Assessment of the Bureau of Reclamation's Security Program (2008)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

2 Description of Reclamation’s Security Program T he Bureau of Reclamation (hereinafter Reclamation or BOR) is one of eight bureaus within the Department of the Interior (DOI). DOI’s Office of Law Enforcement, Security and Emergency Management (OLESEM) is responsible for providing leadership, policy guidance, and oversight for law enforcement, homeland security, emergency management, and information security to each of the bureaus. At Reclamation, the security program has several components: secu- rity, law enforcement, emergency management, and information and information technology (IT) security. All aspects of the security program are centrally managed through Reclamation’s offices in ­Denver, ­Colorado, and Washington, D.C. The Security, Safety, and Law Enforcement (SSLE) Office manages the security, law enforcement, and emergency manage- ment components, while the information and IT security component is under the purview of the chief information officer (CIO). The director of SSLE reports to the deputy commissioner for policy, administration, and budget, while the CIO reports to the director of administration (Figure 2.1). The director of SSLE and the CIO are expected to work closely together to ensure the security of the supervisory control and data analysis (SCADA) systems used to operate dams, power plants, and related infrastructure and of other IT systems. The others are the Bureau of Indian Affairs; Bureau of Land Management; Fish and Wildlife Service; Minerals and Management Service; National Park Service; Office of Surface Mining; and the U.S. Geological Survey. 29 

30 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Deputy Commissioner Policy, Administration, and Budget Director Director Director Director Safety, Security, and Program and Policy Administration Program and Budget Law Enforcement Services Chief Information Officer FIGURE 2.1  Reporting structures for SSLE and CIO. Figure 2.1 The centralized management structure for security contrasts with the way most other BOR functions are managed. Since 1994, BOR has delegated much of its authority for program management and imple- mentation to its 5 regional and 24 area offices (Figure 2.2). Authority formerly exercised from BOR central offices in Denver was delegated to lower organizational levels, and senior personnel positions at the central location were eliminated. At the same time, the Reclamation-wide direc- tives known as Instructions were withdrawn. Mandatory requirements that replace the Instructions have been and continue to be developed and published as policy and directives in the Reclamation Manual, a Web-based collection of policies and directions that is continuously updated and revised (NRC, 2006). Reclamation’s facilities are managed by the 24 area offices, with each of the five regional offices having full responsibility for operating and maintaining the assets in its region. In most but not all cases, this means that all the assets in a single watershed are operated and maintained by the same regional office. The exceptions include the Colorado, Canadian, and Rio Grande river basins, each of which needs an additional level of coordination (NRC, 2006). Reclamation also oversees operations and maintenance activities where the responsibilities for implementing operations and maintenance Available at http://www.usbr.gov/recman. 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 31 Pacific Northwest (PN) Regional Office: Boise, Idaho Great Plains (GP) Regional Office: Billings, Montana Mid-Pacific (MP) Upper Colorado Regional Office: (UC) Sacramento, California Regional Office: Salt Lake City, Utah Lower Colorado (LC) Regional Office: Boulder City, Nevada FIGURE 2.2  Reclamation’s regions and regional offices. have been transferred to water and power authorities and other local Figure 2-2.eps beneficiary organizations. The SSLE Office, established in 2001, is in Denver. In addition to security, law enforcement, and program and emergency management, the SSLE is also responsible for the safety of dams program and the safety office. The committee was not asked to assess the safety of dams or the safety programs. The SSLE also has a three-person liaison office in Wash- ington, D.C., that serves as liaison with DOI and with Congress, OMB, and other organizations (Figure 2.3). BOR was first granted law enforcement authority in November 2001. P. L. 107-69 gave Reclamation law enforcement authority for ­misdemeanor- The Reclamation Extension Act of 1914 required the payment of operating and mainte- nance costs; recognized legally organized water users’ associations and irrigation districts; and authorized the transfer of project facilities operations and maintenance to water districts (BOR, 1972). 

