Assessment of the Bureau of Reclamation's Security Program (2008)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Summary O ne lesson from the September 11, 2001, attacks on the World Trade Center and the Pentagon is that infrastructure built for beneficial purposes can become an instrument of mass destruction if it fails as the result of a malicious act. Dams and their related infrastructure are primarily built to control the flow of a river and mitigate flooding. The water impounded behind a dam can be used to generate power and to provide water for drinking, irrigation, commerce, industry, and recreation. However, if a dam fails, the water that would be unleashed has the energy and power to cause mass destruction downstream, killing and injuring people and destroying property, agriculture, industry, and local and regional economies. The significance of dams as vehicles of mass destruction has not gone unrecognized. Serbian forces attempted to blow up the Peruća dam in Croatia in 1993 during the Serbo-Croatian War. Hoover Dam was identi- fied as a potential target for enemy forces during World War II, and the sabotage of Glen Canyon Dam was fictionalized in the 1975 novel The Monkey Wrench Gang. A malicious act is defined as a willful act of destruction perpetrated by a determined individual or group of individuals, such as international terrorists, domestic extremists, or a disgruntled employee. In this report, a dam failure is defined as the uncontrolled release of water from a res- ervoir such that lives and properties downstream are threatened. Various mechanisms can cause a dam failure.  

 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM The U.S. Bureau of Reclamation (hereinafter Reclamation or BOR) is responsible for managing and operating some of this nation’s largest and most critical dams, including five national critical infrastructure (NCI) facilities: the Hoover, Grand Coulee, Folsom, Shasta, and Glen Canyon dams. Reclamation’s total inventory includes 249 facilities comprising 479 dams and dikes and related facilities. The importance of the water and power supplies provided by these facilities to the quality of life in 17 western states cannot be overstated. The failure of one or more of these dams as the result of a malicious act would come with little warning and time for evacuation. In the worst case, where a large dam is located above a major population center, the devastation in terms of lost lives and destruction of property, power and water supply facilities, and commerce could rival or exceed that in New Orleans after the levees failed following Hurricane Katrina. RECLAMATION’S SECURITY CHALLENGES Reclamation’s mission is to “manage, develop, and protect water and related resources in an environmentally and economically sound manner in the interest of the American public” (USBR, 2007). Major disruptions to its operations—the cutting off of water and power for days, weeks, or months—would have significant impacts on local and regional economies and on the lives of millions of people. Reclamation’s overall security challenge, then, is to ensure the physical integrity of its facilities and the reliability of its power and water supplies if faced with a terrorist or other malicious act. This challenge has multiple aspects, some of which involve balanc- ing security with other societal objectives. For instance, Reclamation must find ways to allow public access to its facilities and services while limiting access to some on-site areas. It must identify vulnerabilities in its facilities and find ways to mitigate them. When an incident occurs, Reclamation must be prepared to respond ­ rapidly and appropriately whether that facility is near a city or in a remote area. Reclamation must TheNational Infrastructure Protection Plan (NIPP) defines critical infrastructure as “ ­ assets, systems, and networks, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters” (DHS, 2006, p. 103). Arizona, California, Colorado, Idaho, Kansas, Montana, Nebraska, Nevada, New Mexico, North Dakota, Oklahoma, Oregon, South Dakota, Texas, Utah, Washington, and ­Wyoming. 

SUMMARY  ensure that its staff, its operators, its con­tractors, and its stakeholders do not include individuals who present a security threat. Finally, Recla- mation must understand how risks and vulnerabilities might change in a world where new security threats are continually emerging. In the nearly 7 years since the 9/11 attacks, Reclamation has invested significant resources—staff time and expertise, outside expertise, techni- cal and physical measures, and funds—to establish and build a secu- rity program. It has completed threat and vulnerability assessments for most of its facilities; contracted for security guards and law enforce- ment officers; installed surveillance systems and physical barriers to protect against unauthorized intrusions; upgraded control systems; and conducted training exercises. Funding for these improvements has been primarily ­redirected to security from other Reclamation programs. R ­ eclamation is now at a point where it is appropriate to evaluate the results of these efforts and determine how best to move forward to develop a security program that is robust and sustainable. OVERVIEW OF THIS STUDY At the request of the U.S. Bureau of Reclamation, the National Research Council, through the Board on Infrastructure and the Con- structed Environment, appointed a multidisciplinary committee of 14 experts to assess Reclamation’s security program and determine its level of preparedness to deter, respond to, and recover from malicious acts to its physical infrastructure and to the people who use and manage it. The committee members have experience in government, academia, and the private sector and expertise in physical security, law enforce- ment, threat assessment and mitigation, risk analysis, dam safety, civil engineering, and emergency response (Appendix A). Operators: BOR dams and related facilities are operated either by BOR employees or by employees of the water districts to which BOR has transferred that authority. Contractors: individuals or companies hired to provide services (e.g., construction, main- tenance, protection) at BOR facilities. Some water districts operate and maintain BOR-owned dams and related facilities. They may also hire contractors to perform services. BOR some- times also calls these water districts contractors. Stakeholders: BOR stakeholders include the direct beneficiaries of its programs, such as users of irrigation, municipal, and industrial water, and consumers of power generated at BOR dams. The committee’s statement of task (as described in Chapter 1) and this study cover only the security program of the Bureau of Reclamation. Although there are many other owners and operators of large dams that must grapple with similar challenges and ways to address them, the committee could not expand its investigations beyond its given task. The com- mittee does believe, however, that a comprehensive review of the security of the nation’s dams would be of value. 

