Could spies and terrorists be casing the gates and lurking inside the electronic bowels of San Diego's South Bay International Wastewater Treatment Plant, preparing to strike at the drop of a keystroke?
That's at least a possibility, based on findings contained in a heavily redacted audit of the facility's physical and electronic security by the U.S. State Department's Office of Inspector General, dated this September but only recently made public.
The document reviews a litany of what auditors said are long running security shortcomings at the plant, operated by the United States section of the International Boundary and Water Commission, a joint agency of the U.S. and Mexico.
In addition to the San Diego facility, the U.S. government administers the Nogales International Wastewater Treatment Plant on the Arizona-Mexico border on behalf of the commission.
The government’s prime contractor in San Diego is French water giant Veolia, and its subsidiary, Veolia Water North American Operating Services, Inc., which has been a contributor to San Diego’s GOP Lincoln Club. Over the years, operator errors have been responsible for sewage spills at the facility. The company’s five-year contract expires in 2015.
Previous government auditing had discovered gaps of security at the South Bay plant, according to the State Department report, some of which have since been patched.
According to the audit — originally marked "Sensitive but Unclassified" — the inspector general found that operators had made "physical protection improvements" to the facility's data processing rooms "by installing new locks...to prevent unauthorized access," but that "other security deficiencies" remained.
Without physical and environmental protection controls...assets are not receiving the organized attention required to prevent unauthorized access or destruction, which could affect...operations and result in an environmental incident.
Perimeter protection also appears to have been problematic.
According to the report, the San Diego plant "had five gates: Gates 1, 2, and 5 provided access to the facility, and Gates 3 and 4 provided access between the United States and Mexico." The rest of the audit's approximately page-long discussion of apparent vulnerabilities and how they had been handled was redacted by the government prior to public release.
In addition, the audit found, "access cards and remote controls lacked chain of custody and could not provide accountability for personnel who accessed the facility."
The inspector general's office said it had "requested documentation demonstrating chain of custody for access cards and remote controls, but no documentation was provided."
A subsequent passage regarding the situation was redacted. Plant management said it had corrected the problem subject to Inspector General office review, according to the document.
Another issue involved lack of security checks of plant workers. Management, the report said, "had not properly performed background screening for employees and contractors prior to granting them access to information systems and physical assets.”
Auditors "identified 13 of 14 Area Operation Managers or Assistant Area Operation Managers that did not have a Background Investigation performed." That issue was also subsequently resolved, subject to final review, according to the audit.
Despite the reported progress, the audit signed by acting Inspector General Harold W. Geisel called out “remaining areas in which improvements could be made, including the system inventory, risk management program, configuration management, security awareness and role-based training, plans of actions and milestones, remote access, continuous monitoring, contingency planning, oversight of contractor systems, personnel security, and physical and environmental protection.”