32 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Director SSLE Program Washington, Law Safety of and Security Safety* D.C., Enforcement Dams* Emergency Liaison Management FIGURE 2.3  Organization of SSLE Office. *Not reviewed in this study. Figure 2.3 level crimes such as theft or vandalism on or to its property and facilities. The legislation allows Reclamation to use law enforcement personnel from DOI or other federal agencies except the Department of Defense. It does not address issues of security or antiterrorism, nor does it allow Reclamation to directly hire law enforcement personnel. SSLE has a staff of approximately 48 full-time equivalent positions. Its annual site security budget has fluctuated, from about $54 million in FY 2003 to around $40 million currently. It contracts with private-sector firms for site security and for some tasks related to intelligence gathering and analysis and emergency support. SSLE works with OLESEM, the CIO, and BOR’s Technical Services Center (TSC) to plan and implement some aspects of the program. SSLE also works with water districts, local law enforcement, BOR stakeholders, and outside organizations, including the DHS, FEMA, the Federal Protective Service (FPS), and the Federal Bureau of Investigation (FBI). SECURITY SSLE’s security group provides technical expertise and is responsible for security assessments and risk management coordination, ­facility secu- rity and design improvements (e.g., closed-circuit TV cameras, fences, access control systems), personnel security (background checks), opera- SSLE also has a Safety of Dams and Emergency Management budget. 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 33 tions security, and interagency coordination. The security group is headed by the chief security officer. Twelve additional staff positions are located in the Denver office, and one regional security officer (RSO) is assigned to and works from each of the five regional offices. The RSOs serve as a technical link between the Denver office and the regional and area offices. They are responsible for regional implementation of security directives, standards for identifying and safeguarding sensitive documents, and background investigations of personnel, among other duties. Additional support for risk assessments and for design and engineering ­ studies is provided by the TSC. Security Assessments and Risk Management Coordination With relatively limited resources and more than 450 dams that vary greatly in size, siting, amount of power and water delivered, distance from downstream population centers and size of those populations, relation­ship to local and regional economies, and the magnitude of the consequences of their failure, it is not possible (and may not even be desirable) for Reclamation to provide the same level of protection for all of its facilities. BOR has recognized the need for an approach that pays more attention to those dams and facilities that are more attractive targets and where the consequences of a successful attack would be the greatest and invests more resources in their protection. Although risk can be measured in a variety of ways, it is most c ­ ommonly assessed as a function of the probability of an event and the consequences of the event. A risk management program for a large inven- tory of facilities entails a screening process to identify those facilities in the inventory that require closer scrutiny, risk assessments to identify vulnerabilities of individual facilities and potential consequences of a failure, a process for quantifying and evaluating the costs and benefits of technologies and other risk mitigation measures, and decision analysis. The overall goal of a risk management program is to establish a transpar- ent and rational decision-making process that optimizes security across the entire facilities inventory. A risk management program for dams and other facilities should incorporate a screening process that uses a common basis for evaluating an inventory of facilities according to their security-related risk profiles. A screening process might begin with a review of security-related dam attributes such as “criticality” (how important the dam is to the organi- zation’s mission) and “vulnerability” (the likelihood that an attack will 

34 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Criticality Threshold Potentially High-Priority Dams Vulnerability Vulnerability Threshold Potentially High-Priority Dams (Criticality x Vulnerability) Threshold Criticality FIGURE 2.4  Notional results of screening by criticality and vulnerability to iden- tify dams that need to be given high priority. Figure 2.4 be successful). By assigning numerical values to these attributes (say, on a scale of 1 to 5), criticality and vulnerability scores can be calculated for each dam. Aggregate scores of many dams can then be plotted on a graph. This will facilitate identification and prioritization of dams with relatively high risk—that is, those with high criticality and high vulner- ability (Figure 2.4). A variety of ways to assess risk have been developed. Generally they are analytic, quantitative, and probabilistic. They should also be consistent with accepted practices and transparent. Risk assessment typi- cally starts by developing threat or security scenarios (e.g., use of a truck bomb) and then goes on to look at the potential consequences of a suc- cessful attack, to analyze vulnerability (e.g., measures in place to deny, deter, delay, respond to, or defeat the attackers), and to assess the threat (the likelihood or probability of attack from an adversary’s perspective). These elements are systematically considered to determine which assets Criticality might include population within inundation zones, the iconic status of the dam, economic consequences of interrupting power and water supplies, and the time r ­ equired to bring a damaged facility back on line. Vulnerability might include construction type, operational features, accessibility, security and emergency response capabilities, and previous threats. 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 35 warrant the most protection, how this protection can be provided in a cost-effective manner, and how damage can be minimized in the event of a successful attack. Immediately after the 9/11 attacks, BOR staff with expertise in secu- rity, engineering, and dam operations and maintenance developed a process for screening Reclamation’s inventory of dams to identify those whose failure as the result of an act of terrorism would have the ­severest downstream consequences and the most critical impacts from loss of mission, such as providing water and power. A 10-tiered categorization process was used to assign priority for security risk assessments. Five facilities were designated national critical infrastructure (NCI) facilities. In early 2002, BOR contracted with the Defense Threat Reduction Agency (DTRA) to assess vulnerabilities at its NCI dams using the Balanced Survivability Assessment method. This method focuses on identifying vulnerabilities at a dam site that could be exploited by a well-trained team of terrorists and then identifying mitigation measures for those vulnerabilities. It does