A Consistent Approach for Vulnerability Assessment of Dams
21st Century Dam Design — Advances and Adaptations
31st Annual USSD Conference
San Diego, California, April 11-15, 2011

Hosted by
Black & Veatch Corporation
GEI Consultants, Inc.
Kleinfelder, Inc.
MWH Americas, Inc.
Parsons Water and Infrastructure Inc.
URS Corporation

On the Cover
Artist's rendition of San Vicente Dam after completion of the dam raise project to increase local storage and provide a more flexible conveyance system for use during emergencies such as earthquakes that could curtail the region's imported water supplies. The existing 220-foot-high dam, owned by the City of San Diego, will be raised by 117 feet to increase reservoir storage capacity by 152,000 acre-feet. The project will be the tallest dam raise in the United States and the tallest roller compacted concrete dam raise in the world.

U.S. Society on Dams
Vision
To be the nation's leading organization of professionals dedicated to advancing the role of dams for the benefit of society.
Mission — USSD is dedicated to:
• Advancing the knowledge of dam engineering, construction, planning, operation, performance, rehabilitation, decommissioning, maintenance, security and safety;
• Fostering dam technology for socially, environmentally and financially sustainable water resources systems;
• Providing public awareness of the role of dams in the management of the nation's water resources;
• Enhancing practices to meet current and future challenges on dams; and
• Representing the United States as an active member of the International Commission on Large Dams (ICOLD).

The information contained in this publication regarding commercial projects or firms may not be used for advertising or promotional purposes and may not be construed as an endorsement of any product or firm by the United States Society on Dams. USSD accepts no responsibility for the statements made or the opinions expressed in this publication.

Copyright © 2011 U.S. Society on Dams
Printed in the United States of America
Library of Congress Control Number: 2011924673
ISBN 978-1-884575-52-5
U.S. Society on Dams, 1616 Seventeenth Street, #483, Denver, CO 80202
Telephone: 303-628-5430  Fax: 303-628-5431
E-mail: stephens@ussdams.org
Internet: www.ussdams.org

A CONSISTENT APPROACH FOR VULNERABILITY ASSESSMENT OF DAMS

Yazmin Seda-Sanabria (1), M. Anthony Fainberg (2), Enrique E. Matheu, PhD (3)

ABSTRACT

This paper presents a consistent methodology for security vulnerability assessment of dams. The quantification of vulnerability is based on the systematic characterization of the different defensive layers protecting the facility and its critical components. This characterization takes into account various possible attack modes (ground, water, cyber, etc.) and considers the potential asymmetric configuration of the security measures with respect to the different possible approaches (left bank vs. right bank, etc.). For any selected attack scenario, the corresponding vulnerability is numerically defined as the probability of a successful attack that is able to sequentially defeat each defensive layer protecting the intended target. The probability of successful attack against each one of the individual defensive layers is predetermined using a rigorous expert elicitation process. The resulting methodology is easy to implement and facilitates the consistent comparison of vulnerability assessment results across a large portfolio of dams.

INTRODUCTION

In 2005, the Institute for Defense Analyses (IDA) initiated the development of a Common Risk Model (CRM) for evaluating and comparing risks associated with the Nation's critical infrastructure.
Following the guidelines provided in the 2009 National Infrastructure Protection Plan (NIPP), this model incorporates commonly used risk metrics that are designed to be transparent, simple, mathematically justifiable, user-friendly, and also able to compare calculated risks to assets and systems both within and across critical infrastructure sectors. Risks are considered from an "all-hazards" perspective, which includes manmade and natural events. The CRM can be applied to either of these, although to date it has been primarily focused on manmade threats. Over the past year, a modified version of this model has been under development by IDA in collaboration with the U.S. Army Corps of Engineers (USACE) and the U.S. Department of Homeland Security (DHS). The modified model – Common Risk Model for Dams (CRM-D) – takes into account the unique features of dams and navigation locks and provides a systematic approach for evaluating and comparing risks from terrorist threats across a large portfolio, such as the one owned by USACE.

(1) Program Manager, Critical Infrastructure Protection and Resilience Program, Office of Homeland Security, U.S. Army Corps of Engineers, Headquarters, Washington, DC 20314.
(2) Adjunct Research Staff Member, Strategy, Forces, and Resources Division, Institute for Defense Analyses, Alexandria, VA 22311.
(3) Chief, Dams Sector Branch, Sector-Specific Agency Executive Management Office, Office of Infrastructure Protection, U.S. Department of Homeland Security, Washington, DC 20528.

In general, the risk to any particular target is considered to be a function of three parameters: threat – the likelihood of an attack being attempted against the target; vulnerability – the susceptibility of the target to being compromised by the attack, given that it is attempted; and consequences of the attack, if successful.
Therefore, it can be stated that:

    $R = f(T, V, C)$    (1)

where R is risk, T is threat, V is vulnerability, and C is the consequences. A widely used approach to risk definition takes the risk to be simply the product of these three:

    $R = T \times V \times C$    (2)

Consequences considered for comparative risk assessments should take into account the four consequence categories established by the NIPP: public health and safety (impacts on human life and physical well-being); economic (direct and indirect economic losses); psychological (effects on public morale and confidence in national economic and political institutions); and governance/mission impact (effects on government or industry's ability to maintain order, deliver minimum essential public services, ensure public health and safety, and carry out national security-related missions). As a minimum, as established by the NIPP, consequence assessments should focus on the two most fundamental impacts (human consequences and the most relevant direct economic consequences). The CRM-D methodology currently considers lives lost and economic losses as consequence metrics. However, the CRM-D approach can be expanded through further analysis to include other impacts as well.

In the CRM-D methodology, threat and vulnerability are defined as probabilities, and they conform to the mathematical rules governing probabilities. In particular, values for threat and vulnerability range from zero to one, and can be combined multiplicatively. T, the probability of a given type of attack within a specified timeframe (usually conveniently taken to be a year), is defined as P(A), and V is defined as P(S|A), the probability that a given type of attack against an asset or system will be successful, given that it is attempted.

    $R = P(A) \times P(S|A) \times C$    (3)

Thus, the resulting risk can be interpreted as an expected loss, including lives lost and economic impact.
The approach is consistent with the risk metrics estimated by models for natural disasters, accidents, and natural failure of manmade components in human engineered systems. The numerical value of R will be less than the numerical value of C, the consequences of the attack, because C is multiplied by two probability values, P(A) and P(S|A), that are each less than one. One can also define a conditional risk, $R_C$, to an asset or system:

    $R_C = V \times C = P(S|A) \times C$    (4)

Knowing conditional risks of assets can be useful to a decision maker, especially when there are major uncertainties regarding the quantification of the threat parameter. Intelligence and past data, which would be used to estimate P(A), are often limited, and may even depend on conditional risk itself; a target that is perceived by attackers to have a high conditional risk from the perspective of their goals and objectives may be more likely to be attacked. Since P(S|A) is a probability, $0 \le P(S|A) \le 1$, and it can only diminish expected worst case consequences. As previously mentioned, the resulting risk metric represents an "expected value of loss" and is a commonly used decision metric derived in many risk formulations.

A portfolio-wide conditional risk analysis should identify the attack vectors that could affect the largest segments of the portfolio, or the facilities with the highest risk for specific attack vectors. Determination of the conditional risk for these facilities can assist in asset prioritization and inform decisions focused on the allocation of resources to improve the security measures over many different facilities. Some portfolio analyses might focus only on those facilities that pose the highest conditional risks – that is, those facilities that exceed a given conditional risk threshold established by the analyst or decision-maker.
However, from an overall risk perspective, the highest conditional risk facilities may not be the highest overall risk facilities when the probability of a given type of attack, i.e., P(A), is considered. Portfolio analyses using conditional risk as the decision metric can be appropriate in cases where P(A) has not been estimated or cannot be estimated in a timely way, or in cases where resources to provide security improvements have already been allocated. In the latter case, the decision is how to prioritize assets or facilities for purposes of deciding the order of implementing the improvements. When conditional risk is used in this way (that is, without the benefit of formal P(A) estimates), the tacit assumption by the analyst or decision-maker is that all attack vectors are equally likely (4). This paper discusses how the CRM-D can be used in the calculation of conditional risk as part of systematic portfolio-wide prioritization for dams.

(4) Risk estimates provide a basis for rank ordering elements of the portfolio and making pairwise ratio comparisons among them (e.g., Dam A has twice the risk of Dam B). The assumption that all attack vectors are equally likely preserves rank ordering and pairwise ratio comparisons when overall risk and conditional risk results are compared. Or, said slightly differently, no new decision information is added by P(A) when attack vectors are considered to be all equally likely.

FUNDAMENTAL CONCEPTS: COMMON RISK MODEL FOR DAMS

In the original CRM approach, assets or facilities were represented as simple, point targets. To evaluate the conditional risk of an asset, a simple, conceptual model of layered defenses is considered to define the protection of a given target: a National (Layer 1) defense layer (e.g., National measures such as air defense against potential terrorist activities), a local (Layer 2) defense layer (e.g., local law enforcement), and a target (Layer 3) defense layer (e.g., security measures such as fences, protective barriers, or guards deployed by owners/operators). For a critical infrastructure asset to be successfully attacked, each of these defensive layers would need to be successfully breached. Figure 1 shows a conceptual depiction of layered defenses used in the CRM methodology.

[Figure 1. Conceptual Model of Layered Defenses. Three nested layers surround the Target. Layer 1 (outermost): $P_{B_1}$, probability of successfully penetrating Layer 1 (Event B1). Layer 2: $P_{B_2|B_1}$, conditional probability of successfully penetrating Layer 2 (Event B2), given that B1 takes place. Layer 3 (innermost): $P_{B_3|B_2,B_1}$, conditional probability of successfully penetrating Layer 3 (Event B3), given that B1 and B2 take place.]

After examining this figure, the probability that the attack will be successful in reaching the target, considering it being attempted (also known as the vulnerability or P(S|A)), can be determined using the following expression:

    $P(S|A) = P_{B_1} \times P_{B_2|B_1} \times P_{B_3|B_2,B_1}$    (5)

Dams and their components are larger and more complex facilities than those found in other sectors. However, the fundamental core concepts of the CRM approach still apply and have remained unchanged in the adapted CRM-D methodology. Figure 2 depicts an example of layered defenses that can be found at a typical dam.

[Figure 2. Dams and Layered Defenses.
Defensive Layer 1 (Outer Perimeter):
• Access Control
• Personnel Barrier
• Vehicle Barrier
Defensive Layer 2:
• Hardened Structure
• Surveillance System
• Access Control
• Personnel Barrier]

To assess the vulnerability of a target with respect to a given attack vector, each defensive layer is analyzed based on a common set of defensive attributes (e.g., fences, guards, surveillance). The combination of these attributes – referred to as the "Layer Defensive Configuration" (LDC) – is used to characterize the layer.
These combinations represent the typical defensive configurations that can be found in dams. A defensive configuration questionnaire is filled out for each layer to elicit information that assists in characterizing the presence of defensive attributes. The responses to the questionnaire collect key data defining general physical layout, access routes, asset security posture, and corresponding defensive attributes. Table 1 summarizes the potential LDCs associated with a land-based defensive layer.

Table 1. Layer Defensive Configurations (LDC) – Land
Attribute              LDC:  A    B    C    D    E    F    G    H    O
Access Control
Personnel Barrier
Vehicle Barrier
Guard Force
Surveillance System

For each potential LDC and for a given attack vector, expert elicitation techniques are used to estimate the corresponding P(S|A) values (between 0.0 and 1.0). As part of the CRM-D development, a representative set of attack vectors has been defined, which includes 18 land-based attacks, 4 water-side attacks, 4 airborne attacks, and 3 cyber attacks. It is relevant to note that the subject-matter experts involved in the elicitation process leading to these values not only share significant real-world operational experience in defeating these types of target defenses, but also have contributed to the design of defenses that can more effectively defeat enemy attacks.

Table 2. P(S|A) Values for Land Attack Vectors
Attack Vector             A     B     C     D     E     F     G     H     O
Sedan                    0.10  0.20  0.30  0.50  0.70  0.80  0.90  1.00  1.00
Cargo Van                0.10  0.20  0.30  0.50  0.70  0.80  0.90  1.00  1.00
…                         …     …     …     …     …     …     …     …     …
1-Person Assault Team    0.20  0.30  0.50  0.90  0.60  0.80  0.80  0.90  1.00
4-Person Assault Team    0.50  0.70  0.90  0.90  0.90  1.00  1.00  1.00  1.00
…                         …     …     …     …     …     …     …     …     …

A matrix of P(S|A) values is created and presented in table format, which provides the probability of success of each attack vector against each layer defensive configuration.
Table 2 illustrates a matrix representation of the P(S|A) values corresponding to land attack vectors and corresponding LDCs. Values of P(S|A) have been estimated for every combination of attack vectors and layer defensive configurations considered in the CRM-D methodology.

The probability that a specific type of attack would be successful in reaching a given target is measured by the probability that each of the layers encountered along the path of attack is successfully penetrated. Therefore, as shown by Equation 5, the vulnerability P(S|A) of a target can be estimated as the product of the corresponding vulnerabilities of each of the defensive layers protecting it (5). Considering a specific attack scenario (i.e., combination of a specific attack vector and a given target), the total P(S|A) is calculated as the product of the P(S|A) for each of the layers that are successfully penetrated by the attack vector under consideration, which can be expressed as:

    $P(S|A)_{\text{Target, Attack Vector}} = P(S|A)_{\text{Layer 1, Attack Vector}} \times P(S|A)_{\text{Layer 2, Attack Vector}} \times P(S|A)_{\text{Layer 3, Attack Vector}}$    (6)

where defensive layers 1, 2, and 3 must be sequentially defeated to reach the intended target.

In addition to static defensive layers, the defensive posture of some facilities may include response and onsite reaction forces (in addition to the guard force) and external response forces. Each one of these forces can be considered as an additional personnel-based layer of defense for the entire facility that augments or complements the static (physical) defensive layers. In the case of external response forces, the provision is added that these must arrive to counter the attack in less time than is required for the adversary to successfully carry out the assault. Additional estimates have also been included as part of the model to describe the probability of a given attack vector defeating those response and reaction forces.

(5) This assumes independence among the probability estimates, thus simplifying the calculation. More generally, as shown in Figure 5, the probability of penetrating a layer is conditionally dependent on the successful penetration of all previously penetrated layers. It follows that the number of possible combinations of the sequences of layer penetrations is quite large. Planned refinements for the CRM-D will permit users to estimate the overall P(S|A) using conditional probabilities.

Therefore, for every attack scenario (i.e., combination of a specific attack vector and a given target), the CRM-D methodology provides a systematic approach to estimate the corresponding probability of successful attack. Additional attack vectors and layer defensive configurations can be incorporated as needed. More rigorous methods (e.g., event trees, Monte Carlo simulations) are being used to refine and validate the probability of success estimates currently established.

STRUCTURING THE ANALYSIS

Identification of Critical Components

A typical project contains several critical assets that can be considered potential targets. These may include impoundment sections, lock gates, powerhouses, spillway gates, intake structures, control rooms, and visitor centers, among others. The CRM-D analysis estimates the vulnerabilities for each of the potential targets identified within a given project. As previously described, this is accomplished by considering the sequence of defensive layers protecting the targeted asset and estimating the corresponding P(S|A) for each of these layers.

Identification of Defensive Layers

Visualizing the physical defensive layers at a given project is a first step in considering how these layers are configured at a project and how they interrelate with and reinforce each other. There are several generic types of configurations among layers; these configurations are briefly discussed and illustrated below.
As illustrations, this section will discuss land defensive layers that protect assets from attack vectors that carry attackers and their equipment over land access routes. Attackers using these routes must breach one or more land defensive layers. In analogy to land-based defenses and attacks, the CRM-D methodology naturally considers water defensive layers to counter waterborne attack vectors. Land access routes may limit or prohibit certain attack vectors from occurring (e.g., unimproved roads might prohibit a large truck from using a specific access route).

Nested Layers: In the simplest configuration of defensive layers, each nested layer is entirely within another layer, as shown in Figure 3 (i.e., 2 nested layers inside the outer perimeter). Nested layers are relatively simple to analyze: to get to a layer, an attacker must breach the next outer defensive layer in the sequence. It should be noted that concrete buildings and/or hardened structures constitute their own layer defense, as depicted in this figure. Layer 3 is nested, that is, entirely contained within Layer 2 and Layer 1, respectively.

[Figure 3. Example of sequentially nested layers (Layer 2 and Layer 3) contained within the outer perimeter (Layer 1), and Layer 3 is entirely contained within Layer 2.]

Independent Layers: In other cases, layers may be independent. For example, as shown in Figure 4, within a particular project, assets may have individual layers of defense nested within the perimeter defense, but these layers remain separate from each other and do not provide mutual support. Each independent layer may have the perimeter layer defense as the next outer layer that must be breached to reach the target.

[Figure 4. The outer perimeter (Layer 1) contains three independent defensive layers: one around the switchyard (Layer 2), one around the control room (Layer 3), and one around the spillway gates (Layer 4).]
Sequenced Layers: A more complicated arrangement of defensive layers consists of sequenced layers: to reach some layers, it is necessary to cross another layer entirely – enter it and then leave it. For such layers, we assume that each is only breached once, since most physical defenses are designed to defeat external attacks. However, traverse times within the layer should be estimated. A generic configuration showing the potential sequenced nature of defensive layers is illustrated in Figure 5. The solid red lines depict physical fences. The sketch in this example identifies defensive layers (Layers 1, 2, 3, 4, and 5).

[Figure 5. Example of Sequenced Layers]

The Importance of Attack Paths

In addition to using a sketch like the one shown in Figure 5, consideration needs to be given to the potential paths that land attacks will require to reach any intended target within the project. Paths can be described from both the left bank and the right bank, since the defensive layers that must be breached may not be symmetrically configured. Figure 6 shows an example of attack paths for ground attack vectors on the spillway section. It is identical to Figure 5 except for the addition of attack paths shown as yellow arrows. From the right bank, a ground attack must breach Layer 1, Layer 5, and Layer 3. From the left bank, a land attack must breach Layer 1, Layer 2, and Layer 3. Clearly, it is essential to specify the attack vector and the attack path to a given asset in order to determine the number of defensive layers to be penetrated to reach the targeted asset. The overall vulnerability to each attack vector will be a function of the sequence of defensive layers that needs to be breached.

[Figure 6. Asymmetrical Land Attack Paths from the Left and Right Banks]
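As an added worked example (not code from the paper or from the CRM-D project), the following Python script applies Equation (6) to the two asymmetric attack paths described for Figure 6, looking up each layer's P(S|A) in the Table 2 values reproduced earlier, reports the worst-case path for each attack vector, computes the conditional risk of Equation (4), and applies the response-force timing rule discussed in the next section (the force counts as an extra defensive layer only if it can arrive before the attack completes). The LDC assigned to each layer, the penetration and traverse times, the response time and the probability of defeating the force, and the consequence value are all constructed assumptions for illustration, not figures from the paper.

```python
"""Added worked example; not code from the paper or the CRM-D project.

Vulnerability P(S|A) of a target along an attack path (Equation 6), the
conditional risk R_C = P(S|A) x C (Equation 4), and the rule that a response
force is an additional layer only when it can arrive before the attack ends.
All facility data below (LDC per layer, times, response figures, consequence)
is constructed for illustration."""

# Table 2 excerpt from the paper: P(S|A) of one land attack vector against a
# single layer, indexed by the layer's defensive configuration (LDC) A..O.
LDC_COLUMNS = ["A", "B", "C", "D", "E", "F", "G", "H", "O"]
TABLE_2 = {
    "Sedan":                 [0.10, 0.20, 0.30, 0.50, 0.70, 0.80, 0.90, 1.00, 1.00],
    "Cargo Van":             [0.10, 0.20, 0.30, 0.50, 0.70, 0.80, 0.90, 1.00, 1.00],
    "1-Person Assault Team": [0.20, 0.30, 0.50, 0.90, 0.60, 0.80, 0.80, 0.90, 1.00],
    "4-Person Assault Team": [0.50, 0.70, 0.90, 0.90, 0.90, 1.00, 1.00, 1.00, 1.00],
}

# Constructed facility in the spirit of Figure 6: the LDC of each numbered
# layer, and the layers a ground attack must breach, in order, from each bank
# to reach the spillway section (right bank: 1, 5, 3; left bank: 1, 2, 3).
LAYER_LDC = {1: "C", 2: "B", 3: "A", 5: "E"}
ATTACK_PATHS = {"right bank": [1, 5, 3], "left bank": [1, 2, 3]}

# Constructed (hypothetical) timing data: minutes to penetrate a layer of a
# given LDC, and minutes to traverse between consecutive layers on each path.
PENETRATION_MIN = {"A": 2, "B": 4, "C": 6, "E": 10}
TRAVERSE_MIN = {"right bank": [5, 3], "left bank": [4, 3]}


def layer_psa(attack_vector, ldc):
    """P(S|A) of one attack vector against one layer with the given LDC."""
    return TABLE_2[attack_vector][LDC_COLUMNS.index(ldc)]


def path_vulnerability(attack_vector, layers):
    """Equation (6): product of the per-layer P(S|A) values along the path,
    assuming independence between layers as the paper's footnote 5 does."""
    v = 1.0
    for layer in layers:
        v *= layer_psa(attack_vector, LAYER_LDC[layer])
    return v


def attack_time_min(path_name):
    """Estimated attack duration: layer penetration times plus traverse times."""
    layers = ATTACK_PATHS[path_name]
    penetration = sum(PENETRATION_MIN[LAYER_LDC[layer]] for layer in layers)
    return penetration + sum(TRAVERSE_MIN[path_name])


def vulnerability_with_response(attack_vector, path_name, response_min, p_defeat_force):
    """The response force is one more layer only if it arrives before the
    attack completes; p_defeat_force is the attacker's P(S|A) against it."""
    v = path_vulnerability(attack_vector, ATTACK_PATHS[path_name])
    if response_min < attack_time_min(path_name):
        v *= p_defeat_force
    return v


def worst_case(attack_vector, response_min=None, p_defeat_force=1.0):
    """Defenses are asymmetric, so the target's vulnerability to a vector is
    the highest value over the candidate approach paths. Returns (path, P(S|A))."""
    results = {}
    for name, layers in ATTACK_PATHS.items():
        if response_min is None:
            results[name] = path_vulnerability(attack_vector, layers)
        else:
            results[name] = vulnerability_with_response(
                attack_vector, name, response_min, p_defeat_force)
    name = max(results, key=results.get)
    return name, results[name]


def conditional_risk(vulnerability, consequence):
    """Equation (4): R_C = P(S|A) x C, the expected loss given the attack is attempted."""
    return vulnerability * consequence


if __name__ == "__main__":
    for vector in TABLE_2:
        path, v = worst_case(vector)
        path_r, v_r = worst_case(vector, response_min=20, p_defeat_force=0.4)
        print(f"{vector:22s} static layers: {path:10s} {v:.4f}   "
              f"with response force: {path_r:10s} {v_r:.4f}   "
              f"R_C (C = 1000): {conditional_risk(v_r, 1000.0):.1f}")
```

Running the script prints, for each attack vector, the worst-case path with and without the response force. In the constructed data the force can engage on the longer right-bank path but not on the shorter left-bank path, so for the assault teams the worst-case path shifts from the right bank to the left bank once response timing is considered; this is why the attack vector, the attack path and the response time all have to be specified before a vulnerability value is meaningful.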
Treating Reaction and Response Forces as Defensive Layers

Onsite reaction and/or external response forces may form an integral part of the facility security posture and may be capable of responding to terrorist attacks and other emergencies. In the CRM-D methodology, these forces are treated as additional layers of defense that protect all vital components of the project and that must be defeated for the attack to succeed. Each force will have its own set of P(S|A) estimates for each attack vector. The corresponding P(S|A) estimates have been developed based on standard capability levels. Since response forces reside outside the immediate geographical area of the project, a determination needs to be made regarding whether they can respond in time to engage the attacker within the time the attack is expected to unfold. The attack time is estimated using the number of layers that need to be breached to get to the target asset and the distances between those layers. The time to penetrate each layer depends on the attack vector and has been estimated for each layer defensive configuration. The estimated time for attackers to traverse distances between layers is project-specific and geometry dependent.

CONCLUSIONS

A relatively simple and transparent vulnerability assessment methodology, originally developed for other sectors of the Nation's critical infrastructure, has been modified to apply more specifically to the unique characteristics of dams – the large size of projects, their distances from response forces, and their complexity – each project contains multiple critical assets. The use of generic security configurations to characterize the defenses of critical components within a facility allows rapid and simple assessments of vulnerabilities.
When combined with available estimates of the consequences of failure or disruption, a conditional risk value for each component, as well as the entire facility, may be calculated. Current plans are to apply this methodology at a selected number of USACE dams and incorporate some additional refinements as a result of this initial application. Additional enhancements will include more detailed estimation of the P(S|A) values using numerical simulation techniques as an extended step beyond the expert elicitation estimates currently available.

REFERENCES

Coe, Andrew J., Olson, Pamela J., "Integrating Components of Consequences for the National Comparative Risk Assessment," Institute for Defense Analyses, IDA Document D-3311, September 2006.

Hecker, Edward J., Seda-Sanabria, Yazmin, Matheu, Enrique E., Morgeson, J. Darrell, and Fainberg, M. Anthony, "Application of a Conditional Risk Assessment Methodology for Prioritization of Critical Infrastructure," Wiley Handbook of Science and Technology for Homeland Security, 2009.

Morgeson, J. Darrell, Coe, Andrew J., Utgoff, Victor A., "Review of Risk Assessment Methodologies for the Department of Homeland Security," Institute for Defense Analyses, IDA Document D-3117, April 2005.

Morgeson, J. Darrell, Seda-Sanabria, Yazmin, Fainberg, M. Anthony, and Matheu, Enrique E., "Application of the Common Risk Model to the Dams Sector: Conditional Risk Analysis and Security Configurations," Second Annual National Dam Security Forum, 2009 Association of State Dam Safety Officials Annual Conference.

Morgeson, J. Darrell, Dechant, Jason A., Fainberg, M. Anthony, Shaw, Alan H., Keheler, Michael J., McCrohan, Kevin F., Goodman, David R., Schenher, Geoffrey, and Conley, John L., "The Common Risk Model for Dams: Estimating the Probability of Success and Conditional Risk," Volume I, Institute for Defense Analyses, IDA Paper P-4564, January 2010.

Morgeson, J. Darrell, Dechant, Jason A., Fainberg, M. Anthony, Shaw, Alan H., Keheler, Michael J., McCrohan, Kevin F., Goodman, David R., Schenher, Geoffrey, and Conley, John L., "The Common Risk Model for Dams: Estimating the Probability of Success and Conditional Risk," Volume II (For Official Use Only), Institute for Defense Analyses, IDA Paper P-4564, January 2010.

Morgeson, J. Darrell, Shaw, Alan H., Utgoff, Victor A., "Information in Support of National Comparative Risk Assessment: Determining Probability of Success Given an Attack," Institute for Defense Analyses, IDA Document D-3442, September 2007.

Morgeson, J. Darrell, Utgoff, Victor A., Fainberg, Anthony, Keleher, Michael, "National Comparative Risk Assessment Pilot Project," Institute for Defense Analyses, IDA Document D-3309, September 2006.

Simpson, William R., Meeson, Reginald N., "National Comparative Risk Assessment Pilot Project Cyber Intrusion Analysis – Process Control System," Institute for Defense Analyses, IDA Paper P-4226, June 2007.

U.S. Department of Homeland Security, National Infrastructure Protection Plan, 2009.