);
and therefore serves both security and safety aspects. By monitor- – contamination resulting from cyber terrorism;
ing as close to real time as possible, any contamination in the sup- – sabotage;
ply system should be detected in the shortest time possible to – vandalism.
allow the operator to react and mitigate. The perpetrators of these threats can generally be categorized as
Technical solutions are one element in increasing a utility’s resil- either internal or external to the water utility or its community [42]
ience, but need to be embedded in an organizational security con- [43]. Internal threats may arise from disgruntled employees cur-
rently or previously employed by the organization. A ‘disgruntled 2.3 Requirements and protocols
trusted insider’ provides the greatest vulnerability, as this com-
bines intent with the knowledge and capability. External threats
for water security
can range from mindless vandalism to state-sponsored terrorism.
The first step in security planning should be a risk assessment,
Critical infrastructure is an attractive target for terrorists due to
whereby the identified threats of malicious activities would be con-
the potential consequences and ripple effects of a successful
sidered in conjunction with the vulnerabilities of the water system
attack. The distribution components of a water system are espe-
infrastructure to manage the potential impact from an incident, in
cially at risk due to the potentially large number of people that
terms of casualties and numbers of people affected by loss of
could be affected by an attack. ‘Lone-wolf’ actors are known to
access to drinking water. The following steps are the basis for
have conspired to use CB weapons to attack a water system, and
developing and maintaining a secure water infrastructure.
state-sponsored actors also have the means to undertake such
attacks [44]. 1. Each drinking water system operator should conduct security
Drinking water systems must be prepared for the threat of delib- vulnerability assessment and management as part of their emer-
erate acts of sabotage, including terrorist activities meant to con- gency response plan to determine if there are areas needing
taminate the water supply or destroy the drinking water system improved security measures, according to the most likely (secu-
itself. Therefore, the risks to the operator and to its customers (e.g. rity) risk scenarios. This process should be carried out in colla-
hospitals, military, administration or government buildings, stadi- boration with intelligence services and other security authorities.
ums, hotels, places of tourist accommodation, commercial centres) Help from external consultancy could also be an option, if opera-
need to be assessed, since a physical/cyber attack to a drinking tors are not technically experienced.
water supply system could have serious consequences.
2. Drinking water operators, intelligence services and other
The following are common elements of security risk assessment security authorities should evaluate vulnerability through assess-
and management which should be incorporated into any evalua- ment and management tools, using the most appropriate tool,
tion method. according to their needs and size. The use of a security vulnera-
bility self-assessment tool, and a ‘Certification of Completion’
form that can be submitted to the security authorities and regula-
Characterization of the water system, including its mis- tors as verification that the assessment was done, are both
sion and objectives. strongly recommended.
– What threats are there against this target?
3. All security deficiencies identified in the security assess-
– What is the probability of these threats materializing
ment should be addressed. The most obvious and cost-effective
(based on past incidents, information by national authorities,

security improvements should be prioritized first.
etc.)?
– How can the most likely threats materialize (since they are 4. A written security plan should be produced. It should
the ones that should be addressed first), i.e., modi operandi? include a complete description of the security requirements, such
– What security issues are likely to be exploited by threat as procedures for daily checks of the water system infrastructure
agents to materialize threats? and information about alarm systems.
– What is the potential impact of exploiting each of these This documentation must be only available to those who need
vulnerabilities? this information to ensure the security of the system and must be
– Definition and implementation of security measures (pro- stored in a secure location.
tection) with a view to reducing or eliminating identified
vulnerabilities. 5. The local police authorities should be involved in order to
include the facility in their routine patrols, providing them with a
– Definition and implementation of measures to reduce the map of the system with the critical components highlighted.
impacts arising from the exploitation of vulnerabilities by
threat agents (crisis management, resilience, redundancies, 6. Everyone can be involved in routine surveillance, particu-
recovery, business continuity). larly communities near the key infrastructures. The general public
– Development of a prioritized plan for risk reduction. should be asked to watch for unusual activity around drinking
water system facilities, with clear instructions (e.g. phone num-
bers) for quick and easy reporting of suspicious behaviour.
The availability of information about the threats posed by terror-
ism varies across Member States. Some countries have proactive 7. A protocol with the hospitals should be established for syn-
agencies monitoring the threats from terrorism, while other coun- dromic surveillance, determining the periodicity and the
tries may include consideration of these threats within their contacts of both entities for the exchange of information.
National Risk Assessment [45] [46] [47] [48] [49] [50]. In this regard,
water utility operators need to refer to their relevant national/local 8. A protocol with one or more laboratories should be
security authorities and obtain whatever relevant threat informa- established, to include pre-defined procedures to be followed in
tion is available to them. case of physical/cyber events to drinking water systems. The pro-
tocol should include access outside normal working hours and
Finally, threats must be analysed ‘in perspective’. The utility weekends, especially for entities that do not have their own labora-
operator needs to assess its weakest points, and consider what tory, or those who do, but may need support for more specific ana-
actions a potential attacker might employ against them. From this, lyses.
the water utility operator can identify its level of exposure. The
probability associated with a potential threat could be estimated Through this risk assessment and management process, a pro-
for a determined period of time related to a long-term relative tection level should be set as a target. By analysing consequences,
occurrence frequency, or to a degree of confidence that an event utility operators could identify critical components, harden, or
will occur. secure those that can reasonably be better protected, and develop
response plans in the event of a successful attack. It also provides
Example : a probability scale could be adopted. It can identify a a basis for future review, by enabling the identification of changes
low, moderate, or high probability of the threat materializing in each of to the risks through updates to the infrastructure, or new intelli-
the short, medium, and long terms. gence on the threats of deliberate attack.
physical attack, including poisoning, and assessment of the sever-

To remember ity of the event, in terms of the ability of a given scenario to evolve
into a risk event with impact on the service. The scenarios can be
– Common elements of security risk assessment and mana- customized by the user through the support of a scenario planner
gement should be incorporated in any evaluation method to application.
tackle physical/cyber threats and vulnerabilities of drinking
water supply systems.
– Security requirements and protocols should be established 3.2 Adding the security aspect to water
and documented through a WSecP, enabling the identification monitoring
of new/changing risk landscapes with continuous updating
and revision. Monitoring of drinking water networks represents the starting
point to detect contamination release. Depending on the type of
contamination, existing system configuration and operation may
change when introducing security to the objectives of water moni-
3. Preparedness and planning toring. The connections between the three main purposes of water
monitoring (Traditional; Safety; Security) are analysed below:
1. The installation of a ‘traditional’ water distribution network
3.1 Water distribution modelling operation and monitoring system aims to:
and security scenarios – cover water quality assurance and legal aspects such as the
ability to safeguard and prove regular and continuous compliance
The risk assessment and management process also informs the within mandatory limits and standards;
water utility operator about the benefits of using modelling tools – address operational aspects such as increased efficiency and
and techniques to support preparedness and to develop secu- increased system stability;
rity-related scenarios affecting the water distribution networks. In – serve economic aspects such as cost savings by reduced sam-
this sense, hydraulic simulation models are indispensable tools for pling and laboratory analysis.
drinking water security.
The number of monitoring points found today in drinking water
Planning and operation of modern water distribution networks
networks ranges from 0 to about 5 per 100 000 inhabitants which is
are complex tasks that require a very good understanding of the
still extremely few, given how far the few sensors will be from
network hydraulics. Planning for emergency situations needs to be
most individual consumers, considering the health-critical nature
undertaken without causing impact to the live system. For that rea-
of drinking water.
son, hydraulic simulation models are used as digital twins of the
entire distribution system including pipe network, consumer con- The ‘dynamic water quality map’ (figure 1) [55] would be the
nections, control valves, pumping and rechlorination stations as ultimate tool for utility managers. It allows observation of concen-
well as storage facilities, where the digital twin represents the tration changes in real time on a map/GIS system, so any opera-
properties and hydraulic behaviour of the physical system as accu- tional strategies can be implemented and their effect observed in
rately as required: the range of events that can be studied is real time, or even modelled, and be predicted. An evenly distrib-
greatly increased, leading to an improved preparedness. uted sensor network based on an individual number of monitoring
points is the basis of such a tool.
Example : scenarios can be studied for improving security pre- The strategic planning process aims to develop a concept that
paredness including the spread of contamination. satisfies both safety and security aspects. In particular, safety inte-
grates both accidental contamination risk points and vulnerability
The scientific community is now proposing examples of points, with a focus on contamination risk. However, security can-
stress-testing platforms (STP) in which the hydraulic model (physi- not focus on contamination risk points because intentional con-
cal layer) is integrated with the cyber topology (cyber layer) [51] tamination can happen at almost any point and time, and therefore
defined by the so-called cyber nodes (e.g. PLC and levels of sen- must focus more on vulnerability. Only by keeping both aspects in
sors in tanks or actuators in pumping stations). The STPs can be mind can water monitoring enhance both safety and security.
used to assess the ability of a cyber or physical threat to evolve
into a risk to the service provided.
In practice, it should be noted that there is still a gap between
the theoretical capabilities of digital twins and the actual situation 1.6
at water utilities. Small and medium sized companies in charge of 1.4 1.8
running the water supply in many European countries often suffer 1.2
1.0 1.6
from insufficient data about their network (e.g. pipe characteristics,
valve locations and operational states). In such cases, the improve- 1.4
0.8
ment of network data needs to be addressed alongside the installa- 1.4
1.2
tion of new sensors and modern devices. 1.2
The value of a digital twin is strongly connected to the quality of 0.5 1.0
the underlying data and to the usability of the simulation tools. 1.0 0.8
Currently, these tools are usually quite complex and it is difficult 0.5 0.5
for the user to define certain scenarios. Consequently, there are
ongoing activities aiming to provide simple browser-based inter- 0.8
faces to the user, and to establish a live connection to the GIS
environment (e.g. Project W-Net4.0 [52]). 0.5
0.5
Similarly, the STOP-IT project [53] has developed a risk assess-
ment and evaluation framework, which supports water utilities at
tactical level to improve preparedness in case of crisis
management [54]. The framework allows stress testing of water Figure 1 – An example of a dynamic water quality “Heat Map” for
distribution systems against potential scenarios of cyber and/or chlorine concentrations (mg/L) [55]
System Assessment
Module 2 Describe the water supply system

