VOLUME 9 ISSUE ISSN Association of State

Transcription

1 VOLUME 9 ISSUE ISSN Association of State Dam Safety Officials

2 Richard P. Kummerle, PE, PG, PP & Edward F. martella, PE INTRODUCTION As part of the effort to protect the nation s critical infrastructure network, many dam owners and operators prepare Security Vulnerability Assessments (SVAs) to identify threats to the dams for which they are responsible and provide recommendations to improve their security. These SVAs are often conducted using standardized checklist methodologies that do not comprehensively address all aspects of an SVA, resulting in inconsistent and incomplete security mitigation plans. Furthermore, these simplified or standardized methods often do not provide an adequate process to clearly prioritize security improvements based on the comparative cost benefits relative to potential consequences for the owner s dam, as well as operational concerns. Finally, these simplified methods do not readily permit development of a comprehensive and integrated Security Master Plan (SMP) that includes both short- and long-term goals, or allow for incorporation of the SMP into the dam owner s capital improvement programs. Conducting an SVA for a dam requires more than a general understanding of security and completion of standardized checklists. An integrated SVA requires an in-depth understanding of the design, engineering characteristics, and purpose of the dam system; the likelihood of an attack on the dam or its assets (for example, a reservoir or hydropower facility); the potential consequences of an attack, from a critical system loss to total dam failure; and, the potential impacts of security countermeasures on normal operations, reduction of security risks, and resiliency in the event of an attack. This paper will discuss the SVA process and its advantages over methodologies based on universal checklists. Terminology Risk: A quantitative value based on a complete vulnerability assessment of several variables including Design Basis Threats (DBTs), likelihood of attack, overall consequences and current security system effectiveness. Likelihood of attack: An estimated value based on available information on the potential for both the occurrence of an attack and its success. Threat: The US Department of Homeland Security (DHS) defines threat as a natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property. Threats to dams are determined through a qualitative approach based on known or plausible adversaries. Design Basis Threat: The final adversary attack scenarios are identified as Design Basis Threats (DBTs). A DBT also referred to as the threat spectrum is a comprehensive list of plausible threats that must be considered in developing security countermeasures and the Dam Security Master Plan. System effectiveness: Value assigned the current and proposed physical protection equipment. Consequences: A determination of the effect that a successful attack will have on the dam system and the region. Method of Operation: A term that may be used to describe how an attack may be carried out. ISSN Association of State Dam Safety Officials The Journal of Dam Safety Volume 9 ISSUE

