National Academies Press: OpenBook

Assessment of the Bureau of Reclamation's Security Program (2008)

Chapter: Appendix C: Two Approaches to Risk Assessment for Dams

« Previous: Appendix B: Briefings to the Committee and Discussions
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 120
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 121
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 122
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 123
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 124
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 125
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 126
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 127
Suggested Citation:"Appendix C: Two Approaches to Risk Assessment for Dams." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 128

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Appendix C Two Approaches to Risk Assessment for Dams OCCURRENCE/VULNERABILITY/IMPORTANCE APPROACH T he risk assessment method described below is intended to identify in detail vulnerabilities of individual dams. In this step, components of the dam—intake towers, spillways, turbine generators—are considered, as are countermeasures to deter attack on and/or mitigate damage should an attack occur. Three factors are paramount in this risk assessment approach: • Occurrence (O), also referred to as the threat likelihood or threat rating (T), is the likelihood that terrorists will attack the dam under consideration. It includes target attractiveness, perceived level of security, access to the site, publicity accruing to the attacker, number of prior attempts to damage the dam, and other factors. It is in this factor that the risk assessment for terrorist hazard differs most from natural hazards, for unlike natural hazards such as earthquake and flood for which the history of independent events is well-documented, the history of terrorist events is brief. As a substitute for quantitative knowledge of recurrence intervals of earthquakes or floods, expressible in probabilistic terms, we must work with relative likelihood of occurrence. Input to this factor may come from intelligence sources. • Vulnerability (V) indicates how much the facility or population would be damaged or destroyed based on the structural response to a terrorist act. It is the likely damage resulting from various 120

APPENDIX C 121 terrorist threats (weapon type and location) and measures expected damage, outcome of the event, expected casualties and loss of use. Input to this factor typically comes from engineering analysis and expertise. • Importance (I), also referred to as the consequences (C) or asset value (A), is a characteristic of the facility, and is the same for any hazard. It indicates consequences to the region or nation in the event a dam is destroyed or out of service. Input to this factor comes from the Bureau, from the water and power districts, and from public safety officials. Following a well-established technology for natural hazards risk assessment, these factors are combined in the form of a triple product to calculate a quantitative risk index as follows: Risk = O × V × I This triple-product approach is described in Recommendations for Bridge and Tunnel Security (DOT, 2003), in The National Infrastructure Protec- tion Plan (DHS, 2006),and in Risk Analysis and Management for Critical Asset Protection (RAMCAP) (ASME/DHS, 2005), using the T, V, C approach. It is also described in Risk Assessment: A How-To Guide to Mitigate Poten- tial Terrorist Attacks Against Buildings (FEMA, 2005), using the T, V, A nomenclature. The following illustrates application of the risk formulation shown above. It is intended as a quantitative illustration only, with numerical fac- tors to show how the method works. The values assumed in the example do not apply to any particular dam. Figure C-1 illustrates a typical concrete gravity dam (Gravity Dam A) and its components. For each of the nine components, credible means of weapon delivery for attack are identified e.g., pedestrian, vehicleborne, and waterborne. The likelihood (O) of each threat occurring is assessed and quantified on a scale of 0 to 1 as a function of four variables: access to the dam component for the attack to be carried out; security at the dam component against the attack; attractiveness of the target for attack of this type; and ability of aggressor to carry out the attack against the dam component. The vulnerability (V) of each of the nine components identified to each identified attack type is quantified on a scale of 0 to 1 as a function of three variables: expected damage to the dam component if the attack occurs; expected closure of the dam if the attack occurs; and expected casualties if the attack occurs. Finally, the importance (I) of the dam is quantified on a scale of 0 to 1 as a function of eight variables: exposed population;

122 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Upstream Face Outlet System Spillways Powerhouse A Abutment B Powerhouse B Downstream Face Abutment A Powerhouse C FIGURE C-1  Hypothetical concrete gravity dam (Gravity Dam A) and its c ­ omponents. Figure C-1 b&w historical/symbolic importance; replacement value; importance to the regional economy; importance to the irrigation system; importance for power generation; importance to the transportation network; and annual revenue. For each dam component-threat pair, the risk is quantified as the triple product of O × V × I. The risk to Gravity Dam A as a whole is quan- tified as the sum of the individual component-threat pair risk values. This is illustrated in Figure C-2, showing hypothetical values for Gravity Dam A and how they can be used to compare the risk for several dams assessed with the same process. Quantifying risk in this manner allows for cost-benefit comparisons of alternative mitigation options. The benefit of each mitigation option is the reduction in the quantified risk for one or more dam component-threat pairs given the mitigation measures in place. For example, operational and electronic security measures reduce the likelihood of threat occurrence (O), while physical hardening reduces vulnerability (V), and changes in downstream exposed population can reduce or increase importance (I). Figure C-3 compares project costs and benefits for six mitigation alterna- tives at Gravity Dam A.