Operational Monitoring
Module 3 Identify hazards and hazardous

events and assess the risks
Module 6 Define monitoring of the control
Module 4 Determine and validate control measures, measures
reassess and prioritize the risks
Develop, implement and maintain Verify the effectiveness
Module 5 Module 7
an improvement/upgrade plan of the WSP
Figure 2 – Selection of core modules of the WHO Water Safety Plan [56]
2. The Water Safety Plan is a tool for strategic and preventive – Reliability: use of proven, reliable, lowest maintenance sensors
reduction of risk of any type of unintentional contamination which only.
can be set up on top of a ‘traditional’ monitoring system, or fully – Stations should be independent of mains power, and easily
integrated with it [40]. It represents a systematic approach that accessible.
stretches over all steps in the water supply system from catchment – Maintenance: according to a well-defined plan, target interval
to consumer, by applying a multi-barrier methodology whose main should be six months or longer.
goal is consumer health. Of those steps, system assessment and – Data quality: intelligent, self-learning validation and
operational monitoring (figure 2) [56] form the core of a WSP, as event-detection algorithms and software.
below. – Central data: well-customized central data management sys-
In support of WSP, continuous monitoring is especially impor- tem (CDMS).
tant to detect any fast spreading of water contamination [57]. For – User interface: barrier-free access to the system and data via
utilities that are pro-actively implementing a WSP, the installation an intuitive, easy-to-use Graphical User Interface (GUI).
of 5 to 10 monitoring points per 100 000 consumers currently Institutional
seems to be typical, derived from an empirical analysis of urban
– The value of security is fully understood by utility managers

utilities [58]. This number is increasing with availability of smart
and operators.
and cost-efficient sensors, communication systems and data man-
– Security is fully integrated through every-day, multi-purpose
agement technologies and tools.
and long-term use of the security system and the produced data.
The status of WSP implementation in several countries is – Implementation and regular training of Standard Operating
described by the WHO [39], where the two main benefits reported Procedures (SOP) which is more an organizational than a technolo-
are not safety-specific, but rather towards “improved system man- gical challenge.
agement of water supplies”, followed by “increased awareness, – Real use of alarms: alarms are trusted, used and escalated
knowledge and understanding among staff of water supplies”. The according to SOP, at a false-to-true alarm rate of better than 10 to
main deficits identified in this WHO report include three security 1 (less than 10 false alarms for 1 true alarm).
relevant aspects.
Security should always be aligned with safety, and with normal
– Day-to-day operation and sustainability: focus on risk network operation. Indeed, security connects to the different pur-
assessment, management and improvement planning should be poses of water monitoring, hence that is not a separate effort but
balanced by greater attention to the ongoing operations, manage- needs to be integrated with ‘traditional’ and safety systems.
ment, monitoring and review aspects that allow integration of a Extra budget, resources and efforts for a water utility, already
WSP into day-to-day operations and sustainability [59]. under stress from the implementation of a WSP, should be mini-
– WSP audit practice: the majority of WSP implementing mized. Otherwise, in absence of an immediate, recognizable threat,
countries do not yet practise regular auditing, highlighting an the acceptance of the WSecP module will not be good enough to
important need to strengthen WSP impact and sustainability maintain its sustainability and achieve resilience.
through independent oversight and assessment [60].
– Financial barriers: a need for improved communication of
the gains possible from a WSP at minimal cost, as well as greater 3.3 Planning and integration of security
promotion and funding (e.g. by governments, external support into existing systems
agencies, etc.) to help target and sustain financial investments [61].
3. Unlike safety-relevant events, intentional contamination can It must be stressed that conventional monitoring by taking ran-
happen at almost any point in the system, and is hardly predic- dom or scheduled samples and analysing them in the laboratory,
table. Therefore, the chosen point of contamination will be a pro- while increasing safety to some extent, is useless for increasing
duct of accessibility of hydraulic infrastructure and predicted security against intentional contamination. Only real-time data are
impact of contamination. In order to maximize the number of pro- useful in the security context [57] [62].
tected water consumers and minimize the reach, duration and For water security it can be stated that: “Catching the event in
impact of a contamination event, real-time monitoring is even real-time and estimating the degree of deviation is considered
more crucial for security than for safety. In particular, the key ele- much more important than identification and quantification of the
ments of success of a water security monitoring network can be contaminant, which still remains with the laboratory” [63].
grouped by their technical and institutional dimensions, as follows. The master variables determining a system selection process
Technical can be summarized.
– To satisfy also ‘traditional’ multi-purpose use, online parame- 1. Target protection level/s (political decision).
ters should correlate to classical laboratory parameters: for control, 2. City areas and special areas to be covered by monitoring
compliance, and reporting. (political, social), overlapping with target protection levels.
Budget A : 1 × 106 €/5 years Budget B : 3 × 106 €/5 years Budget C : 5 × 106 €/5 years
100% 100% 100%
15 A-Stations 26 A-Stations
5 A-Stations 80%
80% 80%
70 B-Stations
Protection level
Protection level
Protection level
43 B-Stations
60% 60% 60%
50% 50% 50%
15 B-Stations 40%
40% 40%
70 C-Stations 116 C-Stations
24 C-Stations
20% 20% 20%
250 D-Stations 250 D-Stations
125 D-Stations
0% 0% 0%
0% 20% 40% 60% 80% 100% 0% 20% 40% 60% 80% 100% 0% 20% 40% 60% 80% 100%
City area covered City area covered City area covered
Figure 3 – Comparing the efficiency of different monitoring concepts for increasing protection
3. Types of monitoring stations (technical). but rather overlap in a strategic planning process which satisfies
4. Event detection performance/probability of monitoring sta- both aspects.
tions (technical).
5. Costs (CApital and OPerating EXpenses: CAPEX & OPEX) of
monitoring stations (commercial). To remember
6. Budget: ‘value of security’ (political, economic).
– Planning and operations of water distribution systems
Each master variable contains several sub-variables, and should should focus on network hydraulics, stress tests and secu-
be represented by a separate model. The relationship between rity-related scenarios.
these variables is complex, and cannot be modelled accurately.
– Security should always be aligned with safety and with
normal network operation since they overlap in a strategic
Example
planning process.
A study was conducted for a large city to compare different
concepts for their effect on protection levels, at different budgetary
levels. A very simple spatial-hydraulic model was sufficiently accurate
to determine the general parameters. It was found that it would not
be efficient to invest in just five high performance monitoring stations 4. Technologies and tools for
of Type A, because only a small part of the city area can be protected
by that approach, even if at a high protection level, resulting in an ‘eli- event detection and
tist’ approach. On the other hand, it does not substantially increase
the protection level when installing many (125 to 250) low-end sen- response
sors of Type D at monitoring points all over the network. The most
efficient investment would be the combination of a moderate number
of mid-level sensors of Type B or C, with a few high-end stations of 4.1 Online monitoring and event
Type A at the most vulnerable points in the system [64] [65] [66] [67] detection tools
[68] [69] (figure 3).
On-line monitoring is a crucial part of the WSecP [34] [35] [36]. A
It has been observed that a dense network of mid-cost reliable rapid detection and response to any potential threat is key in
sensors gives broader protection than the installation of only a few reducing the risk to public health (figure 6). Therefore, deployment
expensive high-end stations: of on-line sensors is crucial to tackle contamination in real time.
– better spatial coverage; Traditional sampling and analysis in the laboratory is not suitable
– faster detection due to the vicinity to the point of contamina- for this purpose, although laboratory analysis is still essential to
tion and consumption; confirm, identify and quantify the pollution/contaminant.
– allows sectoral closure and flushing; Different technologies now exist [33] [70] [71] [72] that allow
– redundancy increases information reliability: ‘swarm intelli- water utilities to establish early warning systems by combining
gence’; on-line monitoring and event detection software [57] [73] [74] [75].
– more reliable, more trusted, alarms taken more seriously. The integration of the network of sensors into the Supervisory
Control And Data Acquisition (SCADA) system by different proto-
While making some general cost considerations:
cols (e.g. profibus DP, Modbus RTU, Modbus TCP/IP, etc.) as well
– the monitoring system cost is only a fraction of the total secu- as into the daily standard operation procedures of the water utility
rity system cost, but is very visible in the CAPEX – and in the bud- is crucial [76]. This should assure that basic preventive mainte-
get; nance and data verification from the sensor network are per-
– there is no Return On Investment (ROI) on Security; formed, so the data are robust over time.
– CAPEX is typically only 30 to 35% of 10 yrs. monitoring system
Sensor placement is also a key decision in matters of drinking
total cost; sensor cost is typically only 25% of CAPEX;
water security. Water utility operators will need to know their vul-
– OPEX portion is often underestimated; big factor is cost of data nerabilities in the network to choose the best locations to install
management if not implemented properly. the sensors, which could be helped by using software and model-
The two following maps (figures 4 and 5) indicate the allocation ling. The type of distribution network, the number of reservoirs,
of monitoring stations accordingly to safety and security purposes the length and the diameter of the pipes, and the hydraulic compo-
respectively. Their positions and tools do not exclude each other, nent will all need to be taken into account.
Contamination Risk Points Overlapping Contamination Risk with Vulnerability