not include a threat assessment or an assessment of potential consequences. In the same time period, four private contractors and one semi­public agency were hired to perform Risk Assessment Methodology–Dams (RAM–D) assessments for the next 50 facilities on the priority list. RAM–D is a qualitative assessment of probability of attack, consequences, and security system effectiveness developed by an interagency committee in consultation with the Department of Energy’s Sandia National Laborato- ries. In late 2002 and early 2003, all of the recommendations for improve- ments resulting from the 55 assessments were reviewed and evaluated by a security advisory team (SAT) comprising staff from SSLE and BOR’s regional and area offices and outside experts from the U.S. Army Corps of Engineers (USACE) and Sandia National Laboratories. The SAT evaluated the recommendations based on the extent to which they could potentially reduce risk and the feasibility of implementing them. Decision documents were then prepared for each of the 55 facilities evaluated and presented to the SSLE director, to the relevant regional directors and area office managers, and to the deputy commissioner and the commissioner for their approval, with the concurrence of DOI’s assistant secretary for water and science. The procedure is intended to ensure that recommendations have been critically evaluated, are cost effective, and reduce risk and that risk management strategies are consistently applied across Reclamation (OMB, 2007). From mid-2003 to early 2006, the next 225 facilities were evaluated by Reclamation staff using the Matrix Security Risk Assessment (MSRA) methodology, which is a qualitative evaluation of threats, vulnerabilities, and consequences. The SAT reviewed and evaluated the assessments, 

36 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM prepared decision documents, and sent them forward for concurrence by the SSLE director and the respective regional directors and area office managers. As of June 2004, the 10 tiers of facilities had been recombined into 5 categories: NCI, major mission critical (MMC), mission critical (MC), p ­ roject essential (PE), and low risk. MMC facilities are defined as facilities that are characterized by large, multipurpose features and high down- stream hazards and that are so vital to the nation that their incapacita- tion or destruction would have a debilitating effect on national security, regional economic security, and/or regional public health or safety. MC facilities are defined much like MMC facilities except that they are mod- erately large and their downstream impacts would be more moderate. PE facilities are Reclamation facilities that are essential to a particular project and the locale and whose incapacitation or destruction would have a significant impact on local economic security, public health, or safety, or any combination thereof. Low-risk facilities, which might include small office buildings and project support facilities, are defined as those whose loss would not be a substantial loss to the public or BOR. Over time, as more information on the vulnerability of specific types of dams becomes available through research and testing, some dams have been recategorized. The SSLE plans to conduct comprehensive security reviews (CSRs) for all 178 critical facilities every 6 years. Periodic security reviews (PSRs) are to be conducted by the regional offices 3 years after a CSR is conducted. In a few cases, risk assessments at BOR dams have been conducted by outside agencies, including the California Department of Homeland S ­ ecurity and the California National Guard. However, these assessments were not always made available to Reclamation or the appropriate area offices. Facility Security and Design Improvement Projects One outcome of the risk management process is the identification and prioritization of facility security and design improvement projects intended to mitigate vulnerabilities. Such projects involve access control systems; perimeter, vehicle, and boat barriers; closed circuit TV monitor- ing systems; intrusion detection and alarm systems; lighting; security control centers; and guard/response personnel. Some projects resulted in closing roads traversing dams or limiting access to them and ­rerouting traffic to existing or new roads. At least two new bridges are being built in conjunction with highway realignments to move traffic off critical dams. 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 37 Reclamation has identified specific upgrades required at individual facilities and prioritized them according to the criticality of the facility, project feasibility, and the degree to which the project will mitigate risk. As funding becomes available, the projects are designed and implemented by the security group with support from the TSC. During the site visits, committee members were told that some water and power authorities that operate BOR facilities had paid directly for security upgrades, including security guards. In one case the water and power authority collaborated with BOR staff to identify security improve- ments and then installed the improvements at its own expense. However, security upgrades by water and power authorities are not necessarily coordinated with the SSLE or the field offices. Nor do all water and power authorities have the resources to implement such upgrades. Personnel Security Homeland Security Presidential Directive 12 (HSPD-12), issued in August 2004, requires that a policy be developed for standardizing the identification procedure for federal employees and contractors. This requirement is intended to eliminate the wide variation in quality and security of forms of identification for gaining access to secure federal facilities. Federal agencies must develop and deploy for their contract personnel and employees a personal identity verification (PIV) credential that is secure, reliable, and interoperable at all federal agencies. At BOR, the PIV process is used for conducting background checks on all BOR employees and the hundreds of contract workers who are active in new construction, operations, and maintenance projects at the various facilities. To comply with the PIV requirement, the security group has one staff position in Denver and the regional security offi- cers to process and adjudicate background investigations and reinves- tigations, issue and verify national security clearances, and maintain personnel files and databases. During one of the site visits, BOR staff reported that it can take as long as 6-8 months to complete the PIV pro- cess for one individual. Given this time lag, the field offices have had to make accommoda- tions for contractors so they can complete their jobs. For example, at one of the NCI sites, an escort is provided for workers for up to 180 days or until the project or the PIV process has been completed. At another NCI site, it was estimated that contractors may lose an hour or so of produc­ tivity per day per worker owing to the time it takes for identity verifica- tion and search procedures when entering or exiting some of the zones at the site. Such costs are probably passed along to BOR in the form of higher bids for projects. 

