A Consistent Approach for Vulnerability Assessment of Dams

21st Century Dam Design —
Advances and Adaptations
31st Annual USSD Conference
San Diego, California, April 11-15, 2011
Hosted by
Black & Veatch Corporation
GEI Consultants, Inc.
Kleinfelder, Inc.
MWH Americas, Inc.
Parsons Water and Infrastructure Inc.
URS Corporation
On the Cover
Artist's rendition of San Vicente Dam after completion of the dam raise project to increase local storage and provide
a more flexible conveyance system for use during emergencies such as earthquakes that could curtail the region’s
imported water supplies. The existing 220-foot-high dam, owned by the City of San Diego, will be raised by 117
feet to increase reservoir storage capacity by 152,000 acre-feet. The project will be the tallest dam raise in the
United States and tallest roller compacted concrete dam raise in the world.
U.S. Society on Dams
Vision
To be the nation's leading organization of professionals dedicated to advancing the role of dams
for the benefit of society.
Mission — USSD is dedicated to:
• Advancing the knowledge of dam engineering, construction, planning, operation,
performance, rehabilitation, decommissioning, maintenance, security and safety;
• Fostering dam technology for socially, environmentally and financially sustainable water
resources systems;
• Providing public awareness of the role of dams in the management of the nation's water
resources;
• Enhancing practices to meet current and future challenges on dams; and
• Representing the United States as an active member of the International Commission on
Large Dams (ICOLD).
The information contained in this publication regarding commercial projects or firms may not be used for
advertising or promotional purposes and may not be construed as an endorsement of any product or
from by the United States Society on Dams. USSD accepts no responsibility for the statements made
or the opinions expressed in this publication.
Copyright © 2011 U.S. Society on Dams
Printed in the United States of America
Library of Congress Control Number: 2011924673
ISBN 978-1-884575-52-5
U.S. Society on Dams
1616 Seventeenth Street, #483
Denver, CO 80202
Telephone: 303-628-5430
Fax: 303-628-5431
E-mail: [email protected]
Internet: www.ussdams.org
A CONSISTENT APPROACH FOR VULNERABILITY ASSESSMENT OF
DAMS
Yazmin Seda-Sanabria1
M. Anthony Fainberg 2
Enrique E. Matheu, PhD 3
ABSTRACT
This paper presents a consistent methodology for security vulnerability assessment of
dams. The quantification of vulnerability is based on the systematic characterization of
the different defensive layers protecting the facility and its critical components. This
characterization takes into account various possible attack modes (ground, water, cyber,
etc.) and considers the potential asymmetric configuration of the security measures with
respect to the different possible approaches (left bank vs. right bank, etc.). For any
selected attack scenario, the corresponding vulnerability is numerically defined as the
probability of a successful attack that is able to sequentially defeat each defensive layer
protecting the intended target. The probability of successful attack against each one of the
individual defensive layers is predetermined using a rigorous expert elicitation process.
The resulting methodology is easy to implement and facilitates the consistent comparison
of vulnerability assessment results across a large portfolio of dams.
INTRODUCTION
In 2005, the Institute for Defense Analyses (IDA) initiated the development of a
Common Risk Model (CRM) for evaluating and comparing risks associated with the
Nation’s critical infrastructure. Following the guidelines provided in the 2009 National
Infrastructure Protection Plan (NIPP), this model incorporates commonly used risk
metrics that are designed to be transparent, simple, mathematically justifiable, userfriendly, and also able to compare calculated risks to assets and systems both within and
across critical infrastructure sectors. Risks are considered from an “all-hazards”
perspective, which includes manmade and natural events. The CRM can be applied to
either of these, although to date it has been primarily focused on manmade threats.
Over the past year, a modified version of this model has been under development by IDA
in collaboration with the U.S. Army Corps of Engineers (USACE) and the U.S.
Department of Homeland Security (DHS). The modified model – Common Risk Model
for Dams (CRM-D) – takes into account the unique features of dams and navigation locks
and provides a systematic approach for evaluating and comparing risks to terrorist threats
across a large portfolio, such as the owned by USACE.