 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM To accomplish its task, the committee met as a whole four times between January and November 2007. It received briefings from the staff of Reclamation’s Security, Safety, and Law Enforcement (SSLE) Office and program managers from the Office of the Chief Information Officer (CIO). Some of the briefings included information that was classified as secret or for official use only (FOUO). Groups of two or three committee members and NRC staff also visited Reclamation’s five regions, several area offices, and a number of dam sites, including the five national critical infrastructure facilities. They interviewed BOR’s area office managers, law enforcement and security personnel, and BOR contractors and operators and observed the customs and practices of Reclamation staff in the field. The committee also received briefings and held discussions with BOR senior executives and representatives of other federal agencies involved in dam security (Appendix B). The committee formulated its conclusions, findings, and recommen- dations based on previous reviews of Reclamation’s security program; information gathered through the briefings, site visits, and discussions; a review of reference materials and studies; and the committee members’ own expertise and experience. CONCLUSIONS The committee’s overall conclusion is that although the Bureau of Reclamation is better able today to protect its infrastructure and its people against malicious acts than it was 7 years ago, the security program is not yet mature, well-integrated, or appropriately supported at all levels of the organization. To date, Reclamation has focused on tactical issues: developing a risk management approach; establishing security plans for each facility; staffing a security and law enforcement office; and developing an intel- ligence gathering and analysis capability. Still missing are policies and operational guidance for effective responses to security-related incidents; performance measures to support continual improvement; and a method for disseminating lessons learned. Also missing are the full support and commitment of senior executives and managers at all levels of the organi- zation and adequate resources—staff, expertise, and funding—to develop a security program that is robust and sustainable. It is now time for Reclamation to take a more strategic approach to its security program. One of its highest priorities should be the develop- ment of a vision and a plan to provide a path forward. The vision should explicitly link the physical assurance of Reclamation’s facilities to its overall mission of providing water and power. The plan should address policy, programmatic, and resource issues and should have the support and commitment of all of Reclamation’s managers. 

SUMMARY  FINDINGS AND RECOMMENDATIONS The committee’s findings and recommendations follow. The recom- mendations are intentionally general to allow Reclamation and its SSLE Office some flexibility in determining what processes, tools, or policies will be used to address them. In some cases a recommendation relates to more than one finding. With the exception of the development of a vision and a plan for the security program, the committee has not presented its recommenda- tions in order of priority. However, some recommendations require action sooner than others because they will help to avoid undesirable outcomes and will yield both immediate and long-term benefits. These actions include the development of • An out-of-cycle process for security assessments; • Policy on the use of deadly force; • Response plans for security-related incidents; • A streamlined personal identity verification process; • Preproject planning for security-related projects; and • Procedures related to the sharing of intelligence-based information. A Risk Management Approach Finding 1: The risk management process that Reclamation has developed to assign priority for conducting threat and vulnerability assessments, security improvements, and resource allocation is appropriate. Elements of this process, however, need to be continually improved and refined as threats emerge, as risk assessment methods evolve, and as research-based information becomes available. Recommendation 1: Reclamation managers should monitor the new threat and risk assessment methods being developed by the Depart- ment of Homeland Security and others and use those methods that are most appropriate for dams and related infrastructure (Finding 1). Finding 2: Reclamation plans to conduct security assessments on a 3- to 6-year cycle even though security threats are continually emerging and must be continuously monitored. Recommendation 2: In addition to conducting security assessments on a 3- to 6-year cycle, Reclamation should institute a process and criteria for conducting out-of-cycle assessments as threats emerge and circum- stances warrant (Finding 2). 

