National Academies Press: OpenBook

Assessment of the Bureau of Reclamation's Security Program (2008)

Chapter: 3 Assessment of Reclamation's Security-Related Processes

« Previous: 2 Description of Reclamation's Security Program
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 50
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 51
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 52
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 53
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 54
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 55
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 56
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 57
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 58
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 59
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 60
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 61
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 62
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 63
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 64
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 65
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 66
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 67
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 68
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 69
Suggested Citation:"3 Assessment of Reclamation's Security-Related Processes." National Research Council. 2008. Assessment of the Bureau of Reclamation's Security Program. Washington, DC: The National Academies Press. doi: 10.17226/12463.
×
Page 70

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

3 Assessment of Reclamation’s Security-Related Processes T he committee was tasked to assess Reclamation’s security, law enforcement, and incident response processes and functions in order to determine whether it is appropriately structured and has the expertise required to protect its infrastructure and its people. A related task was assessing working relationships with other organizations having security and law enforcement functions, including other units in the Department of the Interior (DOI) and other federal, state, and local agencies. To address this task, the committee relied on briefings from and dis- cussions with personnel from the Security, Safety, and Law Enforcement (SSLE) Office, regional and area offices, regional special agents (RSAs), regional security officers (RSOs), facility operators, contractors, local law enforcement officers, site security guards, and water and power ­authority staff. The discussions took place in Denver and at various Reclamation sites. The committee also reviewed some classified and for official use only (FOUO) documents. The committee members’ experience and exper- tise in security, law enforcement, risk assessment, and engineering were important to the formulation of their findings. Chapter 3 first presents the committee’s observations and findings about Reclamation’s processes and functions for security assessments and risk management, personnel security, facility security, incident response, exercises and training, and intelligence gathering and dissemination. Observations and findings on working relationships follow. Chapter 3 concludes with a discussion of staff expertise. 50

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 51 Security Assessments and Risk Management Reclamation has developed a risk management program that incor- porates a screening procedure; development of threat scenarios; vulner- ability and risk assessments for individual facilities; a cost-benefit analysis for risk mitigation measures; and a decision analysis framework. The grouping of Reclamation’s facilities into categories that reflect relative risk and consequences (screening procedure) has been useful in assigning priority for mitigation projects and resource allocation. Sev- eral different methods, including Risk Assessment Methodology–Dams (RAM–D), Matrix Security Risk Assessment (MSRA), and a balanced sur- vivability assessment approach, have been used to conduct threat and vulnerability assessments; these methods are all accepted standards and are appropriate. Nonetheless, the committee identified areas where Rec- lamation could refine elements of its overall risk management program now or in the future, as described below. Risk Assessment Methods Since the 9/11 attacks, the field of risk and threat assessment has been evolving rapidly. New methods are being developed that focus on intentional malicious acts of destruction committed by human beings as opposed to risks posed by natural hazards. Recently, the Department of Homeland Security (DHS) reviewed more than 100 risk assessment m ­ ethods to try to identify those that could potentially be applied consis- tently across infrastructure sectors (e.g., transportation, dams, water sup- ply). Among those considered were the Strategic Homeland Infrastructure Assessment, Risk Analysis and Management for Critical Infrastructure Protection, Critical Asset and Portfolio Risk Analysis (CAPRA, described in Appendix C), Maritime Security Risk Analysis Method, and the Critical Infrastructure Common Risk Model. It is not yet clear whether a cross- sectoral approach can be effective or whether a generalized methodology will have to be customized for dams or supplemented by an alternative. Reclamation security managers should stay abreast of these developments and be ready to use risk assessment methodologies recommended by the DHS and methodologies that are customized to the specific requirements of dam security, such as RAM–D. New methods for analyzing the costs and benefits of mitigation mea- sures and prioritizing projects are also evolving. One such method is OVI (occurrence, vulnerability, importance), which is a framework for prioritization that ranks potential security projects and allows them to be compared to other projects under consideration. The framework was developed through the National Research Council’s (NRC’s) Transporta- tion Research Board and is being used by the Federal Highway Admin-

52 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM istration and the New York City Department of Transportation to make decisions about retrofit projects. The OVI method has built-in mechanisms and quantifying actions that allow for relative, not absolute, rankings of projects. An example of how this method might be used for dams is included in Appendix C. Finding: The risk management process that Reclamation has developed to assign priority for conducting threat and vulnerability assessments, security improvements, and resource allocation is appropriate. Elements of this process, however, need to be continually improved and refined as threats emerge, risk assessment methods evolve, and research-based information becomes available. Categorization of Facilities Since initially assigning its facilities to five categories—national criti- cal infrastructure (NCI), major mission critical (MMC), mission critical (MC), project essential (PE), and low risk—Reclamation has re­categorized some of them in response to new research and updated results from explosives tests. In the committee’s opinion, Reclamation should also consider refinements within the NCI category. In the course of the study, the committee visited each of the five NCI dams. Providing a robust level of security for each of them is essential, and the BOR has invested more resources in protecting these dams than other facilities, which is appropriate given their importance. However, the potential consequence of a security-related failure at Folsom Dam is an order of magnitude greater than it would be for the other four NCI sites, which makes Folsom the highest priority facility within the NCI category. Folsom Dam was built in 1956 for flood control in what was then a rural area. Over time, the surrounding area was developed and became a popular recreation site. Today, the facility includes the dam, a power plant, two reservoirs, and a series of embankments and levees. It sup- plies power and water to the city of Sacramento, California, and irrigation water to support a large agricultural industry. More than 700,000 people live downstream of the dam in developments located behind a series of dikes and levees, similar to the city of New Orleans, Louisiana. To date, the effort and resources expended to improve security at Folsom Dam have been substantial. A highway that traverses the dam has been closed, and a new bridge is being built to accommodate a new road alignment that will make the dam more secure. Trails along the tops of dikes and levees remain open to the public for walking, jogging, biking, and horseback riding.