! Vulnerability Points
Biggest harm potential:

1. High local density of people
2. „Vulnerable“ people Pesticides
3. „System relevant“ entities Filling Abandonned
Industrial Site
Soccer
Fertilizer
! Stadium
Factory
Military
! Base
Government University
Abandonned ! Building ! Campus
Landfill
City Hospital ! ! Shopping
Mall
Car Factory Amusement

! Park
Large
Motorway
Crossing Diversified Industrial
Complex
Figure 4 – Sensor placement for a Water SAFETY Plan – Contamination risk and vulnerability
Focus on Vulnerability –
! Vulnerability Points Contamination can be inserted „anywhere“
Biggest harm potential:

1. High local density of people
2. „Vulnerable“ people
3. „System relevant“ entities
Soccer
! Stadium
Military
! Base
Government University
! Building ! Campus
City Hospital ! ! Shopping
Mall
Amusement
! Park
Figure 5 – Sensor placement for a Water SECURITY Plan – Focus on vulnerability
Figure 6 – Real time detection sensor network

Parameter 2
Parameter
e 1
Figure 7 – Usual relation behaviour of two parameters (green) versus relation behaviour out of confidence acceptance interval (red)
The water quality parameters to be monitored depend on detection software by the water quality manager of the water util-
national legislations [77], on the risk assessment performed by the ity is very relevant, and sensitivity is also gained. This allows the
water utility, and also on water treatment and operation software to distinguish between changes in water quality due to
practices [78]. However, in general, the following parameters standard or normal operations, and events that do not qualify as
should be included as a minimum: normal. The system hence learns from what the operator considers
– disinfectant parameters (i.e. chlorine, monochloramine, etc.); a ‘normal’ behaviour pattern in parameters and spectrum, in order
– turbidity; to notify when there is a deviation from the normal-considered
– pH; pattern (figure 7).
– conductivity;
– organic carbon. In the example below (figure 8), the UV-VIS spectrum of normal
drinking water from the distribution network can be seen. Then,
Ideally, all of these parameters should be monitored, whatever around 9 a.m., an intentional contamination was simulated by swit-
the size of the network; the actual number of sensors would ching into a closed loop pilot and introducing, for a few minutes,
depend on the length and complexity of the network. drinking water which was spiked at a NO3 concentration above
Generic information like UV-VIS spectrum absorbance, coupled 50 ppm. The peak of NO3 absorbance at low UV range was detected
to software to detect deviations from a non-polluted drinking water immediately and it was classified by the water utility as an event in
matrix, is also highly recommended [57][73]. Training of the event case it might happen in the future.
EVENT
60
50
40
60
30
50
Absorbance (Abs/m)
20
40 10
30 0
– 10
20
10
14 Jul-15 07 00
0
– 10 14 Jul-15 09 00
300
400
500 14 Jul-15 11 00
600
Wavelength (m) 700
Figure 8 – UV-VIS spectrum of drinking water with a punctual contamination of drinking water spiked at a NO3 concentration above 50 ppm in
a closed loop pilot
With on-line monitoring stations integrating different sensors and adapted to the various threats resulting from deliberate water con-
probes, a multivariable approach to safeguard drinking water quality tamination allows:
is possible by combination of different water quality parameters and
– the necessary analysis to be accomplished as fast as possible
indicators. Whenever possible, microbial on-line monitoring should

be integrated into the early warning system [62] [73]. to minimise the impact on the water supply in the affected areas,
and a fast response to the contamination event;
For a contaminant to pose an immediate risk to consumers’
health, it has to be present at high concentrations [79] [80]. In this – the greatest possible number of potential contaminants to be
regard, the response of such multi-parameter on-line monitoring identified;
stations has already been tested by different water utilities with – the possibility for the analysis to be performed on a 24h/365
satisfactory results when adding contaminants at concentrations of days basis.
LD50 and also at much lower concentrations in the low range of
mg/L. When an alarm is triggered from one or several on-line mon- An innovative and progressive approach starts with an initial
itoring stations because one or more water quality parameters assessment of the detection of chemical toxic compounds and/or
deviate from ‘normal’ behaviour, the operator should have proce- microbial agents using simple, non-targeted technologies, such as
dures in place to verify the alarm, communicate it, and react by the Toxicity and the Adenosine Triphosphate (ATP) tests. The next
isolating that sector of the network, thereby mitigating the risk [74] step is to identify the specific compound causing the contamination
[81] [82]. by performing rapid tests using targeted technologies, such as
immunoassay-based, Polymerase Chain Reaction (PCR), sequencing
Concerning the investment costs, they mostly include the con- technologies and field analysis by gas chromatography (GC/MS).
struction of chambers to install the sensors, with construction These targeted technologies are based on tests available on the
costs higher in a dense urban area than in a rural area. Finally, market, with a focus on rapidness and reliability of results, and aim
maintenance costs must be taken into account where a good main- to identify specific compounds or microorganisms in the water [71].
tenance is essential to ensure quality and effective actions.
Depending on the outcomes of these tests and the objectives of
the utility, further analyses may be required; a full diagnosis may
4.2 Rapid detection of chemical need to be performed using conventional laboratory tests
and biological contaminants (figure 9).
Drinking water suppliers are strongly encouraged to establish
In the event of potentially intentional contamination of drinking appropriate and standardised sampling capabilities, analytical
water, the risk to public health must be minimised. This requires methodologies and procedures to support monitoring, surveil-
confirmation of contamination and, if possible, identification of the lance, response and recovery in contamination events [78].
contaminant [83] [84] [85] [86].
Depending on specific objectives and risk management options, Ideally, each utility should have an in-house sampling team
water utilities and laboratories can select the appropriate analytical capable of collecting samples, performing basic field analysis and
approach using the information provided by existing technologies responding immediately in an emergency.
that can quickly detect and identify CB contaminants in a water The use of non-targeted technologies should preferably be also
supply system [71] in support to the WSecP [34]. carried out internally. Subsequent rapid targeted tests could be
Searching for the nature of the water contaminant in an emer- carried out internally, or contracted out to external laboratories, in
gency will require a reliable, quick response (within a few hours) which case, specific requirements for emergency situations should
from the laboratory and a step-by-step approach based on be included in the contracts. Wherever possible, analysis should
easy-to-operate technologies which can also be used by non-spe- be carried out by accredited laboratories, to ensure reliability and
cialised technicians. An efficient analytical strategy that can be comparability of results.
Feedback Water security plan

from Physical- (Teixeira et al., 2019)
Online monitoring consumers access Cybersecurity
and security incidents
authorities incidents
Pressure UV involved
Chlorine
absorbance:
254 nm Early detection
Flow system – abnorm
change in water al Alarm / threat warning
Turbidity Conductivity
Other
quality
pH
Dissolved
oxygen TOC
(Carmi, 2019) Collection of water samples
Rapid tests using

non-targeted Toxicity ATP
technologies
Chemical contamination Microbial contamination
Rapid tests Immunoassay-based systems

using targeted Portable GC/MS (ELISA, luciferase assay, colour, Sequencing technology PCR
technologies
fluorescences, etc.)
Targeted High-performance liquid ICP Atomic Ion Protein Sequen-

Immuno- Culturable Immuno-
technologies/ chromatography (LC) GC/MC LC/MS screening absorption chromatography ICP-MS PCR or amino cing
assay cells assay
“conventional” spectroscopy acid
laboratory
testing Organic Inorganic Virus and bacteria
Figure 9 – Diagram of possible analytical procedures in the event of unknown contaminants in the water supply
4.3 Data management and centralized tion, filtering, management and communication of data of diverse
origin and quality, to produce a reliable and stable data set that
systems can be fed into event detection algorithms. An even greater chal-
lenge is to provide easy, barrier-free access and control for utility
According to the US Environmental Protection Agency [41], the
staff, which often includes the sometimes complex training of ref-
current bottleneck is data management, validation, and sequential
erence baseline(s) of ‘normality’. The final detection of security
analysis, often inducing false alarms. Typically, regular data analysis
events itself is not considered to be a bottleneck in this context.
shows that the shortcomings are not on the sensor side, but more on
the installation, configuration, and maintenance side. Therefore, it is
recommended that utilities that have already invested in monitoring
infrastructure shift their focus from installing more equipment to 4.4 Spatial prediction for rapid event
making existing systems and data more reliable and more useful, and detection
with that, generate better security against physical and cyber risks.
Data management tasks can be allocated to either the local or The concept of spatial model (SM) is here intended as an addi-
the central systems. Both approaches have their pros and cons, tional security layer for water quality event detection whose tech-
and depend on many conditions, such as reliability and cost of nology is based on machine learning algorithms.
data communication systems, or availability of centralised data The traditional framework of water quality event detection is
management resources. based on a violation of regulation limits. However, this method
To this purpose, it is important that all tasks are undertaken for: ignores the fact that each site has specific characteristics: a site
– local sensor/station management; with an average turbidity of 0.2 nephelometric turbidity units
– data plausibility tests, validation and filtering; (NTU) that experiences a rapid change of turbidity to 0.6 NTU
– sequential data analysis and event detection; should get more attention than a site with a normal turbidity of
– central sensor and data management; 0.7 NTU, which faces an increase of the turbidity to 0.75 NTU.
– algorithm training, configuration and reporting. The challenge of adjusting limits to each site's quality parameter
Interfacing of sensors to a centralized data management system can be addressed by calculating each site's statistical limits. How-
(CDMS) is not absolutely necessary, but can greatly enhance sys- ever, in some cases, this approach may not be the solution [87].
tem performance. Additional information, by comparing sensor Sometimes a change in one site can be predicted based on a
data across locations, and integrating data sources from SCADA change in the upstream site.
and other data systems, can substantially increase system reliabil- In this regard, figure 11 shows one week of conductivity data
ity (figure 10). However, if not done properly, such additional data from two stations. The blue line is an upstream station, and the
can introduce noise and additional effort for ‘data cleaning’. orange line is the downstream station. As can be seen from the
There are several CDMS systems available but only a few of chart, changes in the downstream can be predicted based on a
them focus on security. However, the main challenge is the collec- change in the upstream.
SCADA System
IPC – Monitoring Station
water quality monitoring data
information
Sensor C
Sensor X
Sensor A
Sensor B
Station
………….
Sensor interfaces (analog, digital, div. protocols) CENTRAL DATA BASE
Sensor + station Standardised sensor and station data

management tool; Local real-time Real-time documentation; configuration
data and information data base & synchronisation
and information management
Standardised Protocol (TML)

standardisation; reference
web based user data base
interface Raw data Central raw data management
Data validation & Central clean data management

identification of sensor-related anomalies Validated data
Validated data Data validation + identification

training for identification of baseline of normal of sensor-related anomalies
water quality and composition
Real-time data analysis & Central data analysis

