Skip Navigation

Fall 2008 Volume 41

Feature Articles

Every time a new employee is hired or a current employee moves to a different office, EMC Management Consultant Laurie Hoskins jumps into action. “These employees are literally inheriting someone else’s workstation,” comments Hoskins, whose primary responsibility for EMC and many of the company’s policyholders is to conduct ergonomic risk assessments. “The wrong type of chair, desks that are too tall or too short, computer monitors sitting at an uncomfortable angle, even the wrong type of mouse could result in costly work-related musculoskeletal disorders (WMSDs).”

Risk Assessment Comes First
Ergonomic risk assessments are the first step in reducing the incidence and severity of WMSDs. The assessment is basically an evaluation of the factors within a job that increase the chance of someone suffering an ergonomic injury. Hoskins and other members of EMC’s Risk Improvement Department are trained to evaluate the stresses on the muscles, bones and tendons of a worker’s body to determine if there is a risk of developing a work-related musculoskeletal disorder. If a risk is identified, recommendations for reducing the incidence and severity of WMSDs are suggested.

Simple Solutions Net Dramatic Results.
In most cases, recommendations that develop as a result of ergonomic risk assessments are fairly inexpensive and easy to implement. It could be as simple as a different computer mouse, raising the height of production tables, the use of personal protective equipment or making administrative changes to the job. But the impact of these recommendations on the health of employees and the financial well-being of a company can be significant.

Each year, 1.8 million workers have WMSDs related to ergonomic factors and 600,000 people miss some work because of them, according to a report from the Occupational Safety and Health Administration (OSHA). OSHA estimates that ergonomic injuries and illnesses cost employers $20 billion in workers’ compensation claims, or one-third of their total workers’ compensation costs. The Bureau of Labor Statistics reported that sprains and strains (many of which were considered ergonomic-related) and carpal tunnel syndrome or tendinitis accounted for 46% of all lost workday injuries.

When Should Ergonomic Risk Assessments Be Performed?
In addition to performing assessments when people are added or moved to a different workplace, EMC Management Consultant Laurie Hoskins recommends that employers consider assessments:

  • when an employee suffers a work-related musculoskeletal disorder (WMSD). This will reduce the likelihood of WMSDs affecting other workers performing a similar task.
  • when a new process is introduced or a existing process is modified.
  • when complaints or concerns about recurring aches and pains are raised by workers.

EMC loss control specialists are also called into action when companies move into new facilities. In those situations, EMC assists the company in selecting ergonomically-appropriate office equipment and customizing workstations for each employee.

What Types Of Organizations Need Ergonomic Risk Assessments?
Every work situation presents its own set of unique ergonomic challenges, and companies should make every effort to reduce those challenges. WMDSs don’t just happen in offices. For example, in response to a number of back injuries, Hoskins completed an ergonomic risk assessment in a school cafeteria and noticed kitchen workers were lifting heavy bowls of dough during the baking process. She recommended a lift table with a foot pedal. This single change was a primary factor in reducing the number of back injuries among kitchen workers.

Companies with mobile workers should also consider ergonomic risk assessments and training. According to Hoskins, people who work on computers in hotel rooms, vehicles or their homes develop some bad habits. Assessments and training will help these workers understand how simple adjustments like tiling monitors, propping keyboards and using adjustable ironing boards for work surfaces can reduce the likelihood of nagging aches and pains.

How Long Does It Take To Complete An Ergonomic Risk Assessments?
Most assessments on a single work stations can be completed in 15 to 30 minutes, depending on the complexity of that particular station. Ergonomic risk assessments in an industrial setting will require more time.

How Much Do Ergonomic Risk Assessments Cost?
Ergonomic risk assessments are provided at no additional cost to EMC policyholders.