 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM An Integrated Security Plan for Each Facility Finding 3: A robust facility security plan provides for defense in depth through an integrated system made up of obstacles that restrict access, surveillance and intrusion detection systems, and a rapid-response force. Although elements of a facility security plan were visible at most sites that the committee visited, the elements did not appear to be effectively integrated. Finding 4: At some sites, the committee could imagine threat scenarios, especially those involving insiders, that could not be countered effec- tively by the forces and fortifications in place. Too often facility security defenses appeared brittle and lacking in depth. If one line of facility security was neutralized, it was too likely that intruders could continue moving forward. Finding 5: Reclamation evaluated a very limited number of standard threat scenarios for its security assessments. Security-related intelligence has not been integrated into site-specific, realistic threat scenarios to the committee’s knowledge. Recommendation 3: Reclamation and the SSLE should review their facility security plans as a system, identify gaps in the integration of the various elements, develop a range of realistic, site-specific threat scenarios based on local conditions and intelligence from all available sources, and conduct both contingency planning and training exercises using these scenarios. A protocol for regular review and adjustment of scenarios should be adopted to assure that planning and training are aligned with current conditions (Findings 3, 4, 5). Finding 6: Because each Reclamation facility is in a different jurisdiction with different laws and a unique mix of local, county, state, and federal law enforcement entities, the interface between first responders and those that provide follow-up will vary. Facility security plans will therefore need to incorporate distinct arrangements for cooperation among the various responders during a security-related incident. Finding 7: Specific guidelines for command, control, and decision ­making at individual sites enable an effective response to a security-related inci- dent. At Reclamation, guidance for these responsibilities was unclear, and procedures were not well understood by staff. Finding 8: Training exercises are important to ensure that when person- nel from multiple government and law enforcement entities respond to 

SUMMARY  a security-related incident, all of the key players understand the proce- dures for command and control and for the transfer of authority as events unfold. Training exercises need to be designed to test site-specific, realistic scenarios and to be aligned with the responsibilities of the responders. Recommendation 4: Reclamation should ensure that all security and law enforcement entities that would respond to a security-related inci- dent at one of its facilities have a clear understanding of the lines of authority, roles, and responsibilities outlined in the response plan. The various security and law enforcement entities at each facility should train together to practice the actions each entity would be responsible for in a realistic scenario (Findings 6, 7, 8). Finding 9: Good communication is critical for an effective response to a security-related incident. The committee observed that some communica- tion equipment and technologies used by Reclamation and other federal, state, and local law enforcement and security organizations were not interoperable and would hinder communication among responders. Finding 10: Certain communication technologies used in rural areas are subject to failure caused by weather and related events and may not be reliable during a security-related incident. Recommendation 5: Reclamation should ensure that its personnel have the appropriate equipment and skills to communicate with all other entities expected to respond to a security-related incident. It should validate the effectiveness of the communication methods through appropriate exercises and simulations and work to standardize com- munication approaches (Findings 9, 10). Finding 11: The use of standard ammunition in some parts of some R ­ eclamation facilities could substantially compromise the integrity of criti- cal equipment. It was not clear if this was common knowledge throughout SSLE or among those security and law enforcement entities that would respond to a security-related incident. Recommendation 6: Reclamation should investigate how non­lethal weapons and new technologies can be used effectively during a response to a security-related incident (Finding 11). Finding 12: The committee observed design and installation flaws in sev- eral risk mitigation projects. The personnel at the relevant facilities clearly believed that such flaws could have been avoided if the SSLE staff had 