Local alarms
local identification of water-related central identification of water-related
anomalies (events) anomalies (events)
Events
SCADA System Centralised data warehouse

operations data (pumps, valves, service activities, Operations data & other operational data and information:
other logs, etc. ) LIMS; GIS; CIS; CMMS; public health data etc.
Figure 10 – Example of a centralized water data management system
560 560
540 540
526
520 520
505
500 500
480 480
460 460
440 440
2020/11/10 13 : 17 2020/11/11 11 : 22 2020/11/12 08 : 58 2020/11/13 06 : 18 2020/11/14 03 : 24 2020/11/15 12 : 03
Dates
Upstream station Downstream station
Figure 11 – Upstream vs. downstream stations
8,6
8,4
User limits
8,2
8,0
7,8 Spatial limits
7,6
SU
7,4
7,2
7,0
6,8
6,6
6,4
2020/10/10 14 : 54 2020/10/12 00 : 21 2020/10/13 10 : 00 2020/10/14 19 : 23 2020/10/16 04 : 57 2020/10/17 14 : 29
Actual Low limit User high limit

Predicted High limit User low limit
Figure 12 – Spatial prediction monitoring charts

Furthermore, once the change has occurred, and the system is used – at least in large water utilities – for the development of opti-
stable, it is possible to predict the downstream value based on the mal design of sensor networks, verification of valve locations, stress
upstream value by implementing the spatial model, following testing the system performance under scenarios of attack and, very
three steps. importantly, for training of the different groups of stakeholders [51].
1. Initially, the user is requested to define as many as possible In case of an emergency, a quick and effective response is deci-
pairs of stations. sive with respect to the impact on the population, and in very
severe cases, also with respect to the number of casualties. As
2. For each pair, the system (the SM) learns the delay time
already mentioned in previous sections, this requires the optimal
between each pair of stations based on water quality changes that
preparedness not only of the technical facilities but also of the
travel along the pipes.
human factor consisting of all stakeholders involved in the deci-
3. Once delay time between two stations is estimated, the sys- sion and response process. Hydraulic simulations models and dig-
tem automatically builds a prediction model that predicts the value ital twins proved to be useful for both: the planning of the system
at the downstream station based on the delay time and the origin's and the training of the technical staff and also as operational tools
value. The results of such a prediction model can be seen in for managing an emergency [88].
figure 12. For that purpose, the digital twin runs online simulations in near
The blue line is the actual value at the downstream station. The real time. The simulation model is continuously updated with sensor
green line is the predicted value as obtained from the relevant pair data from the physical network. This guarantees that the simulations
of the spatial model. The upper and lower grey lines are the confi- represent the current hydraulic state of the real network as accu-
dence intervals of the prediction model. These confidence limits rately as possible. Based on the continuous real-time simulations,
give the 99% accuracy estimation for the predicted value. Once the additional ‘look-ahead’ and ‘what-if’ scenarios could be run for esti-
actual value violates one of the two confidence limits, some mating the future spread of contamination, and checking the effec-
change to the water quality has occurred between the upstream tiveness of countermeasures such as closing of isolation valves.
and downstream stations. The permanent storage of simulation results, i.e. flow velocities
It should also be noted that the ratio between the big blue verti- in this context, also enables the implementation of particle back-
cal arrow (upper user limit – lower user limit) and the small blue tracking methods that run in reverse time and enable the calcula-
vertical arrow gives an estimation of how much time the spatial tion of possible locations of an unknown source of contamination
model gains for the decision-makers before a change in the water (figure 13).
quality turns into an emergency situation. The addition of a spatial Although the technical requirements exist, and the interaction of
model with an event detection algorithm would lead to a better existing tools is mostly automatized, implementations of such sys-
solution to manage a WSecP. tems are very rare. Possible reasons may be missing or poor data,
required financial investments and the fact that running and maintain-
ing the described tools is still demanding. Indeed, a minimum require-
4.5 Operational response and water ment for a model is to be calibrated for hydraulic and water quality.
system performance However, new calibration methodologies such as ‘inverse model
solver’ could be very helpful in some cases [89] [90], where instal-
Criteria such as the shortest possible time to detect the event, and lation of high frequency pressure sensors every 5 to 10 km –
minimizing the volume of contaminated water supplied can be sup- depending on the precision wanted – would allow a calibration for
ported by computational simulations [67]. In particular, they are real-time use.
Instances
• online simulator
• sensor backtracking
• source identification
• look ahead simulator
Red: source candidates

Yellow: current spread
Cyan : look ahead spread
Sen
ensso
en sor
os
Sensors
Isolation
Iso
olation
on
o n valve
valves
v s
Figure 13 – Example showing the results of online source identification after alarm
Moreover, design and calibration of a hydraulic and water quality

model is proportional to the size of the network and its complexity. 5. WSecP from design
About 10 months could be necessary to elaborate a model for
real-time use for a small system, with up to 24 months for large sys-
to implementation
tem (several thousand kilometres). Regular updating of the model
and maintenance of the pressure sensors would also be necessary.
and revision
For small networks, lacking accurate and reliable data to pre-
cisely calibrate a model, a SCADA coupled with a denser water 5.1 Lifecycle
quality sensors fleet could be an alternative solution.
The previous sections of this paper provide the framework upon
It is important that these enhanced tools are included in the daily which the WSecP can be built, such as methodologies, technolo-
operation, so that it will be easier to justify both the financial gies, system components and best practices. Figure 14 depicts the
investment and the training effort of the users. Moreover, the lifecycle of a WSecP, from the design of the plan to its implemen-
effectiveness of risk reduction measures to increase the system’s tation, review and dissemination. The transversal element to all
resilience can also be assessed. This allows study of the perfor- stages is an adequate communication system, fundamental to the
mance of the system and of the efficiency of response actions, success of the process after a malicious event.
such as isolation of the contaminant and flushing [91] [92]. This
can be further supported by performance indicators – related to
quantity or quality – or deployed in case of very rare events and
emergency situations that have never been seen.
Design
To remember
– Sensor placement is key for ensuring drinking water secu-

rity and should be based on water utilities’ vulnerabilities in
the network.
– Rapid detection of contaminants in a water supply system
should be encompassed by standardised sampling capabilities Communicate
Imple
and procedures where basic field analyses are performed

vise
in-house.
Re
me
– Regular data analysis shows that the shortcomings are not

nt
on the sensor side, but more on the installation, configuration,

and maintenance.
– Spatial prediction of water contamination can gain more
time for decision-making before it turns into an emergency.
– Evaluation of water distribution system performance can
support checking the effectiveness of response actions, increa-
sing system resilience.
Figure 14 – Water security plan lifecycle
• Risk assessment, threat evaluation, scenario preparation

and implementation of security measures;
• Identification of suspicious activity indicators;
• Awareness-raising, training and exercices.
Phase I – Planning
and preparation
• Event detection;
• Record of anomalous occurrences;
• Online water quality and operational monitoring;
• Consumer complaints, public health and surveillance
by authorities (enhanced security monitoring);
Phase II – Protection – • Sampling and laboratory analysis;
Event detection • Summary of event detection.
and confirmation
• Emergency response planning;

• Communication;
• Response measures;
• Event management flowchart after confirmation.
Phase III – Response –
Event management
• Preparedness for rehabilitation;

• Remedial and rehabilitation planning;
• Contaminated system survey;
• Risk assessment and rehabilitation objectives;