Other Topics


If you are developing and implementing a workplace drug policy, a great place to start is with a new kit available from the Substance and Mental Health Services Administration. The kit contains nine pullout brochures, 13 fact sheets, a bumper sticker and posters. Topics include everything from educating employees to drug testing, training supervisors to creating an employee assistance program. The kit also offers resources and references as well as an implementation guide. To order a copy of the kit, call 877-726-4727 or visit


OSHA recently published its first letter of interpretation on the Personal Protective Equipment (PPE) Payment Standard. In the letter, OSHA confirms that employers have to pay for lineman belts and hooks used to comply with a safety standard. OSHA published the final rule of employer-paid PPE in November 2007. Under the rule, all PPE, with a few exceptions, must be provided at no cost to the employee. For details, visit


Employers confused about which recordkeeping, reporting or notice requirements apply to \ them may find assistance in a new internet tool from the Department of Labor. The newest “elaws” program — FirstStep Recordkeeping, Reporting and Notices — will make it easier for small business employers to determine which federal employment laws apply to their organizations. Learn more at

Who pays the price for fraudulent workers’ compensation claims? We all do. They not only lead to higher insurance premiums, but they translate into higher prices for goods and services because of production delays, retraining costs and equipment replacement purchases.

Workers’ compensation claimant fraud and medical fraud are significant contributors to our nation’s annual $30 billion insurance fraud problem. According to EMC Special Investigative Unit Manager Laurie Salz, these crimes range from people who fake an injury while on the job in order to collect workers’ compensation insurance, to organized criminal conspiracies by unethical physicians, attorneys and patients who submit false and exaggerated medical claims.

“Through our Partnership Against Insurance Crime program, EMC is leveraging the resources of policyholders, agents and our staff to deal head-on with the issues relating to all forms of insurance crime,” comments Salz. “As an employer, you are in a particularly advantageous position to help in the fight.”

Prescreen Potential Employees
Although the presence of several of the following conditions does not mean a potential or current employee is likely to be involved in a fraudulent claim, be aware of these red flags:

  • Substantial material misrepresentation on the employment application
  • Bad references
  • Positive drug test results
  • Criminal record
  • Unverified Social Security number
  • Nomadic with a history of short-term employment and financial difficulties

Watch For Warning Signs
While the following indicators are not proof of fraud, they are some conditions to watch for:

  • Employee warning signs — disgruntled, soon-to-retire or facing imminent firing or layoff; takes more time off than the claimed injury seems to warrant; changes physicians when a release for work has been issued; demands quick settlement payment
  • Accident warning signs — occurs at an odd hour; details are vague and contradictory; not promptly reported by the employee to the supervisor; no witnesses

Report Fraudulent Workers’ Compensation Claims
Once you believe you have detected workers’ compensation fraud, contact your local EMC branch office claims department or EMC’s Special Investigative Unit as soon as possible. Remember, only discuss the issue with EMC personnel and refer any other inquiries on the matter to the branch office or EMC’s Special Investigative Unit.

EMC’s Partnership Against Insurance Crime program

The Coalition Against Insurance Fraud, a national organization combating insurance fraud, recommends employers perform the following steps:

  • Publish your workers’ compensation policies and educate your employees about the cost and impact of workers’ compensation insurance on the business. Employees need to understand that their employer ultimately pays the costs of injuries.
  • Educate managers and supervisors on accident procedures and claim policies.
  • Take complaints about working conditions seriously, and do what you can to address them. Disgruntled employees are a major source of workers’ compensation fraud.
  • Take advantage of workplace safety training and awareness programs offered by your insurance carrier.*
  • Implement safety management and loss control programs. Perform periodic reviews of the injury risks involved in workplace activities. Correct safety problems immediately.
  • Display your insurer’s fraud hotline number.*
* EMC offers training, posters, brochures and a fraud hotline at no additional cost to policyholders.

Almost 50,000 people require hospital emergency room treatment every year in accidents associated with some of the nation’s four million swimming pools, according to the U.S. Consumer Product Safety Commission.

Although the summer months are coming to an end, the risks are just as prevalent at indoor pools. EMC loss control specialists encourage you to take the following precautions to reduce the likelihood of accidents, indoor and out.

  • Use nonslip materials where appropriate. Many severe injuries result from falling on slippery walkways and decks and falling from diving boards and ladders.
  • Use a licensed electrician. Electrical equipment should be installed in accordance with local safety codes. Faulty electrical installations could cause serious or fatal electric shock.
  • Mark water depths conspicuously. Use a safety float line where the bottom slope deepens.
  • Check the pool and equipment periodically. Cover all sharp edges and protruding bolts. Repair rickety or broken ladders and railings. Replace nonslip materials when they wear out.
  • Always provide competent adult supervision. Never allow children to swim alone or unsupervised. Even adults should never swim alone.
  • Keep rescue devices and first aid supplies near the pool. A floating shepherds crook is useful.
  • Keep area clean of electrical appliances. Appliances such as radios, CD players and laptops represent a potential electrical shock hazard.