3 WHAT S WRONG WITH A CHECKLIST? Standardized checklists are typically completed by personnel who are not trained security professionals. This process is reasonable for small, non-critical dams, but ill-advised for dams that serve critical functions or are classified as high- or significant-hazard-potential structures. The intent of these checklists is an accurate representation of the security posture of a specific dam; in practice, their use results in a substandard, one-size-fits-all product. Checklists that the authors have reviewed do not take into account Design Basis Threats (DBTs) that are developed as part of a detailed threat assessment based on a thorough review of local and world trends with potential threats against the project dam. Additionally, the checklists give credit for any physical protection system, regardless of its effectiveness. They also fail to account for various attack scenarios and timelines. The authors believe that the security analysis of critical dam structures must be accomplished only through utilization of an SVA Methodology that incorporates and fully addresses all basic elements of an effective security system, including deterrence, detection, delay and response. SVA METHODOLOGY Several methodologies can be used to determine risk. The industry standard to for calculating risk values is: Risk Equation R = P A x C x (1-P E ) Where: R = Risk associated with adversary attack (Risk values can range from 0.9 Very High to 0.1 Very Low) P A = Likelihood of attack (0.1 to 1.0) C = Consequences of an attack (0.1 to 0.9) 1 P E = Likelihood that the adversary attack will be successful, or likelihood that the security system will not be effective against the attack. Inversely proportional to the systems effectiveness, P E (0.1 to 0.9). THREAT ASSESSMENT DBTs for dams must be developed on a case-by-case basis. In order to provide a foundation for determining DBTs to be utilized within the risk assessment, a threat assessment is first performed. A DBT for a dam can be different than those for other assets associated with the dam structure. For most dams, there are no credible known threats; however, information obtained since the terrorist attacks of September 11, 2001 indicates that both international and domestic terrorists are interested in destroying critical dams within the US. Threat assessments should be performed on the basis of a widely accepted premise that the most likely form of a major attack against a dam would come from either a vehicle or person on the land side or the waterside. Adversaries could also attack in a group or multiple groups, primarily using explosives. Terrorists could be international or domestic individuals or groups, with varied motives, including ecological extremism, political ideology, etc. Although it would be virtually impossible to fully protect a dam from a coordinated effort to immobilize the embankment and associated systems via synchronized, multiple attacks on the structure and/or its associated facilities, specific improvements can reduce the probability of such occurrences and limit consequences should an attack be accomplished. Vulnerability assessments must also consider the likelihood of an attack by insiders (disgruntled employees) or vandals. Given inside technical knowledge of a dam and its assets, an insider could work in conjunction with an outside adversary rather than operating as a lone attacker. It is assumed that attacks by vandals would have a low consequence, while those by insiders would be more significant. Typically, countermeasures against a terrorist attack would also be effective against vandalism; the reverse is not true. Generally, the only effective countermeasure to meet the threat of an insider attack is deterrence. Deterrence in this case means that insiders fully realize the high probability of being detected and identified following an attack and that the master security plan clearly accounts for the prevention and monitoring of insider threats. The dam should always be assessed based on known or presumed capabilities of all potential adversaries. Security countermeasure recommendations should be developed based on their design basis threat or threat spectrum, with the assumption that the measures would be effective against lesser threats, including vandalism. A distinction must be made between acts of saboteurs and terrorists. Saboteurs conduct operations to meet specific requirements that improve the position of another entity for financial gain or military advantage. Death and wholesale destruction are not generally considered in their operational planning, although these may result from their acts. Generally, saboteurs conduct surgical operations, while terrorists have one goal in mind: to generate publicity for a cause. Thus, physical destruction of dam assets such as a small hydroelectric station or maintenance building would not be likely targets of terrorists; destruction of a dam with the resultant release of huge volumes of water would be. In the wake of September 11, 2001, the security of our nation s dams has, of necessity, come under closer scrutiny. Information obtained about terrorists reveals that they believe physical destruction of dams is possible and that they want to disable this critical component of our infrastructure. Officials in the US and Europe have uncovered plans to attack dams and related water infrastructure. Additional documents found in Afghanistan and intelligence gathered from surveillance have verified that these plots were being formulated. The ability to cause catastrophic destruction with dam failure has always been known to be a conceivable threat with disastrous consequences. DESIGN BASIS THREATS If there are no known credible threats against a specific dam or system, its operations, or employees, and there is no specific threat information, then its DBT should be estimated utilizing typical threats that would apply to dams of similar size, purpose, geographic area, etc., with respect to the specific dam being studied. As mentioned above, a DBT is a comprehensive list of plausible threats that must be considered in developing security countermeasures and the Dam Security Master Plan. 36 The Journal of Dam Safety Volume 9 ISSUE ISSN Association of State Dam Safety Officials