1
Program Manager, Critical Infrastructure Protection and Resilience Program, Office of Homeland
Security, U.S. Army Corps of Engineers, Headquarters, Washington, DC 20314.
2
Adjunct Research Staff Member, Strategy Forces, and Resources Division, Institute for Defense Analyses,
Alexandria, VA 22311.
3
Chief, Dams Sector Branch, Sector-Specific Agency Executive Management Office, Office of
Infrastructure Protection, U.S. Department of Homeland Security, Washington, DC 20528.
Vulnerability Assessment
1117
In general, the risk to any particular target is considered to be a function of three
parameters: threat – the likelihood of an attack being attempted against the target;
vulnerability – the susceptibility of the target to being compromised by the attack, given
that it is attempted; and consequences of the attack, if successful. Therefore, it can be
stated that:
R = f (T, V, C)
(1)
where R is risk, T is threat, V is vulnerability, and C is the consequences. A widely used
approach to risk definition takes the risk to be simply the product of these three:
R=TxVxC
(2)
Consequences considered for comparative risk assessments should take into account the
four consequence categories established by the NIPP: public health and safety (impacts
on human life and physical well-being); economic (direct and indirect economic losses);
psychological (effects on public morale and confidence in national economic and
political institutions); and governance/mission impact (effects on government or
industry’s ability to maintain order, deliver minimum essential public services, ensure
public health and safety, and carry out national security-related missions). As a
minimum, as established by the NIPP, consequence assessments should focus on the two
most fundamental impacts (human consequences and the most relevant direct economic
consequences). The CRM-D methodology currently considers lives lost and economic
losses as consequence metrics. However, the CRM-D approach can be expanded through
further analysis to include other impacts as well.
In the CRM-D methodology, threat and vulnerability are defined as probabilities, and
they conform to the mathematical rules governing probabilities. In particular, values for
threat and vulnerability range from zero to one, and can be combined multiplicatively. T,
the probability of a given type of attack within a specified timeframe (usually
conveniently taken to be a year) is defined as P(A) and V is defined as P(S|A), the
probability that a given type of attack against an asset or system will be successful, given
it is attempted.
R = P(A) x P(S|A) x C
(3)
Thus, the resulting risk can be interpreted as an expected loss, including lives lost and
economic impact. The approach is consistent with the risk metrics estimated by models
for natural disasters, accidents, and natural failure of manmade components in human
engineered systems. The numerical value of R will be less than the numerical value of C,
the consequences of the attack, because it is multiplied by two probability values, P(A)
and P(S|A), that are each less than one. One can also define a conditional risk, RC, to an
asset or system:
RC = V x C = P(S|A) x C
1118
(4)
21st Century Dam Design — Advances and Adaptations
Knowing conditional risks of assets can be useful to a decision maker, especially when
there are major uncertainties regarding the quantification of the threat parameter.
Intelligence and past data, which would be used to estimate P(A) are often limited, and
may even depend on conditional risk itself; a target that is perceived by attackers to have
a high conditional risk from the perspective of their goals and objectives may be more
likely to be attacked. Since P(S|A) is a probability, 0 ≤ P(S|A) ≤ 1 and it can only
diminish expected worst case consequences. As previously mentioned, the resulting risk
metric represent an “expected value of loss” and is a commonly used decision metric
derived in many risk formulations.
A portfolio-wide conditional risk analysis should identify the attack vectors that could
affect largest segments of the portfolio, or the facilities with the highest risk for specific
attack vectors. Determination of the conditional risk for these facilities can assist in asset
prioritization and inform decisions focused on the allocation of resources to improve the
security measures over many different facilities. Some portfolio analyses might focus
only on those facilities that pose the highest conditional risks – that is those facilities that
exceed a given conditional risk threshold established by the analyst or decision-maker.
However, from an overall risk perspective, the highest conditional risk facilities may not
be the highest overall risk facilities when the probability of a given type of attack, i.e.,
P(A), is considered.