For additional swimming pool safety tips and other pool safety materials, visit the Consumer Product Safety Commission at

Laurie Hoskins

When completing an ergonomic risk assessment in an office setting, EMC Management Consultant Laurie Hoskins stresses the importance of encouraging employees to use ergonomically-sound work habits. Some of these include the following tips:

  • Don’t bend your wrists while typing. Keep your wrists in a straight position, not flexed or bent.
  • Maintain good posture. Sit back in your chair, not on the edge. Keep your feet flat on the floor or use a footrest. Relax your shoulders.
  • Position your mouse next to, and the same height as, your keyboard. Keep it close to your body; try not to reach too far for your mouse.
  • Adjust your computer screen for your eyes. Give your eyes a break by looking away from the screen and focusing on a distant object.

For additional information on ergonomics, click here.

Source: American Association of Physical Medicine and Rehabilitation

In addition to jumping into action when a claim is filed, EMC works equally hard to reduce the likelihood of claims. Our Risk Improvement Department provides a broad range of exceptional loss control and loss prevention services that address a wide variety of needs — usually at no cost to our customers. You can learn more about the scope of services available in a brand new presentation — The Best in Loss Control.

This presentation, which is available online and on CD-ROM, provides specific information on how EMC’s loss control experts can help keep your property, drivers, employees and the public safe. The presentation also includes comments from EMC policyholders who have benefitted from the resources of EMC’s Risk Improvement Department. To view this presentation click here.

Insights Online


Tammy Swenson, EMC Loss Control Engineer

Reducing Crane Accidents
An annual average of 22 construction workers were killed in crane-related incidents from 1992 to 2006, according to The Center for Construction Research and Training. EMC Loss Control Engineer Tammy Swenson offers some tips to prevent additional fatalities.

It’s like saying motorcycles kill people. Motorcycles don’t kill people, but people make mistakes that cause accidents to happen, and then people get injured or killed while riding motorcycles. Cranes can be thought of in a similar manner. They are engineered pieces of equipment that have a specific purpose, and that purpose cannot be completed without the direct involvement of people. Every day cranes are transported, erected, used to make lifts, jumped up, dismantled and moved on to the next job. Unfortunately, when something goes wrong with a crane — be it a tower crane or a lighter capacity hydraulic crane — it is usually catastrophic. Casualties and property damage are almost always a given.

Cranes In The News
There have been several recent high profile cases involving tower cranes collapsing and causing fatalities and large amounts of property damage. Media attention has put crane safety under scrutiny as questions are asked about the cause of these crane failures and how they can be prevented in the future. While investigators and experts continue sorting out the details of these recent accidents, problems continue. Inspectors are being charged with taking bribes and other crimes; tower crane manufacturers are being questioned about the quality of their products; the public fears for its safety near jobsites; and OSHA is feeling the heat to update its crane standard in consideration of current technology.

What Went Wrong?
There are many potential causes of crane accidents. One of the most likely culprits is the breakneck speed at which construction projects currently move. Owners are demanding faster completion times, and contractors are feeling pressured to finish on time in order to make a profit. If they are able to finish ahead of the contracted schedule, they might even earn an incentive bonus. Manpower is stretched to the limit by long hours, and employees are working in highly congested areas, among several trades trying to complete their work simultaneously. It is not unusual to see a large project with two or more tower cranes running on the site and several smaller cranes working below them.

Another possible reason for crane accidents is the lack of qualified people onsite when equipment is erected, jumped or dismantled. Like many other industries, construction is experiencing a shortage of skilled, experienced labor. There may not be an adequate number of properly trained people available to perform the critical functions of crane work.

Rigging, for example, is one of the most important skills to have when working with a crane. The process of securing the load to the crane is often completed by people who aren’t properly trained to perform this function. The causes of the most recent tower crane collapses have been traced back to improperly rigging the crane in the jumping sequence. The mistake could have been the use of defective lifting straps that should have been removed from service by a competent person. It could have been that the components of the crane itself were not rigged properly when jumping the crane sections. Either way, the failure may have had nothing to do with the crane itself, but may in fact have been caused by the people and the rigging of the crane.