4 The Method of Operation (MOO) for each DBT should be primarily based on efforts to physically disrupt the dam and disable one or more of its critical functions, such water supply or power generation. In assessing the potential for a physical attack on a dam system, various methods and strategies should be considered: Vehicle bomb or other incendiary devices detonated on critical sections of dam access or maintenance roads, downstream embankments, abutments, etc.; Boat, diver or ROV (remote operated vehicle) attack with explosives used on upstream embankment or inlet structure; Attack on the embankment and inlet structures; Physical attach on dam operators to take over dam operations; Cyber attacks, including taking control of operation/scada facilities; Coercion of employees; and Airplane attack with explosives. (Aircraft tactics are not likely, but should be considered, especially for critical dams, even though development of effective and practical countermeasures would be extremely difficult and costly.) Attacks can occur 24/7. Daytime and nighttime threats are the same, but implementation of security protocols and procedures is generally more difficult at night. DAM BLAST DAMAGE A primary tactic to create a catastrophic dam failure is damage induced through the use of explosives. High explosives with considerable force that can be delivered with commercially available vehicles are a serious concern for any infrastructure. It is beyond the scope of this article to evaluate various explosive materials and their damage potential on dam structures; however, materials are commercially available that, in proper quantities and proportions, can be used to build high explosives. Blast Analysis for Earth Dams Blast-induced damage to earth dams can lead to dam failure through several failure modes: Overtopping may occur due to blasts causing crater depths at or below the water level. The effects are likely to be immediate and catastrophic. Cracking and/or piping due to blast disturbance depths within the water level. In this scenario, water seeps through the embankment, generating erosive forces that cause migration of soil, or piping. This progressive backward erosion results in concentrated leaks that enlarge seepage channels to the point of failure. The effects are typically not immediate, but potentially catastrophic. Cratering due to a void caused by displacement of soil or rock fill materials by the blast. ISSN Association of State Dam Safety Officials The Journal of Dam Safety VOLUME 9 ISSUE

5 Disturbance of soil or rock fill material due to blast vibrations. Can lessen the materials density, impacting strength, permeability, and other engineering properties. Cracking and/or fissuring may also occur. The authors propose that the disturbance depth, which is the depth to which the wave action can be expected to disturb the underlying bottom, is the most critical criteria when developing security protocols and countermeasures with respect to mitigation of a blastinduced failure. Blast ANALYSIS for Concrete Dams Unlike earth dams, dams constructed with reinforced concrete offer some degree of protection from overpressures due to explosives; however, an effective design to prevent major blast damage will require substantial reinforcing steel specifically, shear reinforcement adjacent to accessible areas. Such reinforcement is typically not present in reinforced concrete dam designs. Cratering of concrete dam structures due to blast overpressures is also a concern. What is known is that there exists little data for massive concrete reinforcement and its effect on cratering from surface detonation. 1 Research indicates that explosive-induced craters in unreinforced concrete are about 30 percent larger than those in reinforced concrete. The effect that reinforcing steel has in limiting crater sizes should be analyzed through blast analyses that concentrate on local damage. Depending on the accessibility to many portions of the concrete dam structure, numerous analyses will be necessary with various attack scenarios that incorporate a variety of explosive charge sizes. This can be daunting when the overall solution is to prevent access, especially with vehicles that could deliver sizable charges. A case in point is the bypass bridge has been constructed to remove vehicles off the access road along the crest of the Hoover Dam (Figure 1). Figure 1: Hoover Dam Bypass Bridge (Federal Highway Administration) 38 The Journal of Dam Safety VOLUME 9 ISSUE ISSN Association of State Dam Safety Officials

6 LIKELIHOOD OF ATTACK The likelihood of an attack (P A ) is estimated based on available information. P A values are generally categorized as: Very Low = 0.1 Medium = 0.5 Very High = 0.9 In the event of a credible threat against a specific dam, a P A of Very High (VH) is usually assumed. This means that the overall risk being calculated is a conditional risk that is, a risk to the public that an attack on the facility will likely occur. In absence of a credible threat, a dam s P A is established by considering previous experience with other dam systems of similar size, operations, function, and related factors. In this way, a qualitative P A value is derived for any combination of threat and undesired event. One must consider the likelihood of attack to the dam relative to consequences and costs when developing security recommendations. The likelihood of attack must also consider the threat assessment, as threats can vary for each dam. When considering the likelihood of an attack, historical events that were never anticipated or believed likely must be taken into account. For example, a coordinated attack by commercial aircraft should be considered a viable threat to dam security. Such an attack is unlikely, but history tells us that unlikely events do occur: No one foresaw the box cutter-aided hijackings of 9/11, the shoe bomber incident, or the destruction of the Alfred P. Murrah Federal Building in Oklahoma City by a vehicle packed with fertilizer and fuel oil. Although the likelihood of attack for most dams may be low, the consequences of a successful attack can be extremely high; the authors therefore believe that countermeasures to mitigate the possibility of attacks to dams are vital and cannot be dismissed, particularly during times of elevated or imminent national or state threat levels. In summary, when considering the likelihood of attack the following must be considered: Current Threats Historical threats Potential issues Similar critical infrastructure CONSEQUENCES Conducting a security vulnerability risk assessment includes evaluation of direct and indirect consequences of a successful attack ( C in the risk equation), along with the need for and costs and benefits of security countermeasures. Direct consequences are those that impair the dam physically or operationally. Indirect consequences are those that affect people, economies, and the environment. ISSN Association of State Dam Safety Officials The Journal of Dam Safety VOLUME 9 ISSUE

