National Response Team Presentation: “Security Risk Assessment Methodologies: Community VAM 3/3/3 Presented By: Gloria E Chavez Sandia National Laboratories.

National Response TeamPresentation:

“Security Risk Assessment Methodologies: Community VAM

3/3/3 Presented By: Gloria E ChavezSandia National Laboratories

Community Vulnerability Assessment Methodology (CVAMTM)

“Snapshot” of Community Process: today's message

Community Vulnerability Assessment Methodology (CVAMTM) process

Process is copyrighted / licensed to ensure appropriate use of training materials by qualified trainers and so resulting information is protected

Part of the “family” of center processes for infrastructure

Part of Center for Civil Force Protection Focus is on “planning” to allow appropriate

response and to mitigate consequences by identifying weaknesses in systems

Vulnerability Assessment (VA)…What Is It

Vulnerability assessment is• A systematic approach •Used to determine relative risk•Based upon the effectiveness of a protection system •Considering the consequences •Resulting from a likely threat

Community Vulnerability Assessment Methodology

• Builds on prior VAM / RAM development – nuclear sites, dams, water, chemical facilities, prisons/jails

• Goals• Useable by public safety personnel, emergency

planners, private industry employees – don'tneed to be a "techie"

• Useful -provides information which significantlycontributes to making security risk management decisions

Reasons for a Community VA include:

Identify vulnerabilities in a systematic way (minimize gaps) For important vulnerabilities, communities may be able to

request additional resources For significant identified vulnerabilities, community may

consider ways to mitigate – such as provide a backup for a vulnerable mission with no existing backup

Can use identified vulnerabilities to better plan future projects i.e., two communication routes (backup)

Can help prepare, in event of attack, to mitigate consequences

Helps communities make security decisions based on a process including risk assessment

Community may decide to improve response or an aspect of physical security

Scope of Analysis Screening Analysis Characterize a Community, critical

Facilities & Consequences Define the Threat and Likelihood of

Attack Review Physical Protection Systems Make Observations and

Recommendations

Community Vulnerability Assessment Process

End

Characterize Assets

Define Threats

Determine Consequences

Define Safeguards

Analyze System

Risks Acceptable

?

Proposed Upgrades/ Actions

Y

N

Site Specific Consequence Table, Prioritize Targets

Facility Characterization, ID Targets

Community Protection Goals: Defined Threat (DT)

Understand PPS: Detect, Delay, Response

Risks

Upgrade PPS, Mitigate Consequences

PlanningPlanning Screening, Team, Decisions/ Risks

System Effectiveness, Scenario Analysis

OtherAction

OtherAction

Cost Benefit

Analysis

?

R=PA*(1-PE)*C

CVAMTM process consists of Community Screening workshop

(optional) Training Course on VA Process-including VA on selected facilities Follow-up visit/assist on reporting

(optional)

Who is Involved in the Process?

Players for a community include decision makers in the community working with emergency management, police, risk management, fire departments, civic leaders, financial leadership, chamber of commerce, others

Process takes time and requires information about the community

Process requires difficult decisions (…what is an acceptable risk?)

CVAMTM Course We teach a Vulnerability Assessment Course,

not a Security Assessment Course The course, for a community, is an intense

week of: class material describing process Exercises, based on facilities in community, to

demonstrate the process

We also teach a “trainer course” for qualified trainers with backgrounds in training and community policing, or risk management

Community Screening - Definition: Selecting facilities of

most concern, using a documented process

Requires participation by decision makers in a community

Uses Consequence Analysis, determination of acceptable risk

First Step in Process

CVAMTM Screening: Consequence and Target Identification

Severity of Undesirable Consequences• Loss of human life

• Loss of revenue

• Loss of vital equipment

• Loss of vital capabilities

CVAMTM Community Characterization: Many elements

Government

Transportation

Emergency

Foreign Represented Governments

Recreational Venues

Special Classification

Communications

Power/Electric

Gas/Oil

Industry

Water

Banking/Financial

Education

Development of Defined Threat (DT) for a Community

List, collect and organize information for DT1. Use historical and current intelligence

data2. Threat policy may be specified by

community leaders or others3. Consider developing a range of

potential threats 4. Use a combination of above

Collect Threat Information National and international sources

Intelligence organizations Literature search, crime studies, analysis Professional organizations