Most contractors who use tower cranes use them according to OSHA standards. However, some are even going above and beyond what is required due to the inherent dangers of using cranes. The problems occur when shortcuts are taken and people gamble with safety. Tight schedules combined with high complacency create a recipe for disaster. Tower cranes may be jumped on a weekend when there is less supervision and exposure on the site. The jumping, erecting or dismantling may be done with only an operator and a handful of unqualified helpers. Inspections may or may not occur, or they may not be done properly. All of these risky behaviors contribute to the likelihood of accidents.

Crane Safety Today
There is no room for error when erecting and dismantling cranes or jumping a tower crane. There are several precautions you can take if you own, operate or subcontract cranes on your site:

  • Prequalify the contractors you use.
  • Find out what types of cranes are being used, what condition they are in and how often they are inspected.
  • Ask about, and verify, the knowledge and experience of the personnel who will be operating, erecting, jumping or dismantling the cranes.
  • Determine the condition of the rigging that will be used and whether or not employees are properly trained.

All of these things can be done before a crane arrives on-site.

Although there is talk of OSHA updating its current Crane & Derrick standard, why wait? Take a proactive stance on policies and procedures for your cranes and try to prevent an accident that is almost guaranteed to result in loss of life or property.

  • Train your personnel in proper rigging equipment and techniques, as well as correct signaling methods.
  • Demand that operators are NCCCO (National Commission for the Certification of Crane Operators) certified on the type of crane they will be operating. A squirt stick hydraulic crane and a tower crane are completely different animals, and good training should reflect that.
  • Type-specific instruction should be given and the skills successfully demonstrated before operation begins.

Best Practices From The Weitz Company
I recently spoke with Tim Dawson, safety manager for The Weitz Company in Des Moines, Iowa. I asked him what they were doing specifically with tower crane safety in light of recent high-profile accidents. While The Weitz Company has always had standards in place for crane operations, Tim informed me they have substantially upgraded their information to include very specific safety policies and procedures for using tower cranes on their sites. During the jumping operation of one of their tower cranes, they are requiring a representative from the crane manufacturer be onsite to oversee the procedure. They then require that representative to recertify the crane once the jump has been completed. Training and certification of the operators is also a requirement. Specifically, they want an operator who is using a tower crane to be certified to do so. They have added more crane inspections to the schedules by supplementing their own inspections with outside inspectors. Their tower cranes are inspected by a third party 90 days after the initial set up and then annually thereafter. They feel it is a priority to update their standards to ensure the safety and health of their employees instead of waiting for regulatory changes.

All types of cranes, including tower cranes, are engineering marvels that serve a great purpose in the construction industry. They seem to have developed a bad reputation because of the high-profile accidents that have recently occurred. However, if they are erected, jumped, dismantled, used and maintained properly by skilled personnel they can be used with minimal risk to people and property, ensuring they remain at the forefront of successful construction projects.

Six Crane Safety Tips
The following recommendations from the Center for Construction and Training support what Tammy Swenson has to say about crane safety:

  1. Crane operators should be certified by a nationally-accredited crane operator training organization, such as the National Commission for the Certification of Crane Operators (NCCCO).
  2. Riggers who attach loads to cranes and signalpersons who audibly and visibly direct where the crane operator places the load should be certified.
  3. Crane inspectors also should be certified, and should have the same degree of qualifications as crane operators.
  4. Cranes must be inspected thoroughly by a certified inspector after being assembled or modified, such as “jumping” a tower crane.
  5. Only trained workers should assemble, modify or dismantle cranes, and they should remain under the supervision of that person meeting both the definitions of a qualified and competent person.
  6. Crane loads should not be allowed to pass over street traffic. If rerouting is not possible, streets should be closed during the work.

Managing Construction Noise
Exposure to loud noises at construction sites can cause irreversible hearing damage and workplace accidents. You can’t eliminate the noise, but The European Agency for Safety and Health at Work offers some recommendations on how to manage it.

Walk on any construction site and what do you hear? The pounding of impact tools like concrete breakers. Explosions from blasting. The barrage of pneumatically powered equipment. The rumble of internal combustion engines. These and the many other noises to which workers are exposed can result in numerous problems, including irreversible hearing damage and accidents caused when noise levels are so extreme that workers cannot hear warnings and alarms. The European Agency for Safety and Health at Work offers the following tips for managing the noise.