38 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM LAW ENFORCEMENT SSLE’s Law Enforcement Office is responsible for the following: • Enforcing federal laws and regulations; • Conducting investigations; • Gathering, analyzing, and disseminating intelligence; • Conducting threat assessments; • Conducting law enforcement training; and • Conducting security and law enforcement exercises. Within Reclamation, law enforcement’s primary goal is to assure the security for Reclamation resources and facilities, and the safety of employees and the visiting public. Working strategically and in close partnership with security personnel, assigned law enforcement person- nel identify and investigate potential threats and implement effec­tive security and response procedures. Coordination with other law enforce- ment, ­ security, and intelligence agencies and organizations is crucial. (BOR, 2005, p. 12) The law enforcement administrator (LEA) is responsible for promul- gating policy, procedures, and standards for Reclamation’s law enforce- ment authority. The LEA oversees a staff of 12, including 6 regional special agents (RSAs). One RSA is assigned to each region and one to the Grand Coulee Dam. The RSAs are assigned to BOR through an interagency agreement with DOI’s Bureau of Land Management (BLM). BLM pro- vides administrative oversight for the agents, while SSLE oversees their day-to-day operations. Additional support for intelligence gathering and dissemination is provided by private-sector contractors (Figure 2.5). The RSAs have multiple responsibilities. They serve as the primary law enforcement resource for the regional directors, area office managers, and field personnel. They gather and analyze security-related information for Reclamation’s facilities, projects, and properties, and they conduct threat assessments as part of the risk management process. RSAs serve as liaisons to federal, state, tribal, and local law enforcement and oversee contracts and cooperative agreements for law enforcement assistance. Law enforcement officers are authorized to carry firearms within the perimeter of a BOR project or on BOR lands and to make arrests, execute warrants, and conduct investigations. Investigations may pertain to violations of federal law, serious misconduct (or allegations thereof) by Reclamation staff, or administrative issues. However, an RSA or other Reclamation officer can conduct an investigation only if the federal law enforcement agency (typically the U.S. Marshals Service or the FBI) 

COMMISSIONER DEPUTY COMMISSIONER DEPUTY COMMISSIONER Policy, Administration Budget Policy, Administration,&and Budget Director SSLE Law Enforcement Law Enforcement Law Enforcement Administrator Program Specialist Contract RSA PN Region Intelligence Section Investigators/Analysts SA Grand Coulee Threat Management Lead Investigator RSA LC Region Intel Specialist Info/Data Intel Analyst Intel Analyst Investigators (FT) Specialist Intel Specialist RSA UC Region (Part Time) RSA GP Region RSA MP Region FIGURE 2.5  Organization of SSLE’s law enforcement group. SA, Special Agent. 39 Figure 2.5 

40 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM having investigative jurisdiction decides not to investigate an alleged offense. Some Reclamation facilities have contracts with private-sector firms to provide site security guards. The primary responsibility of site security guards is to protect people and property by controlling access to facilities and by deterring individuals who might consider attacking them. They are not law enforcement officers and must call on federal or local law enforcement personnel when a criminal act is suspected. Some site secu- rity guards are authorized to carry guns, but others are not. In the law enforcement profession, the police play four roles in their organization and the community: crime fighting, partnership, preven- tion, and problem-oriented policing or problem solving. Crime fighting involves answering calls, investigating crimes, and making arrests. Part- nership involves interaction with peers and colleagues, external police agencies, and the community. To establish partnerships, police must first develop the respect, trust, and support of the people and organizations they work with. They build on this foundation through active engage- ment with their peers, external agencies, and the community. If trust and support are nonexistent, then partnerships fail. Prevention involves pro- active police work—anticipating problems of disorder and then deterring them. Problem-oriented policing or problem solving includes a thought process whereby police identify specific problems, analyze their compo- nent parts, provide adequate responses to those problems, and then assess how well they did in solving them. This process is intended to identify the root causes of crimes and intervene before they get out of control. It can also be used to prioritize the types of crimes and problems that may exist within an area or jurisdiction and develop strategies to address them. At Reclamation, the crime-fighting role has been contracted out to local law enforcement with minimal oversight by the RSAs. Because their jurisdictions are so vast, the RSAs do not have the time or the resources to deal with crime. For the most part they receive information from BOR personnel or local law enforcement about incidents at or near dams in their region and they relay that information to the LEA in Denver. Partnerships have been formed throughout the regions with local law enforcement, National Park Service rangers and Fish and Wildlife ­rangers, contractors, and private security firms, among others. Some of the partner- ships are based on informal relationships, while others are made through memoranda of understanding (MOUs). Partnerships to share intelligence- related information have also been established through the FBI’s Joint Terrorism Task Forces (JTTFs), discussed later in this chapter. The task of prevention is primarily carried out by the RSAs at the NCIs through facility security measures, education, and training. ­Problem- o ­ riented policing or problem solving has been used sparingly by Reclama- 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 41 tion. The committee did not see much evidence of problem identification or analysis, targeted responses, or evaluations of their work. Reclamation is working to improve the reporting of