7 Potential consequences of complete or partial dam failures are varied and vast, involving: loss of life; loss of water supply; loss of flood control; loss of recreational opportunities; fiscal impacts, including the costs of repairing the dam and impacted property, cleanup, and loss of tourism revenue; environmental impacts; and transportation impacts, including loss of major systems such as interstates and railroads, secondary and local roads, as well as loss of access for evacuation, emergency response, and utility operation and maintenance. In a progressive failure, the degree of loss of life and assets depends on the rate of failure and evacuation time. A sudden catastrophic failure may cause major loss of life and assets, with damage costs into the billions. In summary: Consequence (C) refers to impacts of a successful attack, including: direct and indirect consequences; short- and long-term consequences; loss of the asset (in this case, the dam system); and subsequent impacts to dependent assets. SECURITY SYSTEM EFFECTIVENESS As part of any risk assessment, the effectiveness of existing physical security systems must be considered as a baseline for development of a master security plan. System Effectiveness refers to existing physical security, including the operator s security policies and procedures to prevent a successful attack. An effective system addresses deterrence, detection, delay, and response. Deterrence: a visibly present, robust security system, which may include access controls and restrictions, signage, security patrols, stationary guards, and control points. Detection: measures include closed circuit television (CCTV) for close and distance monitoring; screening, inspecting, or search procedures for vehicles and visitors; and security patrols. Delay: the time period between detection and an effective security response. Maximized through fencing, barriers, and check points (Figure 2 2 ). Response: addressing the consequences of an attack. Includes a well-planned emergency response plan (ERP) that involves both the operator s security forces and local law enforcement (LLE). Communication systems should include mobile, central dispatch and emergency operations. PHYSICAL SECURITY CONSIDERATIONS Physical security countermeasures utilized for dams are typically the same as those employed at other critical assets. Comprehensive countermeasures include standard physical security systems and detection systems such as: access controls including guard checkpoints; closed circuit television (CCTV); intrusion detection systems; remote radar; sonar; thermal imaging; cyber security; lighting vehicle barriers; and security policies and procedures and communication plans. The following sections detail two of these types of security detection systems: Lighting and Barriers. Lighting In most cases, additional lighting along an access road or at accessible locations will provide an additional magnitude of deterrence as well as increase the effectiveness of CCTVs to monitor unsecured locations. Lighting must be designed for compliance with local lighting ordinances. Increased lighting can also assist in monitoring unusual vehicle movements near or on dam structures by clearly illuminating vehicle license plates. Since surveillance is a key tool for terrorists, the ability of CCTVs to clearly depict license plate numbers can assist local law enforcement with identification. Barriers Figure 2: Example of Adversary Path and Delay (Sandia Laboratories) Land Barriers Recommendations for vehicle barriers are site-specific; however, the following general concepts should be considered for each project dam. Public access to dams and reservoirs is a common security issue. At facilities where access is open and utilized, strategic placement of 40 The Journal of Dam Safety Volume 9 ISSUE ISSN Association of State Dam Safety Officials

