Assessing risks is the first critical step in protecting a community's assets.
Recent London bombings reinforce many security experts' beliefs that another terrorist attack will occur in the United States. It is critical, then, that cities and counties are prepared to protect against and respond to such an attack, as well as criminal action or even a natural disaster. Preparedness includes exceptional planning, well-developed response plans and regular training.
The Department of Homeland Security (DHS) has numerous grants and funds to conduct assessments and help fund improvements. According to DHS, approximately $8 billion in grants were available in 2005. President Bush has requested to increase the amount to $10.5 billion in 2006.
DHS uses a formula for distributing the improvement funds based on several criteria, including threat, vulnerability, consequence and population. While the number of residents in a community is easy to determine, a risk, threat and vulnerability assessment is needed to evaluate the other criteria.
Assessments can be performed one of three ways: by qualified and well-trained in-house personnel, a qualified consultant, and in some cases, the National Guard, which has Critical Infrastructure Vulnerability Assessment Teams in certain areas of the country.
Choosing the assessment tool
Whether using an in-house team or a consultant, an assessment tool must be defined. Several assessment tools are available, including those that use a relative assessment methodology or a subjective methodology.
Generally, a relative methodology goes into greater depth, requires more time and is more expensive than a subjective methodology. A relative methodology also allows for local considerations, input from stakeholders and local variations and issues. A subjective methodology is simpler, uses a check sheet and asks questions such as, “Is there a fire extinguisher present?” Conversely, a relative methodology asks for more information, such as, “What type of fire will be fought? Is the extinguisher adequate for that type of fire? What type of training has been conducted to use the extinguisher? When was the last time training was conducted?”
Other methods exist, such as CARVER (Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability), which was developed by the U.S. Military to evaluate an enemy's infrastructure. The basic difference between it and a relative or subjective methodology is it generally only uses one person to evaluate the various elements at a facility. Therefore, the quality of the information could be limited based on the experience level of that individual.
Creating an assessment report
A quality risk, threat and vulnerability assessment incorporates a variety of information in a comprehensive report format. One report format, the Sandia Methodology, developed by Livermore, Calif.-based Sandia National Laboratories, consists of several detailed steps that encourage a comprehensive and holistic view of a facility or group of. The five steps used in the format are planning, threat assessment, facility characterization, system effectiveness and risk assessment.
Gather information on all operations and fully describe the people, processes, facilities and equipment. Also consider each facility's mission and determine the standard by which the facilities will be assessed.
- Threat assessment
Use intelligence,and open sources of information to define the actual or potential threat to one or more facilities or programs. A quality threat assessment considers historical information on past incidents, as well as current trends in crime. Good sources of information include professional service organizations, the Internet, public literature, law enforcement agencies, and Information Sharing and Analysis Centers, which were established by DHS. Analysts should consider specific attributes, such as if the facility has been previously targeted, and motivational and technical knowledge of past or potential attackers and their means to gather intelligence. That information will be used to create a Design Basis Threat (DBT), which becomes the standard for evaluating all facilities and a key assessment component.
- Facility characterization
Develop information about facilities, including their physical conditions, layout, boundaries, operations, policies and procedures. Goals and objectives for the assessment, as well as what to include in it are part of the step. In addition, the relationship between what the community owns, versus nearby facilities not owned by the local government (a power substation owned by a private utility, for example), must be determined. Next, single points of failure — low level events that can create a high level consequence — and their relative importance to the facility must be defined, identified at the site and confirmed. For example, autility's electric drivers turn the pumps that provide water to the community. If the power box that controls power distribution to the pumps is destroyed, the pumps stop operating, cutting off water supplies to hospitals, manufacturing and residences.
Facility characterization also assesses the consequence of the types of losses at a facility, including economic, time and public confidence, as well as deaths and illnesses. Losses can be further quantified as low, medium and high. A low loss is something that can be handled in a normal budget, a medium loss requires a reallocation of funds and a high loss requires outside assistance to survive.
- System effectiveness
Consider a facility's physical protection and operating systems. Protective systems include card readers, cameras, door sensors, motion detectors and many others. The primary functions of the protective systems are detection, delay and response. The elements of a protective system are equally important, with each one relying another. The system, for instance, should detect and assess an intruder, communicate an alarm to a response force and have enough barriers built into it (fences, locks, etc.) to delay the intruder from completing the action.
An effective system relies on people, processes, procedures and equipment working together to defeat the adversary. The results are measurable and can be evaluated through physical testing to determine their efficiency and effectiveness.
- Risk assessment
Using the DBTs, along with facility maps and the information gathered through facility characterization, the assessors should think like the adversary to determine the system's effectiveness and evaluate the facility's ability to withstand various threats. The assessor also should identify the weakest path into the facility to arrive at the single point of failure and should determine how the adversary could create a high-level consequence event.
The process is called adversary pathing, and is repeated for every threat and facility. It results in an estimate of the entire system's effectiveness for each scenario and identifies the protection system's vulnerabilities.
Once the risk analysis is completed, then management must determine the acceptable risks. If a certain risk is unacceptable, then upgrades must be considered to improve security and decrease the likelihood of a successful attack. The alternative is to create a plan to lessen the consequence after an event.
Despite the fact that not every terrorist act can be prevented, local government officials can act to lessen the threat levels in their communities. By methodically gathering information about people, policies, systems and facilities and then assessing potential threats and risks, local government leaders can make the best use of homeland security funds to protect their residents.
Jeffrey Slotnick is president of Tacoma, Wash.-based Setracon.