Sean McKenna, seated right, works with Kate Klise, standing, and Dave Hart, left, on the CANARY Event Detection Software, which is open source software developed by Sandia in partnership with the Environmental Protection Agency to enhance the detection of terrorist attacks or natural contaminants to public drinking water systems. The projected image shows what a utility operator might see, including a map locating a sensor that has detected contamination, a graph (top) that shows a measurement of water quality at the sensor and another graph showing the operator the probability that the water has been contaminated. Photo: Randy Montoya
are used to drinking from the kitchen tap without fear of harm, even
though water utilities might be vulnerable to terrorist attacks or
thanks to CANARY Event Detection Software—an open-source software
developed by Sandia National Laboratories in partnership with the
Environmental Protection Agency (EPA)—public water systems can be
protected through enhanced detection of such threats.
are excited about it because it’s free and because we’ve shown that it
works really well. We would love to have more utilities using it,” says
Regan Murray, acting associate division director of the EPA’s Water
Infrastructure Protection Division at the National Homeland Security
software tells utility operators within minutes whether something is
wrong with their water, giving them time to warn and protect the public.
And it’s improving water quality by giving utility managers more
comprehensive real-time data about changes in their water.
is being used in Cincinnati and Singapore, and Philadelphia is testing
the software system. A number of other U.S. utilities also are
evaluating CANARY for future use.
McKenna, the Sandia researcher who led the team that developed CANARY,
says people began to pay attention to the security of the nation’s water
systems after 9/11.
and Murray say CANARY could have lessened the impact of the nation’s
largest public water contamination. In 1993, a cryptosporidiosis
outbreak in Milwaukee hastened the deaths of dozens of citizens, made
more than 400,000 residents ill and cost more than $96 million in
medical expenses and lost productivity, according to reports about the
“If you don’t have a detection system, the way you find out about these things is when people get sick,” Murray says.
a national security laboratory, had worked on water security before the
9/11 attacks. So when the EPA was looking for help early in the last
decade to better monitor water utilities, they contacted Sandia.
Sandia-developed, risk-assessment methodology for water focused on
physical security of the utility infrastructure, but did not address
detection and assessment of the impact of contamination within the water
itself. CANARY was designed to meet that need for better assessment,
which runs on a desktop computer, can be customized for individual
water utilities, working with existing sensors and software, McKenna
some utilities monitor their water using real-time sensors, many still
send operators out once a week to take samples, said David Hart, the
lead Sandia software developer for CANARY.
Compared to weekly samples, CANARY works at lightning speed.
the start of an event—when a contaminant reaches the first sensor—to an event alarm would be 20 to 40 minutes, depending on how the utility
has CANARY configured,” McKenna says.
challenge for any contamination detection system is reducing the number
of false alarms and making data meaningful amidst a “noisy” background
of information caused by the environment and the utility infrastructure
researchers used specially designed numerical algorithms to analyze
data coming from multiple sensors and differentiate between natural
variability and unusual patterns that indicate a problem. For example,
the Multivariate-Nearest Neighbor algorithm groups data into clusters
based on time and distance, explained Kate Klise, a numerical analyst at
Sandia. When new data is received, CANARY decides whether it’s close
enough to a known cluster to be considered normal or whether it’s far
enough away to be deemed anomalous. In the latter case, CANARY alerts
the utility operator, Klise says.
computer program uses a moving 1.5- to two-day window of past data to
detect abnormal events by comparing predicted water characteristics with
current observations. But a single outlier won’t trigger the alarm,
which helps to avoid costly and inefficient false alarms. CANARY
aggregates information over multiple 2- to 5-minute time steps to build
evidence that water quality has undergone a significant change, McKenna
taken techniques from different fields and put those together in a way
they haven’t been put together before; certainly the application of
those techniques to water quality monitoring hasn’t been done before,”
CANARY also provides information about gradual changes in the water, McKenna says.
unintended benefit of the software is that when utility operators
better understood the data being sent by their sensors, they could make
changes to the management of the water systems to improve its overall
quality, McKenna says.
we found from utilities we work with is that a better managed system is
more secure, and a more secure system is better managed,” McKenna says.
Seah, director of the Technology and Water Quality Office at the Public
Utilities Board (PUB), Singapore’s national water authority, wrote in a
letter supporting CANARY that the software provided a “quantum leap” in
the utility’s practice.
In the past, Seah wrote, the utility depended on preset limits of three water characteristics to determine water quality.
the implementation of CANARY, relative changes in the patterns of these
three parameters can be used to uncover water quality events, even if
each individual parameter lies within the alarm limits,” Seah wrote. “This dramatically improves PUB’s ability to respond to water quality
changes, and allows PUB to arrest poor quality water before [it reaches] the consumers.”
more versions of the software are installed at water utilities,
researchers are working on new application areas for CANARY, such as
computer network traffic logs and geophysical log analysis used by
petroleum drillers to analyze rocks at different depths.