8 Figure 4: Jersey Barriers Secondary Debris (U.S. Air Force) Figure 3: Fence Penetration / Double Cable Barriers (U.S. Army) multiple vehicle barriers is recommended. In some cases, barriers are required to prevent unauthorized access to the dam structure. Vehicle barriers can be passive or active. Passive barriers are used against stationary or moving Vehicle Borne Improvised Explosive Devices (VBIEDs) and should be designed to prevent secondary debris after a blast (Figure 4 3 ). Examples are: anchored fences utilizing aircraft cables (Figure 3 4 ) ISSN Association of State Dam Safety Officials The Journal of Dam Safety VOLUME 9 ISSUE

9 concrete walls (permanent or jersey barriers ) bollards (individual or continuous) terrain (ditches, berms, landscape elements, etc.) Active barriers are used at vehicle access control points. Gates, traffic arms and cable beams, retractable bollards, hydraulic plates or wedges, and nets with vertical support are examples of active barriers. Considerations for these barriers include staffing, operation, maintenance, location, aesthetics, and location. Questions to Ask Regarding Proper Placement and Operations of Active Barriers Staffing and Operation Is the security checkpoint staffed? When unstaffed, will the barrier achieve its original design function? If unstaffed, how can the barrier be maintained to prevent unauthorized entry? If unstaffed, how will the barrier be opened? How quickly must the barrier be opened or closed? Is there a need for back up barrier that can be closed quickly? How will the barrier(s) impact guards and operational staff? What environmental conditions (snow, ice, etc.) could impact operation? Placement Where should the barrier(s) be placed? Can the barrier be placed in the engineered/structural section of dam? Maintenance What are the barrier s maintenance requirements? Aesthetics and Local Impacts What are the potential impacts of the barrier on public safety? Are barrier aesthetics in accordance with local ordinances? Effectiveness Can the barrier withstand anticipated design weight and speed of an attack vehicle? What is the expected response time of local law enforcement? Waterside Barriers While vehicle barriers are in place at many dams, waterside barriers are less common. Waterside barriers are systems or technologies designed to protect critical assets from attack by swimmers or water vessels. While all are designed to stop intruders, some rely on detection and interception while others are designed to incapacitate aggressors. 42 The Journal of Dam Safety VOLUME 9 ISSUE ISSN Association of State Dam Safety Officials

10 An example of a subsurface technology is the netting deployed by the US Navy as countermeasures against potential threats from submarines and divers. Regardless of the type of barrier, signage systems warning boaters of the presence of waterside security mitigation measures should be carefully planned and put into place. Finally, to ensure the effectiveness of waterside barriers, periodic inspections and maintenance is essential, as barriers are typically subject to wind, waves, currents, ice, fatigue damage, and corrosion. Figure 5: Examples of Waterside Barriers Selection of waterside barriers involves identification and assessment of potential waterborne threats as well as considerations for effectiveness, installation, maintenance, replacement, cost, aesthetics, and public safety. Anticipated DBTs will determine if a surface or subsurface barrier system or technology should be implemented. The designer should also consider the use of force protection policies, which are actions taken to prevent or mitigate hostile actions against assets with waterside barriers. A barrier s effectiveness will be largely determined by its detection and assessment capabilities, proper security staffing and wellfunctioning equipment, stand-off points (that is, allowances for maintaining an effective stand-off distance in the event of an attack using explosives causing blast overpressures), and ability to withstand attack. Design criteria for barrier systems and technology must take into account boat size and speed. (The US Navy has a five-level rating system for barrier design based on size and speed.) Other considerations include access inside the barrier system for operation and maintenance of the dam s facilities, such as required inspections for upstream embankments and inlet structures. Because many barrier systems include detection devices, staff must be trained to make quick decisions about the intent of a possible intruder. Therefore, training should stress strict adherence to standard operating procedures and policies. Once trained operators gain insight as to why it is important to engage with proactive security measures, therefore they become better able to define their roles in deterring, detecting, and defending their facilities from terrorist activities. Water Barrier Technologies Water barrier technologies are those designed to stop fast moving boats moving towards the dam structure. These systems may be on or under the water surface, and typically consist of interconnected floating elements and anchored composite netting. ISSN Association of State Dam Safety Officials SUMMARY OF SVA PROCESS When conducting a security vulnerability assessment with respect to dams and their related structures and facilities, one must consider the following elements necessary for an effective and applicable SVA for the project dam: Existing physical security Existing risk levels Design base threat(s) including Vehicle bombs (land & water) Physical attack on dam facility critical assets Cyber attack on key operating systems Consequences (short and long term, local and regional) Loss of water supply Loss of life Loss of flood control Loss of recreation Environmental impacts Loss of local and regional transportation (cars and trains) Fiscal impact Cost to repair dam Lost tourism revenue Emergency response team effectiveness Likelihood of attack (based on DBTs) Implement recommendations to prevent and/or minimize a successful attack Must consider unlikely attack possibilities It has been determined for most dams that the likelihood of an attack will be low, but clearly still possible The likelihood of obtaining large explosive charges is lower than the likelihood of obtaining the smaller charge weights Even though the likelihood of attack is low, the consequence of a successful attack on larger dams is extremely high Physical security protection effectiveness Balanced security of the dam with operational goals is fundamental Eliminate access to critical structures or restrict size of vehicles The Journal of Dam Safety Volume 9 ISSUE