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 53 On-site security is provided by professional law enforcement offi- cers from the Sacramento County sheriff’s department under a contract with Reclamation. The police officers have received specialized security- related training under this contract. Some of the funds for this contractual arrangement were diverted from Folsom’s operations and maintenance accounts to security. The contract will be in effect for 5 years, but it is not known if this arrangement will continue beyond that time. At Folsom, large construction projects, including a new spillway project being built by the U.S. Army Corps of Engineers (USACE), will be under way for the next 10-15 years. Reclamation will need to clear hundreds of contract workers through the personal identity verification (PIV) process. Finding: Folsom Dam requires special consideration within the NCI clas- sification owing to the magnitude of the potential consequences of a s ­ ecurity-related failure. The level of resources required for effective secu- rity is greater at Folsom than elsewhere. Development of Threat Scenarios The information provided to the committee indicates that only a handful of standard threat scenarios (e.g., truck bombs, an airplane hitting a dam, the use of underwater explosives) have been assessed for individ- ual facilities. It is easy to imagine many other plausible threat ­scenarios— multiple, simultaneous attacks, attacks by small bands of heavily armed individuals, or the use of insiders (through physical coercion or collabora- tion)—that could be evaluated for individual facilities or groups of facili- ties connected through SCADA systems. Even more scenarios could be developed by considering the capabilities (as opposed to the intentions) of various extremist groups. However, given the size and geographic separa- tion of Reclamation’s critical facilities, the dynamic threat environment, and Reclamation’s limited resources, it is not feasible or even desirable for Reclamation to evaluate an unreasonably large number of scenarios for all of its critical facilities. On the other hand, developing any single threat scenario risks pursuing a consensus-based, most-likely scenario to the exclusion of other threats that may be less likely but more consequen- tial if they are realized. In the absence of realistic and site-specific threat scenarios, risk assessment programs can become bureaucratic exercises. Further, because no one knows which specific threats should be defended against at each facility, strategies for the allocation of resources become less effective. Reclamation has invested in establishing and sustaining an i ­ ntelligence-gathering unit. This unit has been notified of and recorded more than 1,130 suspicious incidents at Reclamation facilities since Sep-

54 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM tember 2001. To the committee’s knowledge, no intelligence-based infor- mation was incorporated into the risk management process to develop realistic threat scenarios that could be used to assess vulnerabilities for specific individual facilities. In the committee’s opinion, doing so would better prepare Reclamation to defend those facilities. Having a more robust range of plausible, site-specific scenarios would also allow a more strategic approach to the allocation of resources. It might also suggest changes in the categorization of some dams, modi- fications of risk mitigation projects, and a reprioritization of projects. In the end, failure to develop and evaluate more robust, site-specific threat scenarios could leave Reclamation unprepared for preventing, deterring, or responding to a malicious act. The committee encourages SSLE staff to build on the information it has collected and consult with the various intelligence groups, such as the FBI, and other specialists to create realistic, site-specific threat scenarios for evaluation. In addition, SSLE should ask regional, area office, and facility operations staff for their input. For example, facility operators and others might role-play a group of terrorists and suggest how they would go about compromising a facility. In the committee’s opinion, the incorpo- ration of intelligence-based information into threat scenario development should improve Reclamation’s capacity to protect its facilities and lever- age the resources it has already invested in security. Finding: Reclamation evaluated a very limited number of standard threat scenarios for its security assessments. Security-related intelligence has not been integrated into site-specific, realistic threat scenarios to the commit- tee’s knowledge. Cycle for Security Assessments The importance of conducting recurring security assessments is well understood by SSLE staff and most of the field personnel with whom the committee spoke. Reclamation plans to pattern the frequency of security assessments on the cycle used in the safety of dams program. The benefit of having a fixed schedule or cycle for conducting such assessments is that the assessments usually get done. However, the committee is concerned that if Reclamation adheres too strictly to a set timetable for assessments of security-related vulnerabilities, it risks missing some important changes and will not be able to address them in a timely way. Dam safety issues, such as aging facilities, wear and tear on equip- ment, seismic design, and the like, are usually identified in a relatively static environment, and mitigation projects are then planned and sched- uled for implementation. Security threats, in contrast, are continually

