Securing wastewater facilities from accidental and intentional harm: A cost-benefit analysis

It has been widely reported that industrial control systems underpinning critical infrastructures ranging from power plants to oil refineries are vulnerable to cyber attacks. A slew of countermeasures have been proposed to secure these systems, but their adoption has been disappointingly slow according to many experts. Operators have been reluctant to spend large sums of money to protect against threats that have only rarely materialized as attacks. But many security countermeasures are dual-use, in that they help protect against service failures caused by hackers and by accidents. In many critical infrastructure sectors, accidents caused by equipment failures and nature occur regularly, and investments for detecting and possibly preventing accidents and attacks could be more easily justified than investments for detecting and preventing attacks alone. This paper presents a cost-benefit analysis for adopting security countermeasures that reduce the incidence of sewer overflows in wastewater facilities. The paper estimates the expected annual losses at wastewater facilities due to large overflows exceeding 10,000 gallons using publicly-available data on overflows, cleanup costs, property damage and regulatory fines. Also, it estimates the costs of adopting security countermeasures in wastewater facilities in eight large U.S. cities. The results of the analysis indicate that, in many cases, even a modest 20% reduction in large overflows can render the adoption of countermeasures cost-effective.