crime and security-related incidents and to implement DOI’s Incident Management and Reporting System. Security Incident Response In the event of a security breach or actual attack on a BOR facility, appropriately trained and equipped security and/or law enforcement personnel must respond. With a few exceptions, that response will come first from local law enforcement entities. DOI policy is that response activities should be managed at the lowest possible organizational level. According to the National Incident Management System (NIMS), the secretary of Homeland Security will coordinate a field response to a t ­ errorist attack or other emergency only if (1) a federal department or agency acting under its own authority has asked the secretary for assis- tance; (2) the resources of state and local authorities are overwhelmed and federal assistance has been requested by the appropriate state and local authorities; (3) more than one federal department or agency has become substantially involved in responding to the incident; or (4) the secretary has been directed by the President to assume responsibility for managing the domestic incident (EOP, 2003a, p.1). Facility and area office staff, which may include on-site law enforce- ment or site security guards, are responsible for identifying suspicious activity or an actual breach of security at a facility, for notifying the regional office and other appropriate responders (i.e., local law enforce- ment), and for securing the premises until backup arrives, typically in the form of local law enforcement. If a facility was damaged such that people downstream were threat- ened, BOR personnel would notify the appropriate local authorities, who would notify their constituencies and begin evacuation. In an actual inci- dent, the area office manager would probably, at least for a time, be the public face of Reclamation, answering questions from the media and others. Hoover Dam is Reclamation’s only facility with an on-site, in-house police department, which includes a tactical team that could theoretically respond quickly to an evolving situation. At Grand Coulee Dam, the tacti- cal response capabilities lie with members of the security force that guards the facility. At Folsom Dam, any initial tactical response would come from the Sacramento County sheriff’s department, the parent agency of the contract deputies who provide on-site security for the installation. At Shasta and Glen Canyon dams, the initial response would come from local county sheriff’s offices. 

42 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Less robust response capabilities are available at other BOR facilities. Dams on the lower Colorado River south of Hoover Dam, for example, employ small armed cadres of private security guards. In other cases, the responding force might be rangers from the National Park Service or the U.S. Fish and Wildlife Service. For Reclamation, then, the interface between the initial responders and the law enforcement entities who follow up will be substantially different at each facility. Thus, Reclamation area office and regional per- sonnel, police from other federal agencies, and the local law enforcement personnel who are expected to respond to a terrorist or other malicious act must make appropriate arrangements for working together in a ­security- related incident. First responders, including local law enforcement, typically use a standardized incident management system called the Incident Command System (ICS) to manage resources and provide unity of command during a crisis. Incident action plans are used to communicate the objectives of operational and support activities. Security and Law Enforcement Exercises Security and law enforcement exercises are conducted to allow an organization’s decision makers, personnel, and partners who would respond to a security-related incident to identify limitations and problems in existing response plans and correct them in advance of an event. Exer- cises bring together people who might not otherwise be acquainted and help them develop working relationships. They can be used to improve response plans, improve the quality and capacity of the response, and build relationships. The last-mentioned is especially important because in a crisis it will be the personal and working relationships among the responders that will determine the success or failure of the response, not the written plan. FEMA’s National Preparedness Directorate has established a Home- land Security Exercise and Evaluation Program (HSEEP) that constitutes a national standard for all such exercises. HSEEP is a capability- and p ­ erformance-based program that provides a standard methodology and terminology for the design, development, conduct, evaluation, and improvement of training exercises (HSEEP, 2007). Exercises can take several forms—tabletop, functional, full scale—that vary in purpose, format, and resources required. Tabletop exercises are intended to stimulate discussion of the various issues surrounding a hypothetical situation. They simulate a security-related emergency situ- ation in a stress-free, informal environment. The focus is on training, decision making, coordination, and communication roles, procedures, 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 43 and responsibilities. The exercise itself may be aimed at facilitating an understanding of concepts, identifying strengths or shortfalls, and/or achieving a change in attitude (HSEEP, 2007). A security-related scenario is developed. Staff from all levels of an organization such as Reclamation, representatives of its partners, and staff from other federal, state, and local responders gather around a table to discuss what might happen in the context of the scenario. They discuss any problems that arise and identify changes needed for a more effective response. Tabletop exercises require a modest commitment of funds and personnel time and expertise and can be effective in improving response plans and procedures. However because they lack realism and the pressures of real-time decision making and action, they are not a true test of response capability (HSEEP, 2007) The objective of a functional exercise is to test and evaluate the effec- tiveness of one or more specific functions in real time. A functional exercise is characterized by the simulated deployment of resources and personnel, rapid problem solving, and a