Tip One: Eliminate Noise
Where possible, the production of noise should be eliminated. This can be achieved by changing the construction or work method. Where elimination is not possible, the noise should be controlled.

Tip Two: Control Noise At Its Source

  • Use a machine with lower noise emissions
  • Avoid metal-on-metal impacts
  • Use damping to reduce noise or isolate vibrating parts
  • Carry out preventive maintenance to reduce noise generated by worn parts

Tip Three: Work With Other Contractors On The Job Site

  • Isolate noisy procedures and restrict access to those areas
  • Interrupt the path of airborne noise through the use of noise enclosures and barriers
  • Use absorptive materials to reduce reflected sound
  • Interrupt the path of airborne noise through the use of noise enclosures and barriers
  • Control ground-born noise and vibration by using floating slab measures
  • Organize work so that the time spent in noisy areas is limited
  • Plan to have noisy work done at a time when as few workers as possible will be exposed

Tip Four: Use Personal Hearing Protection As A Last Resort

  • When required, personal hearing protection must be worn and its use enforced
  • Personal hearing protection should be suitable for the job as well as the type and level of noise, and compatible with other protective equipment
  • Workers should have the choice of suitable hearing protection, so they can find the most comfortable option
  • Provide training on the use, storage and maintenance of personal hearing protection

Tip Five: Involve Workers
On-site workers often know about particular noise problems and possible solutions. Consult with them during the assessment procedure and discussions on how to implement control measures.

Local Governments

The Hazards Of Overhead Power Lines
EMC loss control experts encourage you to follow the recommendations of OSHA and the National Institute for Occupation Safety and Health to avoid electrocution from unintentional contact with overhead power lines.

Electrocutions from contact with overhead power lines result in 128 work-related fatalities on an average year basis. According to the National Institute for Occupational Safety and Health (NIOSH), many of these fatalities can be prevented through awareness of the hazard and the implementation of safety procedures. EMC loss control specialists recommend the following tips from OSHA to help employers, employees and others identify potential risks when working under and around power lines:

  • Develop and implement written safety programs to help workers recognize and control the hazards of contact with overhead power lines.
  • Conduct initial and daily surveys of the worksite, and implement control measures and training to address hazards at the site.
  • Don’t operate equipment around overhead power lines unless you are authorized and trained to do so.
  • If an object (scaffolds, crane, etc.) must be moved in the area of overhead power lines, appoint a competent worker whose sole responsibility is to observe the clearance between the power lines and the object. Warn others if the minimum distance is not maintained.
  • Never touch an overhead line if it has been brought down by machinery or has fallen.
  • Never assume lines are dead.
  • When a machine is in contact with an overhead line, do not allow anyone to come near or touch the machine. Stay away from the machine and summon outside assistance.
  • Never touch a person who is in contact with a live power line.
  • Be trained in cardiopulmonary resuscitation (CPR).
  • If you are in a vehicle that comes in contact with an overhead power line, don’t leave the vehicle. As long as you stay inside and avoid touching metal on the vehicle, you may avoid an electrical hazard. If you need to get out to summon help or because of fire, jump out without touching any wires or the machine, keep your feet together and hop to safety.
  • When mechanical equipment is being operated near overhead power lines, employees standing on the ground may not touch the equipment unless it is positioned so that the required clearance cannot be violated even at the maximum reach of the equipment.
  • When working near overhead power lines, the use of nonconductive wooden or fiberglass ladders is recommended. Aluminum ladders and metal scaffolds or frames are dangerous conductors of electricity.
  • Avoid storing materials under or near overhead power lines.

Want To Learn More?
The National Institute for Occupation Safety and Health offers the following online resources for preventing electrocutions from contact with overhead power lines:

According to NIOSH Director John Howard, M.D., the basic precautions — awareness and good planning — can be applied to virtually any of these NIOSH resources for preventing electrocution from contact with overhead power lines.

Water Security Is A Growing Concern
International and national organizations are issuing guidelines to help you protect the security of drinking water. EMC loss control specialists review the elements of a vulnerability assessment for your community’s water system.