 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM sought their input during the planning process, before the projects were designed and installed. Recommendation 7: Reclamation should establish an effective pre- p ­ roject planning process to improve the design of risk mitigation projects, avoid rework, use available resources more effectively, and improve working relationships. The SSLE should ensure that represen- tatives from the area offices and facility operators are involved early in the process when decisions are made about project scope and imple- mentation strategy (Finding 12). POLICIES AND OPERATIONAL GUIDANCE FOR KEY ASPECTS OF THE PROGRAM Finding 13: The distinction between law enforcement and security within Reclamation is not clear, and the resulting ambiguity has raised issues regarding the use of deadly force during a security-related incident. Recommendation 8: Reclamation and the SSLE should work with local law enforcement entities to expedite the development of clear, legally binding guidance on the use of deadly force. The guidance should clearly address how the defense-of-life rule might apply in specific types of security-related incidents (Finding 13). Finding 14: Reclamation has not adequately addressed threats posed by insiders—Reclamation staff, facility operators, contractors—to override physical security components and take control of dam operations. Recommendation 9: Reclamation should determine if there are ways to streamline the personal identity verification process for employees and contractors while ensuring that the process remains effective in identi- fying those who might pose a threat to security. Criteria and a program for conducting periodic security reviews for key Reclamation personnel should also be developed (Finding 14). Finding 15: Reclamation-wide guidance on site access procedures for contractors and on safeguarding plans and drawings for construction projects has not been issued. In the absence of such guidance, some area offices have developed their own procedures. Recommendation 10: Reclamation and the SSLE should move expedi- tiously to develop policies for site access for contractors and for the safeguarding of project plans and drawings. Policies should be for- 

SUMMARY  mulated in close collaboration with area and regional managers and should be flexible enough to distinguish among different situations (Finding 15). Finding 16: The objectives and operating procedures for law enforcement are different from those for security. The legislation giving Reclamation law enforcement authority does not address issues of antiterrorism or security, nor does it permit Reclamation to directly hire its own law enforcement personnel. Recommendation 11: Reclamation’s senior executives and security man- agers should identify the gaps in their authority for creating an effective security program and, if necessary, seek authorizing legislation that will allow implementation of a more robust program (Finding 16). A COLLABORATIVE OPERATING ENVIRONMENT Finding 17: With its largely decentralized organizational structure and heavy reliance on partnerships and contractors, Reclamation is funda- mentally dependent on collaboration within and among organizations to achieve its mission. Imposing a centralized security program on a culture that is accustomed to distributed program management and authority has resulted in tensions and ineffective working relationships between the SSLE staff in Denver and the staff of regional and area offices. Finding 18: Sound working relationships are based on effective communi- cations and trust. Managerial actions and the behavior of SSLE’s Denver- based staff have in some cases created distrust among the regional and area office staff that is damaging to internal working relationships and that limits the effectiveness of the security program. Recommendation 12: SSLE managers should recognize and respect the importance that regional and area staff attach to their working rela- tionships with their operators, contractors, and local law enforcement personnel. SSLE should work through the regional directors and area office managers when developing risk-mitigation projects and other activities that require the input of local law enforcement personnel, operators, and other stakeholders. SSLE should also intensify its efforts to communicate the goals, methods, priorities, and budget constraints of the security program through face-to-face meetings with regional and area office managers. To be effective, communication should routinely be two way (Findings 17, 18). 

10 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Finding 19: An inflexible commitment to the need-to-know doctrine inhibits the sharing of intelligence-based information among SSLE staff in Denver, the regional special agents, and the area office personnel who might be in the best position to deter some threats and who would be the first responders to an incident. Recommendation 13: SSLE staff should endeavor to find ways to ­better inform senior managers and field personnel about potential threats to facilities based on security-related intelligence. They should also communicate the constraints under which they operate, especially the restrictions on dissemination of intelligence-based information (Find- ing 19). Finding 20: Field personnel and others who have reported potentially valuable information about suspicious activities to the SSLE in Denver only rarely receive feedback on how or if the information was used. As a consequence, some field personnel view security-related communication as a one-way street and are reluctant to report information about suspi- cious activities since their effort appears to have no effect. Recommendation 14: When security-related information is collected at the local level and forwarded to the Denver office, the SSLE should provide feedback on the disposition of that information. It should at least acknowledge receipt of the information and encourage continued reporting of suspicious activities (Finding 20). Finding 21: Although the SSLE’s Denver-based staff may have the techni- cal skills to carry out their job responsibilities, they have not in general dis- played the communication, negotiation, and team-building skills needed for the sound working relationships that are critical to Reclamation. Recommendation 15: Reclamation should provide the SSLE staff with additional training in communication, negotiation, and team-building skills (Finding 21). Senior Management Support and Commitment Finding 22: Creating an effective security program and a culture of secu- rity requires the dedicated support and commitment of Reclamation’s managers at all levels of the organization. Currently, such support and commitment are uneven. Some managers clearly understand the link between Reclamation’s mission and security, and they are spearheading efforts to implement effective security procedures and programs. Others 