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 55 emerging and must be continuously monitored. For that reason, the risk to a facility from a malicious act is variable. Risk changes based on the availability and quality of intelligence information, the national threat condition, seasonal variations in reservoir conditions, the encroachment of habitation, status of the facility’s maintenance, changes to the physical surroundings and facility configuration, availability and quality of secu- rity response forces, and even political pressures to compromise security- driven rules and decisions—for instance, commuters (who are also voters) might press for the reopening of roads across dams. In short, many different factors can alter a facility’s risk profile much more frequently than every 3 to 6 years. Thus the long gap between assessments not only risks failing to address significant changes in a timely way, but it also signals a management attitude that is inconsistent with the professed desire to establish a security culture within the organi- zation. It would be better to have a less prescriptive approach that would allow security managers to conduct out-of-cycle assessments for special reasons or specific facilities. Finding: Reclamation plans to conduct security assessments on a 3- to 6-year cycle even though security threats are continually emerging and must be continuously monitored. PERSONNEL SECURITY When security precautions are viewed as a system, the terrorist’s potential use of insiders—through physical coercion or by collaboration— to override security components and seize control of a facility is a serious threat. Threats are also posed by disgruntled insiders who independently are capable of controlling elements of a dam’s operations. An insider could be a Reclamation or water and power authority employee, or one of the many contractors who have regular access to some Reclamation facilities. Although Reclamation managers and personnel acknowledged the threat posed by insiders, the committee was not convinced that this pos- sibility had been fully appreciated or that effective measures to prevent or respond to it had been fully developed. For example, at one NCI site it was reported that contract workers had cut holes in fences so that they could bypass security checkpoints. It was also reported that dynamite had been found on the site, apparently left by a contract worker. Providing a full-time escort service for uncleared contractors using government employees or guards is expensive and can be problematic. Although contractors are required to undergo the PIV process, it is not clear whether PIVs are used routinely and consistently across the BOR

56 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM regions. As currently conducted, the PIV screening process increases the time it takes to complete projects and increases their overall costs, which may, in turn, be a disincentive to use the PIV process at some Reclama- tion sites. As of July 2008, the Reclamation Manual did not contain Reclamation- wide guidance on site access procedures for contractors. In the absence of such guidance, some area offices had developed their own procedures. At one NCI site, the area office had developed an identification and badge system that limited access to certain areas or zones of the facility to cleared individuals. The field personnel were concerned that SSLE would eventually develop guidance on its own without consulting the area offices and that by so doing, would not take advantage of the ­lessons learned from field experience. They were also concerned that when a policy was issued, they would have to institute a new system, even if the process in place was effective. With numerous construction projects under way, plans and drawings for Reclamation facilities and projects are used by staff and contractors daily. The committee reviewed the Reclamation Manual and found it did not include guidance on safeguarding plans or limiting the number of copies in circulation. Finding: Reclamation has not adequately addressed threats posed by insiders—Reclamation staff, facility operators, contractors—to override physical security components and take control of dam operations. Finding: Reclamation-wide guidance on site access procedures for con- tractors and on safeguarding plans and drawings for construction projects has not been issued. In the absence of such guidance, some area offices have developed their own procedures. FACILITY SECURITY PLANS A robust facility security plan should include an integrated system with obstacles that restrict access, surveillance and intrusion detection systems, and a rapid-response force. Typically, a plan will provide defense in depth by layering security zones. For example, Zone 1, furthest from the facility, might be fenced and posted with No Trespassing signs or have security guards at key access points. Zone 2 might have intrusion detection devices and a warning system that notifies anyone entering that he or she is in a secure area. The innermost zone might have additional security features and a warning that deadly force is authorized against intruders. The rapid-response force needs to be able to act on the infor- mation provided by intrusion detection devices and to be able to use

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 57 the extra time afforded by obstacles to defeat an intruder before serious damage is done. The military has long understood that passive obstacles may delay but cannot prevent a determined opponent from gaining access to a restricted area or zone. Hence the need for a rapid-response force to confront intruders. Security plans for individual Reclamation facilities typically incorpo- rate access control and camera surveillance, among other things. Some plans also incorporate on-site security guards or law enforcement per­ sonnel who could respond to an incident. With few exceptions, however, such as the Hoover and Grand Coulee dams, Reclamation relies on local law enforcement entities to respond to incidents. Although some elements of a facility security plan were visible at most sites the committee visited, there was little evidence that separate elements had been integrated to provide for a robust prevention, deter- rence, and response capability. At some sites, the committee was struck by the lack of depth: If one line of physical security was neutralized, it was too likely that intruders could continue to move forward. The com- mittee observed security gates and fencing that could be driven through by a relatively heavy truck and buildings and facilities that could be entered by scaling down nearby rock faces or by jumping fences to access unmonitored windows. Although the committee observed some control of vehicular access across the tops of dams, ranging from total prohibition to random inspec- tions of vehicles, there were sites where traffic flowed unrestricted. In part the different approaches were based on the identified level of risk. How- ever, the connection between the level of risk and the mitigation measures in place was not always evident. For example, at one of the NCI sites, the road crossing the dam had been closed to all but local traffic. However, several miles away the road across another dam with an interdependent control facility was open to all vehicular traffic, making both dams vulner- able to a malicious act. Finding: A robust facility security plan provides for defense in depth through an integrated system made up of obstacles that restrict access, surveillance and intrusion detection systems, and a rapid-response force. Although elements of a facility security plan were visible at most sites that the committee visited, the elements did not appear to be effectively integrated. Finding: At some sites the committee could imagine threat scenarios, especially those involving insiders, that could not be countered effec- tively by the forces and fortifications in place. Too often facility security defenses appeared brittle and lacking in depth. If one line of facility