14.00 12.00 10.00 Facility Risk Score 8.00 Gravity Dam B Buttress Dam A Gravity Dam A Buttress Dam B Arch Dam A FIGURE C-2  Quantification of risk for the hypothetical Gravity Dam A compared with the risks for other hypothetical dams. 123 Figure C-2

124 12.00 10.00 8.00 Facility Risk Score 6.00 Pre- Powerhouse Powerhouse Outlet Upstream Powerhouse Abutments Mitigation A B System Face C A&B FIGURE C-3  Cost and benefit (reduction in risk) of six mitigation actions at hypothetical Gravity Dam A. Figure C-3

APPENDIX C 125 CRITICAL ASSET AND PORTFOLIO RISK ANALYSIS APPROACH An alternative approach is the Critical Asset and Portfolio Risk A ­ nalysis (CAPRA) methodology, applied at the level of individual dams (Figure C-4). CAPRA was developed for the Department of Homeland Security and the Maryland Emergency Management Agency and has been used by the U.S. Army Corps of Engineers for the risk analysis of dams, office buildings, bridges, sports arenas, and regional protection. It is based on RAMCAP of ASME (2005) and is described by McGill et al. (2007) and Ayyub et al. (2007). Similar to the OVI method, it surveys the dam’s critical elements and couples them with knowledge of the consequences of disruption; physi- cal and security vulnerabilities to a wide range of threats; and attractive- ness, providing insight into actions an owner can take to reduce risk to a particular dam. CAPRA results are usually provided in the form of loss exceedance curves. The primary benefit of expressing results in this way is consistency with the way results obtained for natural hazards are cur- rently expressed, enabling an all-hazards assessment. According to the CAPRA methodology, risk is quantified and man- aged for critical infrastructure and key resource protection at two levels— the asset level and the portfolio level, including regional studies. An asset in this context is anything of value to its owner, such as a monument, vehicle, or facility. • At the asset level, a survey of an asset’s mission-critical elements coupled with knowledge of the consequences of disruption, physical and security vulnerabilities to a wide range of hazards and threats, and asset attractiveness provides insight into actions an asset owner can take to reduce an asset’s overall risk exposure. • The total risk associated with a portfolio or system of assets (such as those associated with a region, a jurisdiction, or an infrastructure sector) can be assessed in order to compare investment alternatives that aim to reduce overall portfolio risk. A portfolio in this sense is a collection of assets with common attributes or linkages. Regional analysis, for example, would define a portfolio top-down by first identifying the critical functions and services of the region and then assigning membership to regional assets that contribute directly to these mission areas. In contrast, a portfolio can be built bottom-up by first defining a set of assets, then examining how they relate to one another. In both the top-down and bottom-up cases, knowledge of the physical, geographic, cyber, and logical interdependencies among assets is important for assessing the potential for cascading consequences initiated by a hazard event.

126 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Asset or Facility Mission Analysis Portfolio Analysis Asset or Scenario Scenario Facility Characteristics Threat Scenarios Portfolio Characteristics Threat Scenarios Identification Identification Maximum Possible Loss Maximum Possible Loss, , Consequences - Loss Results from Mission Analysis Consequences Portfolio Loss Given Physical Vulnerabilities Loss Given Success Loss Given Success Physical Vulnerabilities Mitigation Capabilities and Criticality (e.g.,., $ ( e $ loss from successful attack) .g ) - Internal External Internal/External / and Criticality Success Success Dependencies (e.g., $ loss from successful attack ( e ., $ loss from successful attack) .g ) (with Interdependence ) Interdependence) NO NO Are Are Screening Criteria for Mission Loss Consequences STOP Screening Criteria for Portfolio Loss Consequences STOP Significant? Significant ? Significant? Significant ? YES YES Security Security Probability of Probability of Probability of Success Security Probability of Adversary Success Adversary Success Adversary Success Countermeasures Vulnerabilities (probability of a successful attack) ( ) from Mission Analysis Vulnerabilities (probability of aa successful attack p ( robability of successful attack) ) Adversary Perceptions Threat Asset and Scenario Asset and Scenario Adversary Perceptions Threat Asset and Scenario Asset and Scenario Attractiveness Attractiveness Attractiveness Attractiveness Hazard Data Likelihood (number ofof attacks per year (number attacks per year)) Hazard Data Likelihood (number ofof attacks per year (number attacks per year)) Decision Options: Options : Countermeasures & & Benefit /Cost Risk Profiles Risk Profiles Decision Options: Options : Benefit /Cost Risk Profiles by Risk Profiles by Countermeasures & & Portfolio Mitigations Analysis (e.g., $ per year) (e ., $ .g Mitigations Analysis (e.g., $$per year)) (e .g per year ., Risk Informed Risk Informed Decisions Decisions (a) For an Asset (b) For a Portfolio and a Region FIGURE C-4  Critical Asset and Portfolio Risk Analysis (CAPRA). SOURCE: Ayyub et. al. (2007). Figure C-4 CAPRA is a phased process (Figure C-5) that systematically identifies hazard and threat scenarios that are relevant to the region or asset of inter- est; assesses the losses associated with each of these scenarios, allowing for consequence-based screening; assigns a probability of success; assesses the annual occurrence rate for each scenario; and provides results suitable for benefit-cost analysis. CAPRA produces actionable risk assessments that inform a stake- holder of potential risks through custom-tailored risk communication reports and offers suggestions on what to do about them. These sugges- tions can help to identify alternative risk mitigation strategies and evalu- ate them for their cost-effectiveness, affordability, and ability to meet risk reduction objectives. The phases may be described as follows: • Scenario identification. Characterizes the missions applicable to an asset, portfolio, or region and identifies hazard and threat scenarios that could cause significant regional losses should they occur. For natural hazards, this phase considers the estimated annual rate