SUMMARY 11 regard security as an unwelcome intrusion into other activities and resent the redirection of resources from other activities to security. Finding 23: Building commitment and support for the security program is primarily the responsibility of Reclamation’s senior executives—the com- missioner, deputy commissioners, and regional directors and the director and program managers of the SSLE Office. Recommendation 16: Reclamation’s senior executives and SSLE person- nel should clearly communicate the critical link between security and Reclamation’s mission. Management must guard against sending the wrong signals to field personnel: that terrorism “can’t happen here [in rural America]”; that field personnel and operators no longer need to be vigilant; or that threats no longer exist because some steps have been taken to improve the security of facilities (Findings 22, 23). Adequate Resources Finding 24: The resources—number of staff, expertise, funding—­currently available for Reclamation’s security program are not sufficient to operate and sustain an effective program. Finding 25: Folsom Dam requires special consideration within the national critical infrastructure classification owing to the magnitude of the potential consequences of a security-related failure. The level of resources required for effective security is greater at Folsom than elsewhere. Recommendation 17: High-level attention should be given to deter- mining how to provide additional resources to support a more robust security program without compromising other activities that are critical to Reclamation’s mission (Findings 24, 25). Finding 26: Security improvements benefit the public at large and are not limited to a specific set of stakeholders. Reclamation’s proposal to make some security-related costs fully reimbursable creates tension with its stakeholders. The safety of dams program, in which reimbursable project costs are split between Reclamation and its stakeholders, may serve as a model for developing criteria, a process, and a cost-sharing percentage for reimbursing the costs of some security-related operations and main- tenance activities. Recommendation 18: Where stakeholder reimbursements are sought for security-related operations and maintenance activities, the ratio that is 

12 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM used for the safety of dams program—85 percent federal funding and 15 percent stakeholder funding—should be considered as the starting point (Finding 26). Performance Measurement Finding 27: Reclamation has developed some performance measures for evaluating the risk mitigation component of its site security program. Additional measures are needed to evaluate processes related to deter- rence of and response to security-related incidents. Recommendation 19: Reclamation should establish a set of performance measures for its security program elements to encourage continual improvement. Where appropriate, it should use measures developed by other federal programs that are active in law enforcement and intelli- gence gathering. Performance outcomes should be measurable, achiev- able, and consistent (Finding 27). A Method for Disseminating Lessons Learned Finding 28: Lessons-learned processes can be useful for sharing experi- ence-based information in an organization and for continually improving organizational processes, knowledge, and standards. Sources of lessons learned include after-action reports from training exercises, other forms of simulation, and other organizations. Finding 29: Reclamation’s security program does not appear to have a for- mal lessons-learned program in place. Where after-action reports ­followed major exercises, they were not disseminated to all the regions or the area offices that could have benefited from knowing the exercise results. Recommendation 20: In the short term, SSLE should distribute after- action reports to the appropriate staff at all area and regional offices to leverage the knowledge gained from training exercises. The field staff should ensure that the documents are kept secure. In the longer term, Reclamation should develop a process and a database for capturing and disseminating lessons learned by looking to other organizations and agen- cies that have successful lessons-learned approaches (Findings 28, 29). A Vision and a Long-Term Plan Finding 30: Among their other objectives, organizational mission and vision statements, plans, and goals are meant to inspire and motivate 

SUMMARY 13 employees and stakeholders. Typically, they are driven by an organi- zation’s senior executives and reflect their priorities and values. Infra­ structure security does not appear explicitly in Reclamation’s mission and vision statements, plans, or goals. The failure to mention it conveys the idea that infrastructure security does not have the support and commit- ment of senior management, nor has it been given priority. Finding 31: Reclamation does not appear to have a plan for a security program that is robust, mature, and sustainable. When asked about their goals for the security program, senior managers focused on tactical issues. Strategic issues, such as how security is to be embedded in Reclamation’s culture and how regional security coordination is to be improved, were not mentioned. Recommendation 21: Where appropriate, Reclamation’s leadership should emphasize in its policy statements the link between security and the achievement of Reclamation’s mission. A plan for sustaining an effective security program should be developed. Such a plan should include a vision, goals, and objectives, and strategies for accomplishing them (Findings 30 and 31). References Department of Homeland Security (DHS). 2006. National Infrastructure Protection Plan. W ­ ashington, D.C.: DHS. More information available at www.dhs.gov/nipp. U.S. Bureau of Reclamation (BOR). 2007. “Mission statement.” Available at www.usbr.gov/ main/about/mission.html.