Improving the security of our nation’s drinking water and wastewater infrastructures has become a top priority since the events of 9/11. Significant actions are underway to assess and reduce vulnerabilities to potential terrorist attacks; to plan for and practice response to emergencies and incidents; and to develop new security technologies to detect and monitor contaminants and prevent security breaches. Last year, for example, the Water Environment Federation released its Guidelines for the Physical Security of Wastewater/Stormwater Utilities. Most recently, the International Organization for Standardization issued its Guidelines for the Management of Drinking Water Utilities Under Crisis Conditions. According to EMC loss control specialists, a crucial element of any water security program is a vulnerability assessment. Following is some basic information from the Environmental Protection Agency about these assessments.

What Is The Purpose Of Vulnerability Assessments?
Vulnerability assessments help water systems evaluate susceptibility to potential threats and identify corrective actions that can reduce or mitigate the risk of serious consequences from adversarial actions (e.g., vandalism, insider sabotage, terrorist attack). Such an assessment for a water system takes into account the vulnerability of the water supply (both ground and surface water), transmission, treatment and distribution systems. It also considers risks posed to the surrounding community related to attacks on the water system. An effective vulnerability assessment serves as a guide to the water utility by providing a prioritized plan for security upgrades, modifications of operational procedures, and/or policy changes to mitigate the risks and vulnerabilities to the utility’s critical assets. The vulnerability assessment provides a framework for developing risk reduction options and associated costs. Water systems should review their vulnerability assessments periodically to account for changing threats or additions to the system to ensure that security objectives are being met. Preferably, a vulnerability assessment is “performance-based,” meaning that it evaluates the risk to the water system based on the effectiveness (performance) of existing and planned measures to counteract adversarial actions.

What Are The Basic Elements Of Vulnerability Assessments?
The following are common elements of vulnerability assessments. These elements are conceptual in nature and not intended to serve as a detailed methodology:

  • Characterization of the water system, including its mission and objectives
  • Identification and prioritization of adverse consequences to avoid
  • Determination of critical assets that might be subject to malevolent acts that could result in undesired consequences
  • Assessment of the likelihood (qualitative probability) of such malevolent acts from adversaries
  • Evaluation of existing countermeasures
  • Analysis of current risk and development of a prioritized plan for risk reduction

The vulnerability assessment process will range in complexity based on the design and operation of the water system itself. The nature and extent of the vulnerability assessment will differ among systems based on a number of factors, including system size, potential population affected, source water, treatment complexity, system infrastructure and other factors. Security and safety evaluations also vary based on knowledge and types of threats, available security technologies, and applicable local, state and federal regulations.

What Are Some Points To Consider In A Vulnerability Assessment?
The manner in which the vulnerability assessment is performed is determined by each individual water utility. It will be helpful to remember throughout the assessment process that the ultimate goal is twofold — to safeguard public health and safety and to reduce the potential for disruption of a reliable supply of pressurized water.