11 Inspection and detection of vehicles Necessity for force protection Choice of barriers Adequate monitoring Illumination levels Alert and notification communication planning Response times from local law enforcement and/or owner s security Blast analysis criteria Limiting criteria will establish the upper and lower limits for the blast analysis and essentially prevent an immediate catastrophic failure of the dam. Determine depth of disturbance for potential piping failure Footnotes 1 Kiger, Dr. Sam A., Woodson, Dr. Stanley C.; Explosion Effects and Structural Design for Blast, Feb Garcia, Mary Lyn; Design and Evaluation of Physical Protection Systems, Albuquerque, Butterworth Heinemann, p US Air Force, Vehicle Bomb Mitigation Guide, July 1, US Army Corps of Engineers, Protective Design Center, Cable Barrier Details for Fence Design, Edward F. Martella, PE Vice President of Homeland Security and Public Safety Services Tectonic Engineering and Surveying Consultants, PC 8639 Mayland Drive, Suite 102 Richmond, VA [email protected] Mr. Martella has more than 30 years of professional engineering experience and has conducted security vulnerability assessments and prepared emergency response and security enhancement plans for municipalities and government agencies nationwide and overseas. He is certified by Sandia National Laboratories in several vulnerability assessment technologies and is a certified trainer of the RAM-C and VAM-CF Vulnerability Assessment Methodologies. Mr. Martella is a licensed Professional Engineer in fourteen states. He holds certificates from FEMA s Emergency Management Institute, the Department of Defense USACE Protective Design Center, and Sandia National Laboratories Center for Civil Force Protection. Richard P. Kummerle, PE, PG, PP Chairman of the Board / Managing Principal Tectonic Engineering and Surveying Consultants, PC 70 Pleasant Hill Road Mountainville, NY [email protected] Richard P. Kummerle, PE, PG, PP is one of two founding partners of Tectonic Engineering & Surveying Consultants, PC and has over 30 years experience in the fields of dam safety, telecommunications, planning, civil, geotechnical and environmental engineering, security/public safety, emergency management, critical infrastructure, and project/construction management. His experience includes all aspects of planning and engineering, including preparation of studies, reports, planning analysis and design, construction documents and specifications, claims analysis, construction supervision/resident engineering, meeting facilitator, public presentations, training programs, and project management. He has worked on dam design, power generation, industrial, telecommunications, transportation, commercial, municipal, infrastructure, residential, and homeland security projects. As founding owner and managing principal, Mr. Kummerle is responsible for overall management of the firm and supervision of the Public Safety/Homeland Security Group, as well as municipal and telecommunications services. 44 The Journal of Dam Safety Volume 9 ISSUE ISSN Association of State Dam Safety Officials