Two New Methodologies Can Help Owners Improve Security Of Nation's Dams And Power Systems

The IFIP includes representatives of the FBI, U.S. Army Corps of Engineers, Bonneville Power Administration, U.S. Bureau of Reclamation, Sandia National Laboratories, Lawrence Livermore National Laboratory, Southwestern Power Administration, Western Area Power Administration, and others.

The two new processes, called RAM-DSM for "Risk Assessment Methodology for Dams" and RAM-TSM for "Risk Assessment Methodology for Transmission," takes owners, operators, and security managers of dams and transmission systems through a magnifying-glass examination of each facility's unique situation - its potential adversaries, vulnerabilities, consequences of attack, and existing security measures - then provides cost-benefit analyses of possible security upgrades.

The methodologies are based on many of the formal risk-assessment tools and techniques used by Sandia to protect U.S. nuclear weapons facilities. Sandia is a Department of Energy (DOE) research and development lab with expertise in the physical security of national facilities and infrastructures.

"This is much more than a checklist," says Rudy Matalucci, Sandia RAM-D and RAM-T project leader. "It begins with the events you don't want to happen, identifies who might want to do it and what their resources are, and quantifies how much risk reduction you get with each given upgrade. It is a way to help facility owners make decisions about how to balance the need for security with other considerations."

In simplest terms, RAM-D and RAM-T include characterization of a facility; evaluation of the consequences if the facility is attacked; definition of potential adversaries and their motives and resources; quantification of risk; detailed analysis of a facility's vulnerabilities; and cost-benefit analysis of possible upgrades.

Dam operators might use RAM-D, for instance, to determine where to place sensors, cameras, or lights, or whether to invest in walls, barriers, higher fences, better doors, extra training, or improved policies.

The methodology includes worksheets for evaluating existing security features, equations for calculating risk, and a proprietary fault-tree analysis tool for identifying vulnerabilities. Each methodology is contained on a compact disk and in two inch-thick manuals. To develop RAM-D and RAM-T, IFIP conducted trial assessments on four actual dams and a major regional transmission system.

It is the first scientifically verified security assessment process for key elements of U.S. water and power supply infrastructures. IFIP's work was inspired by two Presidential Decision Directives issued in May 1998 encouraging federal agencies to find new ways to deter and prevent terrorist attacks on US information systems, facilities, and infrastructures.