• Remedial and rehabilitation plan;
Phase IV – Remediation • Public communication;
and recovery – Return • Remedial and rehabilitation implementation;
to normality • Return to normality;
• Post-event actions.
Figure 15 – Phases of a water security plan
The WSecP design includes a general characterization and a duced by a water utility inevitably highlights weaknesses which
detailed description of the system and all its components, includ- are extremely sensitive and need careful management by the util-
ing its redundancies in terms of water supply alternatives. ity. This may also apply to certain sections of utility’s security plan,
It also incorporates an identification of threats to the system and and therefore the utility needs to apply appropriate measures over
its vulnerabilities, the constitution of an internal team, and all the the WSecP it produces, such as making the sensitive parts availa-
external entities that should be part of the plan, allocating roles ble only to trusted individuals within the organization on a ‘need to
and responsibilities to all. Finally, the risk assessment culminates know’ basis.
in the identification of the most likely risk scenarios for intentional Moreover, this would reduce the impact of ‘insider’ threats [94]
water contamination, cyber attacks, or weaponized disinformation and it applies to cyber threats to control systems [95] and the
campaigns [93]. spread of fake information for profit-driven intentions [96]. It is rec-
Risk management provides detailed guidance to operators on ommended that care is also taken with any electronic storage or
the creation and implementation of a WSecP in order to reduce communication of such sensitive sections of the WSecP, including
and revise periodically the above-mentioned risks to drinking within the utility’s own systems.
water infrastructure, as an essential part of the WSecP lifecycle. However, some elements of the security plan need to be widely
Water security planning consists of four phases, as shown in available to the staff of the utility and key external stakeholders,
figure 15. although disclosure should be subject to careful evaluation of
Although the likelihood of a malicious attack on water infrastruc- which entities, and to what degree.
ture remains relatively low, the consequences could be very Therefore, it is recommended that a security plan should be
severe. It is therefore essential that the security plan is constantly formed of two parts: one part available to all relevant staff within
reviewed and updated so that the planned security and response the utility organization and to external partners, and a controlled
measures can be validated against actual events wherever possi- separate annex for the sensitive sections, restricted to only those
ble. that need to know. Advice on the security of sensitive information
WSecP disclosure should also be considered, especially when it should be available through local law enforcement or security
concerns sensitive information. Indeed, the risk assessment pro- authorities.
Example : some criteria should be established in the WSecP for – outsourced technical services;
its dissemination to new employees, perhaps requiring prior evalua- – no monitoring equipment and no resources for maintenance;
tion and vetting. – no digital infrastructure;
– long standing ‘other problems’, ‘other priorities’, etc.
This process links with training and awareness raising actions
mentioned in previous sections. Therefore, the implementation of a WSecP for small utilities
must be realistically tailored to an acceptable level, in line with the
WHO and its WSP concept [38]. The main focus is not to further
5.2 Pilot project invest in infrastructure, but to assess the possible points of vulner-
ability, and add security as an important aspect to the general
To accompany the guidance for the production of the WSecP in tasks list. Even if the utility manager or political leaders want to
drinking water systems, a test-bed is being developed for its imple- implement the security aspect, it may not be advisable to inde-
mentation in the field. This initiative, proposed by the ERNCIP TG pendently invest in a WSecP. Instead, it might be better to collabo-
Water, aims to engage different utilities from different countries rate with neighbouring utilities, and develop a security strategy by
and diverse water security awareness and concerns. As a basis for ‘joint effort’ in a regional network of utilities.
this pilot project, the development of a WSecP implementation In many European countries, such networks or associations or
manual has been considered. This is intended as a practical and ‘utility neighbourhoods’ already exist, in various formats, and
operational support document to water utilities, as well as assis- could be used as ‘organisation templates’.
tance to operators in the implementation process.
Furthermore, many of the security tasks, including emergency
The implementation manual aims to include all key aspects and response, can be better managed from a central location/data cen-
elements mentioned in the previous chapters, with each section of tre, maintaining professional capacity at one location only, to serve
the supporting document comprising: several small utilities in the network. The operation of monitoring
– a check-sheet that provides a guide through each section and infrastructure, the necessary IT infrastructure, the daily operation
enables each completed task to be recorded; of all that, and the design, training and auditing of the security
– a narrative explaining ‘the what and the why’ for the material plan can be done more efficiently from a central location. In this
in that section; way, fixed costs can be shared and at the same time, the quality
– tools to help complete the critical components of that section. and sustainability of the implementation can be compared
between partnering utilities. Overall, enhanced security would only
Each section of the WSecP implementation manual is being be one result of such an initiative, but general operations efficiency
designed to be ‘independent and autonomous’ so it can be com- and resilience, as well as improved general water quality and
pleted on its own using the checklist, narrative and tools for that increased safety against all kinds of threats would be important
section, while the other sections can be completed in parallel, or outcomes as well.
subsequently. It is intended that all components of the supporting
document to the implementation of the WSecP are completed, i.e.
all check-sheets and tools completed for every section.
6.2 Regulatory framework
The lessons learned from the pilot project should form the basis
for defining the next step, which is the implementation of plans for The regulators have an important role in defining the regulatory
preparing for, preventing and responding to malicious attacks in frameworks for the regulated services providers, which must be
the daily routines of normal operation of the drinking water service adequate to the stage of development of the sector. At the same
providers. In this way, a culture of physical infrastructure protec- time, these frameworks should also allow for gradual and continu-
tion will grow within organizations, leading to a cycle of continuous improvement of the sector and its players [97].
ous improvement in resilience.
Indeed, the regulatory framework must be ‘one step ahead’ of
the general activity of the regulated services, and therefore must
To remember anticipate the gradual implementation of tools and methodologies
that guarantee the provision of the services on a continuous basis,
without impairing its quality. Regulators should act as ‘driving
– An adequate communication system is transversal to all
forces’ for the development of an appropriate regulatory frame-
WSecP phases, although sensitive information must only be
work that, in addition to the safety of the drinking water, also
disseminated to trusted parties.
ensures the security of the infrastructures associated with these
– The development of a test-bed is essential for implemen- services [98].
ting the WSecP in the field, leading to continuous improve-
ments. Consequently, the main question is how to identify the best
strategy to develop the most appropriate regulatory framework for
drinking water distribution systems and security aspects. Consider-
ing that the main goal is the physical and cyber protection of the
infrastructures associated with distribution networks, namely
6. Reflections against malicious or terrorist attacks, the regulators and intelli-
gence services will need to cooperate. This cooperation will allow
and recommendations regulators to include the real dimension of the threat, assessed by
the intelligence services, into the proportional definition of a regu-
for water security latory framework. Cooperation will give the intelligence services a
deeper knowledge of the specificities of drinking water supply ser-
vices and associated infrastructures.
6.1 Small water utilities This collaboration between regulators and intelligence services
should gradually be extended to drinking water providers, through
For a small utility, capabilities and resources are often limited, developing the technical capabilities of their staff, and the imple-
so the implementation of a WSecP could prove to be a demanding mentation of pilot projects, as previously mentioned. In this way,
task. Typical conditions for small utilities are: the procedures foreseen in the elaborated plans can be evaluated,
– no technical staff (often, one town official is responsible for all as can the communication capabilities between the different enti-
public infrastructure); ties involved in pilot projects (regulators, intelligence services,
security forces, service providers, health authorities, emergency However, some costs and planning resources depend on local
services, among others). conditions, such as urban or rural situations, size of the water net-
works, etc. They may also depend on the maturity of the water ser-
The definition, implementation and analysis of the results of dif-
vice (i.e. availability of data, analytical tools and equipment).
ferent types of pilot projects must be coordinated by the regula-
tors, in partnership with the intelligence services in order to adopt Thus, it is important to understand that all systems, technologies
relevant threat characteristics, and to establish the foundations for and approaches bring many operational benefits, such as better
the definition of the regulatory framework that should be gradually knowledge and management of the distribution system, allowing
applied to the entire sector. improvement of leaks and management of customer complaints,
and must not be considered as limited only to the WSecP.
Once the regulator considers there is enough information and
knowledge, the regulatory framework should be reinforced and
revised accordingly. A reasonable period should be established for To remember
its implementation, and the measures and procedures must be
adapted to the current level of the service providers. – To overcome limited capabilities and resources, water utili-
Indeed, it is essential that the defined regulatory framework ties’ networks could be used as organization templates, com-
takes into account the investment capacities of the service provid- bining forces for implementing the WSecP.
ers, and their existing human and technical resources – especially – Regulatory frameworks must provide relevant economic
limited for small water utilities – providing low, medium and and technical options to water utilities without compromising
high-cost solutions, without compromising the minimum level of the minimum level of protection.
protection.
– All systems, technologies and approaches bring operatio-
Therefore, the regulator assumes an important role in creating nal and management benefits and must not be considered as
the regulatory framework for which its ability to coordinate and limited only for the WSecP.
articulate with intelligence services, service providers and other
entities relevant to this process is crucial.
6.3 Practical experiences with

7. Conclusions
implementation For security-related events, intentional threats can happen at
almost any point in the system, and are hardly predictable. There-
Several technologies and methodologies have been mentioned