Portfolio analyses using conditional risk as the decision metric can be appropriate in
cases where P(A) has not been estimated or cannot be estimated in a timely way, or in
cases where resources to provide security improvements have already been allocated. In
the latter case, the decision is how to prioritize assets or facilities for purposes of deciding
the order of implementing the improvements. When conditional risk is used in this way
(that is without the benefit of formal P(A) estimates) the tacit assumption by the analyst
or decision-maker is that all attack vectors are equally likely4. This paper discusses how
the CRM-D can be used in the calculation of conditional risk as part of systematic
portfolio-wide prioritization for dams.
FUNDAMENTAL CONCEPTS: COMMON RISK MODEL FOR DAMS
In the original CRM approach, assets or facilities were represented as simple, point
targets. To evaluate the conditional risk of an asset, a simple, conceptual model of
layered defenses is considered to define the protection of a given target: a National
(Layer 1) defense layer (e.g. National measures such as air defense against potential
terrorist activities), a local (Layer 2) defense layer (e.g. local law enforcement), and a
target (Layer 3) defense layer (e.g. security measures such as fences, protective barriers,
or guards deployed by owners/operators). For a critical infrastructure asset to be
successfully attacked, each of these defensive layers would need to be successfully
4
Risk estimates provide a basis for rank ordering elements of the portfolio and making pair wise ratio
comparisons among them (e.g., Dam A has twice the risk of Dam B). The assumption that all attack vectors
are equally likely preserves rank ordering and pair wise ratio comparisons when overall risk and
conditional risk results are compared. Or, said slightly differently, no new decision information is added by
P(A) when attack vectors are considered to be all equally likely.
Vulnerability Assessment
1119
breached. Figure 1 shows a conceptual depiction of layered defenses used in the CRM
methodology.
PB3|B2,B1
Conditional Probability of
Successfully Penetrating Layer 3 (Event
B3), given than B1 and B2 take place.
PB2|B1
Target
Conditional Probability of
Successfully Penetrating Layer 2
(Event B2), given that B1 takes place.
Layer 3
PB1
Layer 2
Probability of Successfully
Penetrating Layer 1 (Event B1)
Layer 1
Figure 1. Conceptual Model of Layered Defenses
After examining this figure, the probability that the attack will be successful in reaching
the target, considering it being attempted (also known as the vulnerability or P(S|A)), can
be determined using the following expression:
(5)
P(S|A) = PB1 x PB2|B1 x PB3|B2,B1
Dam and their components are larger and more complex facilities than those found in
other sectors. However, the fundamental core concepts of the CRM approach still apply
and have remained unchanged in the adapted CRM-D methodology. Figure 2 depicts an
example of layered defenses that can be found at a typical dam.
Defensive Layer 1
(Outer Perimeter):
• Access Control
• Personnel Barrier
• Vehicle Barrier
Defensive Layer 2:
• Hardened Structure
• Surveillance System
• Access Control
• Personnel Barrier
Figure 2. Dams and Layered Defenses
1120
21st Century Dam Design — Advances and Adaptations
To assess the vulnerability of a target with respect to a given attack vector, each
defensive layer is analyzed based on a common set of defensive attributes (e.g. fences,
guards, surveillance). The combination of these attributes – referred to as the “Layer
Defensive Configuration” (LDC) – is used to characterize the layer. These combinations
represent the typical defensive configurations that can be found in dams.
A defensive configuration questionnaire is filled for each layer to elicit information that
assists in characterizing the presence of defensive attributes. The responses to the
questionnaire collect key data defining general physical layout, access routes, asset
security posture, and corresponding defensive attributes. Table 1 summarizes the
potential LDC’s associated to a land-based defensive layer.
Table 1. Layer Defensive Configurations (LDC) – Land
LDC
A
B
C
D
E
F
G
H
O
Attribute
Access
Control
Personnel
Barrier
Vehicle
Barrier
Guard
Force
Surveillance
System
For each potential LDC and for a given attack vector, expert elicitation techniques are
used to estimate the corresponding P(S|A) values (between 0.0 and 1.0). As part of the
CRM-D development, a representative set of attack vectors has been defined, which
includes 18 land-based attacks, 4 water-side attacks, 4 airborne attacks, and 3 cyber
attacks.