58 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM security was neutralized, it was too likely that intruders could continue moving forward. Security Project Design The design of security mitigation projects such as surveillance sys- tems, access control, and the hardening of doors, walls, and windows is the responsibility of SSLE’s security group, with technical support from the TSC. During the site visits, the committee observed several projects with design and/or installation flaws. At one site, retractable bollards installed in front of earthen structures and sensitive areas were unreliable because they relied on solar power; there were plans to fix this problem. At another site, some but not all walls and doors around an operations control room had been hardened, but an intruder could bypass the more secure doors and access the control room through a regular door. At the same facility, the staff kept the hardened doors to the control room open because conduits for electrical wires were left exposed in a room with no fire suppression system, creating a life safety hazard. Personnel at this facility clearly felt that such mistakes could have been avoided if SSLE staff had consulted with them before the project was installed. In a third instance, the design and installation of relatively simple projects was delayed because the TSC staff in Denver had other design priorities. Reclamation’s field personnel believed local contractors could have designed and installed a comparable project faster and at no greater cost. Whether or not the field personnel were correct in their assessments, these discussions were indicative of the general tension between the SSLE and field personnel. The tension is fed by a lack of communication and collaboration between the Denver- based staff and the regional and area offices. Finding: The committee observed design and installation flaws in several risk mitigation projects. The personnel at the relevant facilities clearly believed that such flaws could have been avoided if the SSLE staff had sought their input during the planning process, before the projects were designed and installed. Incident Response A security-related incident at a BOR facility will require a response by appropriately trained and equipped security and law enforcement personnel. Reclamation depends heavily on a variety of local, state, and non-BOR law enforcement entities, as well as private security guards, for both routine security and as first responders to a malicious act.

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 59 The decentralization of U.S. law enforcement means that each Recla- mation facility is located in a different jurisdiction with different laws and a unique mix of local, county, state, and federal law enforcement entities often having different communication modalities, equipment, and capa- bilities. Thus the interface between initial responders and the local law enforcement entities that provide follow-up to a security-related incident may differ substantially from site to site. When developing response plans for its facilities, Reclamation should therefore take into account differ- ences in federal, state, and local laws, including those relating to the use of deadly force. The responsible parties for each facility should develop effective arrangements for working together in a crisis; such arrangements should provide for clear lines of communication and equipment that is interoperable and reliable. Finding: Because each Reclamation facility is in a different jurisdiction with different laws and a unique mix of local, county, state, and federal law enforcement entities, the interface between first responders and those that provide follow-up will vary. Facility security plans will therefore need to incorporate distinct arrangements for cooperation among the various responders during a security-related incident. Chain of Command In the course of its site visits, the committee asked Reclamation per- sonnel and other participants about the chain of command and the pro- cess for transferring authority among responders during a security-related incident. A common reply was that every potential responder had been trained in the National Incident Management System (NIMS), which is the model for a sound response to terrorism and many other incidents. This faith in NIMS may be naive, however, because the NIMS handbook clearly states that “NIMS is not an operational incident management . . . plan” (8-07 DRAFT p. 3). When pressed for additional information on how NIMS would be implemented in specific incidents at specific locations, respondents typi- cally referred to a chain of command order specifying that the most senior person on the scene would be in charge until relieved by someone of higher rank. However, who such people might be, where they might work (e.g., in a local, state, or federal agency), and what sorts of expertise they might possess were not well understood. The committee concluded that the coordination and transfer of authority among responders to a security-related incident could be extremely challenging. The committee is also concerned about the highly variable and con- voluted procedures for making decisions in a security-related crisis. With

60 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM multiple agencies and jurisdictions involved, the command-and-control function is critical. However, when questioned, Reclamation field person- nel were generally unable to describe accurately and with confidence the specific command-and-control arrangements that would be in force. There was agreement that the manager of the facility or the area office would initially be the senior Reclamation person on the scene, but it was not well understood what the relationship might be between federal staff and local law enforcement. How (or even if) the regional director, the SSLE director, or the RSAs would take part in command, control, and decision making was also not clear. This lack of clarity in roles and responsibilities would be exacerbated, in accord with NIMS, if other federal agencies were called in to help. Following a number of investigations into the problems and circum- stances surrounding damage to New Orleans in the aftermath of Hurri­cane Katrina, the American Society of Civil Engineers (ASCE), at the invitation of USACE, undertook an independent investigation of what went wrong. In its summary, ASCE listed 10 “calls to action.” Number 6 was, “Put someone in charge.” ASCE added to this, saying that “no complex pro- gram or system can be successful without good leadership, management, and someone in charge” (ASCE, 2007, p. 79). Reclamation needs to heed this advice. The response plan for each facility should clearly describe the evolution of the chain of command and the transfer of leadership respon- sibility during a security-related incident. Response plans should also say who should be in charge during each phase of the response—that is, who would be the senior person on the scene initially and as events unfold. Finding: Specific guidelines for command, control, and decision making at individual sites enable an effective response to a security-related inci- dent. At Reclamation, guidance for those responsibilities was unclear, and procedures were not well understood by staff. Communication During a Response Communication is critical for an effective response to a security-related incident, but it can be difficult even when responders share a language, equipment, and technologies. If personnel from multiple law enforcement entities are using equipment that is not interoperable or if they are com- municating on different channels, the flow of critical information about the incident and the response will be hindered. The committee observed that some communication equipment and technologies used by Reclamation personnel and contractors were not interoperable with those used by local law enforcement and other responders and that different radio frequen- cies and channels were used. This situation suggests that BOR should