fore, the WSecP provides a valuable support to water operators for
as building blocks on which the WSecP should be based. Their
assessing existing and potential risks, preventing intentional con-
implementation and usage need investment, time and expertise.
tamination due to physical and/or cyber attacks, minimizing expo-
For instance, several requirements must be considered for acquir-
sure time and concentration as well as improving detection
ing real-time data, such as:
probability and capabilities. The development of such capabilities
– solution is online; can better support an effective response to emergency situations
– if the digital twin approach is selected, hydraulic and quality following a malicious event to drinking water infrastructure, which
calibrations must be very accurate; endangers the health of communities and businesses of intercon-
– if the spatial model approach is selected, artificial intelli- nected services. In addition, the WSecP includes elements for the
gence/algorithms are necessary for an accurate interpretation of preparation of a recovery plan so that the drinking water system
the data; can return to normality as soon as possible.
– in both cases, sensors calibration and maintenance are essen- Some challenges still remain to be tackled by water utilities and
tial. operators, especially on the implementation side, where the inte-
gration of safety and security aspects in the daily operation should
The integration of the data from diverse sensors, algorithms and
be fostered, optimizing the allocation of resources.
models is a complex task requiring special competences and
expertise. Including the calibration of the system, between 12 to 24 Overall, the WSecP represents a dynamic tool for increasing a
months could be necessary, depending on the number of sensors, utility’s resilience, addressing different security requirements
complexity of the network, and reliability of the algorithms. based on the utility’s size, geographical location and available
resources. It proposes an overarching guidance to building a water
Moreover, the effort to manage the system and data (event security system which encompasses private and public partner-
detection) must not be underestimated. For a large network, typi- ship, raising awareness across all players involved in ensuring
cally 1 to 5 operational events/sensor/week have to be managed security, from local to national and supra-national level.
(depending of quality of algorithms and variation of water quality
in the system). Complex events may require between 0.5 and
4 hours to be analysed. Such expertise is rarely available in small
water utilities and not cost-effective for a small network. A solution
could be to mutualise such skills at a more global level – for 8. Glossary
instance regional – or to entrust some tasks to specialized opera-
tors. Rapid event detection
In this regard, different kinds of expertise will be necessary Rapid identification and quantification of ‘unknown’ chemical
which is often not available to small water services. For example, and biological contaminations in drinking water which help event
the implementation of technological solutions by a large urban detection as well as damage prevention and/or mitigation (i.e. fol-
water utility could take three years. The first year would be dedi- lowing an incident) in water supply systems.
cated to studies (sensor placements, IT developments, etc.), the
second year would consist of the technical implementation (sen- On-line contamination monitoring
sors, hydraulic models, algorithms, etc.) while the third year would The use of innovative techniques (probes, sensors, etc.) and ena-
be for final calibration, interpretation of the data according to the bling technologies for online measurement of water quality as well
local specificities and training whose overall cost may vary signifi- as monitoring of performance requirements in drinking water dis-
cantly for complex networks. tribution networks.
CDMS (central data management system) achieve efficiency, quality output and uniformity of performance,
while reducing miscommunication and failure to comply with
A centralized database is stored at a single location such as a industry regulations.
mainframe computer and it is used by organisations to store all
their information. SCADA (supervisory control and data acquisition)
SOP (standard operating procedure) It is a control system architecture comprising computers, net-
worked data communications and graphical user interfaces (GUI)
It is a set of step-by-step instructions compiled by an organisa- for high-level process supervisory management, while also com-
tion to help workers carry out routine operations. It aims to prising other peripheral devices.
F
U
R
Water security plan T
H
Towards a more resilient drinking water E
infrastructure R
I
by Montserrat BATLLE RIBAS
Senior Innovation Specialist
Adasa Sistemas, Barcelona, Spain
N
Thomas BERNARD F
Group Manager
Fraunhofer IOSB, Karlsruhe, Germany O
Eyal BRILL
Owner
Decision Makers Ltd, Shoam, Israel
R
Maria Rosario COELHO M
Head of Laboratory
A
Aguas do Algarve, Faro, Portugal

Maria Fátima COIMBRA
Executive Advisor
T
Jochen DEUERLEIN I
Associate Director
3S Consult GmbH, Office Karlsruhe, Germany O
Peter GATTINESI
Advisor on water infrastructure and security
United Kingdom
N
Philipp HOHENBLUM
Senior Water Expert
Pierre PIERONNE
National water quality expert
Technical Division, SUEZ Water France, Paris, France
Jordi RAICH
2 - 2022
European project manager

Luís SIMAS
Senior Adviser
Quality Department, ERSAR, Lisbon, Portugal
Doc. EP 4 244
Rui TEIXEIRA
Head of Division
Water Division and Sanitation, Municipality of Barreiro, Barreiro, Portugal
Rita UGARELLI
Chief Scientist
Andreas WEINGARTNER
CEO
© by Editions TI. All rights reserved Doc. EP 4 244 – 1
F WATER SECURITY PLAN _____________________________________________________________________________________________________________

U
R Monica CARDARILLI
T Project Officer
H and Georgios GIANNOPOULOS

Team Leader
E European Commission, Joint Research Centre, Ispra (VA), Italy
R
Bibliographical sources
I [1] European Commission. – Directive 2000/60/ AND OF THE COUNCIL on the resilience of [28] COLLIER (S.) and LAKOFF (A.). – The vulne-
EC of the european parliament and of the critical entities. COM/2020/829 final (2020). rability of vital systems : How « critical
N [2]
council. Off. J. Eur. Communities (2000).
European Commission. – Guidance docu-
[16] PANT (R.), THACKER (S.), HALL (J.W.),
ALDERSON (D.) and BARR (S.). – Critical in-
infrastructure » became a security problem.
Polit. Secur. Homel. Crit. infrastructure, risk
Secur., p. 40-62 (2008).
F ment n° 2 – Identification of water bodies
(2003).
frastructure impact assessment due to flood
exposure. J. Flood Risk Manag., vol. 11, n° 1,
p. 22-33 (2018).
[29] YUSTA (J.M.), CORREA (G.J.) and LACAL-
ARÁNTEGUI (R.). – Methodologies and appli-
[3] European Commission. – Monitoring under
O [4]
the water framework directive (2003).
European Commission. – Common imple-
[17] CHANG (S.E.). – Socioeconomic impacts of
infrastructure disruptions. In Oxford re-
cations for critical infrastructure protection :
State-of-the-art. Energy Policy, vol. 39, n° 10,
p. 6100-6119 (2011).
mentation strategy for the water framework search encyclopedia of natural hazard
R directive (2000/60/EC). Guidance document
n° 15, Guidance on Groundwater Monito-
science (2016).
[18] WILSON (G.), WILSON (T.M.), DELIGNE (N.I.)
[30] BAGGETT (R.K.) and SIMPKINS (B.K.). – Ho-
meland security and critical infrastructure
ring, Technical Report-002-2007, may 2007. protection. ABC-CLIO (2018).
M [5] European Commission. – Common imple-
mentation strategy for the WFD. Guidance
and COLE (J.W.). – Volcanic hazard impacts
to critical infrastructure : a review. J. Volca-
nol. Geotherm. Res., vol. 286, p. 148-182
[31] WHO. – Water safety plan manual : step-by-
step risk management for drinking-water
suppliers. WHO Libr. (2009).
A Doc, n° 21, vol. 428, may 2000. (2014).
[6] WFD-CIS. – Guidance document n° 35 : WFD [32] HOHENBLUM (P.). – Chemical and biological
[19] De BRUIJNE (M.) and van EETEN (M.). – Sys- risks in the water sector – A thematic area in
reporting. Common Implement. Strateg. tems that should have failed : critical in-
T [7]
WFD, Guid. Doc., n° 35 (2016).
European Comission. – Common implemen-
frastructure protection in an institutionally
fragmented environment. J. contingencies
the european commission’s Erncip. In Water
Contamination Emergencies, p. 330-333
(2013).
Cris. Manag., vol. 15, n° 1, p. 18-29 (2007).
I tation strategy for the water framework di-
rective (2000/60/EC). Public Participation in
relation to the Water Framework Directive
[20] European Commission. – Proposal for a DI-
RECTIVE OF THE EUROPEAN PARLIAMENT
[33] RAICH (J.). – Review of sensors to monitor
water quality. Eur. Ref. Netw. Crit. Infrastruct.
Prot. Proj. (2013).
O [8]
(2003).
European Commission. – Guidance docu-
ment n° 1. Implementation Challenge of the
AND OF THE COUNCIL on measures for a
high common level of cybersecurity across
the Union, repealing Directive (EU) 2016/
[34] TEIXEIRA (P.), CARMI (R.), RAICH (O.),
GATTINESI (J.) and HOHENBLUM (P.). – Gui-
N [9]
Water Framework Directive (2003).
BÉNÉDICTE (W.). – Eaux destinées à la
1148. COM(2020), 823 Final (2020).
[21] GONÇALVES (M.). – A security intelligence
dance on the production of a water security
plan for drinking water supply (2019).
[35] van der GAAG (B.), TANCHOU (V.), RAICH
consommation humaine. Risques sanitaires, approach for risk management in drinking
contrôle et réglementation. Tech. l’ingénieur (J.), PITCHERS (R.), HOHENBLUM (P.) and
water supply systems : The view of a natio-
Eau propriétés, Qual. Val. d’usage, base WEINGARTNER (A.). – Proposals for a gui-
nal security intelligence service (2020).
documentaire : TIB506DUO [W 2 002], Aug. dance related to a water security plan to pro-
2017. [22] HASSANZADEH (A.) et al. – A review of cy- tect drinking water ERNCIP thematic group
bersecurity incidents in the water sector. J. chemical and biological (CB) risks to drinking
[10] QUEVAUVILLER (P.) and VARGAS (E.). – Pro- Environ. Eng., vol. 146, n° 5, p. 3120003 water (2016).
tection des eaux souterraines. Cadre tech- (2020).
nique de la législation européenne. Tech. [36] WEINGARTNER (A.) and RAICH-MONTIU
l’ingénieur Anal. dans l’environnement eau [23] BARAK (I.). – Critical infrastructure under (J.). – Proposal for a water security plan to
air [P 4 220], nov. 2017. attack : lessons from a honeypot. Netw. Se- improve the detection of threats in the distri-
cur., vol. 2020, n° 9, p. 16-17 (2020). bution network affecting drinking water qua-
[11] JEAN-MARC (B.). – Outils économiques pour lity (2015).
la gestion de l’eau. Tech. l’ingénieur Eau pro- [24] KOZIK (R.) and CHORAS (M.). – Current cyber
priétés, Qual. Val. d’usage, base documen- security threats and challenges in critical in- [37] DORO-ON (A.). – Risk assessment for water
taire : TIB506DUO [W 2 100], dec. 2020. frastructures protection. In 2013 Second In- infrastructure safety and security. CRC Press
ternational Conference on Informatics and (2011).
[12] SYLVIE (B.) and PIERRE (M.). – Oxydation et
Applications (ICIA), p. 93-97 (2013). [38] WHO. – Water safety plan : a field guide to
réduction appliquées au traitement de l’eau.
Principes généraux. Tech. l’ingénieur Procé- improving drinking-water safety in small
[25] The New Work Times. – Dangerous stuff :
dés Trait. des eaux potables, Ind. urbaines, communities (2014).
hackers tried to poison water supply of flo-
base documentaire : TIB318DUO [W 2 700], rida town (2021). [39] World Health Organization. – Global status
Aug. 2008. report on water safety plans (2017).
[26] REHAK (D.), SENOVSKY (P.) and SLIVKOVA
[13] The European Parliament and the Council of (S.). – Resilience of critical infrastructure ele- [40] WHO. – WSP for small water supplies at a
the European Union. – Directive (EU) 2020/ ments and its main factors. Systems, vol. 6, glance water safety portal, p. 7 (2016).
2184, EU (revised) drinking water directive. n° 2, p. 21 (2018). [41] US EPA. – Summary of implementation ap-
Off. J. Eur. Communities, vol. 2019, p. 1-62, proaches and lessons learned from the water
dec. 2020. [27] BROWN (G.G.), CARLYLE (W.M.), SAL-
MERÓN (J.) and WOOD (K.). – Analyzing the security initiative contamination warning
[14] WHO – EU. – Drinking water parameter coo- vulnerability of critical infrastructure to at- system pilots, oct. 2015.
peration project, p 1-228 (2017). tack and planning defenses. In Emerging [42] BIGO (D.). – Internal and external aspects of
[15] European Commission. – Proposal for a DI- Theory, Methods, and Applications, Informs, security. Eur. Secur., vol. 15, n° 4, p. 385-404,
RECTIVE OF THE EUROPEAN PARLIAMENT p. 102-123 (2005). dec. 2006.
Doc. EP 4 244 – 2 © by Editions TI. All rights reserved