It is relevant to note that the subject-matter experts involved in the elicitation process
leading to these values not only share significant real-world operational experience in
defeating these type of target defenses, but also have contributed in the design of
defenses that can more effectively defeat enemy attacks.
Vulnerability Assessment
1121
Table 2. P(S|A) Values for Land Attack Vectors
LDC
Attack
Vector
A
B
C
D
E
F
G
H
O
Sedan
0.10
0.20
0.30
0.50
0.70
0.80
0.90
1.00
1.00
Cargo Van
0.10
0.20
0.30
0.50
0.70
0.80
0.90
1.00
1.00
…
…
…
…
…
…
…
…
…
1-Person
Assault Team
0.20
0.30
0.50
0.90
0.60
0.80
0.80
0.90
1.00
4-Person
Assault Team
0.50
0.70
0.90
0.90
.0.90
1.00
1.00
1.00
1.00
…
…
…
…
…
…
…
…
…
…
…
A matrix of P(S|A) values is created and presented in table format, which provides the
probability of success of each attack vector against each layer defensive configuration.
Table 2 illustrates a matrix representation of the P(S|A) values corresponding to land
attack vectors and corresponding LDCs. Values of P(S|A) have been estimated for every
combination of attack vectors and layer defensive configurations considered in the CRMD methodology.
The probability that a specific type of attack would be successful in reaching a given
target is measured by the probability that each of the layers encountered along the path of
attack is successfully penetrated. Therefore, as shown by Equation 5, the vulnerability
P(S|A) of a target can be estimated as the product of the corresponding vulnerabilities of
each of the defensive layers protecting it5. Considering a specific attack scenario (i.e.,
combination of a specific attack vector and a given target), the total P(S|A) is calculated
as the product of the P(S|A) for each of the layers that are successfully penetrated by the
attack vector under consideration, which can be expressed as:
P(S|A) (Target, Attack Vector) = P(S|A) (Layer 1, Attack Vector) x P(S|A) (Layer 2, Attack Vector)
x P(S|A) (Layer 3, Attack Vector)
(6)
where defensive layers 1, 2, and 3 must be sequentially defeated to reach the intended
target.
In addition to static defensive layers, the defensive posture of some facilities may include
response and onsite reaction forces (in addition to the guard force) and external response
forces. Each one of these forces can be considered as an additional personnel-based layer
5
This assumes independence among the probability estimates thus simplifying the calculation. More
generally, as shown in Figure 5, the probability of penetrating a layer is conditionally dependent on the
successful penetration of all previously penetrated layers. It follows that the number of possible
combinations of the sequences of layer penetrations is quite large. Planned refinements for the CRM-D will
permit users to estimate the overall P(S|A) using conditional probabilities.
1122
21st Century Dam Design — Advances and Adaptations
of defense for the entire facility that augments or complements the static (physical)
defensive layers. In the case of external response forces, the provision is added that these
must arrive to counter the attack in less time than it is required for the adversary to
successfully carry out the assault. Additional estimates have also been included as part of
the model to describe the probability of a given attack vector defeating those response
and reaction forces.
Therefore, for every attack scenario (i.e., combination of a specific attack vector and a
given target), the CRM-D methodology provides a systematic approach to estimates the
corresponding probability of successful attack. Additional attack vectors and layer
defensive configurations can be incorporated as needed. More rigorous methods (e.g.,
event trees, Monte Carlo simulations) are being used to refine and validate the probability
of success estimates currently established.
STRUCTURING THE ANALYSIS
Identification of Critical Components
A typical project contains several critical assets that can be considered potential targets.
These may include impoundment sections, lock gates, powerhouses, spillway gates,
intake structures, control rooms, and visitor centers, among others. The CRM-D analysis
estimates the vulnerabilities for each of the potential targets identified within a given
project. As previously described, this is accomplished by considering the sequence of
defensive layers protecting the targeted asset and estimating the corresponding P(S|A) for
each of these layers.