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 61 make sure that its staff, operators, and ­ contractors have the appropriate equipment to communicate with the local law enforcement groups that would respond at each site or it should work toward some standardized Reclamation-wide communication modes. ­Reclamation-wide protocols for radio communications during an incident are also needed. The committee also heard about single-point failures of communi- cation systems that could affect incident response. For example, in one instance, lightning struck an electrical tower and knocked out power to a large area, including a Reclamation facility. No replacement transformer was available locally. Reclamation staff were called out to guard their facil- ities until a generator could be found, shipped, and made operational. In some rural or remote areas, cell phone coverage is limited. Micro- wave and satellite phones may be the primary means of communication and for the operation of SCADA systems. If these systems are rendered inoperable, there is no backup communication technology. This is espe- cially problematic where centralized SCADA systems control a group of dams and the loss of one antenna site can disable connectivity to several other sites. In one region, actions were taken to mitigate the risk of SCADA system failure, but it is not clear whether other regions have taken similar mitigation actions. Finding: Good communication is critical for an effective response to a security-related incident. The committee observed that some communica- tion equipment and technologies used by Reclamation and other federal, state, and local law enforcement and security organizations were not interoperable and would hinder communication among responders. Finding: Certain communication technologies used in rural and remote areas are subject to failure caused by weather and related events and may not be reliable during a security-related incident. Use of Deadly Force The circumstances under which security and law enforcement per- sonnel are permitted to employ deadly force is a major concern. Legally binding guidance on how and when deadly force is appropriate for a security-related incident appears to be inconsistent, nonexistent, or ambiguous because of the overlap of legal jurisdictions, uncertainty over the divide between security and law enforcement, the absence of opera- tional guidance, and no clear chain of command. In the United States, the standard for the use of deadly force by police officers (what in military terms is referred to as rules of engagement) to enforce the law is clear: Officers may use it to (1) protect themselves and

62 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM innocent bystanders from imminent threats of serious injury or death (often referred to as the defense-of-life rule) or (2) apprehend fleeing suspects when they have probable cause to believe that the suspect has committed a crime involving the infliction or threatened infliction of seri- ous injury (often referred to as the violent-fleeing-felon rule). Federal (as opposed to local) law enforcement policies for the use of deadly force essentially limit federal officers to the defense-of-life rule. Discussions with Reclamation law enforcement officers and contract security personnel indicated that the individuals who are authorized to carry firearms have a sound understanding of the defense-of-life rule. What is not clear, however, is how this rule might apply in security-related incidents. For example, committee members described to field personnel a scenario involving a vehicle- or watercraft-borne improvised explosive device (IED) attack that might substantially damage either a dam or some attendant facility. BOR law enforcement and security personnel believed the officers on the scene would not be authorized to use deadly force to stop the vessel because the threat was to property, not people. This opin- ion about the appropriateness of deadly force is consistent with standard law enforcement training. However, it might not be appropriate for deal- ing with terrorist attacks or other security-related incidents. Although a Reclamation law enforcement or security officer cannot be certain of the explosive yield of any specific vehicle- or water-borne IED (or, for that matter, whether a suspicious vehicle or watercraft is actually undertaking an attack), large explosives may well be able to injure or kill people who are a substantial distance from the point of detonation. In addition, Reclamation security and law enforcement personnel cannot know with certainty whether an attack would damage the facility to the point where lives would be endangered. If a dam were to fail, for exam- ple, the lives of all individuals in the inundation plain below it would be threatened. Considerations of this sort are not typically contemplated when police and security trainers instruct officers about deadly force deci- sion making, but it struck the committee that they should be in the case of armed Reclamation law enforcement and security personnel. Finding: The objectives and operating procedures for law enforcement are different from those for security. The legislation giving Reclamation law enforcement authority does not address issues of antiterrorism or security, nor does it permit Reclamation to hire its own law enforcement personnel. Finding: The distinction between law enforcement and security within Reclamation is not clear, and the resulting ambiguity has raised issues regarding the use of deadly force during a security-related incident.