Consequence Security Hazard Risk Informed Scenario Benefit/Cost and Criticality Vulnerability Likelihood Decisions Identification Analysis Assessment Assessment Assessment FIGURE C-5  Phases of the CAPRA process. Figure C-5 127

128 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM of occurrence and screens out infrequent scenarios. For security threats, this phase identifies relevant scenarios based on the inherent susceptibilities of a region’s mission and lifeline services to a wide spectrum of threat types. The product of this phase is a complete set of hazard and threat scenarios relevant to the region under study. • Consequence and criticality. Assesses the loss potential for each scenario identified for the region by considering the maximum credible loss, fragility of the target elements, effectiveness of mitigation strategies, and effectiveness of consequence-mitigation measures to respond to and recover from the loss. These assessments of potential loss are used to screen scenarios and identify those that warrant further analysis. • Security vulnerability. Assesses the effectiveness of measures to deny, detect, delay, respond to, and defeat an adversary determined to cause harm to a region. This phase estimates the probability of an adversary’s success for each threat scenario—which combined with loss—yields an estimate of conditional risk. This phase applies only to security threats; for natural hazards, the probability of adversary success is set to a default value of one. • Hazard likelihood. Assesses scenario “attractiveness” from the adversary’s point of view. The results from this phase provide estimates of the annual rate of occurrence for each threat scenario. For natural hazards, the results from this phase yield an annual rate of occurrence for a hazard affecting the asset. • Benefit-cost analysis. Compares the cost of countermeasures and consequence mitigation with the benefit in terms of risk mitigation. The results of this analysis are used to inform resource allocation decisions. REFERENCES ASME/DHS (American Society of Mechanical Engineers/U.S. Department of Homeland Security). 2005. Risk Analysis and Management for Critical Asset Protection (RAMCAP). Washington, D.C. Ayyub, B.M., W.L. McGill, and M. Kaminsky. 2007. Critical Asset and Portfolio Risk Analy- sis for Homeland Security: An All-Hazards Framework. International Journal of Risk Analysis. Vol. 27. No. 3. pp. 789-801. DHS (U.S. Department of Homeland Security). 2006. National Infrastructure Protection Plan, Washington, D.C. DOT (U.S. Department of Transportation).2003. Recommendations for Bridge and Tunnel Security. Blue Ribbon Panel on Bridge and Tunnel Security. FEMA (Federal Emergency Management Agency). 2005. Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings. FEMA 452, Washington, D.C. McGill, W.L., B.M. Ayyub, and M. Kaminsky.2007. A Quantitative Asset Level Risk Assess- ment and Management Framework for Critical Asset Protection. . International Journal of Risk Analysis. Vol. 27. No. 3.

Assessment of the Bureau of Reclamation's Security Program Get This Book
×
Buy Paperback | $48.00 Buy Ebook | $38.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

The water impounded behind a dam can be used to generate power and to provide water for drinking, irrigation, commerce, industry, and recreation. However, if a dam fails, the water that would be unleashed has the energy and power to cause mass destruction downstream, killing and injuring people and destroying property, agriculture, industry, and local and regional economies.

The U.S. Bureau of Reclamation (Reclamation) is responsible for managing and operating some of this nation's largest and most critical dams. The failure of one or more of these dams as the result of a malicious act would come with little warning and a limited time for evacuation.

In the years since the 9/11 attacks, Reclamation has invested significant resources to establish and build a security program. Reclamation is now ready to evaluate the results of these efforts and determine how best to move forward to develop a security program that is robust and sustainable.

This book assesses Reclamation's security program and determines its level of preparedness to deter, respond to, and recover from malicious acts to its physical infrastructure and to the people who use and manage it.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!