Water distribution systems security enhancements through modeling: review and challenges

13th Computing and Control for the Water Industry Conference De Montfort University, Leicester, UK 2nd – 4th September 2015 Water distribution systems security enhancements through modeling: review and challenges Avi Ostfeld Faculty of Civil and Environmental Engineering, Technion – Israel Institute of Technology

Outline • Introduction • Review ofdrinking water distribution systems security modeling • Challenges fordrinking water distribution systems security modeling • Conclusions

Introduction • The events of 9/11 2001 in the US have brought to the foremost the world public awareness to possible terrorist attacks on water distribution systems causing the security of drinking water distribution systems to become a major concern around the globe • A drinking water distribution system is typically comprised of tanks, pipes, and pumps delivering treated water from treatment plants to consumers. Even a moderate system may contain hundreds of kilometers of pipes and numerous delivery points, making such a system inherently vulnerable

Water distribution systems problem classification Leakage Maintenance Aggregation Unsteady • Layout - connectivity • Design - sizing • Operation Reliability Deterministic/ stochastic Security Flow - Head # of Loadings System type Flow - Head - Quality Branched/looped, gravitational/pumping/storage

Introduction The threats on a water distribution system can be partitioned into three major groups according to the resulted means of their enhanced security: 1.A direct attack on main infrastructure (vertical assets): dams, treatment plants, storage reservoirs, pipelines, etc. Addressed through: improving the system's physical security (i.e., additional alarms, locks, fencing, surveillance cameras, guarding, etc.)

Introduction 2. A cyber attack disabling the functionality of the water utility SCADA (Supervisory Control and Data Acquisition) system, taking over control of key system components Addressed through:Software engineering - isolators between communication networks; Routers to restrict data transfer; Firewalls; anti-virus software, etc. BOTH THE PHYSICAL AND THE CYBER ATTACK THREATS HAVE NO DIRECT CONNECTION TO WATER SYSTEMS (e.g. an electrical system should be defended similarly)

Introduction 3. A deliberate chemical or biological contaminant injection at one of the system nodes • This is the most difficult threat to address, both because of the uncertainty of the type of the injected contaminant and its consequences, and as of the uncertainty of the location and injection time • In principle, a pollutant can be injected at any water distribution system connection (node) using a pump or a mobile pressurized tank. Although backflow preventers provide an obstacle to such actions, they do not exist at all connections, and at some might not be functional An online contaminant monitoring system (OCMS) should be considered (ASCE, 2004) as the major tool to reduce the likelihood of a deliberate contaminant intrusion ASCE (2004). "Guidelines for designing an online contaminant monitoring system.“ http://www.asce.org/static/1/wise.cfm#MonitoringSystem An OCMS should be designed to detect random contamination events and to provide information on the location of the contaminants within the system

Introduction An online contaminant monitoring/sensors system should act as the guard or “multiple eye” setting for defending the distribution system (horizontal asset) MOST IF NOT ALL MODELLING EFFORTS FOR ENHANCING THE SECURITY OF WATER DISTRIBUTION SYSTEMS THROUGH MODELLING ARE ASSOCIATED WITH SENSORS MANAGEMENT

Water distribution systems security – modeling map Online/real time decisions Offline/design decisions • Sensor placement • ------------- • Contaminant source identification • Event detection • Response • Response • Recovery • -------------

Sensor placement Problem definition: sensor locations for minimizing impacts Lee and Deininger (1992) were the first to address the problem of sensor placement by maximizing the coverage of the demands using an integer programming model Kessler et al. (1998) suggested the pollution matrix concept and a set covering graph algorithm for sensor's layout for one representative loading condition Ostfeld and Salomons (2004) extended Kessler et al. (1998) to multiple loadings and extended period simulations (EPS) using the pollution matrix concept tied into a genetic algorithm framework

Water Quality Modeling • Spurred by EPA research in 1980s • 1985-6: Six independent papers on steady-state water quality modeling • 1986: Three independent papers on dynamic water quality modeling Grayman, KEYNOTE, EWRI (2011)