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 63 A related concern involves the types of ammunition in use. One aspect of this has to do with the fragility of equipment inside facilities. Discussions with selected SSLE personnel indicated that the use of stan- dard ammunition in specific portions of a facility could substantially com- promise the integrity of critical equipment. It was not clear, however, that this was common knowledge throughout the SSLE or among the various on-site security and law enforcement entities at BOR facilities. Nor was it clear that the various secondary and tertiary responders in local, state, and federal law enforcement agencies were aware of this issue. Discus- sions with one person in the SSLE disclosed that members of at least one responding entity were aware of the issue and understood that frangible bullets would be superior to standard ammunition should they need to mount a counterterror operation in specific areas of the facility. Finding: The use of standard ammunition in some parts of some Recla- mation facilities could substantially compromise the integrity of critical equipment. It was not clear if this was common knowledge throughout SSLE or among those security and law enforcement entities that would respond to a security-related incident. EXERCISES AND TRAINING As noted in Chapter 2, tabletop, functional, and full-scale exercises are an important training tool and method for identifying problems or limitations in response plans and processes and fixing them in advance of a security-related event. Reclamation routinely conducts tabletop and functional exercises in conjunction with its safety of dams and emergency management programs. It is not clear how many such exercises have been conducted for security-related processes and functions. Three full-scale exercises specifically related to a security incident have been conducted since the 9/11 attacks. The committee’s understand- ing is that owing to limited resources the only Reclamation field staff who participated in these exercises were the regional and area office managers responsible for the specific facility where the exercise was being con- ducted. One of the most important products of a full-scale exercise is an after-action report that can be used to improve processes not only at the particular facility but at other facilities as well. Such reports could be par- ticularly useful to regional and area office directors who did not partici- pate in the exercise. They could compare the findings in the report to their own procedures and, if similar problems had been identified, proactively fix those problems at their facility. This might be an especially important capability for area office managers who would be responsible for the ini- tial response to a security-related incident at their facilities. By disseminat-

64 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM ing the after-action report to a broader audience, the resources invested in full-scale exercises can be leveraged to improve security throughout Reclamation. However, several area office managers reported they had never seen the after-action reports for the Grand Coulee or Flaming Gorge exercises. Because such reports may contain some sensitive information, procedures will be required to ensure that when the reports are not in direct use, they are kept in a secure place and not left in plain view. As noted in Chapter 2, full-scale exercises require a substantial invest- ment of time, expertise, and resources. The committee was told of an instance in which the FBI approached one of the area offices about con- ducting an exercise at a Reclamation dam using FBI funding. However, the proposal was not approved by the SSLE. While the committee rec- ognizes that there may be many reasons for such a decision, it is also important for the SSLE to take advantage of opportunities to leverage its resources and improve its preparedness. If a similar opportunity should arise in the future, the SSLE should give it careful consideration and make a concerted effort to collaborate with the outside entity. If an arrangement cannot be worked out, the reasons for this should be clearly communi- cated to field staff. The various security and law enforcement entities at each critical f ­ acility should also train appropriately for the specific challenges they would be likely to face in the event of a malicious act. Some facilities appeared to have matched training to the threat environment, while o ­ thers had not. At one facility, for example, the members of the tactical response group understood that their primary mission in the event of a major incident would be to secure the facility and then wait for backup support to arrive; the group was to take action only in extreme circum- stances. Despite this understanding, they trained regularly for hostage rescue scenarios but had yet to do a site survey of the interior of the facility to familiarize themselves with its layout, something that would be tremendously useful if an incident were to occur inside the facility. The use of red teams to test Reclamation’s preparedness, especially as it relates to the counterintelligence function of the law enforcement administrator, should be seriously considered by senior management at Reclamation. Finding: Training exercises are important to ensure that when per­sonnel from multiple government and law enforcement entities respond to a security-related incident, all of the key players understand the pro- cedures for command and control and for the transfer of authority as events unfold. Training exercises need to be designed to test site-­specific, realistic scenarios and to be aligned with the responsibilities of the responders.

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 65 Intelligence Gathering and Dissemination A culture within intelligence communities resists the sharing of infor- mation, limiting access to those whom it deems need to know. An inflex- ible commitment to the need-to-know doctrine appears to be inhibiting intelligence sharing between the SSLE and Reclamation’s field personnel, who would be the first to respond to suspicious activity or a malicious act at their facility. Security-related information for Reclamation’s facilities comes from a number of sources, including the FBI, SSLE’s LEA, operations person- nel, local law enforcement, and sometimes the community at large (say, the manager of a boat rental business). Gathering information from many sources and analyzing it to determine if an action is needed requires good internal and external working relationships and partnerships and effec- tive communication systems. Within Reclamation’s security structure, the LEA in Denver is the cen- tral point for collecting security-related information, which it inputs into a database of security-related incidents. The RSAs serve as liaisons between Denver headquarters, their regional and area offices, facility personnel, and local law enforcement. Although the RSAs meet with intelligence counterparts in the field through the JTTFs and perhaps others, there are restrictions on the information the RSAs can convey to other BOR oper- ating personnel, including the RSOs, at the various facilities. Use of the database is also restricted. The rationale for restricting the dissemination of classified information is clear: Some area offices are not equipped to receive or handle classified information and some operating personnel do not have the appropri- ate security clearances. However, much of the information on suspicious activities or incidents is not classified; rather, it is deemed “sensitive,” a more ambiguous characterization. Although an RSA is expected to relay sensitive information to the LEA in Denver, sensitive information gathered and analyzed by the LEA is not consistently shared with an RSA even if the information originates in his or her region at the local level. It appears that the LEA only rarely shares intelligence-based information across regions. Thus the RSA in Region A may never formally hear about an incident in Region B even if the information might be helpful in identifying similar incidents or patterns of activity in Region A. Incidents and reports on the activities of suspect individuals or representatives of suspect groups often are not passed on to neighboring facility managers, again on the basis of the information’s sensitivity and inflexible need-to-know limitations. This lack of communication and restricted information sharing frustrates con- scientious operating officials, who feel they are being denied information that would allow them to meet their security-related responsibilities. The holding back of information by the SSLE also undercuts the authority and