  • Characterization of the water system, including its mission and objectives — What are the important missions of the system to be assessed? Define the highest priority services provided by the utility. Identify the utility’s customers. What are the most important facilities, processes and assets of the system for achieving the mission objectives and avoiding undesired consequences? In assessing those assets that are critical, consider critical customers, dependence on other infrastructures (e.g., electricity, transportation, other water utilities), contractual obligations, single points of failure (e.g., critical aqueducts, transmission systems, aquifers), chemical hazards and other aspects of the utility’s operations, or availability of other utility capabilities that may increase or decrease the criticality of specific facilities, processes and assets.
  • Identification and prioritization of adverse consequences to avoid — Take into account the impacts that could substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water or otherwise present significant public health concerns to the surrounding community. Water systems should use the vulnerability assessment process to determine how to reduce risks associated with the consequences of significant concern. Ranges of consequences or impacts for each of these events should be identified and defined. Risk reduction recommendations at the conclusion of the vulnerability assessment should strive to prevent or reduce each of these consequences.
  • Determination of critical assets that might be subject to malevolent acts that could result in undesired consequence — Consider the operation of critical facilities, assets and/or processes and assess what an adversary could do to disrupt these operations. Such acts may include physical damage to or destruction of critical assets, contamination of water, intentional release of stored chemicals, interruption of electricity or other infrastructure interdependencies.
  • Assessment of the likelihood(qualitative probability) of such malevolent acts from adversaries (e.g., terrorists, vandals) — Determine the possible modes of attack that might result in consequences of significant concern based on the critical assets of the water system. The objective of this step of the assessment is to move beyond what is merely possible and determine the likelihood of a particular attack scenario. This is a very difficult task as there is often insufficient information to determine the likelihood of a particular event with any degree of certainty. The threats (the kind of adversary and the mode of attack) selected for consideration during a vulnerability assessment will dictate, to a great extent, the risk reduction measures that should be designed to counter the threat(s).
  • Evaluation of existing countermeasures — What capabilities does the system currently employ for detection, delay and response? What cyber-protection system features does the utility have in place? Assess what protective measures are in place for the SCADA and business-related computer information. What security policies and procedures exist, and what is the compliance record for them?
  • Analysis of current risk and development of a prioritized plan for risk reduction — Information gathered on threat, critical assets, water utility operations, consequences and existing countermeasures should be analyzed to determine the current level of risk. The utility should then determine whether current risks are acceptable or risk reduction measures should be pursued. Recommended actions should measurably reduce risks by reducing vulnerabilities and/or consequences through improved deterrence, delay, detection and/or response capabilities or by improving operational policies or procedures. Selection of specific risk reduction actions should be completed prior to considering the cost of the recommended action(s). Generally, strategies for reducing vulnerabilities fall into three broad categories: sound business practices, system upgrades and security upgrades.

Petroleum Marketers

Propane Tanks Used To Make Crystal Meth
Propane tanks that have been used in the illegal manufacture of methamphetamines could cause injury or death. Learn more about the problem and how to spot these dangerous tanks.

The National Propane Gas Association (NPGA) reports that propane tanks that have been used to store anhydrous ammonia in the illegal manufacture of methamphetamines are turning up at cylinder exchanges and refilling stations across the country. These tanks present a real danger to you and your customers. A safety alert issued by NPGA notes that ammonia deteriorates the valve and could result in a dangerous expulsion of the valve from the tank, which could cause injury or death.

How can you tell if a tank on your premises was used to manufacture meth? A blue-green stain on the brass portion of the valve is an indication the tank has been used to store anhydrous ammonia, as is the scent of ammonia on or near the tank. If you suspect a tank has been used to store anhydrous ammonia, try not to move it and restrict access to the area. If the tank must be moved, point the valve away from yourself and others. Contact your local fire department for instructions on how to properly dispose of the tank.

Fuel Theft Is On The Rise
EMC loss control specialists offer some tips on reducing fuel theft — an expensive and potentially dangerous criminal activity.

Fuel thefts are on the rise nationally, with most occurring in urban areas and along the interstate systems during peak travel times. In 2006, 122 million dollars of fuel was stolen from the pumps. In searching for some loss control tips station owners could use, EMC loss control specialists came across these helpful tips from the Indiana State Police:

  • Require prepayment or pay at the pumps.
  • Have a good surveillance system that utilizes multiple cameras, is well maintained and continuously records.
  • Greet customers through an intercom system — this lets them know they are being watched.
  • Station an attendant on the fuel islands, as a visible deterrent — personal customer service is a good deterrent.
  • Remove obstructive material from the station windows.
  • Offer a reward of free fuel to those who turn in gas thieves.
  • If you have a theft of fuel, get as much information as possible about the vehicle and the occupant(s) and then call police. Be a good witness and don’t go after the thieves yourself.

Remember, be vigilant and don’t be an easy target for fuel theft.


Playground Safety
An estimated 200,000 children are treated in emergency rooms each year for injuries related to playground equipment. Use the online checklist to increase the safety of your playground.

Use this checklist to increase the safety of your local community playground:

  • Make sure surfaces around playground equipment have at least 12 inches of wood chips, mulch, sand or pea gravel, or have mats made of safety-tested rubber or rubber-like materials.
  • Check that protective surfacing extends at least 6 feet in all directions from any play equipment. For swings, be sure surfacing extends, in back and front, twice the height of the suspension bar.
  • Make sure play structures more than 30 inches high are spaced at least 9 feet apart.
  • Check for dangerous hardware, like open “S” hooks or protruding bolt ends.
  • Make sure spaces that could trap children, such as openings in guardrails or between ladder rungs, measure less than 3.5 inches or more than 9 inches.
  • Check for sharp points or edges in equipment.
  • Look out for tripping hazards, like exposed concrete footings, tree stumps and rocks.
  • Make sure elevated surfaces, like platforms and ramps, have guardrails to prevent falls.
  • Check playgrounds regularly to see that equipment and surfacing are in good condition.