highly stressful environment (HSEEP, 2007). The focus of a functional exercise could be public notification and warn- ing systems, decision-making processes, communication and coordination procedures, or the allocation of resources and personnel. Such exercises are carefully scripted, planned, and sequenced to simulate a real-life situ- ation. During the exercise, personnel involved in policy, coordination, and operations for the chosen function practice their response in a realistic way. Problems and issues that come up during the response are identi- fied, and methods for resolving them are suggested. Functional exercises require a greater investment of resources and time than tabletop exercises, but they also provide a more realistic test of response capabilities. One variation on a functional exercise that can provide valuable information about preparedness is “red teaming.” FEMA defines a red team as a group of subject-matter experts with various disciplinary back- grounds that provides, in effect, an independent peer review of plans and processes. A red team acts as the adversary’s advocate, and par- ticipants knowledgeably role-play the adversary in a controlled, realistic, interactive ­manner during operations planning, training, and exercising (HSEEP, 2007, p. B-26). Red teams can be used in prevention-focused functional exercises that concentrate on exercising the plans, policies, procedures, agreements, networks, and staffs of law enforcement agencies with counter­terrorism missions, such as SSLE’s LEA. A full-scale exercise is designed to challenge the entire response sys- tem in a highly realistic and stressful environment. It is a multiagency, multijurisdictional activity involving the actual deployment of resources in a coordinated response as if a real incident had occurred (HSEEP, 2007). Typically the exercise would take place at a facility and would employ simulated attacks and victims. To the extent possible, the actual equipment 

44 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM and personnel who would be involved in a response participate in the field exercise. All decisions and actions by the participants occur in real time and generate real responses and consequences for other ­ players. In this way, all functions and relationships required for a response can be tested and evaluated. Typically, a formal after-action report identifying problems and recommending solutions is produced and disseminated to the appropriate parties, including managers, throughout the organization. Full-scale exercises require a significant investment of time and resources if they are to be useful. It may, for example, take a year or ­longer to develop a detailed exercise package with a carefully thought-out set of objectives, a well-planned and simulated scenario, a logistics plan, and the elements to be covered in the after-action report. The exercise itself will require significant amounts of staff time. Funding will be needed for planning and follow-up and for travel expenses to bring off-site personnel to the site of the exercise. Reclamation has conducted tabletop and functional exercises at some of its critical facilities. Full-scale exercises have been conducted at Grand Coulee, Flaming Gorge, and Hoover dams. The SSLE plans to hold addi- tional exercises as time and funds permit. Exercises have also been con- ducted by local governments. In these cases, Reclamation’s area offices did not always receive a summary of the results or the final report. To the committee’s knowledge, SSLE’s LEA has not held any red-teaming, prevention-focused functional exercises. Intelligence Gathering, Analysis, and Dissemination Federal initiatives to consolidate and centralize control over numer- ous components of the national intelligence apparatus speak clearly of the critical importance of intelligence to security. Reclamation recognized this and created an intelligence element within the law enforcement compo- nent of SSLE (see Figure 2.5). Intelligence procedures include maintaining a database of intelligence, incidents, and international visitors (OMB, 2007). The LEA compiles and analyzes numbers, types, and patterns of incident reports to assist law enforcement and security officers in the protection of Reclamation’s facilities and people. It provides classified intelligence briefings to senior management as well as intelligence and officer safety information to area and field offices, as appropriate. The Denver headquarters intelligence group receives intelligence- related information from the Interagency Forum on Infrastructure Pro- Intelligence incidents include bomb threats, burglaries/thefts, criminal activities, cyber- attacks, overflights of facilities, suspected surveillance, suspicious activities, trespassing, vandalism, and weapons. 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 45 tection, DOI’s Watch Office, the FBI, and state agencies, including the Arizona Counter Terrorism Information Center, the Colorado Information Analysis Center, and the Nevada Emergency Operations and Notification Network. Other sources of information include daily or weekly bulletins and alerts, publications, television, and the Internet. The intelligence group also works with Reclamation’s international affairs office to ensure that appropriate background checks are conducted for international groups who visit Reclamation facilities and that facility personnel are notified of such visits and given a list of cleared individuals (OMB, 2007). The RSAs receive security-related information from the Denver office and through the FBI’s JTTFs, which operate in every part of the country where there is an FBI office. In the Great Plains region, for example, 12 to 14 JTTFs are operating. The RSAs attend JTTF meetings as time and resources permit, and the JTTFs inform the RSAs of any security-related developments. The RSAs also receive information from the LEA, on-site BOR personnel, local law enforcement agencies, the county sheriff, other partners, and the local community. The RSA may communicate such information to the LEA and the FBI. Developing intelligence through collaborations and liaisons requires good internal and external working relationships, partnerships, and an effective communications system. For example, at one site, the man­agers of a nearby boat rental business observed some customers behaving suspiciously. The business managers reported