66 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM credibility of the RSAs and makes it unnecessarily difficult for the RSAs to build trust and good working relationships with Reclamation field person- nel and local officials. Effective intelligence gathering requires that people at the local level (Reclamation personnel, water and power authority staff, law enforce- ment, and the public) be alert to suspicious activities and behaviors and that they have a means to communicate that information to the RSAs or other Reclamation personnel. The SSLE is posting signs that encourage people who see something to say something and provides an 800 number to call and an e-mail address. A Reclamation-wide policy on reporting suspicious activity has been drafted but has not yet been issued. The committee repeatedly heard that operations personnel who have forwarded information of potential intelligence value to an RSA or the LEA seem only rarely to be later told if the information they pro- vided had been useful, and if so, how? Consequently, operations per- sonnel view communication with SSLE in Denver as a one-way street. Some quietly admit that they no longer bother to report on or forward information about suspicious activities since doing so appears to be of no avail. This attitude, which is due to the lack of feedback, could mean that a threat to Reclamation facilities is not identified in time to take preventive action. Finding: An inflexible commitment to the need-to-know doctrine inhibits the sharing of intelligence-based information among SSLE staff in ­Denver, the regional special agents, and the area office personnel who might be in the best position to deter some threats and who would be the first responders to an incident. Finding: Field personnel and others who have reported potentially valu- able information about suspicious activities to the SSLE in Denver only rarely receive feedback on how or even if the information was used. As a consequence, some field personnel view security-related communication as a one-way street and are reluctant to report information about suspi- cious activities since their effort appears to have no effect. WORKING RELATIONSHIPS With a largely decentralized organizational structure and a heavy reliance on partnerships and contractors, Reclamation is fundamentally dependent on internal and external collaboration to achieve its mission of delivering power and water in an environmentally sound manner. Collaborative working relationships, in turn, are based on effective com- munications and trust.

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 67 Effective communication involves transmitting information in a man- ner that evokes understanding. It requires more than a good presentation or a dynamic messenger; effectiveness has to do with the quality of the message, the credibility of the information, and the deliberations that ensue. Effective communication within an organization involves manag- ing the flow of information among the various working groups and part- ners to ensure that those who need to know and who can best act on the information are brought in to the process at a sufficiently early stage to provide insights that can produce a better outcome or a better response. Typically, the more open the process, the more likely it is that errors in fact or in methodology will be uncovered. Classified information may not, of course, be freely shared and is an exception to an open flow of informa- tion (NRC, 2004). Trust is important to the success of working relationships. Building trust is a complex process because it is difficult to establish and easy to destroy. Although many positive transactions are required to build trust, a single instance of poor communication can be interpreted as deception, and the hard-won trust is lost (NRC, 2004). Since 1994, many of the BOR’s functions have been decentralized and directed by regional and area office managers (NRC, 2006). A decentral- ized organizational structure is not optimal for establishing a security program. A centralized approach to threat and risk assessment, policy guidance, and intelligence analysis is more suitable. If the security pro- gram and a culture of security are to become embedded at Reclamation, good working relationships, effective communications, and trust must first be developed within the organization. Because the security program is relatively new and has not yet been fully integrated into the culture and mind-set of BOR personnel, many of them view it as necessary but do not welcome it. Owing partly to its centralized structure, the SSLE and its personnel are viewed from the field as bureaucratic, generally uncommunicative, and outside Reclamation norms and traditions. Some directors and managers at the regional and area offices resist surrendering their delegated authority, which collides with efforts to implement Reclamation-wide security policies, plans, and programs. The tension between SSLE and the field organizations obstructs the development of a more robust security program and culture. The sources of this internal tension go beyond SSLE’s organizational structure to include managerial actions and staff behavior. As noted pre- viously, when designing and implementing security-related measures, the SSLE appears to have acted unilaterally with little or no input from field personnel. The lack of interaction during the planning stage of these projects has led to design flaws that might have been avoided if field personnel had been consulted. In addition, it signals that SSLE does not