Local sources Local police agencies Local professional organizations

Industry Security

City, county, state agencies

Lots of Weapon Options:Bushmaster(used in Virginia -$750)…web site

Discuss Adversaries:Adversary Types Overlap (collusion is possible), Insiders…

Extremist(Cause)

Terrorist(fear)

Criminal(Gain)

Extremist(Cause)

Terrorist(fear)

Criminal(Gain)

Extremist(Cause)

Terrorist(fear)

Criminal(Gain)

Extremist(Cause)

Terrorist(fear)

Criminal(Gain)

Criminal(Gain)

Criminal(Gain)

Criminal(Gain)

Criminal(Gain) Insiders

???

Potential Agents Biological Chemical Radiological Explosive

• Reactor Fuel Pellets

These are Uranium Oxide Fuel Pellets made of highly compressed Uranium Oxide.They are from a "Slow-Poke" Ammonia-Cycle Nuclear Reactor and are slightly out of spec. Each is 10mm in diameter and 15mm long.

Uranium OxideReactor Fuel Pellet

( 10mm X 15mm )

    16,000 cpm

Reactor Fuel Pellet: $100.00

•Uranium Ore - Super High Radiation Level

Want to Buy something Radioactive??…Go to the web…

Physical Protection Systems (PPS) Potential PPS objectives are:

Protect lives Protect property Prevent loss of services Other

PPS and their objectives will vary Consequence mitigation may be option

PPS includes detection, delay, response

Risk Equation:

• Equation is discussed and estimated values obtained for parameters, given existing community PPS

• What happens with upgrades?• Data is often poor or missing for

communities• Now What?…

R=PA*(1-PE)*C

Security is a ContinuumApproach: “Buy Cameras” “Manuals”

“Performance Tests,

Analysis, Computer Models

No

Security Expert

OpinionStandard

s &

Criteria

Systems

Engineering

Approach

Typical Application:

homes homes new construction nuclear facilities

low risk low - moderate moderate – highhigh consequence

risk facilities profile government

*Is risk acceptable*Is risk acceptable

*Cost options*Cost options*Operational trade-off*Operational trade-off

*CrimeCrime*CrimeCrime

*TerrorismTerrorism*TerrorismTerrorism

*Military ActionMilitary Action*Military ActionMilitary Action

*LiabilitiesLiabilities*LiabilitiesLiabilities

*ConsequencesConsequences*ConsequencesConsequences

How well areyou protected?

What’s important?Mission

What to protectagainst?

Decisions

How Much Is Enough?

Goal in Performing a Community VA:

Identify Where Vulnerabilities Are, And Then Decide How to Allocate Resources…

TerroristActs

Violence by criminals

Theft or vandalism

Likelihood Of Occurrence

$$$$ to Fix

$$ to Fix

$ to Fix

Resources = $$$$

Low

High

THREAT

Community Vulnerability Assessment Methodology

• Focus is on physical protection.• Considers physical protection systems (PPSs)

•Need to understand how to evaluate PPSs•But, probably not likely to implement effective

PPSs at community facilities due to cost.•More likely to use adverse consequence

reduction and mitigation measures (e.g.insurance, redundant capabilities, improved response)•or acceptance of risk.

CVAMTM Application To Date Miami-Dade, Florida Sterling Heights, Michigan Bismarck, ND Hennepin County, MN Norfolk, VA Rochester, NY Albuquerque, NM (Trainer Class)

We learned something new every time and incorporated improvements

What Have We Learned? Communities are surprised at identified

vulnerabilities Communities learn who in their own

community is a resource May choose to get redundancy (back-up 911

center or incident command center, or communications equipment, good blueprints)

Need to test procedures and response in many situations (off-hours, various scenarios)

Lots of requests for help from communities!

Caution for Communities!!!! Illegal intelligence gathering Operations Security Protect information...may have a

”blueprint for attack” Need to know Control release of information Document

What are our plans? Future community VA training… VA training program for law

enforcement academies More Trainer classes

Summary Community Vulnerability Assessments come

from applying nuclear security approaches The CVAM process is a systematic way to

assess vulnerabilities and make decisions based on risk

We have a community tested process Call me for more information and helpGloria ChavezPhone:505-845-8737Email: [email protected]

What is the appropriate response to a situation? Depends…