this behavior to the local National Park Service ranger, who in turn reported it to the RSA. At another site, when a suspicious package was found on a dam, the RSA was not able to contact the appropriate FBI office directly and had to leave a voice-mail message on the phone. The RSA alerted the county sheriff, who blocked access to the site from the road and the reservoir. In some cases, if the RSA receives intelligence deemed “sensitive” from the FBI or others, he or she may be restricted in passing that infor- mation along to others, including a facility’s operators, managers, or even the RSO. Such restrictions may be counterproductive to the extent that the field staff in the best position to prevent or deter a security-related incident are not given the information that would help them to do so. INCIDENT RESPONSE MANAGEMENT Reclamation’s emergency management program was established in conjunction with the safety of dams program. The emergency manage- ment program is intended to provide for the safety of the public and to protect environmental resources from incidents at its facilities by (1) taking reasonable and prudent actions necessary to ensure timely notification of such incidents to potentially affected jurisdictions so that the public can 

46 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM be warned and evacuated and (2) defining what the program needs to allow its line managers to be self-regulatory, to be responsive to public safety, and to satisfy legal requirements during operations or emergency incidents at its facilities. It is not within Reclamation’s legislative authority or responsibility to warn directly or to evacuate the public in the event of a safety-related dam failure or the threat of a failure. The underlying premise is that if a dam is in danger of failing due to torrential rains, a design flaw, or other safety- related event, there will be sufficient time to notify local authorities and to evacuate people before downstream flooding occurs. This procedure does not take into account a dam failure caused by a malicious act in which there may be little or no advance warning of downstream flooding. SSLE’s Program and Emergency Management Office (PEMO) is responsible for centralized fund management for site security, emergency management, IT project management for SSLE, congressional and audit liaison, policy, and special projects. The office has eight staff members, including the program chief. Additional support for emergency manage- ment is provided by a private-sector contractor and the TSC. Reclamation’s emergency management functions are conducted in accord with DOI policy, which covers the Continuity of Operations Plan (COOP), the National Security Emergency Preparedness (NSEP), the coor- dination of emergency incidents, and the National Response Plan (NRP) coordination. PEMO is responsible for Reclamation’s compliance with these policies. It coordinates its activities through the designated emer- gency manager and COOP manager in each region. Individual area offices develop COOP plans so that Reclamation can continue to carry out its essential functions during an emergency. SSLE provides training and technical support and oversees regional COOP activities. An emergency operations center (EOC) is maintained in Denver to provide coordination and enhance communications during periods of high threat or actual emergency situations. Reclamation also supports the DOI COOP by providing an alternative operating site in Denver. Reclamation has developed emergency action plans (EAPs) for many years as part of its safety of dams program. The plans are updated annu- ally and exercised every 3 years. PEMO coordinates a variety of emer- gency communication capabilities, both unclassified and classified. It also provides 24-hour duty officers, an Emergency Notification System Department of the Interior, Departmental Manual, Part 900, Emergency Management Pro- gram, Chapters 1-5. Available at http://elips.doi.gov/app_dm/act_getfiles.cfm?relnum=3693. Last accessed November 14, 2007. 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 47 for Reclamation employees, and an interface to the DOI’s Watch Office in Washington, D.C. Under the National Response Plan, Reclamation is the executive agent for the DOI for Emergency Support Function for Public Works and Engi- neering and supports the Natural and Cultural Resources and Historic Preservation function. In 2005, BOR supported the response and recovery efforts for Hurricanes Katrina, Rita, and Wilma. INFORMATION AND INFORMATION TECHNOLOGY SECURITY Reclamation’s Information Technology (IT) Security and Management Program was formally established in 2000, one year before the SSLE. Responsibility for information and IT security resides with the Office of the Chief Information Officer (CIO). The program is guided by five objectives: • Ensure the safety of personnel and the public; • Protect the federal investment; • Take all reasonable precautions to prevent IT vulnerabilities from adversely affecting the mission; • Ensure the integrity of IT services to authorized project benefi- ciaries by determining acceptable risk levels and conducting periodic IT system audits to ensure compliance; and • Provide for timely delivery of services via IT. Reclamation’s IT Division treats SCADA systems security much like computer security using IT legislation, regulations, and other guidance to establish the baseline. SCADA systems primarily involve (1) water and water treatment control systems to monitor levels, flows, salinity, t ­ urbidity, dissolved gases, and the like and (2) electric power generation control systems to monitor the condition of generators, transformers, motors, switches, breakers, and hydraulic and hydromechanical cooling systems. A number of physical and personnel security measures have been implemented to protect these systems from cyberattacks. The IT Division establishes background check requirements for key personnel and coordinates access to its systems with the BOR’s human resources office, the SSLE, and facility operations. Security is indepen- dently tested and operation is authorized by management officials based The Watch Office is administered by OLESEM. It is responsible for coordination of law enforcement, emergency management, and security requirements placed on DOI after 9/11, among other things. It operates 24 hours per day, 7 days per week. 