1991 EPA-AwwaRF Workshop • 43 participants • Review state-of-art • Define research agenda • Applications of Water Quality Models • Theoretical Aspects and Numerical Analysis • Calibration of Water Quality Models • Water Utility Perspective • Chemical/Physical/Biological Aspects • Implications of Water Quality Modeling Grayman, KEYNOTE, EWRI (2011)

ROSSMAN HART UBER SHAMIR CLARK HOWARD WOOD GRAYMAN KROON SARIKELLE ORMSBEE WALSKI OSTFELD FOWLER DEININGER MALES CHUN CESARIO Grayman, KEYNOTE, EWRI (2011)

van Bloemen Waanders et al, 2005 Mixing at Nodes Fowler and Jones, 1991 Grayman, KEYNOTE, EWRI (2011)

Locating Monitoring Stations in Distribution Systems Deininger (1991) Grayman, KEYNOTE, EWRI (2011)

Sensor placement Problem definition: sensor locations for minimizing impacts Lee and Deininger (1992) were the first to address the problem of sensor placement by maximizing the coverage of the demands using an integer programming model Kessler et al. (1998) suggested the pollution matrix concept and a set covering graph algorithm for sensor's layout for one representative loading condition Ostfeld and Salomons (2004) extended Kessler et al. (1998) to multiple loadings and extended period simulations (EPS) using the pollution matrix concept tied into a genetic algorithm framework

Sensor placement Woo et al. (2001) developed a sensor location design model by linking EPANET (USEPA, 2002) with an integer programming scheme Berry et al. (2006) presented a mixed-integer linear programming (MILP) formulation for sensor placement showing that the MILP formulation is mathematically equivalent to the p-median facility location problem Propato (2006) introduced a MILP model to identify sensor location with the ability to incorporate different design objectives

Sensor placement Watson et al. (2004) were the first to introduce a multiobjective formulation to sensor placement by employing a MILP formulation over a range of design objectives The multiobjective nature of the sensor placement problem became evident and extended at the Battle of the Water Sensor Networks (BWSN)2006 at the 8th Water Distribution Systems Analysis (WDSA) symposium in Cincinnati, Ohio

Sensor placement BWSN 2006 8th WDSA, Cincinnati (Ostfeld et al., 2008): The sensor placement problem is inherently a multiobjective problem as the impacts compete against the detection likelihood The impact was measured through: the expected time of detection (Z1), the expected population affected prior to detection (Z2), the expected contaminated water demand prior to detection (Z3), and the detection likelihood (Z4)

Network 1 Network 2 Ostfeld et al. (2008) Sensor placement

Sensor placement Example: Network 1, five sensors Sensors Z1 Z2 Z3 Z4 14 Teams

Sensor placement Example: Network 1, five sensors Map of the different team solutions

Sensor placement The U. S. Environmental Protection Agency (EPA), Sandia National Laboratories (SNL), Argonne National Laboratory (ANL), and the University of Cincinnati developed the Threat Ensemble Vulnerability Assessment and Sensor Placement Optimization Tool (TEVA-SPOT) (USEPA, 2008a and 2008b) TEVA-SPOT utilizes MILP, the p-median methodology (Mirchandani and Francis, 1990) and heuristics for sensor placement The modeling process in TEVA-SPOT includes (1) sensor characteristic definitions, (2) definition of the design basis threat, (3) selection of impact measures for design, (4) planning utility response to sensor detection, and (5) identification of feasible sensor locations TEVA-SPOT can be freely downloaded and is probably the most advanced available toolkit for sensors placement

Sensor placement

Contaminant source identification Problem definition: given a contaminant detection at one or more sensor stations – identify the injection characteristics: (1) location, (2) starting time, (3) intensity (mass/time), and (4) duration Islam at al. (1997), Shang et al. (2002), Laird at al. (2005), Sanctis et al. (2010) used backtracking algorithms for solving the inverse problem of contamination source identification Preis and Ostfeld (2006), Liu et al. (2008), Zechman and Ranjithan (2009) employed genetic algorithm frameworks for contaminant source identification Preis and Ostfeld (2006) used a MT-GA approach, logistic regression and local search (Liu et al., 2008), cluster analysis and Bayesian networks (Perelman and Ostfeld, 2010)