68 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM want or value input from the regional or area offices, which leads to a ­ nimosity and distrust. The restricted sharing of intelligence-based infor- mation from SSLE’s Denver headquarters to and across regions and the lack of feedback when field-based information is sent up the line to SSLE also damages working relationships and, more important, Reclamation’s ability to respond to security-related threats. Reclamation’s regional, area, and local managers have developed and depend on a network of working relationships with local security and law enforcement entities, with water and power districts, and others. In some instances, SSLE staff have bypassed regional and area offices and interacted directly with law enforcement and with the water and power districts. The regional and field managers are concerned that such actions jeopardize the relationships that their staffs have nurtured and undercut their credibility with their partners. The end result, again, is tension and distrust between regional and area office managers and the SSLE. As noted in Chapter 1, to improve security Reclamation must also partner with the USACE, the Department of Energy, state departments of transportation, and other organizations to mitigate vulnerabilities of facilities that are interdependent with Reclamation facilities but not under Reclamation’s direct control. The sharing of information—for example, the risk assessments conducted by California state agencies for some of Reclamation’s dams—would also improve security. Partnering with these outside organizations requires good working relationships based on trust and communication. Finding: With its largely decentralized organizational structure and heavy reliance on partnerships and contractors, Reclamation is fundamentally dependent on collaboration within and among organizations to achieve its mission. Imposing a centralized security program on a culture that is accustomed to distributed program management and authority has resulted in tensions and ineffective working relationships between the SSLE staff in Denver and the staff of regional and area offices. Finding: Sound working relationships are based on effective communica- tions and trust. Managerial actions and the behavior of SSLE’s Denver- based staff have in some cases created distrust among the regional and area office staff that is damaging to internal working relationships and limits the effectiveness of the security program. EXPERTISE Immediately after the 9/11 attacks, as Reclamation was creating the SSLE, positions were primarily filled by transferring people from other sec-

ASSESSMENT OF RECLAMATION’S SECURITY-RELATED PROCESSES 69 tions in Reclamation and the DOI who may not have had much ­security- related experience. In the years since, Reclamation has made an effort to recruit personnel with security and law enforcement backgrounds and to upgrade the organization’s overall security-related knowledge, skills, and abilities. Recruiting people with the required competencies is not an easy task. Attracting younger workers to the federal government can be difficult, because recent college graduates do not view the federal government as an employer of choice (PPS, 2006). More experienced law enforcement officials or personnel with security-related backgrounds may be attracted by the federal government’s benefits package and relative job security. However, the federal hiring process is cumbersome, confusing, and slow, and many who do apply for positions drop out of the process to take other jobs (MSPB, 2004). The challenge of recruiting new people to fill positions in Reclamation is further exacerbated by the high cost of living in areas like Sacramento, California, and the remoteness of many facili- ties. One of the earlier reviews of Reclamation’s security program noted that the Department of Energy’s pay scale was significantly higher for some similar positions. In addition, for some security or law enforcement positions there is no obvious career ladder with the possibility of future promotions, increased salary, and more complex assignments. When recruiting new staff is problematic, the training of current staff becomes especially important to ensure that the appropriate skills are present in the organization. Staff with engineering or law enforcement expertise can be singled out to receive specialized training in security- related issues, practices, and procedures. Because Reclamation relies on good working relationships with inter- nal staff and outside partners for effective operations, SSLE staff in par- ticular need good communication, negotiation, and team-building skills. Training current staff in these skills could help to improve internal and external working relationships and the overall effectiveness of the secu- rity program. When recruiting new personnel, special emphasis should be given to these skills in job descriptions and during the interview process. Finding: Although the SSLE’s Denver-based staff may have the technical skills necessary to carry out their job responsibilities, they have not in general displayed the communication, negotiation, and team-­building skills needed for the sound working relationships that are critical to Reclamation.

70 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM REFERENCES American Society of Civil Engineers (ASCE). 2007. The New Orleans Hurricane Protection System: What Went Wrong and Why. Reston, Va.: ASCE. Merit Systems Protection Boards (MSPB). 2004. Managing Federal Recruitment: Issues, Insights, and Illustrations. Washington, D.C.: MSPB. National Research Council (NRC). 2006. Managing Construction and Infrastructure in the 21st Century Bureau of Reclamation. Washington, D.C.: The National Academies Press, pp. 4-5. NRC. 2004. Investments in Federal Facilities: Asset Management Strategies for the 21st Century. Washington, D.C.: The National Academies Press. Partnership for Public Service (PPS). 2006. Back to School: Rethinking Federal Recruiting on College Campuses. Washington, D.C.: PPS.

Next: 4 Future Plans »
Assessment of the Bureau of Reclamation's Security Program Get This Book
×
Buy Paperback | $48.00 Buy Ebook | $38.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

The water impounded behind a dam can be used to generate power and to provide water for drinking, irrigation, commerce, industry, and recreation. However, if a dam fails, the water that would be unleashed has the energy and power to cause mass destruction downstream, killing and injuring people and destroying property, agriculture, industry, and local and regional economies.

The U.S. Bureau of Reclamation (Reclamation) is responsible for managing and operating some of this nation's largest and most critical dams. The failure of one or more of these dams as the result of a malicious act would come with little warning and a limited time for evacuation.

In the years since the 9/11 attacks, Reclamation has invested significant resources to establish and build a security program. Reclamation is now ready to evaluate the results of these efforts and determine how best to move forward to develop a security program that is robust and sustainable.

This book assesses Reclamation's security program and determines its level of preparedness to deter, respond to, and recover from malicious acts to its physical infrastructure and to the people who use and manage it.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!