F
U
[43] ERIKSSON (J.) and RHINARD (M.). – The in- 3rd Meeting of the Community of Users on [79] SCHRIKS (M.), HERINGA (M.B.), van der
R
ternal-external security nexus : Notes on an
emerging research agenda. Coop. Confl.,
vol. 44, n° 3, p. 243-267 (2009).
[64] ELIADES (D.G.), KYRIAKOU (M.) and
Secure, Safe, and Resilient Societies (2019). KOOI (M.M.E.), De VOOGT (P.) and van
WEZEL (A.P.). – ‘Toxicological relevance of
emerging contaminants for drinking water
T
POLYCARPOU (M.M.). – Sensor placement in
[44] https://www.gov.uk/government/news/novi-
chok-nerve-agent-use-in-salisbury-uk-go-
water distribution systems using the S-
PLACE Toolkit. Procedia Eng., vol. 70, p. 602-
quality. Water Res., vol. 44, n° 2, p. 461-476
(2010). H
vernment-response 611 (2014). [80] KRISHNAN (K.), PATERSON (J.) and
[45] THEOCHARIDOU (M.) and GIANNOPOULOS
(G.). – Risk assessment methodologies for
[65] LIU (S.) and AUCKENTHALER (P.). – Optimal
sensor placement for event detection and
WILLIAMS (D.T.). – Health risk assessment of
drinking water contaminants in Canada : the
E
applicability of mixture risk assessment me-
critical infrastructure protection. Part II : A
new approach, jan. 2015.
[46] GIANNOPOULOS (G.), FILIPPINI (R.) and
source identification in water distribution
networks. J. Water Supply Res. Technol.,
vol. 63, n° 1, p. 51-57 (2014).
thods. Regul. Toxicol. Pharmacol., vol. 26,
n° 2, p. 179-187 (1997).
R
SCHIMMER (M.). – Risk assessment metho- [81] SAYESS (R.), EYRING (A.M.) and RECKHOW
[66] van THIENEN (P.). – Alternative strategies for (D.A.). – Source and drinking water organic
dologies for critical infrastructure protection. optimal water quality sensor placement in
Part I : A state of the art (2012). and total iodine and correlation with water
drinking water distribution networks (2014).
[47] GIANNOPOULOS (G.), DORNEANU (B.) and
JONKEREN (O.). – Risk assessment metho-
[67] BERRY (J.), BOMAN (E.), RIESEN (L.A.),
HART (W.E.), PHILLIPS (C.A.) and WATSON
quality parameters. Water Res., vol. 190,
p. 116686 (2021). I
dology for critical infrastructure protection. [82] NAPACHO (Z.A.) and MANYELE (S.V.). –
JRC, Scientific Policy Rep. (2013).
[48] GALBUSERA (L.), THEOCHARIDOU (M.),
(J.-P.). – User’s Manual TEVA-SPOT toolkit.
Version 2.5.2., p. 79, sept. 2012.
Quality assessment of drinking water in Te-
meke District (part II) : Characterization of N
[68] MURRAY (R.), HAXTON (T.), JANKE (R.), chemical parameters. African J. Environ. Sci.
CASAJUS-VALLES (A.), MARIN-FERRER
(M.), POLJANSEK (K.) and GIANNOPOULOS
(G.). – National risk assessments in the EU :
HART (W.E.), BERRY (J.) and PHILLIPS (C.). –
Sensor network design for drinking water
Technol., vol. 4, n° 11, p. 775-789 (2010).
[83] ADEDOJA (O.S.), HAMAM (Y.), KHALAF (B.)
F
contamination warning systems. US Envi-
reflections and recommendations (2019).
[49] De JAGER (A.) et al. – Recommendations for
ron. Prot. Agency Natl. Homel. Secur. Res.
Center, Cincinnati (2010).
and SADIKU (R.). – Towards development of
an optimization model to identify contamina-
tion source in a water distribution network.
O
national risk assessment for disaster risk ma-
nagement in EU (2019).
[50] POLJANŠEK (K.) et al. – Recommendations
[69] HART (W.E.) and MURRAY (R.). – Review of
sensor placement strategies for contamina-
tion warning systems in drinking water dis-
Water, vol. 10, n° 5, p. 579 (2018).
[84] CAPODAGLIO (A.G.). – In-stream detection of R
waterborne priority pollutants, and applica-
for national risk assessment for disaster risk
management in EU (2019).
[51] NIKOLOPOULOS (D.), MORAITIS (G.),
tribution systems. J. Water Resour. Plan. Ma-
nag., vol. 136, n° 6, p. 611-619 (2010).
tions in drinking water contaminant warning
systems. Water Sci. Technol. Water Supply, M
[70] VASEASHTA (A.), BRAMAN (E.), SUSMANN vol. 17, n° 3, p. 707-725 (2017).
BOUZIOTAS (D.), LYKOU (A.), KARAVOKI-
A
(P.), DEKHTYAR (Y.) and PEROVICHA (K.). – [85] VRACHIMIS (S.G.), LIFSHITZ (R.), ELIADES
ROS (G.) and MAKROPOULOS (C.). – Cyber-
Sensors for water safety and security. Surf. (D.G.), POLYCARPOU (M.M.) and OSTFELD
physical stress-testing platform for water
Eng. Appl. Electrochem., vol. 48, n° 5, p. 478- (A.). – Active contamination detection in wa-
distribution networks. J. Environ. Eng.,
vol. 146, n° 7, p. 4020061 (2020).
486 (2012).
[71] COIMBRA (M.F.), COELHO (M.R.) and
ter-distribution systems. J. Water Resour.
Plan. Manag., vol. 146, n° 4, p. 4020014
T
[52] Project W-Net4.0 (2020).
https://www.wnet40.de
[53] STOP-IT project
BATLLE RIBAS (M.). – Review of technolo-
gies for the rapid detection of chemical and
biological contaminants in drinking water
[86] ZULKIFLI (S.N.), RAHIM (H.A.) and LAU
(W.-J.). – Detection of contaminants in wa-
I
stop-it-project.eu
[54] MAKROPOULOS (C.) et al. – Risk analysis
(2020).
[72] SmartwaterforEurope
ter supply : a review on state-of-the-art mo-
nitoring technologies and their applica-
tions. Sensors Actuators B Chem., vol. 255,
O
and evaluation toolkit (2019). https://sw4eu.com
[55] WEINGARTNER (A.) and ENGERLAND (B.). –
Innovative sensors and software for water
[73] van den BROEKE (J.), BRANDT (A.),
p. 2657-2689 (2018).
[87] AMIT (B.) and BRILL (E.). – New approach for
N
WEINGARTNER (A.) and HOFSTÄDTER (F.). – estimation of detention time and prediction
quality monitoring and event detection sys-
Monitoring of organic micro contaminants in of quality in water networks. Water Qual.
tems. In IWA conference (2016)
drinking water using a submersible UV/vis Res. J., vol. 53, n° 2, p. 72-85 (2018).
[56] WHO. – WHO water safety plan - Core mo- spectrophotometer. In Security of Water
dules Supply Systems : From Source to Tap, Sprin- [88] BERNARD (T.) et al. – SAFEWATER–innova-
https://wsportal.org. ger, p. 19-29 (2006). tive tools for the detection and mitigation of
CBRN related contamination events of
[57] LANGERGRABER (G.), van den BROEKE (J.), [74] STOREY (M.V.), van der GAAG (B.) and drinking water. Procedia Eng., vol. 119,
LETTL (W.) and WEINGARTNER (A.). – Real- BURNS (B.P.). – Advances in on-line drinking p. 352-359 (2015).
time detection of possible harmful events water quality monitoring and early warning
using UV/vis spectrometry. Spectrosc. Eur., systems. Water Res., vol. 45, n° 2, p. 741-747 [89] JARRIGE (P.-A.) and GANCEL (G.). – Inverse
vol. 18, n° 4, p. 19-22 (2006). (2011). problem solving in water distribution
[58] The Water Research Foundation. – Enhanced networks. CCWI 2011 Proc. (2011).
[75] HALL (J.) et al. – On-Line water quality pa-
water quality monitoring during a large pu- rameters as indicators of distribution system [90] MIRATS-TUR (J.M.), JARRIGE (P.-A.),
blic event to detect possible contamination contamination. Journal-American Water MESEGUER (J.) and CEMBRANO (G.). – Leak
(2019). Work. Assoc., vol. 99, n° 1, p. 66-77 (2007). detection and localization using models :
[59] PANGULURI (S.), MEINERS (G.), HALL (J.) field results. Procedia Eng., vol. 70, p. 1157-
[76] UPADHYAY (D.) and SAMPALLI (S.). – 1165 (2014).
and SZABO (J.). – Distribution system water
SCADA (Supervisory Control and Data Ac-
quality monitoring : sensor technology eva- [91] ALFONSO (L.), JONOSKI (A.) and
quisition) systems : vulnerability assessment
luation methodology and results. Environ. SOLOMATINE (D.). – Multiobjective optimi-
and security recommendations. Comput. Se-
Prot. Agency, p. 1-60 (2009). zation of operational responses for contami-
cur., vol. 89, p. 101666 (2020).
[60] WHO. – Auditing water safety plans (2016). nant flushing in water distribution networks.
[77] WHO. – A global overview of national regu- J. Water Resour. Plan. Manag., vol. 136, n° 1,
[61] Water quality surveillance and response. lations and standards for drinking-water qua- p. 48-58 (2010).
[62] PUIG (V.), OCAMPO-MARTÍNEZ (C.), PÉREZ lity. Verordnung über die Qual. t von Wasser
[92] POULIN (A.), MAILHOT (A.), PERICHE (N.),
(R.), CEMBRANO (G.), QUEVEDO (J.) and für den Menschl. Gebrauch (Trinkwasserve-
DELORME (L.) and VILLENEUVE (J.-P.). –
ESCOBET (T.). – Real-time monitoring and rordnung -TrinkwV 2001), p. 100 (2018).
Planning unidirectional flushing operations
operational control of drinking-water sys- [78] World Health Organization. – Developing as a response to drinking water distribution
tems. Springer (2017). drinking water regulations and standards. system contamination. J. Water Resour.
[63] WEINGARTNER (A.). – Drinking water secu- General guidance with a special focus on Plan. Manag., vol. 136, n° 6, p. 647-657
rity monitoring from source to consumer. In countries with limited resources (2018). (2010).
© by Editions TI. All rights reserved Doc. EP 4 244 – 3
F WATER SECURITY PLAN _____________________________________________________________________________________________________________

