Original Article

An investigation into modern water distribution network security: Risk and implications
Gurudeo Anand Tularam* and Mark Properjohn
School of Science Environment Engineering and Technology, Griffith University, Nathan, Queensland 4111,
Australia.
E-mail: a.tularam@Griffith.edu.au

*Corresponding author.

Abstract Water supply network security issues such as vandalism are of concern but have
received less than proper attention in the past. Clearly water infrastructure is recognised as
critical; the survival of a community depends on its ability to deliver fresh, clean drinking water
to its consumers. Recent security breaches in Australia and abroad have led us to consider the
issues of risk and consequence of deliberate attacks. However, securing water supply networks is
a complex problem; therefore it is necessary to study risks and develop appropriate management
strategies. This article reviews the characteristics of water supply systems and design traits that
make them susceptible. The range of potential threats is classified as biological/chemical and
physical, the latter including physical attack, cyber attack and hoaxes. Risk analysis methodologies to
assess the vulnerability are outlined, along with possible countermeasures that may minimise
threats. The review highlights the vulnerability of water supply systems to deliberate attacks
and sabotage and the need for a comprehensive and holistic approach to risk management and
countermeasures.
Security Journal (2011) 24, 283–301. doi:10.1057/sj.2010.4; published online 27 September 2010

Keywords: risk; security; water distribution; human security

Introduction

Human dependence on potable water is self-evident, for without it our survival is limited to
days (Hickman, 1999). It is an essential resource for life and good health, but a lack of water
for daily needs is a reality for one in three people around the world. Globally, fresh water
scarcity continues to intensify as cities and populations continue to grow; as does the need
for water in agriculture, industry and households (NHMRC and NRMMC, 2003). In fact
increasing scarcity, inequitable access and environmental degradation of water resources
continue to be causes of conflict around the world today. Human dependence on potable
water has led to water sources being considered and used as both targets and tools of deliberate
sabotage as far back as 2400 BCE. The contamination of wells, reservoirs and other
drinking water sources of both military and civilian populations has been a prevalent threat,
and a time-honoured tradition in conflicts and war throughout history (Foran and Brosnan,
2000; Kornfeld, 2002; Meinhardt, 2005; Gleick, 2008). In this current age of global warming
concerns and an ever-increasing human population, scarcity and conflicts over the management
and distribution of drinking water supplies appear to be escalating.

© 2011 Macmillan Publishers Ltd. 0955–1662 Security Journal Vol. 24, 4, 283–301
www.palgrave-journals.com/sj/

There is no substitute for fresh drinking water; whether its lack is because of natural
scarcity, a physical supply interruption or deliberate contamination, a community of any
size that lacks adequate potable water will endure great hardship (Lancaster-Brooks, 2002;
Gleick, 2006, p. 482). A community’s reliance on potable water for human welfare and
positive economic development makes potable water infrastructure systems a key asset to
the community and the nation. Modern societies depend on complex, interconnected water
infrastructure systems to provide reliable safe water supplies and to remove and treat wastewater.
It is this reliance on potable water, and the infrastructure used to deliver this resource,
that makes water an attractive and vulnerable target for a deliberate attack or sabotage
(Gleick, 2006; Khan et al, 2007). Deliberate disruption or destruction of a community’s
water supply can have significant economic and environmental impacts, create political and
social chaos, and cause mass illness or death (Chalecki, 2002; Meinhardt, 2005; Khan et al,
2007; Copeland and Cody, 2009).
Chalecki (2002) argues that criteria to assess the likelihood of sabotage can be developed
by identifying the attributes of a resource that render it vulnerable; physical attributes
such as scarcity and prestige of the targeted resource, its physical location and vulnerability
to attack, and capacity for regeneration are regarded as key determinants. Potential
threats and attacks on water infrastructure systems are not new. In 1941, the US Federal
Bureau of Investigation Director J. Edgar Hoover wrote that water supply facilities offer
a particularly vulnerable point of attack because of the strategic position they occupy in
keeping the wheels of industry turning and in preserving the health and morale of the
populace (Copeland and Cody, 2009). Presently, the deliberate sabotage of water supplies
and infrastructure systems is not only seen as a viable threat, but a plausible one
(Lancaster-Brooks, 2002).
Traditionally, safe and sustainable fresh water may have been taken for granted by modern
societies and their governments, where the deliberate sabotage of fresh water sources
and infrastructure systems had not received a great deal of publicity as a viable threat (Lancaster-Brooks,
2002). In more recent times, after the September 11 terrorist attacks in New York
in 2001, and with the growing concerns over the connections between environmental degradation
and scarcity of resources, the concern over the risks of the deliberate sabotage of
water resources has risen on the global list of worries and priorities (Gleick, 2008). Directly
after the 2001 attacks in New York, some of the first infrastructure assets to come under
US federal and state security reviews were water infrastructure systems (Kornfeld, 2002;
Apostolakis and Lemon, 2005; Gleick, 2008). Experts and policymakers have begun to
review the possibility of deliberate threats to modern water infrastructure systems and, ultimately,
human health and politics (Gleick, 2008).
This article reviews the literature on the vulnerability of potable water supplies and infrastructure
to vandalism and sabotage. The characteristics of water supply systems and design
traits that make them susceptible are first explored. A review is then conducted of the range
of potential threats and this is followed by a study of risk models and methodologies to
assess the vulnerability of water infrastructure. Finally, implications are drawn regarding
risks posed to water infrastructure, together with possible countermeasures that may minimise
such threats.

Vulnerability of Water Infrastructure Systems

The US President’s Commission on Critical Infrastructure Protection identified water
supply infrastructure as one of the key infrastructures that constitute the lifelines of most modern civilisations.
The president further argued that economic prosperity and social well-being are
jeopardised when they are damaged, disrupted or unable to function at adequate capacity
(Qiao et al, 2005). In terms of accessibility, water infrastructure systems are vulnerable to
the threat of sabotage. In general, there are no stringent security measures at water supply
systems and most facilities are fenced to restrict their access to authorised personnel only,
but these can be easily breached (Haimes et al, 1998).
The water supply infrastructure is a collection of independent water supply systems,
each serving communities in a limited geographical area. Each water supply system is at
risk from the threat posed by potential sabotage. It is difficult to assess the risk to the infrastructure
with reference to the risk to a particular system, because systems vary in terms
of their scales, structures and configurations (Haimes et al, 1998). A modern community
water supply system generally has the following basic components: (1) source(s), such as
raw water from deep wells and/or surface sources such as lakes or rivers; (2) treatment,
where raw water is transported to a treatment plant to remove natural or man-made contaminants,
ultimately producing drinking water; (3) storage, where drinking water is stored
in clear wells or reservoirs; (4) distribution, where drinking water is pumped into the community’s
distribution system under pressure; and (5) wastewater collection and treatment
facilities. All of these systems and facilities must be operable 24 hours a day, 7 days a
week (Hickman, 1999; Clark and Deininger, 2000; Gilbert et al, 2003; Copeland and
Cody, 2009).
Modern water supply systems are complex and interconnected, offering numerous points
within a system that are vulnerable to sabotage, ranging from raw water sources, such as
reservoirs or rivers, and the computer or cyber networks that govern the system, to the distribution
networks and pumping stations, or even the water itself (Khan et al, 2001; Kornfeld,
2002; Lindhe et al, 2009; Meinhardt, 2009). Kornfeld (2002) states there are two areas of
vulnerability identified by experts: the upstream or pre-treatment water intake part of the
system; and the post-treatment storage and distribution network, which includes the multitude
of pipelines that carry drinking water downstream from reservoirs and treatment
centres before delivering the water to homes and businesses. The threat of upstream or
pre-treatment contamination is limited by the large volumes of water, which act to dilute
toxic agents, and by the effects of filtering and disinfection at the water treatment plant
(Gilbert et al, 2003). The most likely vulnerability to deliberate sabotage or vandalism is the
post-treatment distribution network, downstream of the water treatment and disinfection
works (Khan et al, 2001; Gilbert et al, 2003). This article pays particular attention to the
vulnerability of the post-treatment distribution network.
The risk of sabotage or vandalism presents new and unfamiliar threats to the safety of
potable water supply systems. Saboteurs who seek to disable a community’s potable water
supply may consist of disillusioned individuals, criminals or individuals acting on behalf
of an organisation (Haimes et al, 1998). To carry out a successful attack, a saboteur would
have to dissect the water distribution system to identify and target ‘critical points’ in the
system, defined as geographical points that exhibit vulnerabilities in access and security
(Hickman, 1999; Apostolakis and Lemon, 2005). By design, there are selected portions of
a distribution system that offer several potential critical points, easily accessible to personnel,
which could be targeted for deliberate acts of sabotage (Meinhardt, 2009).
After the treatment stage of a modern water system, potable water is either pumped
directly into the distribution network or stored in unpressurised clear wells (a large, covered
storage facility) or other reservoirs. A water distribution system contains an interconnected
collection of sources, pipes and hydraulic control elements (for example, pumps, valves,
regulators, tanks) that deliver potable water to consumers in prescribed quantities and at
desired pressures. The potable water is then distributed to the end-user through transmission
pipelines to homes and businesses (Hickman, 1999; MacGillivray et al, 2006). Post-treated
clear wells and reservoirs provide disinfectant (typically chlorine) contact time and store
system water. They are unpressurised, usually passively defended, and directly feed potable
water into the distribution network. By design, clear wells are relatively easy targets for
sabotage and, therefore, are identified as critical points in the system (Hickman, 1999).
Distribution pipelines can be especially vulnerable to sabotage, as by design, they are
often exposed for long distances and offer numerous easily accessible ‘critical’ points to
the public (Gleick, 2006). A typical modern water distribution network is an underground
network of iron, concrete or PVC (plastic) pipes that transports potable water directly to the
consumers. Considerably high pressure makes it difficult, though not impossible, to inject
foreign material directly into pipelines, valve pits and other control points that offer access
to the water (Hickman, 1999). Pressure within a distribution network is maintained by
booster pumps and usually one or more water towers. These towers store potable water and
provide pressure in the system (known as ‘head’) by force of gravity. Similar to the clear
wells, water towers are critical points as they are usually not under pressure, providing a high
mixing volume and direct access to potable water supplies. Importantly, the towers are often
only passively defended with fences and gates on the ladders (Hickman, 1999).
The chance that a saboteur will strike at post-treatment storage and distribution networks
is real but poorly understood by water managers and the public. These systems have long
been recognised as being potentially vulnerable to deliberate threats of sabotage by:
biological/chemical (B–C) contamination, physical disruption or destruction, and cyber
attack on the computerised control networks (Haimes et al, 1998; Danneels, 2001; Gleick,
2006; Copeland and Cody, 2009). B–C agents would be directed at the water itself to significantly
contaminate the supply so as to endanger the health of the community. Physical
threats, most likely referring to the use of explosives, would be directed against the physical
components and the control centres of a water supply system. Cyber threats refer to the
introduction of software viruses and erroneous information through computer networks
to compromise the regulation and control of water releases, and disrupt communications
(Haimes et al, 1998).
This article defines a deliberate threat as the potential sabotage of water distribution
networks involving the use of varying degrees of violence, force, deception, terror, intimidation
or technological means to unlawfully threaten water supplies (Grigg, 2003). Lindhe
et al (2009) stated that deliberate threats may be different but their consequences can be
categorised as: (1) quantity failure, that is, no water is delivered to the consumer; and
(2) quality failure, that is, water is delivered but does not comply with water quality standards.
The experience base shows a number of hoaxes and minor incidents of attacks or
threats. Sabotage has been reported ranging from teenagers writing on water tanks, to
breaches in security at water treatment plants, and a relatively new threat of cyber attacks on
Supervisory Control and Data Acquisition (SCADA) systems. Even more serious are the
prospects of major B–C attacks against potable water systems. Among these potential
threats, it is the B–C contamination of water supplies that appears to be the greatest risk to
consumers of drinking water (Gilbert et al, 2003; Grigg, 2003).

Human-caused threats: B–C contamination

Throughout history, deliberate B–C attacks have ranged from the crude dumping of human
and animal cadavers into potable water supplies, to more sophisticated attacks involving
anthrax and cholera (Hickman, 1999; NHMRC and NRMMC, 2003). With modern advances
in technology, the mechanisms of dispersal of B–C agents have expanded significantly. Any
adversary with access to basic chemical, petrochemical, pharmaceutical, biotechnological
or related industry knowledge and provisions can produce a number of effective B–C weapons
(Hickman, 1999; Meinhardt, 2009).
Whether advanced technology or ancient warfare methods are used by saboteurs, covert
B–C contamination of water sources remains a potential threat to public health. In addition,
covert attacks on a human population with deliberate release of B–C agents may be difficult
to quickly and reliably identify in the environment (Meinhardt, 2009). The American postal
anthrax scare from October 2001 to February 2002 demonstrated how B–C weapons may be
used effectively to spread chaos among the millions and cripple a society and its engines of
commerce (Kornfeld, 2002). Similarly, another recent example is the 1995 Tokyo subway
attack in Japan caused by the Aum Shinrikyo (Supreme Truth) Doomsday Religious Cult.
On 20 March 1995, Aum used the chemical nerve agent Sarin on the Tokyo subway, killing
a dozen people and injuring almost 4000 others (Hickman, 1999; Kornfeld, 2002; Noah
et al, 2002). The critical points inherent in modern water distribution networks make
them particularly vulnerable to deliberate B–C contamination. The effectiveness of a B–C
attack is enhanced through deliberate introduction of a toxicant near the end use point, post-treatment
stage of a water distribution system (Clark and Deininger, 2000). Facilitating the
delivery of an effective dose of toxicant at the storage and distribution network stage of
a system has the potential to reach a very large population, requires a lower-level chronic
dose, and is exposed to lower-detection thresholds (Foran and Brosnan, 2000). Although
residual chlorine provides some protection, a suitable contaminant could move rapidly
through the network and has the potential to cause widespread outbreak of disease and illness
among those exposed, resulting in a major public health crisis, costly economic impacts
and long-lasting psychological effects (Clark and Deininger, 2000; Qiao et al, 2005;
Copeland and Cody, 2009).
Although much is known about chemical and biological agents dispersed in air, almost
nothing is known about these agents in potable water (Clark and Deininger, 2000). Hickman
(1999) states that compared to aerial attack (inhalation or skin contact), effective doses are
easier to obtain in water (less dilution than air and directly ingested by the target airmen),
and in many cases the materials are more stable (protected from ultraviolet and temperature
extremes, although exposed to chlorine). In the event of intentional contamination of water
with a B–C agent that is colourless, odourless, tasteless and not detectable by other human
senses, environmental detection of the agent may present many challenges. Water supplies
contaminated with B–C agents that do not cause any obvious change in the appearance or
physical characteristics of water to patients or water consumers are difficult to detect
(Meinhardt, 2009). The first evidence of sabotage is likely to be a flood of sick or dying at
the emergency room, and by the time water is recognised as the source, identification and
quantification of the agent could take days if not weeks (Hickman, 1999; Meinhardt, 2009).
Another problem in dealing with deliberate contamination of a water system is the complex
water movement within a system (Clark and Deininger, 2000). Flow patterns in distribution
systems can be highly variable and can have a significant impact on the way contaminants
are dispersed within a network. Flow patterns, therefore, make it difficult to predict where
a given parcel of water will be at a given time (Clark and Deininger, 2000). While some
experts believe that risks to water systems actually are small, concern and heightened awareness
of potential problems are apparent (Copeland and Cody, 2009).
There are many factors that make potential B–C contamination of water infrastructure
systems rather difficult to accomplish. The amount of material needed to deliberately contaminate
a water source is large and generally exceeds what small or individual saboteurs
could easily acquire, produce or transport (Copeland and Cody, 2009). Most biological
pathogens cannot survive in water and most chemicals require very large volumes to contaminate
a water system to any significant degree. Many contaminants are also broken down
over time by sunlight and other natural processes (Gleick, 2006). Furthermore, many pathogens
and chemicals are vulnerable to the kinds of water treatment used to destroy biological
pathogens and reduce the concentration of harmful chemicals through chlorination, filtration,
ultraviolet radiation, ozonation and many other common treatment approaches (Gleick,
2006).
However, contaminants introduced into a post-treated distribution system would be less
susceptible to dilution and would reside in the system for shorter times, diminishing the
effects of disinfectants and chemical decomposition and oxidation (Clark and Deininger,
2000). As well as the above factors complicating deliberate contamination of post-treated
water, to effectively contaminate potable water supplies to enable sufficient harm or illness,
B–C agents must be: (1) weaponised, meaning they can be produced and disseminated in large
enough quantities to cause the desired effect; (2) infectious or toxic from drinking water;
(3) appropriate for water dissemination, in that they must be viable, dissolvable, stable and
transportable in water; and (4) chlorine resistant, in that they must maintain their effectiveness
in water long enough to reach and affect humans and must not be negated by standard
water treatment systems likely to be in place (Hickman, 1999; Gleick, 2006; Copeland and
Cody, 2009).
Most toxins can be neutralised by effective filtration or inactivated by keeping a certain
concentration of disinfectant in the water such as chlorine (Clark and Deininger, 2000).
Chlorine residuals in the distribution system are assumed to be protective. There are, however,
natural micro-organisms that are highly resistant to chlorine and can survive the water
treatment process to cause sickness and death among water consumers. For less than
US$10 000, such biological organisms can be cultured and grown in a laboratory with ease
by anyone with gear no more sophisticated than a home brewing kit, with relatively little
personal risk (Hickman, 1999; Clark and Deininger, 2000; Gleick, 2006).
There are two prevalent microscopic bacterial species that survive the chlorination treatment
in water plants and both carry waterborne diseases that cause illness when consumed
in treated water. The first is Cryptosporidiosis (Crypto) which is a diarrheal disease caused
by the microscopic parasite Cryptosporidium. The other is Giardiasis, an intestinal illness
that includes diarrhoea and vomiting caused by the microscopic parasite Giardia (Clark and
Deininger, 2000; Kornfeld, 2002). Both of these parasites are resistant to chlorination and
there is concern that micro-organisms with similar resistance could be introduced deliberately
into water systems and cause illness before remedial action could be taken (Clark and
Deininger, 2000). The April 1993 Milwaukee Cryptosporidium outbreak in the United States
killed over a hundred people, affected the health of over 400 000 more and cost $37 million
in lost wages and productivity. Although disinfection of public drinking water supplies has
greatly reduced the incidence of infectious waterborne disease, that outbreak, completely
unrelated to terrorism, gives some sense of the vulnerability of modern potable water systems
to similar undetected, intentionally caused, contamination events (Fox and Lytle, 1996;
Chalecki, 2002; Kornfeld, 2002; Meinhardt, 2005; Gleick, 2006).
As both Giardia and Cryptosporidium are resistant to chlorination, dumping large
amounts of these microscopic parasites into drinking water sources could cause hundreds
or thousands of people to suffer gastrointestinal illnesses. Such an attack would most likely
go undetected, since these parasites are typically not tested for by water utilities. All it
would take is dumping contaminated faeces, infected carcasses or isolated microbes into a
drinking water source (Kornfeld, 2002). Adding to the plethora of available agents that may
act as effective contaminants, several chemical agents have been identified as a credible
threat against water supply and distribution systems (Berger and Stevenson, 1955; Hickman,
1999; Clark and Deininger, 2000).
The world has an abundance of dangerous industrial chemicals, hazardous materials,
pesticides and fungicides used in society daily. Most of these chemical agents are legal to
obtain, and relatively easy to produce in significant quantities at low to moderate cost, with
many undetectable by human senses as they are colourless, odourless and tasteless (Haimes
et al, 1998; Hickman, 1999; Meinhardt, 2009). Commercial chemicals, such as industrial
and agricultural compounds, are commonly produced, distributed and used throughout the
world. It is their availability and ease of production that make commercial chemicals the
most likely agent used to contaminate potable water supplies (Gleick, 2006). Of particular
concern are the organophosphate pesticides, rodenticides and herbicides used to kill insects,
rodents and plants (Gleick, 2006). Many of these are acutely toxic and capable of incapacitating
or killing humans in doses obtainable by deliberate water system contamination
(Hickman, 1999; Gleick, 2006). Under certain conditions, inorganic chemicals such as metal
salts, acids and other substances also offer a wide variety of options to the potential saboteur.
Several of these inorganic chemicals are widely available and act as potential threats
to water systems, including various forms of arsenic and cyanide, both of which are soluble
in water and can be lethal. Cyanide, particularly sodium cyanide, is an odourless white salt
which is stable, highly soluble in water and certainly lethal in relatively low doses. It is
also readily available on the worldwide open and black markets because of use in the mining
and metals industry. Other noticeable threats to post-treatment potable water supplies
include fluoride, cadmium and mercury (Hickman, 1999; Beaglehole et al, 2004; Gleick,
2006).
The array of potential chemical agents that may be used for a deliberate attack on water
supplies and infrastructure is expansive (Meinhardt, 2009). Commercial products contain
low concentrations of active ingredient, but a determined adversary could easily acquire
pure active ingredients in the open or black markets (Hickman, 1999). There are
threats to water distribution systems other than B–C contamination that may not have a
potentially broad impact but are a pertinent threat nonetheless (Gilbert et al, 2003). Human-caused
threats, such as the use of explosives to physically attack and disable water infrastructure,
or hoaxes that act to spread terror among those relying on the water infrastructure,
can be equally damaging.

Human-caused threats: Physical attacks and hoaxes

The traditional form of water-related sabotage usually involves physical attacks on water
infrastructure that aim to destroy or disrupt a water system’s components via the use of
explosives; specifically water supply dams and distribution pipelines (Haimes et al, 1998;
Gleick, 2006). Qiao et al (2005) consider physical attacks to be more likely than contaminant
attacks given that explosive materials are readily available and require a lower level of
expertise compared to the development and deployment of contaminants.
Most modern municipal water systems are built with redundancy, the ability of certain
components of a system to assume the functions of failed components without adversely
affecting the system’s performance. There are also backup systems that reduce vulnerability
to physical attacks even though many supply systems still exhibit critical points (Haimes
et al, 1998; Gleick, 2006). Physical attack scenarios generally target distribution pipelines,
pumping stations, water tanks and other structural facilities in an attempt to alter the system
by destroying or degrading part of the network (Haimes et al, 1998; Qiao et al, 2005). Since
water flow is governed by the nonlinear hydraulic laws, the destruction of a well-selected
set of network components can easily cause far-reaching infeasibilities resulting in severe
disruptions to a community’s water service (Qiao et al, 2005).
Distribution networks are designed to deliver potable water under pressure to the
community and supply most of the water for fire-fighting purposes. Loss of water or a substantial
loss of pressure could disable fire-fighting capability, interrupt service and disrupt
public confidence. Sabotaging pumps that maintain flow and pressure by way of explosives,
for example, could cause long-term disruption to a community’s water supply (Clark and
Deininger, 2000). The sabotage of a water pipeline in Baghdad in 2003 is a recent example
of the destruction that can result from a coordinated physical attack. A rocket-propelled
grenade hit an open-air section of a pipeline linking the Sabah Missan pumping station with
the eastern Baghdad district of Rasafa. Streets in parts of northern Baghdad were reported
to have flooded after the breach and around 300 000 persons were deprived of running water
(Australian Broadcasting Commission, 2003). A more modern concern for water infrastructure
systems, however, is the use of remote computers to physically attack valves, pumps
and chemical processing equipment through computer-based controls (Gleick, 2006). A saboteur
hacking into a SCADA system could potentially gain control over the automated operations
of potable water facilities, where water supplies or quality could be seriously compromised
(Gleick, 2006).
SCADA systems are process control systems that are used to monitor and control
chemical, physical or transport processes, continuously collecting field data from many
points, as well as monitoring and controlling objects such as switches, valves, temperature
of a component and the pressure of a pipe (Qiao et al, 2005; Wang and Yu, 2007). These
monitoring capabilities are often required by corporate personnel through remote access,
which encourages many utilities to establish connections to the SCADA system to enable
engineers to monitor and control the system via the corporate network. These connections
are often implemented without addressing security risks or concerns, as security strategies
for utility corporate network infrastructures rarely account for the fact that access to these
systems might allow unauthorised access and control of SCADA systems (Khan et al, 2007).
As a result, many of the SCADA networks used by water agencies to collect data from sensors
and control equipment may be susceptible to cyber-attack (Gleick, 2006). Cyber-attacks
on SCADA systems aim to corrupt data and damage computers, with the potential to affect
an entire infrastructure network, and could result in theft or corruption of information, or
denial and disruption of service (Qiao et al, 2005; Copeland and Cody, 2009). Complicating
matters, SCADA system operation and system information are subject to potential
attacks from anywhere in the Internet world, where an unauthorised operator of the
system could send commands to a device, for example, to shut down an automation process
in a factory (Wang and Yu, 2007). One of the first documented cases of cyber-terrorism
in the water industry occurred in Queensland, Australia. On 23 April 2000, police
arrested a man for using a computer and radio transmitter to take control of the Maroochy
Shire wastewater system and release sewage into parks, rivers and property (Gleick,
2006).
It is also important to note that attacks that do not injure or affect large numbers of
people may still have important political repercussions. Any real threat that exposes vulnerability
affects public perception, reduces public confidence in water supplies and may
force inappropriate political responses. Hoaxes, which usually do not involve any loss of life
or breaches in security, can have an impact beyond their actual value (Franz and Zajtchuk,
2002; Grigg, 2003; Gleick, 2006). Any attempt at sabotage, whether it is a physical attack
on water infrastructure, contamination of water supply, a cyber-attack on SCADA systems
or a hoax, has repercussions that destroy a community’s sense of safety and normality
(Gleick, 2006, p. 483).

Implications for Water Security

It is apparent in most countries with modern water infrastructure that many have taken
access to high-quality drinking water for granted, without serious thought to the security of
supplies (Leder et al, 2002).
Achieving sustainable water management remains a major worldwide challenge for the
twenty-first century. Water utility owners and managers must deal with: water security in
a changing climate, where climate change and population growth indicate a water deficit
for many global cities; the energy costs and greenhouse emissions of water supply options,
with climate change firmly on the global and local political agenda; and aging water infrastructure
(CSIRO, 2009b). As agriculture, industry and urban populations continue to
compete for water resources many cities and towns now face serious challenges in meeting
their current and future water demands (Leder et al, 2002; National Water Commission,
2009).
In South East Queensland (SEQ) Australia, the need for improved water management
has never been greater. As one of the fastest growing regions in Australia, where the population
is expected to grow from 2.7 million in 2006 to at least 4 million by 2026, pressures on
water demands and supplies are escalating. In addition to population growth concerns, SEQ
is considered to be one of the regions in Australia most likely to be impacted by climate
change with possible implications for water supply. Faced with an increasing demand in
water consumption, aging water infrastructure and an increasingly variable climate, the
security of potable water supplies has now become a major priority and concern (National
Water Commission, 2009). This is not an unusual case; many cities and towns across the
globe mirror the same emerging issues with ever increasing populations and demands on
potable water supplies and infrastructure. Water supplies and infrastructure that deliver this
precious resource are now more critical than ever, as a timely deliberate strike on a community’s
water supply could have devastating consequences.
To defend all water infrastructure resources against potential saboteurs is a difficult task,
if not impossible. Modern water treatment systems cover acres of often-vulnerable real
estate and distribution pipelines with numerous access points are simply too big to cost-effectively
protect against intrusion. To protect these systems would require resources that
are mostly unavailable and probably never will be; thus, it becomes necessary to plan an
adequate and efficient response to these acts of sabotage (Danneels, 2001; Lancaster-Brooks,
2002; CSIRO, 2009a). Traditional security measures such as increased physical security
(for example, guards and fences) can help, but these measures constitute neither a complete
nor a cost-effective solution. New tools are essential to not only manage the performance of
these systems, but to plan for secure and reliable systems in the face of deliberate threats.
Water utility managers and operators now have to consider risk, or the probability of unusual
events and their consequences when planning for safe and reliable water supplies
(Danneels, 2001; Grigg, 2003; CSIRO, 2009a).

Risk Management for Water Infrastructure Systems

The theoretical definition of risk, in terms of deliberate threat analysis is the probability of
a future attack and the consequence of that attack, presented as the conceptual equation
(Grigg, 2003; Gleick, 2006):

Risk = probability of an event × consequence of an event

R = p × c    (1)

Water system managers are under enormous pressure to reduce the risk of sabotage and
improve the security of water supply infrastructure, to provide wholesome, affordable and
safe drinking water that has the trust of customers (Danneels, 2001; Pollard et al, 2004;
MacGillivray et al, 2006). The identification of risk to water utilities covers many threats
that may be classified as: security risks, natural disaster risks and business risks, including
health and safety (Grigg, 2003; Gleick, 2006). In this article, the focus is on the security
risks related to the operational stage of water supply systems. The water supply system is
defined as everything from the point of collection of water to the consumer, including:
catchments, and groundwater systems; source waters; storage reservoirs and intakes; treatment
systems; service reservoirs and distribution systems; consumers. Water quality can be
affected at each of these points and because they are all interconnected an integrated management
approach is essential (NHMRC and NRMMC, 2003).

There is no simple way in which one can estimate the true risk of water-related sabotage.
However, there is evidence of numerous examples of actual and planned attacks on water
systems in the past and this suggests that the risks are real (Grigg, 2003; Gleick, 2006). The
United States and the world community more generally realized from the 2001 New York
terrorist attacks that attacks on infrastructure can and ought to be anticipated (Grigg, 2003).
History suggests a more active pre-emptive type of security approach is needed in water
infrastructure security. Reducing vulnerability and improving water security presents many
difficulties mainly because of the open and broadly dispersed nature of distribution networks
and minimal real-time monitoring capabilities. In addition, the under-protected nature of
information, SCADA systems, and the lack of integration between water delivery systems
further compound difficulties (Danneels, 2001).
It is clear that resource managers and security officials will have to consider changes in
the approach to fresh water supply, treatment and delivery to provide the most efficient
and economical approach to water supply safety, security and reliability (Danneels, 2001;
Chalecki, 2002). The owners and operators of water supply systems need to understand
vulnerabilities throughout their systems and be aware of measures that should be taken to
reduce those vulnerabilities and ultimately the overall risk. Indeed, a ready and well-tested
emergency response plan should be available (Lancaster-Brooks, 2002; Gleick, 2006). For
such a plan to be successful, an enhanced cooperation among a multidisciplinary team of
health-care providers, public health and water utility practitioners, law enforcement professionals
and community leaders is required in order to mitigate the potential likelihood or
impact of an attack (Chalecki, 2002; Meinhardt, 2009).
The most effective means of assuring drinking water quality and the protection of public
health is through adoption of a preventive management approach that encompasses all steps
in water production from catchment to consumer (NHMRC and NRMMC, 2003). Assessment
of the water supply system is an essential prerequisite for subsequent steps in which effective
strategies for prevention and control of hazards are planned and implemented. This
includes understanding of

• characteristics of the water system;
• hazards that may arise;
• how these hazards create risks; and
• processes and practices that affect drinking water quality (NHMRC and NRMMC,
2003).

Delivering the above objectives in the context of an increasingly demanding consumer and
regulatory environment, under constraints imposed by aging infrastructure and the trend
toward financial self-sufficiency, is rather challenging (Pollard et al, 2004; MacGillivray et al,
2006; Lindhe et al, 2009). Furthermore, protecting complex and interconnected water infrastructure
systems creates major technical challenges because they are interconnected across
systems, spread out geographically, and often have overlapping ownership and responsibility
in private organisations and local, state and national government (Apostolakis and Lemon,
2005). Most societies have limited resources and can ill afford to use them on measures that
have not been demonstrated to be effective. In the Australian water industry, risk management
is increasingly being used as a means of assuring drinking water quality by strengthening the
focus on more preventive approaches (NHMRC and NRMMC, 2003).

Figure 1: Risk management cycle. [Diagram not reproduced; its labels are: Qualitative Management, Quantitative Management, Management Focus; Risk Identification, Risk Analysis, Risk Assessment, Risk Resolution, Risk Monitoring; Target Secure Environment.]
Source: Adapted from Eloff et al (1993).

Eloff et al (1993) provide an outline of risk management as a continuous cyclic process,
as shown in Figure 1, initiated in the risk identification stage. Risk identification is the
process of defining infrastructure assets, boundaries and/or liabilities. It also includes the
identification of threats and vulnerabilities. Risk analysis then calculates the impact of an
undesired event on specific systems and the consequence and impact of that event, through
various quantitative, qualitative or a combination of quantitative and qualitative techniques.
Risk assessment calculates individual risk factors determined during risk analysis,
so as to calculate a risk measurement for each area. Finally, risk monitoring ensures
the effective and timely implementation and continual operation of appropriate
countermeasures (Eloff et al, 1993; Danneels, 2001; Grigg, 2003; MacGillivray et al,
2006).
The transition to the risk management philosophy within the water utility sector is now
reflected in recent revisions to the World Health Organization (WHO) Guidelines for
Drinking Water Quality. This revision places an emphasis on the development and implementation
of ‘water safety plans’ for water quality management, which includes the application
of risk methodologies as a basis for prioritising risk management measures within the
water supply chain from catchment to tap (Beaglehole et al, 2004; MacGillivray et al, 2006).
Clearly, quantitative tools for risk analysis are needed. There is now a growing interest in
quantitative methods for risk management that help identify, screen and prioritise effective
measures for managing vulnerabilities within water supply systems (Apostolakis and
Lemon, 2005; Michaud and Apostolakis, 2006; Lindhe et al, 2009).
The reduction of risk is an area of high priority for water system managers. This process
of risk assessment may be made easier by judging risk based upon past actual and planned
attacks on water systems. Through these observations it may be understood where water
sources are most vulnerable. It is then the job of system managers to plan strategies for the
prevention and control of hazards from a water source to its consumer. Understanding and
managing risks is a cyclical process, which involves constant re-evaluation and monitoring
of risk throughout time. This process may be quantitatively analysed in order to assess risk
to water systems.

Risk analysis models

There are several quantitative risk analysis methodologies adopted to assess the risk to
water systems that ensure the completion of comprehensive and comparable risk management
(Danneels, 2001). The purpose of risk analysis methodologies is to evaluate the probability
of future attacks on certain parts of the water systems and the consequences of that
potential attack on the system. Risk analysis is an important component in the compilation
of an information security policy for an organisation. It should address all aspects of information
security, and the step-by-step refinement of a policy to define a protection plan for
implementation. Addressing these risks requires limiting the vulnerability of water resources
and systems through selective and focused efforts of protection and detection (Grigg, 2003).
Risk analysis for human-caused threats follows the process used in natural hazards analysis,
with differences being in the nature of threats and protective systems. The systems used to
analyse the threat to infrastructure and plan and design appear to be more resilient and reliable
systems (Lindhe et al, 2009).
Most risk management methods, however, are in limited use by water utilities, as risk
in water infrastructure systems is more complex and far-reaching than current methods
can handle (Pollard et al, 2004). More comprehensive approaches are needed, as in a complex
and interconnected system; that is, protective strategies must anticipate ‘multiple
hazards’ and ‘multiple barriers’ (Grigg, 2003). Multiple hazards arise from the various
critical points within a system, and the multitude of weaponised agents that pose a risk to
water infrastructure and water quality; whereas multiple barriers suggest the complex
nature of water infrastructure systems in terms of ownership, and responsibility in private
organisations and local, state and national government. The deliverables of undertaking a
risk analysis are:

• the detection of vulnerabilities;
• the likelihood of threats; and
• the development of countermeasures and quantitative methods that allocate security
resources to water systems that maximise resilience to intentional attacks (Eloff et al,
1993; Qiao et al, 2005).

In the context of this article, risk analysis methodologies are used to identify the vulnerability
of the operational phase of a water supply system; for example, the risk of failure of a
process component, or the risk of exceeding a particular water quality standard (Pollard
et al, 2004). The effectiveness of preventive measures is highly dependent upon the design
and implementation of associated process control programs. To consistently achieve a high-quality
water supply it is essential to have effective control over the processes and activities
that govern drinking water quality (NHMRC and NRMMC, 2003). Implementing these
methodologies will identify vulnerabilities and a spectrum of short-term improvements that
can be implemented either to increase protection and system effectiveness, or to reduce
consequences, or potentially do both (Danneels, 2001).

A methodology for risk analysis has been developed by Sandia National Laboratories,
known as Risk Assessment Methodology for Water Utilities. This methodology allows
utilities to conduct a detailed assessment of their system vulnerabilities and to develop
measures to reduce the risks and mitigate the consequences of sabotage via the following
three steps:

1. determine how well the system detects a problem, which involves surveying all security
and monitoring features;
2. measure delay capabilities in order to determine how well a system can stop undesired
events; and
3. measure the capacity of private guard forces and local, state, and federal authorities to
respond to an event (MacGillivray et al, 2006).

The National Health and Medical Research Council incorporated several risk analysis
techniques within a single quality management system. It is the body responsible for
issuing drinking-water guidelines to Australian water utilities, and in its ‘Framework for
Management of Drinking Water Quality’ advocated the application of a hazard analysis
critical control points (HACCP) methodology; namely, the determination of critical control
points (CCP) where risks to water quality and the associated hazards are identified
and plotted on a simple risk matrix. Risks deemed significant are evaluated further for
their CCP. Here the managers can identify the critical limits, monitoring systems and
corrective actions for each CCP (NHMRC and NRMMC, 2003; Pollard et al, 2004;
MacGillivray et al, 2006). Both NHMRC and NRMMC (2003) mention that HACCP
was not designed to be a comprehensive management system but rather intended to be an
add-on to existing good management practices; thus, its scope and application are limited
in several important areas. Furthermore, while HACCP is aligned quite readily to
the treatment component of water supply systems, its application may not transfer as
easily to the important areas of catchment and distribution systems. There is now a shift
toward focusing more on hazard and uncertainty than on risk and probability. Hazard is
understood to be the potential effect of a situation, process or product, whereas risk
refers to the actual chance of something happening, taking account of real behaviour or
exposure (Durodie, 2005).
Scenario-based methodologies have been developed to manage the safety of complex
systems, and have also been used to identify research needs. One such methodology is known
as probabilistic risk assessment (PRA) or quantitative risk assessment (QRA). This has
traditionally been used in complex, well-defined technological systems. PRA/QRA’s primary
purpose is to screen and rank a wide range of potential attack scenarios leading to
selected undesired end states, using the frequencies of challenging events, and the probabilities
of failures of protective systems (Apostolakis and Lemon, 2005; Michaud and
Apostolakis, 2006). In such an approach, the overall risk is derived from the outcomes of
numerous individual scenarios, each weighted by the probability that that scenario will
occur (Latourrette and Willis, 2007). Considering the effect of the effort on the overall risk
of sabotage posed by ‘multiple hazards’ and ‘multiple barriers’ this type of analysis provides
a more comprehensive picture of the threat, and includes both more likely but lower
consequence attack scenarios as well as low probability, catastrophic attack scenarios
(Latourrette and Willis, 2007).
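A scenario-weighted risk calculation of the kind described above, as an added example that is not from the article or its cited sources: each scenario's frequency is the initiating-event frequency multiplied by the failure probabilities of its protective systems, and its risk follows equation (1). The scenario names, barrier names, countermeasure options and all numbers are constructed for illustration, and barrier failures are assumed independent.

```python
from dataclasses import dataclass
from math import prod


@dataclass
class Scenario:
    """One attack scenario leading to an undesired end state."""
    name: str
    initiating_freq: float   # challenging events per year
    barriers: dict           # protective system -> probability that it fails
    consequence: float       # consequence score if the end state is reached

    def __post_init__(self):
        if self.initiating_freq < 0 or self.consequence < 0:
            raise ValueError(f"{self.name}: negative frequency or consequence")
        for barrier, p in self.barriers.items():
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: P(fail) of {barrier!r} not in [0, 1]")

    def frequency(self, overrides=None):
        """End-state frequency: initiating frequency times the probability that
        every protective system fails (failures assumed independent)."""
        overrides = overrides or {}
        return self.initiating_freq * prod(
            overrides.get(barrier, p) for barrier, p in self.barriers.items())

    def risk(self, overrides=None):
        """Equation (1), R = p x c, with p taken as the annual frequency."""
        return self.frequency(overrides) * self.consequence


# Constructed scenarios: every number is illustrative, not measured data.
SCENARIOS = [
    Scenario("hoax call", 2.0, {"public communication": 0.25}, 200),
    Scenario("hydrant contamination", 0.2,
             {"access control": 0.5, "chlorine residual": 0.5,
              "early warning system": 0.5}, 8_000),
    Scenario("SCADA intrusion via corporate network", 0.5,
             {"network segregation": 0.5, "operator detection": 0.5}, 4_000),
    Scenario("reservoir contamination", 0.01,
             {"access control": 0.5, "early warning system": 0.5}, 100_000),
]

# Constructed countermeasures: the barrier failure probability each would achieve.
OPTIONS = {
    "early warning system upgrade": {"early warning system": 0.1},
    "SCADA network segregation": {"network segregation": 0.1},
}


def rank(scenarios, overrides=None):
    """Scenarios ordered from highest to lowest risk contribution."""
    return sorted(((s.name, s.risk(overrides)) for s in scenarios),
                  key=lambda item: item[1], reverse=True)


def total_risk(scenarios, overrides=None):
    """Overall risk: the sum of every scenario's probability-weighted outcome."""
    return sum(s.risk(overrides) for s in scenarios)


def compare_countermeasures(scenarios, options):
    """Order countermeasures by how much overall risk each one removes."""
    baseline = total_risk(scenarios)
    gains = {label: baseline - total_risk(scenarios, overrides)
             for label, overrides in options.items()}
    return sorted(gains.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, value in rank(SCENARIOS):
        print(f"{value:10.1f}  {name}")
    print(f"{total_risk(SCENARIOS):10.1f}  overall risk")
    for label, gain in compare_countermeasures(SCENARIOS, OPTIONS):
        print(f"{gain:10.1f}  risk removed by {label}")
```

The frequent, low-consequence hoax and the rare, high-consequence reservoir scenario both contribute to the total, and a countermeasure that strengthens a barrier shared by several scenarios is credited in each of them.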

In the case of a system comprising a large number of components, failure may occur
because of various failure combinations involving one or more components. This relationship
between component and system failure can be represented in a fault tree. Fault tree
analysis (FTA) is a risk estimation tool with the ability to model interactions between events.
An FTA is a logical and structured process that identifies potential causes of systems failure
and estimates the mean failure rate and downtime. A fault tree illustrates the interactions
between different events using logic gates, and shows how the events may lead to system
failure. The conventional FTA based on a probabilistic approach has been used extensively in
the past. The method considers the entire supply system, from source to tap taking water
quantity and quality aspects into consideration (Suresh et al, 1995; Lindhe et al, 2009).
However, it is often difficult to accurately estimate failure rates or probabilities of individual
components or failure events (Lindhe et al, 2009).
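A small fault tree evaluated in code, as an added example that is not from the article or from Lindhe et al: AND/OR gates combine basic events into a top event, the minimal cut sets show which component combinations fail the system, and interval inputs show how uncertain component probabilities carry through to the result. The tree, event names and probabilities are constructed, basic events are assumed independent, and only the top-event probability is computed (not failure rate or downtime).

```python
from itertools import combinations, product

# Constructed tree: a node is a basic-event name or (gate, child, child, ...).
TREE = ("OR",
        ("AND", "pump A fails", "pump B fails"),          # redundant pumps
        "trunk main break",                               # no redundancy
        ("AND", "contaminant introduced",
                ("OR", "EWS misses event", "SCADA data corrupted"),
                "chlorine residual ineffective"))

# Constructed annual probabilities for the basic events.
PROBS = {
    "pump A fails": 0.1, "pump B fails": 0.1, "trunk main break": 0.01,
    "contaminant introduced": 0.05, "EWS misses event": 0.2,
    "SCADA data corrupted": 0.1, "chlorine residual ineffective": 0.5,
}


def basic_events(node):
    """All basic-event names below a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1:]))


def occurs(node, failed):
    """Structure function: does the node's event occur given the failed set?"""
    if isinstance(node, str):
        return node in failed
    gate, *children = node
    results = (occurs(child, failed) for child in children)
    if gate == "AND":
        return all(results)
    if gate == "OR":
        return any(results)
    raise ValueError(f"unknown gate {gate!r}")


def top_probability(tree, probs):
    """Exact top-event probability by enumerating every combination of basic
    event states. Correct even when an event appears in several branches, but
    exponential in the number of events, so only for small trees."""
    events = sorted(basic_events(tree))
    missing = [e for e in events if e not in probs]
    if missing:
        raise KeyError(f"no probability given for {missing}")
    total = 0.0
    for states in product((True, False), repeat=len(events)):
        failed = {e for e, state in zip(events, states) if state}
        if occurs(tree, failed):
            weight = 1.0
            for e, state in zip(events, states):
                weight *= probs[e] if state else 1.0 - probs[e]
            total += weight
    return total


def minimal_cut_sets(tree):
    """Smallest sets of basic events whose joint failure causes the top event.
    Sets of size one are single points of failure."""
    events = sorted(basic_events(tree))
    found = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in found):
                continue                      # superset of a smaller cut set
            if occurs(tree, candidate):
                found.append(candidate)
    return found


def probability_bounds(tree, intervals):
    """Bounds on the top event when each basic event is only known to lie in
    (low, high). Valid because a tree of AND/OR gates is monotone."""
    low = top_probability(tree, {e: lo for e, (lo, hi) in intervals.items()})
    high = top_probability(tree, {e: hi for e, (lo, hi) in intervals.items()})
    return low, high


if __name__ == "__main__":
    print(f"P(top event) = {top_probability(TREE, PROBS):.7f}")
    for cut in minimal_cut_sets(TREE):
        print("cut set:", sorted(cut))
    wide = {e: (p / 2, min(1.0, 2 * p)) for e, p in PROBS.items()}
    print("bounds with each input known within a factor of 2:",
          probability_bounds(TREE, wide))
```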
Risk analysis models are used to evaluate the probability of future attacks on components
of water systems and the consequences of these attacks. A comprehensive risk analysis
should quantitatively understand the risk factors, their intermediate/final impacts on cost
and the actions to mitigate their impact (Rogers and Louis, 2007). However, the incorporation
of such models into risk analysis has been limited in its abilities, because of the complex
nature of risks. The HACCP methodologies of analysis offer methods to determine
CCP, though fall short in terms of depth of application when applied to complex water systems.
Alternative approaches involve the evaluation of the probability of effects of multiple
hazards and multiple barriers through PRAs and Grey Relational Analysis. These take into
account the varying points of vulnerability of water infrastructure, as well as the different
jurisdictions under which a water system may fall. This form of modelling allows risk
to be evaluated through a ranking of vulnerabilities, though it may also fall short when it comes to
evaluation of the capacity for interaction between complex water system components. To
further model interaction effects in terms of system failure and component interaction, the
FTA may be used. These models and methodologies contribute, to varying degrees, to evaluating
risk. Risk analysis is but one part of the overall solution to managing risk. Other
countermeasures are available to managers and operators that are valuable in countering the
threat of water-related sabotage (Gleick, 2006).

Countermeasures

There are several countermeasures water utilities can take to reduce the vulnerability of the
system against deliberate sabotage. The physical countermeasures include:

• employing security technologies such as installing real-time monitoring equipment;
• improving redundancy so that in the event of partial destruction the system would still be operational
at some minimal level;
• enhancing SCADA security; and
• limiting public access (Clark and Deininger, 2000).

Federal, state and local governments can protect water resources in situ through more
intensive and focused monitoring efforts, in conjunction with increased environmental data
gathering, a sort of ‘early-warning’ system to identify future risks (Chalecki, 2002).

Perhaps the most fundamental action that can be taken to protect water systems is to limit
or deny physical access to vulnerable points. Sometimes this may be as easy as locking
gates or buildings, or reducing public access to sensitive locations (Gleick, 2006). The
points of vulnerability in distribution systems should be identified and steps taken to reduce
the vulnerability at these points. Steps may be as simple as securing hydrants or other entry
points to the distribution system, or installing improved security around treatment and storage
facilities (Foran and Brosnan, 2000).
Awareness training can also improve water security by educating water utility owners
and operators on the importance of protecting the water infrastructure and to initiate steps to
implement and accomplish this protection (Danneels, 2001). Overall, a balanced approach
is necessary to ensure that the security of the entire system is enhanced so that weak links
are not exploited (Danneels, 2001). These and many other simple steps may significantly
reduce system vulnerability. Indeed, as Early Warning Systems (EWS) are developed and
as their costs decrease, they will be available to all communities, regardless of size and
resources (Foran and Brosnan, 2000).
Chemical countermeasures may act as a second line of defence, such as maintaining
chlorine residuals in the distribution system (Clark and Deininger, 2000). EWS can help to
identify contamination events early enough to permit an effective response. Continuous
monitoring reduces the likelihood that contamination events will be missed. The development
of standard monitoring systems would reduce cost, permit sharing among users and
facilitate repair and replacement (Gleick, 2006). The goal of an EWS is to reliably identify
contamination events in distribution systems in time to allow an effective local response to
prevent exposure. Moreover, an EWS must detect a contamination event in a time frame
that allows the implementation of an effective response thus reducing or avoiding entirely
adverse impacts from an event (Foran and Brosnan, 2000).
A key component to the success of any response will be the advance preparation of a
process or plan that provides guidelines for all appropriate stakeholders, such as water users,
emergency responders and law enforcement agencies, water utility staff and community
leaders as well as the local media. Such a plan should be considered a part of comprehensive
emergency planning for a variety of threats to public health, both waterborne and non-waterborne
(Gleick, 2006). This type of proactive planning for water security will ensure
the safety of most water supply systems, and most importantly, make the water infrastructure
an unattractive target for saboteurs (Clark and Deininger, 2000; Danneels, 2001).

Conclusion

As water resources around the world grow scarce from environmental degradation, climate
change and population growth, water supply systems are becoming increasingly valuable to
communities. Humans’ reliance on water and the disparity and conflict arising from inequitable
resource distribution and access make water supply systems prime targets for deliberate
threats of vandalism and sabotage. This article sought to address the vulnerabilities
and critical points inherent in a water supply system.
The analysis shows that there are a number of critical points, particularly within the distribution
network of a water supply system that are vulnerable to biological/chemical and
physical sabotage. The myriad of exposed distribution pipelines, pumps, hydrants and water
towers that are often passively defended offer easily accessible critical points to potential
saboteurs. It would seem a well-organised attack or sabotage on the distribution network
could well impair critical water and related infrastructure, and expose potentially thousands
of people to illness or even death.
It is clear that water utility managers and operators have to consider risk, or the probability
of unusual events and their consequences when planning for safe and reliable water supplies.
However, to defend all water infrastructure and supply systems against deliberate
threats and sabotage is simply not possible owing to their complex, interconnected and geographically
sparse nature. It seems that traditional security measures can help, but these
measures constitute neither a complete nor a cost-effective solution. New tools to manage
the performance of these systems and plan for secure and reliable systems in the face of
deliberate threats are essential. The most effective means of assuring water security is
through adoption of a preventive risk management approach that encompasses all steps in
water production from catchment to consumer.
Most risk management methods, however, are in limited use by water utilities, as risk in
water infrastructure systems is more complex and far-reaching than current methods can
handle. These management systems do not always provide a good fit to the specific requirements
of water supply system management. More comprehensive approaches are needed to
anticipate ‘multiple hazards’ and ‘multiple barriers’.
Clearly, the best defence against sabotage is pre-emptive planning for security of water
infrastructure and distribution networks to establish public confidence in water management
systems, rapid and effective water quality monitoring, and strong and effective information
dissemination (Gleick, 2006). A holistic approach is needed where the public is also involved
in water management systems security, as the water infrastructure is a part of the community.
Public reliance, rapid and effective water quality monitoring, and strong and effective
information dissemination are critical to the success of water security. Apart from risk management
methodologies, there are a number of countermeasures available to the managers
and operators in countering the threat of water-related vandalism and sabotage.

References

Apostolakis, G.E. and Lemon, D.M. (2005) A screening methodology for the identification and ranking of infrastructure
vulnerabilities due to terrorism. Risk Analysis 25(2): 361–376.
Australian Broadcasting Commission. (2003) Sabotage deprives 300 000 Iraqis of water: ICRC (online) ABC News.
17 August, http://www.abc.net.au/news/stories/2003/08/17/926250.htm, accessed 12 December 2009.
Beaglehole, R., Irwin, A. and Prentice, T. (2004) The World Health Report 2004: Changing History. Geneva:
World Health Organization.
Berger, B. and Stevenson, A. (1955) Feasibility of biological warfare against public water supplies. Journal of
American Water Works Association (JAWWA) 47(2): 101–110.
Chalecki, E.L. (2002) A new vigilance: Identifying and reducing the risks of environmental terrorism. Global
Environmental Politics 2(1): 46–64.
Clark, R.M. and Deininger, R.A. (2000) Protecting the nation’s critical infrastructure: The vulnerability of US
water supply systems. Journal of Contingencies and Crisis Management 8(2): 73–80.
Copeland, C. and Cody, B. (2009) Terrorism and security issues facing the water infrastructure sector.
Washington, DC: Congressional Research Service. 25 April 2005, http://www.fas.org/sgp/crs/terror/RL32189.pdf,
accessed 10 December 2009.
CSIRO. (2009a) Urban water: Infrastructure technologies. 3 April, http://www.csiro.au/science/Infrastructure-Technologies.html,
accessed 8 December 2009.
CSIRO. (2009b) Urban water: Addressing Australia’s urban water challenges. 10 February, http://www.csiro.au/science/Urban-Water.html,
accessed 8 December 2009.
Danneels, J.J. (2001) Protecting Water Supply Systems from Terrorists. Committee Holding Hearing: House
Science Committees. Livermore, CA: N. Laboratories, Sandia Corporation.
Durodie, B. (2005) The Concept of Risk. Nuffield Trust Global Programme on Health, Foreign Policy and
Security. Swindon, UK: Risk Case Studies.
Eloff, J.H.P., Labuschagne, L. and Badenhorst, K.P. (1993) A comparative framework for risk analysis methods.
Computers & Security 12(6): 597–603.
Foran, J.A. and Brosnan, T.M. (2000) Early warning systems for hazardous biological agents in potable water.
Environmental Health Perspectives 108(10): 993–996.
Fox, K.R. and Lytle, D.A. (1996) Milwaukee’s crypto outbreak: Investigation and recommendations. Journal of
American Water Works Association (JAWWA) 88(9): 87–94.
Franz, D.R. and Zajtchuk, R. (2002) Biological terrorism: Understanding the threat, preparation, and medical
response. Disease-a-Month 48(8): 489–564.
Gilbert, P.H. et al (2003) Infrastructure issues for cities – Countering terrorist threat. Journal of Infrastructure
Systems 9(1): 44–54.
Gleick, P.H. (2006) Water and terrorism. Water Policy 8: 481–503.
Gleick, P.H. (2008) Water: Threats and opportunities, recommendations for the next president, background
material. 9 October, http://www.pacinst.org/publications/essays_and_opinion/presidential_recommendations/background.pdf,
accessed 2 November 2009.
Grigg, N.S. (2003) Water utility security: Multiple hazards and multiple barriers. Journal of Infrastructure Systems
9(2): 81–88.
Haimes, Y.Y., Matalas, N.C., Lambert, J.H., Jackson, B.A. and Fellows, J.F.R. (1998) Reducing vulnerability of
water supply systems to attack. Journal of Infrastructure Systems 4(4): 164–177.
Hickman, D.C. (1999) A Chemical and Biological Warfare Threat: USAF Water Systems at Risk. Alabama:
US Air Force Counterproliferation Center, Air War College, Air University, Maxwell Air Force Base. Future
Warfare Series No. 3; September.
Khan, A.S., Swerdlow, D.L. and Juranek, D.D. (2001) Precautions against biological and chemical terrorism
directed at food and water supplies. Public Health Reports 116(1): 3–14.
Khan, S., Pirzada, A.A. and Portmann, M. (2007) Robust communications using wireless mesh networks for
safeguarding water infrastructures. Recent advances in security technology. Proceedings of the 2007 RNSA
Security Technology Conference. Melbourne: Australian Homeland Security Research Centre.
Kornfeld, I.E. (2002) Terror in the water: Threats to drinking water and infrastructure. Widener Law Symposium
Journal 9: 439–484.
Lancaster-Brooks, R. (2002) Water terrorism: An overview of water & wastewater security problems and solutions.
February, http://www.homelandsecurity.org/newjournal/articles/lancaster-brooks.htm, accessed 25 November
2009.
Latourrette, T. and Willis, H.H. (2007) Using Probabilistic Terrorism Risk Modelling for Regulatory
Benefit-Cost Analysis: Application to the Western Hemisphere Travel Initiative Implemented in the Land
Environment. Santa Monica, CA: Centre for Risk Management and Policy, Rand Corporation. Rand Working Paper
WR-487-IEC.
Leder, K., Sinclair, M.I. and McNeil, J.J. (2002) Water and the environment: A natural resource or a limited
luxury? The Medical Journal of Australia 177(11/12): 609–613.
Lindhe, A., Rosen, L., Norberg, T., Pettersson, T.J.R., Ström, J. and Bondelind, M. (2009) Fault tree
analysis for integrated and probabilistic risk analysis of drinking water systems. Water Research 43(6):
1641–1653.
MacGillivray, B.H., Hamilton, P.D., Strutt, J.E. and Pollard, S.J.T. (2006) Risk analysis strategies in the water
utility sector: An inventory of applications for better and more credible decision making. Critical Reviews in
Environmental Science and Technology 36(2): 85–139.
Meinhardt, P.L. (2005) Water and bioterrorism: Preparing for the potential threat to US water supplies and public
health. Annual Review of Public Health 26: 213–237.
Meinhardt, P.L. (2009) Physician preparedness for acts of water terrorism. 29 June,
http://www.waterhealthconnection.org/bt/index.asp, accessed 5 December 2009.
Michaud, D. and Apostolakis, G.E. (2006) Methodology for ranking the elements of water-supply networks.
Journal of Infrastructure Systems 12(4): 230–242.


National Health and Medical Research Council (NHMRC) and the Natural Resource Management Ministerial
Council (NRMMC). (2003) National water quality management strategy: Australian drinking water guidelines
6, 2004. 10–11 April, http://www.nhmrc.gov.au/_files_nhmrc/file/publications/synopses/adwg_11_06.pdf, accessed
3 December 2009.
National Water Commission. (2009) Supply risks. 26 July, http://www.nwc.gov.au/www/html/239-supply-risks.asp,
accessed 17 December 2009.
Noah, D.L., Huebner, K.D., Darling, R.G. and Waeckerle, J.F. (2002) The history and threat of biological warfare
and terrorism. Emergency Medicine Clinics of North America 20(2): 255–271.
Pollard, S.J.T., Strutt, J.E., Macgillivray, B.H., Hamilton, P.D. and Hrudey, S.E. (2004) Risk analysis and
management in the water utility sector, a review of drivers, tools and techniques. Process Safety and Environmental
Protection 82(B6): 1–10.
Qiao, J., Jeong, D., Lawley, M., Richard, J.P., Abraham, D.M. and Yih, Y. (2005) Allocating security resources to
a water supply network. IIE Transactions 39(1): 95–109.
Rogers, J.W. and Louis, G.E. (2007) Risk and opportunity in upgrading the US drinking water infrastructure
system. Journal of Environmental Management 87: 26–36.
Suresh, P.V., Babar, A.K. and Venkat, R. (1995) Uncertainty in fault tree analysis: A fuzzy approach. Fuzzy Sets
and Systems 83(2): 135–141.
Wang, J. and Yu, X. (2007) Security strategies for SCADA systems. Recent advances in security technology.
Proceedings of the 2007 RNSA Security Technology Conference. Melbourne: Australian Homeland Security
Research Centre.

© 2011 Macmillan Publishers Ltd. 0955–1662 Security Journal Vol. 24, 4, 283–301 301
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
