National Response Team Presentation: “Security Risk Assessment Methodologies: Community VAM” 3/3/3 Presented By: Gloria E Chavez, Sandia National Laboratories
Dec 25, 2015
Community Vulnerability Assessment Methodology (CVAM™)
“Snapshot” of Community Process: today's message
Community Vulnerability Assessment Methodology (CVAM™) process
• Process is copyrighted / licensed to ensure appropriate use of training materials by qualified trainers and so resulting information is protected
• Part of the “family” of center processes for infrastructure
• Part of Center for Civil Force Protection
• Focus is on “planning” to allow appropriate response and to mitigate consequences by identifying weaknesses in systems
Vulnerability Assessment (VA)…What Is It
Vulnerability assessment is
• A systematic approach
• Used to determine relative risk
• Based upon the effectiveness of a protection system
• Considering the consequences
• Resulting from a likely threat
Community Vulnerability Assessment Methodology
• Builds on prior VAM / RAM development – nuclear sites, dams, water, chemical facilities, prisons/jails
• Goals
  • Useable by public safety personnel, emergency planners, private industry employees – don't need to be a "techie"
  • Useful - provides information which significantly contributes to making security risk management decisions
Reasons for a Community VA include:
• Identify vulnerabilities in a systematic way (minimize gaps)
• For important vulnerabilities, communities may be able to request additional resources
• For significant identified vulnerabilities, community may consider ways to mitigate – such as provide a backup for a vulnerable mission with no existing backup
• Can use identified vulnerabilities to better plan future projects, i.e., two communication routes (backup)
• Can help prepare, in event of attack, to mitigate consequences
• Helps communities make security decisions based on a process including risk assessment
• Community may decide to improve response or an aspect of physical security
Scope of Analysis
• Screening Analysis
• Characterize a Community, critical Facilities & Consequences
• Define the Threat and Likelihood of Attack
• Review Physical Protection Systems
• Make Observations and Recommendations
Community Vulnerability Assessment Process
[Flowchart. Boxes: Planning (Screening, Team, Decisions/Risks); Characterize Assets; Define Threats; Determine Consequences; Define Safeguards; Analyze System; Risks Acceptable? (Y: End; N: Proposed Upgrades/Actions); Cost Benefit Analysis; Other Action. Annotations: Facility Characterization, ID Targets; Site Specific Consequence Table, Prioritize Targets; Community Protection Goals: Defined Threat (DT); Understand PPS: Detect, Delay, Response; System Effectiveness, Scenario Analysis; Risks; Upgrade PPS, Mitigate Consequences.]
R = PA * (1 - PE) * C
CVAM™ process consists of
• Community Screening workshop (optional)
• Training Course on VA Process - including VA on selected facilities
• Follow-up visit/assist on reporting (optional)
Who is Involved in the Process?
Players for a community include decision makers in the community working with emergency management, police, risk management, fire departments, civic leaders, financial leadership, chamber of commerce, others
Process takes time and requires information about the community
Process requires difficult decisions (…what is an acceptable risk?)
CVAM™ Course
• We teach a Vulnerability Assessment Course, not a Security Assessment Course
• The course, for a community, is an intense week of:
  • Class material describing process
  • Exercises, based on facilities in community, to demonstrate the process
• We also teach a “trainer course” for qualified trainers with backgrounds in training and community policing, or risk management
Community Screening
• Definition: Selecting facilities of most concern, using a documented process
• Requires participation by decision makers in a community
• Uses Consequence Analysis, determination of acceptable risk
• First Step in Process
CVAM™ Screening: Consequence and Target Identification
Severity of Undesirable Consequences
• Loss of human life
• Loss of revenue
• Loss of vital equipment
• Loss of vital capabilities
CVAM™ Community Characterization: Many elements
Government
Transportation
Emergency
Foreign Represented Governments
Recreational Venues
Special Classification
Communications
Power/Electric
Gas/Oil
Industry
Water
Banking/Financial
Education
Development of Defined Threat (DT) for a Community
List, collect and organize information for DT
1. Use historical and current intelligence data
2. Threat policy may be specified by community leaders or others
3. Consider developing a range of potential threats
4. Use a combination of above
Collect Threat Information
• National and international sources
  • Intelligence organizations
  • Literature search, crime studies, analysis
  • Professional organizations
• Local sources
  • Local police agencies
  • Local professional organizations
  • Industry Security
  • City, county, state agencies
Lots of Weapon Options: Bushmaster (used in Virginia - $750)…web site
Discuss Adversaries: Adversary Types Overlap (collusion is possible), Insiders…
[Diagram: overlapping adversary types. Labels: Extremist (Cause); Terrorist (Fear); Criminal (Gain); Insiders; ???]
Potential Agents
• Biological
• Chemical
• Radiological
• Explosive
• Reactor Fuel Pellets
These are Uranium Oxide Fuel Pellets made of highly compressed Uranium Oxide. They are from a "Slow-Poke" Ammonia-Cycle Nuclear Reactor and are slightly out of spec. Each is 10mm in diameter and 15mm long.
Uranium Oxide Reactor Fuel Pellet (10mm x 15mm), 16,000 cpm
Reactor Fuel Pellet: $100.00
• Uranium Ore - Super High Radiation Level
Want to Buy something Radioactive??…Go to the web…
Physical Protection Systems (PPS)
• Potential PPS objectives are:
  • Protect lives
  • Protect property
  • Prevent loss of services
  • Other
• PPS and their objectives will vary
• Consequence mitigation may be option
• PPS includes detection, delay, response
Risk Equation:
R = PA * (1 - PE) * C
• Equation is discussed and estimated values obtained for parameters, given existing community PPS
• What happens with upgrades?
• Data is often poor or missing for communities
• Now What?…
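A worked version of the risk equation above, added here as an example and not part of the original presentation. It assumes PA is the likelihood of attack, PE the effectiveness of the protection system and C the consequence, each scored 0 to 1; the facility, options, costs and all values are constructed, and ranges stand in for poor or missing data.

```python
# Added example: R = PA * (1 - PE) * C evaluated with range estimates.
# Assumed meanings (the slide does not define them): PA = likelihood of
# attack, PE = protection system effectiveness, C = consequence, all 0..1.
# The facility, options, costs and numbers are constructed for illustration.

def risk(pa, pe, c):
    """Point estimate of relative risk."""
    for name, value in (("PA", pa), ("PE", pe), ("C", c)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    return pa * (1.0 - pe) * c

def risk_range(facility):
    """(low, high) risk when each input is a (low, high) estimate.
    R rises with PA and C and falls with PE, so the bounds pair the
    low PA and C with the high PE, and the reverse."""
    pa, pe, c = facility["PA"], facility["PE"], facility["C"]
    return risk(pa[0], pe[1], c[0]), risk(pa[1], pe[0], c[1])

def rank_options(facility, options):
    """Order options by reduction in worst-case risk per unit of cost."""
    base_high = risk_range(facility)[1]
    rows = []
    for opt in options:
        changed = {**facility, **opt["changes"]}
        reduction = base_high - risk_range(changed)[1]
        rows.append((opt["name"], round(reduction, 4),
                     round(reduction / opt["cost"], 6)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample: a dispatch center with no backup; wide ranges
# reflect poor data.
DISPATCH = {"PA": (0.1, 0.3), "PE": (0.2, 0.4), "C": (0.7, 0.9)}
OPTIONS = [
    # Upgrading the PPS (detection, delay, response) raises PE.
    {"name": "upgrade PPS", "cost": 400, "changes": {"PE": (0.6, 0.8)}},
    # A backup capability mitigates consequences: C drops, PE unchanged.
    {"name": "backup center", "cost": 150, "changes": {"C": (0.2, 0.4)}},
]

if __name__ == "__main__":
    print("baseline risk range:", risk_range(DISPATCH))
    for row in rank_options(DISPATCH, OPTIONS):
        print(row)
```

With these constructed numbers the consequence-mitigation option removes more worst-case risk per unit of cost than the PPS upgrade; different estimates can reverse the order.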
Security is a Continuum
[Figure: continuum of security approaches. Approach labels: No; Security Expert Opinion; Standards & Criteria; Systems Engineering Approach. Examples: “Buy Cameras”; “Manuals”; “Performance Tests, Analysis, Computer Models”. Typical application labels: homes; new construction; government facilities; nuclear facilities. Risk labels: low; low - moderate; moderate – high; high consequence.]
How Much Is Enough?
[Diagram. Questions: What's important? (Mission); What to protect against?; How well are you protected?; Decisions. Labels: Crime; Terrorism; Military Action; Liabilities; Consequences; Is risk acceptable; Cost options; Operational trade-off.]
Goal in Performing a Community VA:
Identify Where Vulnerabilities Are, And Then Decide How to Allocate Resources…
[Chart: threat (Terrorist Acts; Violence by criminals; Theft or vandalism) against Likelihood Of Occurrence (Low to High), with cost to fix ($ to Fix, $$ to Fix, $$$$ to Fix) and Resources = $$$$.]
Community Vulnerability Assessment Methodology
• Focus is on physical protection.
• Considers physical protection systems (PPSs)
  • Need to understand how to evaluate PPSs
  • But, probably not likely to implement effective PPSs at community facilities due to cost.
  • More likely to use adverse consequence reduction and mitigation measures (e.g. insurance, redundant capabilities, improved response)
  • or acceptance of risk.
CVAM™ Application To Date
• Miami-Dade, Florida
• Sterling Heights, Michigan
• Bismarck, ND
• Hennepin County, MN
• Norfolk, VA
• Rochester, NY
• Albuquerque, NM (Trainer Class)
We learned something new every time and incorporated improvements
What Have We Learned?
• Communities are surprised at identified vulnerabilities
• Communities learn who in their own community is a resource
• May choose to get redundancy (back-up 911 center or incident command center, or communications equipment, good blueprints)
• Need to test procedures and response in many situations (off-hours, various scenarios)
• Lots of requests for help from communities!
Caution for Communities!!!!
• Illegal intelligence gathering
• Operations Security
• Protect information...may have a “blueprint for attack”
• Need to know
• Control release of information
• Document
What are our plans?
• Future community VA training…
• VA training program for law enforcement academies
• More Trainer classes
Summary
• Community Vulnerability Assessments come from applying nuclear security approaches
• The CVAM process is a systematic way to assess vulnerabilities and make decisions based on risk
• We have a community tested process
• Call me for more information and help
Gloria Chavez
Phone: 505-845-8737
Email: [email protected]
What is the appropriate response to a situation? Depends…