U
R [93] WANIEK (M.), RAMAN (G.), ALSHEBLI (B.), National Threat Assessment Ctr Washington [96] LAZER (D.M.J.) and al. – The science of fake
T PENG (J.C.-H.) and RAHWAN (T.). – Traffic

networks are vulnerable to disinformation at-
tacks. arXiv Prepr. arXiv2003.03723 (2020).
Dc (2005).
[95] CLARK (R.M.), PANGULURI (S.), NELSON
news. Science (80), vol. 359, n° 6380, p. 1094
LP-1096, mar. 2018.
(T.D.) and WYMAN (R.P.). – Protecting [97] WHO. – How regulation can be used to pro-
H [94] KEENEY (M.), KOWALSKI (E.), CAPPELLI (D.),
MOORE (A), SHIMEALL (T.) and ROGERS
drinking water utilities from cyberthreats. J.
Am. Water Work. Assoc., vol. 109, n° INL/
tect public health in relation to drinking-wa-
ter. Optim. Regul. Fram. safe clean Drink.,
(S.). – Insider threat study : computer system JOU-16-39302 (2017). p. 1-4 (2011).
E sabotage in critical infrastructure sectors. [98] WHO. – International Network of Drinking-
Water Regulators.
R
Further reading from our database
ROIG (B.). – Mesure sur site pour l’analyse rapide QUEVAUVILLER (P.) and VARGAS (E.). – Protection BAIG (S.) and MOUCHET (P.). – Oxydation et réduc-
I de la qualité des eaux. [P 3 900] (2007).
POLESELLO (S.) and QUEVAUVILLER (P.). – Tech-

des eaux souterraines. Cadre technique de la lé-
gislation européenne. [P 4 220] (2017).
tion appliquées au traitement de l’eau. Prin-
cipes généraux. [W 2 700] (2017).
WELTE (B.). – Eaux destinées à la consommation
N niques analytiques pour les polluants émer-
gents. [P 4 240] (2018).
humaine. Risques sanitaires, contrôle et régle-
mentation. [W 2 002] (2017).
ELSKENS (M). – Analyse des eaux résiduaires. Me- BERLAND (J.M.). – Outils économiques pour la
F sure de la pollution. [P 4 200] (2010). gestion de l’eau. [W 2 100] (2020).
O Regulation
R European Commission, “Directive 2000/60/EC of the European Parliament
and of the Council”, Off. J. Eur. Communities, 2000.
European Commission, “Proposal for a Directive of the European Parlia-
ment and of the Council on the resilience of Critical Entities”, COM/2020/829
final, 2020.
M The European Parliament and the Council of the European Union, “Direc-
tive (EU) 2020/2184, EU (revised) Drinking Water Directive”, Off. J. Eur. Com-
munities, vol. 2019, p. 1-62, dec. 2020.
European Commission, “Proposal for a Directive of the European Parlia-
ment and of the Council on measures for a high common level of Cyberse-
A curity across the Union, repealing Directive (EU) 2016/1148”, COM(2020) 823
final, 2020.
T Directory
I Suppliers, Laboratories, Consultants (partial list) Authorities, Research departements, Research centres
(partial list)
ADASA, Barcelona, Spain
O https://www.adasasystems.com/
https://www.umweltbundesamt.at/
https://www.adp.pt/pt/
N Aguas do Algarve, Faro, Portugal
https://www.aguasdoalgarve.pt/
European Commission, Joint Research Centre (JRC), Ispra, Italy
https://ec.europa.eu/jrc/en
Fraunhofer Institute of Optronics, System Technologies and Image Exploita-
tion (IOSB), Karlsruhe, Germany
Decision Makers Ltd, Shoam, Israel https://www.iosb.fraunhofer.de/
https://www.decisionmakersltd.com/
https://www.sintef.no/en/community/#/
https://www.s-can.at/
SUEZ Water France, Paris, France Water and Waste Services Regulation Authority (ERSAR), Lisbon, Portugal
https://www.suez.fr http://www.ersar.pt/pt
3S Consult GmbH, Office Karlsruhe, Germany Water Division and Sanitation, Municipality of Barreiro, Barreiro, Portugal
https://www.3sconsult.de/ https://www.cm-barreiro.pt/
Doc. EP 4 244 – 4 © by Editions TI. All rights reserved

43 Manual Psa Oms 2022

Uploaded by

Copyright:

Available Formats

43 Manual Psa Oms 2022

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

43 Manual Psa Oms 2022

Uploaded by

Copyright:

Available Formats

Ce document a ete delivre pour le compte de 7200106152 - editions ti // caroline JULLIN // 90.66.42.

Water security plan

by Montserrat BATLLE RIBAS

Maria Fátima COIMBRA

© by Editions TI. All rights reserved EP 4 244 – 1

WATER SECURITY PLAN _____________________________________________________________________________________________________________

1. Drinking water security framework ................................................ EP 4 244 - 2

1. Drinking water security mentation at EU level. To achieve this, a Common Implementa-

EP 4 244 – 2 © by Editions TI. All rights reserved

______________________________________________________________________________________________________________ WATER SECURITY PLAN

In this paper, Security is defined as the ideal state of

in order to take protective measures and increase their

© by Editions TI. All rights reserved EP 4 244 – 3

WATER SECURITY PLAN _____________________________________________________________________________________________________________

(based on past incidents, information by national authorities,

EP 4 244 – 4 © by Editions TI. All rights reserved

______________________________________________________________________________________________________________ WATER SECURITY PLAN

physical attack, including poisoning, and assessment of the sever-

© by Editions TI. All rights reserved EP 4 244 – 5

WATER SECURITY PLAN _____________________________________________________________________________________________________________

Module 2 Describe the water supply system

Module 3 Identify hazards and hazardous

– The value of security is fully understood by utility managers

EP 4 244 – 6 © by Editions TI. All rights reserved

______________________________________________________________________________________________________________ WATER SECURITY PLAN

© by Editions TI. All rights reserved EP 4 244 – 7

WATER SECURITY PLAN _____________________________________________________________________________________________________________

Contamination Risk Points Overlapping Contamination Risk with Vulnerability

Biggest harm potential:

Car Factory Amusement

Biggest harm potential:

Figure 5 – Sensor placement for a Water SECURITY Plan – Focus on vulnerability

EP 4 244 – 8 © by Editions TI. All rights reserved

______________________________________________________________________________________________________________ WATER SECURITY PLAN

Figure 6 – Real time detection sensor network

© by Editions TI. All rights reserved EP 4 244 – 9

WATER SECURITY PLAN _____________________________________________________________________________________________________________

indicators. Whenever possible, microbial on-line monitoring should

EP 4 244 – 10 © by Editions TI. All rights reserved

______________________________________________________________________________________________________________ WATER SECURITY PLAN

Feedback Water security plan

Rapid tests using

Chemical contamination Microbial contamination

Rapid tests Immunoassay-based systems

Targeted High-performance liquid ICP Atomic Ion Protein Sequen-

© by Editions TI. All rights reserved EP 4 244 – 11

WATER SECURITY PLAN _____________________________________________________________________________________________________________

Sensor interfaces (analog, digital, div. protocols) CENTRAL DATA BASE

Sensor + station Standardised sensor and station data

Standardised Protocol (TML)

Data validation & Central clean data management

Validated data Data validation + identification

Real-time data analysis & Central data analysis

SCADA System Centralised data warehouse

Figure 10 – Example of a centralized water data management system

Figure 11 – Upstream vs. downstream stations

EP 4 244 – 12 © by Editions TI. All rights reserved

______________________________________________________________________________________________________________ WATER SECURITY PLAN

7,8 Spatial limits

Actual Low limit User high limit