Identification of Defensive Layers
Visualizing the physical defensive layers at a given project is a first step in considering
how these layers are configured at a project and how they interrelate with and reinforce
each other. There are several generic types of configurations among layers; these
configurations are briefly discussed and illustrated below. As illustrations, this section
will discuss land defensive layers that protect assets from attack vectors that carry
attackers and their equipment over land access routes. Attackers using these routes must
breach one or more land defensive layers. In analogy to land-based defenses and attacks,
the CRM-D methodology naturally considers water defensive layers to counter waterborne attack vectors. Land access routes may limit or prohibit certain attack vectors from
occurring (e.g., unimproved roads might prohibit a large truck from using a specific
access route).
Nested Layers: In the simplest configuration of defensive layers, each nested layer is
entirely within another layer, as shown in Figure 3 (i.e., 2 nested layers inside the outer
perimeter). Nested layers are relatively simple to analyze: to get to a layer, an attacker
must breach the next outer defensive layer in the sequence. It should be noted that
concrete buildings and/or hardened structures constitute their own layer defense, as
depicted in this figure. Layer 3 is nested, that is, entirely contained within Layer 2 and
Layer 1, respectively.
Vulnerability Assessment
1123
Figure 3. Example of sequentially nested layers (Layer 2 and Layer 3) contained within
the outer perimeter (Layer 1), and Layer 3 is entirely contained within Layer 2.
Independent Layers: In other cases, layers may be independent. For example, as shown in
Figure 4, within a particular project, assets may have individual layers of defense nested
within the perimeter defense, but these layers remain separate from each other and do not
provide mutual support. Each independent layer may have the perimeter layer defense as
the next outer layer that must be breached to reach the target.
Figure 4. The outer perimeter (Layer 1) contains three independent defensive layers: one
around the switchyard (Layer 2), one around the control room (Layer 3), and one around
the spillway gates (Layer 4).
Sequenced Layers: A more complicated arrangement of defensive layers consists of
sequenced layers: to reach some layers, it is necessary to cross another layer entirely –
1124
21st Century Dam Design — Advances and Adaptations
enter it and then leave it. For such layers, we assume that it is only breached once, since
most physical defenses are designed to defeat external attacks. However, traverse times
within the layer should be estimated. A generic configuration showing the potential
sequenced nature of defensive layers is illustrated in Figure 5. The solid red lines depict
physical fences. The sketch in this example identifies defensive layers (Layers 1, 2, 3, 4,
and 5).
Figure 5. Example of Sequenced Layers
The Importance of Attack Paths
In addition to using a sketch like the one shown in Figure 5, consideration needs to be
given to the potential paths that land attacks will require to reach any other intended
target within the project. Paths can be described from both the left bank and the right
bank, since the defensive layers that must be breached may not be symmetrically
configured.
Figure 6, shows an example of attack paths for ground attack vectors on the spillway
section. It is identical to Figure 5 except for the addition of attack paths shown in yellow
arrows. From the right bank, a ground attack must breach Layer 1, Layer 5, and Layer 3.
From the left bank, a land attack must breach Layers 1, Layer 2, and Layer 3. Clearly, it
is essential to specify the attack vector and the attack path to a given asset in order to
determine the number of defensive layers to be penetrated to reach the targeted asset. The
overall vulnerability to each attack vector will be a function of the sequence of defensive
layers that needs to be breached.
Vulnerability Assessment
1125
Figure 6. Asymmetrical Land Attack Paths from the Left and Right Banks
Treating Reaction and Response Forces as Defensive Layers
Onsite reaction and/or external response forces may form an integral part of the facility
security posture and may be capable of responding to terrorist attacks and other
emergencies. In the CRM-D methodology, these forces are treated as additional layers of
defense that protect all vital components of the project and that must be defeated for the
attack to succeed. Each force will have its own set of P(S|A) estimates for each attack
vector. The corresponding P(S|A) estimates have been developed based on standard
capability levels.