Response Problem definition:Once a contamination warning system has detected the presence of a contaminant in a water distribution system, a variety of response actions must be examined for implementing the most effective consequence management strategy, including public notifications and operational changes (e.g., valve closures and flushing) Potential utility response actions to help mitigate the economic and public health impacts of a contamination release are required Preis and Ostfeld (2008) and Baranowski and LeBoeuf (2008) suggested a genetic algorithm framework for consequence management response, Poulin et al. (2008) developed a heuristic methodology for contaminant containment, Haxton and Walski (2009) compared two hydrant flushing responses as a hydraulic response

Recovery Problem definition: recovery addresses long term strategies for returning the system to normal operation post a microbial or a chemical contamination event Very few studies addressed this problem (Ostfeld and Salomons, 2014; Salomons and Ostfeld, 2015) Ostfeld A. and Salomons E. (2014). "Optimal disinfection of water distribution networks following a contamination event." 16th Water Distribution Systems Analysis Conference, 14-17 July 2014, Bari, Italy, Procedia Engineering, Vol. 89, 2014, pp. 168-172, http://dx.doi.org/10.1016/j.proeng.2014.11.173 Salomons E. and Ostfeld A. (2015). "A multi-objective approach for minimizing water network disinfection time and disinfectant quantity." 13th international CCWI conference (CCWI2015), 2-4 September 2015, Leicester, UK, in Procedia Engineering, Vol. 119, 2015, pp. 347-351, http://dx.doi.org/10.1016/j.proeng.2015.08.894

Number of offline decision modeling publications

Event detection Event detection systems (started 2006) build on available water quality sensors which measure common/ordinary water quality parameters such as, free chlorine, total organic carbon, electrical conductivity, oxidation-reduction potential, and pH These parameters are known to vary considerably over time in water distribution systems due to different circumstances such as changes in the operations of tanks, pumps, and valves, and daily and seasonal changes in the source and finished water quality, as well as fluctuations in demands The assumption is that a contaminant present in the system will cause detectable changes in these water quality parameters (i.e., at one or multiple sensors, simple or complex) Event detection methodologies try to capture those changes and distinguish between normal variations in water quality and changes in water quality triggered by the presence of contaminants Change of concept from Early Warning Systems (EWS) [2001-2005] to Contamination Warning Systems (CWS) [2006 and later]

Event detection The most known event detection system is CANARY which is part of the TEVA project of US EPA and Sandia National Laboratories which can be freely downloaded There are in addition a few commercial systems, such as GUARDIAN BLUE (HACH), TOXControl (microLAN), and more

Response Same problem as for the offline/design decisions for possible scenarios Response in real time needs an adaptive mechanism to accommodate for real time operation modifications as of consumers response Limited modeling studiesare available for this purpose

Challenges LOCAL GLOBAL

Sensor placement Almost all sensors placement models assume a well calibrated hydraulic and water quality model availability YET IN REALITY, AT MOST INSTANCES, THIS IS NOT THE CASE

II One demand loading directed connectivity Sensor placement In reality I Undirected connectivity Current models: Full hydraulic model assumption THE PROBLEM, HOWEVER, REMINS THE SAME: WHERE TO PLACE SENSORS TO MINIMIZE IMPACTS

Recovery Recovery, post a contamination event is an unsolved open systems modelling problem Guidelines are vague and are associated with a single pipeline Depending on the nature of the contamination, the recovery process may include flushing, absorption by surfactants, oxidation and/or disinfection

Kiryat Motzkin, Israel, 2011 • E. Coli detected in water samples • Effected 47,000 residents • 8 days without potable water • Treatment: flushing WDSA 2014, Bary, Italy, 14-17 July

Elk River, US-WV, 2014 • Chemical spill (4-Methylcyclohexanemethanol) • Effected >300,000 residents • 6 days without potable water • Tens hospitalized • Treatment: flushing and Carbon WDSA 2014, Bary, Italy, 14-17 July

Alert Event Detection model ? Normal operation Event detection Multiple sensors for spatial event detection Node 119 Node 207 Main objective: reduce false positives

Challenges LOCAL GLOBAL

Water distribution systems security enhancements through modeling: review and challenges