48 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM on acceptable levels of risk. Information security criteria developed by the National Institute for Standards and Technology provide the baseline. SCADA systems associated with power plants are not always under the control of BOR. For example, some power companies control electric- ity generation while BOR controls the water flow. Good working rela- tionships among the various operators are critical for coordination on a routine basis and during a security-related incident. RESOURCES AND FUNDING Before the 9/11 attacks, Reclamation’s budget for security-related activities was about $1.35 million per year. After that, Congress gave Reclamation supplemental funding to make immediate security-related upgrades to its facilities. However, Reclamation has primarily funded the security program by redirecting resources from other programs, including dam safety and facilities maintenance (Table 2.1). This approach to fund- ing security has created internal tensions and resentment and may hurt the other programs over the long term. By law,10 the costs incurred by Reclamation to construct, operate, and maintain project facilities for the purpose of providing benefits to project beneficiaries (such as irrigation, municipal, and industrial water users and consumers of power generated at BOR facilities) may be either non­ reimbursable or reimbursable by those beneficiaries. Nonreimbursable costs are fully paid by the government. Reimbursable costs are recovered in full or in part from project beneficiaries in the form of annual repay- ments, sales of water and power, or advanced funding. For example, under the safety of dams program, the costs of some safety-related items are split between BOR (85 percent) and beneficiaries (15 percent). To supplement security-related funding and reduce pressures on other programs, Reclamation has sought to make some security-related activities, especially site security guards, fully reimbursable, thereby shift- ing the funding responsibility to water and power authorities and other beneficiaries. Reclamation currently devotes approximately $20-$21 mil- lion of its $50 million budget to paying for security guards. In its FY 2005 Conference Report, Congress instructed Reclamation not to seek reimbursement and to submit a report explaining the planned $30,259,000 in FY 2002 and $25 million in FY 2003. 10The Reclamation Project Act of 1939 provided authority for project costs to be allocated between reimbursable and nonreimbursable purposes, authorized a ceiling on charges to irri­ gators based on an ability-to-pay concept, and provided authority for the secretary to defer repayment obligations under certain circumstances. The act also provided for reimbursable project costs associated with irrigation or municipal and industrial purposes to be recovered through repayment or water service contracts (NRC, 2006). 

DESCRIPTION OF RECLAMATION’S SECURITY PROGRAM 49 TABLE 2.1  Reclamation’s Security Program Funding (thousands of dollars) FY FY FY FY FY FY FY 2007   2001 2002 2003 2004 2005 2006 Requested Site security 1,043 1,755 28,440 28,583 43,216 40,000 39,600 enacted budget Site security 30,259 25,000 supplemental Site security 1,043 32,014 53,440 28,583 43,216 40,000 39,600 subtotal Emergency 309 330 334 450 451 1,360 1,346 management subtotal   Total 1,352 32,344 53,774 29,033 43,667 41,360 40,460 expenditures. In FY 2006 Reclamation again proposed reimbursement of some costs. The FY 2006 Conference Report instructed Reclamation to col- lect $10 million in reimbursement instead of the $16.3 million that would otherwise have been reimbursed and requested another report. In FY 2007 Reclamation’s budget request includes full reimbursement for guard and patrol costs. The issue remains under discussion in 2008. REFERENCES Bureau of Reclamation (BOR). 1972. Federal Reclamation and Related Laws Annotated, Volumes I-III. Washington, D.C.: Bureau of Reclamation. BOR. 2005. Security Program. Washington, D.C.: Bureau of Reclamation. Homeland Security Exercise and Evaluation Program (HSEEP). 2007. Volume 1: HSEEP Over- view and Exercise Program Management. Available at https//:hseep.dhs.gov/­support/ VolumeI.pdf. National Research Council (NRC). 2006. Managing Construction and Infrastructure in the 21st Century Bureau of Reclamation. Washington, D.C.: The National Academies Press. Office of Management and Budget (OMB). 2007. Program Assessment. Bureau of ­ eclamation—Site Security. Available at www.whitehouse.gov/omb/expectmore/­ R summary/10003701.2005.html.