Improving School Security
One-third of public school districts need improvements in the security of their information technology systems. Learn more about how to improve your school’s security.

Although schools throughout the nation have taken large strides at improving physical security, the CDW-Government 2008 School Safety Index noted that schools have taken a step back when it comes to IT security. Among some of the survey findings:

  • More than half of districts are using network access control to protect data and ensure that only authorized users access their networks and that only approved applications are used. However, budget restraints, lack of staff resources and the need for more IT tools cancelled out districts’ efforts to improve cyber-security.
  • Though the majority of school districts have taken steps to authenticate users on their computer networks, the survey found that 16% of districts still use general log-ons rather than unique user names and passwords.
  • Of all school districts surveyed, 14% reported at least one IT security breach within the last 12 months, a 5% increase over the previous year.

Today’s networked environment brings tremendous value to our students and employees, yet it has also created significant risks — from identity theft to distribution of inappropriate content. According to Gartner Group, an information technology consulting company, 70% of security incidents that cause loss to enterprises — rather than mere annoyance — involve insiders. Yet, most security tools to date, such as firewalls and intrusion prevention, have focused on external threats.

Extrusion Prevention Defends Against Internal Threats
Given these realities, how should school districts deal with internal threats? The answer lies in extrusion prevention—the process of stopping data leakage. Extrusion prevention protects digital assets, prevents the leaking of sensitive information (such as unique attributes about students and employees), and thwarts network misuse (such as illegal peer-to-peer file sharing). In short, extrusion prevention helps school systems guard against significant losses and liabilities.

As any technologist knows, the human factor can often make or break a successful technology deployment. Deploying an extrusion prevention system (EPS) is no different — it isn’t simply a technology change, but a cultural shift as well. Following are clear steps to a successful implementation:

  • The Amnesty Period (time period: 60-90 days): During the initial deployment of an EPS, communication is essential. Remind educators, students and administrators of the policies in places and make them aware of the new technology being deployed, the benefits it provides and the penalties for policy violations. Because this is a culture change and policy change, prepare yourself for numerous and lengthy discussions around accountability and enforcement with your human resources, legal and/or employee relations departments, not to mention your union. Keep in mind you will probably need to reassess your policies, and in some cases, you might have to change job descriptions. Although penalties aren’t assessed in this phase, simply through education you will already be to deter violations and increase security.
  • Phase 1: The Action Period (time period: 3-9 months): This is when large-scale rollout occurs. Amnesty is removed, all violations are identified, with the most egregious made public, and offenders are punished. The punishment for students should be part of the student code of conduct. The punishment for employees should be part of your employee code of ethics. Remember, prior to deploying an EPS, even the best IT organization can only speculate about violations. With an EPS, you have digital evidence you can take to leadership to deal with violations such as inappropriate instant messaging content or sending out sensitive employee or student information in a manner that could lead to identity theft. During this phase, the IT department works closely with human resources and/or employee relations in training their staff on the use of the tool and refining the filters used to capture information.
  • Phase 2: The Automation Period (time period: 9 months and beyond): Phase 2 marks the period when you’ve fully tested the system for your environment, you’ve finalized and implemented policies, and you’ve put in place automatic policy enforcement and the ability to take action. At this point the EPS is much like a closed-circuit televisions system. But instead of having cameras programmed to automatically call the local authorities if someone is in a hallway in your school in the middle of the night, an EPS lets you know when there’s data where it shouldn’t be and automatically takes action. During this phase, the tool will be firmly in the hands of your human resources and/or employee relations department, who monitor incidents and take actions based on policy. The technology department plays a supportive role in the background. The goal: to prevent the IT department from playing the “police” role and ensure its focus remains on supporting teaching and learning with technology.

[Note: Some of the information in this article is courtesy of Charles Thompson, CIO of the Orange County Public Schools, the 11th largest public school system in the nation.]