In August of 2001, just weeks before Sept. 11, Sandia National Laboratories of Albuquerque, N.M., announced the completion of two risk assessment methodologies addressing hydroelectric dams and electrical transmission systems, components of the nation's infrastructure that could be vulnerable to attack.
Since Sept. 11, Sandia has released at least 25 licenses to non-government agencies interested in applying these methodologies, entitled RAM-D and RAM-T, acronyms for Risk Assessment Methodology for Dams and Risk Assessment Methodology for Transmission systems.
The methodologies are the result of a 1997 presidential directive establishing the Interagency Forum for Infrastructure Protection (IFIP) as a resource through which owners and operators of federal infrastructure could share information about security. One of IFIP's first acts was to ask Sandia, an IFIP member, to develop an approach to improving infrastructure security.
Each product comes in the form of a manual with about 100 separate worksheets covering various components of dams and transmission systems.
"The manuals enable you to conduct your own risk analyses," says Rudy Matalucci of the Sandia technical staff and the project manager for RAM-D and RAM-T.
"A team or an individual can complete about 90 percent of the worksheets in the office," says Matalucci. "The rest of the worksheets will probably require a site survey."
Matalucci estimates that assessing the risk of an average-size dam could take between four and six weeks, depending on the size of the team assigned to the project. Large icon dams like those owned by the federal government would take longer.
The RAM process begins by screening the dam or transmission system. Does this piece of infrastructure really require a risk assessment? Probably not. According to Matalucci, only 40 to 50 percent of the nation's 75,000 dams require a full-blown risk assessment. A dam in the middle of nowhere that would lead to no loss of life if attacked probably doesn't need an assessment.
Citing security concerns, Matalucci declines to specify what the worksheets cover. In general, he says, they focus on fault-trees or logic diagrams of the critical components that enable dams and transmission systems to function. The fault-tree components of a dam, for example, include a dam structure and a spillway gate. A transmission system's fault-tree includes power lines, substations, converter stations, and control stations. "A fault somewhere in the logic diagram will take a system down," Matalucci says.
The assessment concludes by assigning numerical values to three risk concepts: the likelihood of an attack, the consequences of an attack, and the system's effectiveness. "Assigning these values is very subjective," Matalucci says.
The scaling process begins by applying the terms high, medium, and low to each of the risk concepts.
Next, the methodology converts the high, medium, and low risk assessments into numbers on a scale that runs from 0.1 to 0.9, with low being in the range of 0.1 to 0.2 and high above 0.7.
Interpreting the results also requires judgment. "What's the difference between 0.125 and 0.2?" asks Matalucci. "In both cases the risk is low, and thinking about the difference between the two isn't meaningful."
The methodology will yield a risk assessment for management to consider. Suppose a report assesses a risk at 0.65, toward the high end of the medium-risk range. Management may decide that such a risk is not high enough to address with an expensive security program, says Matalucci. On the other hand, management may conclude that a risk of 0.6 is too high and ask the evaluation team for a strategy and a budget that reduces the risk.
Another option supported by the methodology is called consequence mitigation. In adopting this option, management might decide not to spend on reducing risk. Instead, spending would go into an early warning system. In this case, an attack on a dam would activate an early warning system and facilitate evacuation downstream, focusing on saving lives instead of saving the dam.
Finally, the RAM system provides worksheets that evaluate the effect of security spending on risk. This enables users to determine how an expenditure of, say, $200,000 on security will affect the risk assessment. "You might find that $200,000 reduces your risk from medium to low," Matalucci says. "Then again, you may begin with a medium risk and find that spending $200,000 doesn't substantially change the risk. In the first case, security makes sense, but not in the second case."