Since response forces reside outside the immediate geographical area of the project, a
determination needs to be made, regarding whether they can respond in time to engage
the attacker within the time the attack is expected to unfold. The attack time is estimated
using the number of layers that need to be breached to get to the target asset and the
distances between those layers. The time to penetrate each layer depends on the attack
vector and has been estimated for each layer defensive configuration. The estimated time
for attackers to traverse distances between layers is project-specific and geometry
dependent.
CONCLUSIONS
A relatively simple and transparent vulnerability assessment methodology, originally
developed for other sectors of the Nation’s critical infrastructure, has been modified to
apply more specifically to the unique characteristics of dams – the large size of projects,
their distances from response forces, and their complexity – each project contains
1126
21st Century Dam Design — Advances and Adaptations
multiple critical assets. The use of generic security configurations to characterize the
defenses of critical components within a facility allows rapid and simple assessments of
vulnerabilities. When combined with available estimates of the consequences of failure or
disruption, a conditional risk value for each component, as well as the entire facility, may
be calculated. Current plans are to apply this methodology at a selected number of
USACE dams and incorporate some additional refinements as a result of this initial
application. Additional enhancements will include more detailed estimation of the P(S|A)
values using numerical simulation techniques as an extended step beyond the expert
elicitation estimates currently available.
REFERENCES
Coe, Andrew J., Olson, Pamela J., “Integrating Components of Consequences for the
National Comparative Risk Assessment,” Institute for Defense Analyses, IDA Document
D-3311, September 2006.
Hecker, Edward J., Seda-Sanabria, Yazmin, Matheu, Enrique E., Morgeson, J. Darrell,
and Fainberg, M. Anthony, “Application of a Conditional Risk Assessment Methodology
for Prioritization of Critical Infrastructure,” Wiley Handbook of Science and Technology
for Homeland Security, 2009.
Morgeson, J. Darrell, Coe, Andrew J., Utgoff, Victor A., “Review of Risk Assessment
Methodologies for the Department of Homeland Security,” Institute for Defense
Analysis, IDA Document D-3117, April 2005.
Morgeson, J. Darrell, Seda-Sanabria, Yazmin, Fainberg, M. Anthony, and Matheu,
Enrique E., “Application of the Common Risk Model to the Dams Sector: Conditional
Risk Analysis and Security Configurations,” Second Annual National Dam Security
Forum, 2009 Association of State Dam Safety Officials Annual Conference.
Morgeson, J. Darrell, Dechant, Jason A., Fainberg, M. Anthony, Shaw, Alan H., Keheler,
Michael J., McCrohan, Kevin F., Goodman, David R., Schenher, Geoffrey, and Conley,
John L., “The Common Risk Model for Dams: Estimating the Probability of Success and
Conditional Risk,” Volume I, Institute for Defense Analysis, IDA Paper P-4564, January
2010.
Morgeson, J. Darrell, Dechant, Jason A., Fainberg, M. Anthony, Shaw, Alan H., Keheler,
Michael J., McCrohan, Kevin F., Goodman, David R., Schenher, Geoffrey, and Conley,
John L., “The Common Risk Model for Dams: Estimating the Probability of Success and
Conditional Risk,” Volume II (For Official Use Only), Institute for Defense Analysis,
IDA Paper P-4564, January 2010.
Morgeson, J. Darrell, Shaw, Alan H., Utgoff, Victor A., “Information in Support of
National Comparative Risk Assessment: Determining Probability of Success Given an
Attack,” Institute for Defense Analysis, IDA Document D-3442, September 2007.
Vulnerability Assessment
1127
Morgeson, J. Darrell, Utgoff, Victor A., Fainberg, Anthony, Keleher, Michael, “National
Comparative Risk Assessment Pilot Project,” Institute for Defense Analysis, IDA
Document D-3309, September 2006.
Simpson, William R., Meeson, Reginald N., “National Comparative Risk Assessment
Pilot Project Cyber Intrusion Analysis – Process Control System,” Institute for Defense
Analysis, IDA Paper P-4226, June 2007.
U.S. Department of Homeland Security, National Infrastructure Protection Plan, 2009.
1128
21st Century Dam Design — Advances and Adaptations