Securing Against Infrastructure Terrorism
Lawrence T. Papay
The two words in the title of this paper that are particularly important are “infrastructure” and “securing” or “security.” Each will be examined in turn.
What is infrastructure? Infrastructure includes all of the things we find around us on a day-to-day basis—buildings, roads, and highways as well as systems for water supply, sewage, electric power, oil, gas and communications. Attacks against a particular society will differ based on the level of technology employed by that society. In a rural society, the threat is generally of a more personal nature, since the attack is on a local level. In contrast, what we saw on September 11, 2001, was a highly visible terrorist act, perpetrated on a technologically advanced society with a degree of sophistication (commercial airliners used as “cruise missiles”), that was commensurate with the nature of the target.
Now, let us examine security. First, although science and technology will not solve all problems related to terrorism against the components making up a modern regional or national infrastructure, they can help in prevention, mitigation, and restoration if an attack or attacks are attempted or carried out. In other words, science and technology will help to reduce the threat of terrorism, but they cannot eliminate it. Unfortunately, terrorism has become a fact of life. Whenever there are dissatisfied people who are willing to give up their own lives or do not value human life, it will be difficult to eliminate the threat of terrorist attacks.
A specific point where science and technology can help is in the area of intelligence, by providing information about the potential for an act of terrorism to be conducted. For example, what is being done to sort through open-air communications—both e-mail and voice wireless—is rather startling both in quantity and in degree of sophistication. There are programs, such as Trailblazer at the National Security Agency, that look for keywords and matches. Some of the recent terrorism alerts have been based on information gathered through these programs.
There is another aspect that inexorably links infrastructure and security. The more sophisticated, complicated, or technologically evolved the infrastructure, that is, the more fragile it is, the more difficult it is to secure against terrorism and the greater the need for science and technology solutions. The latter was the particular challenge that we were confronted with at the National Academies in producing the report entitled Making the Nation Safer.[50] What can and should be done incrementally as society becomes more and more complex, sophisticated, and interdependent? How do you establish layers of protection because of increased vulnerability?
This paper will look at vulnerabilities, cost-effective science and technology strategies to affect the threat of attack, the various steps we would encounter if an attack were carried out, and possible areas of collaboration between India and the United States. For simplicity, science and technology strategies will be defined in terms of three steps in the process: prevention, mitigation, and restoration of physical infrastructure.
First, we need to define what constitutes vulnerabilities: how should vulnerabilities be characterized and assessed? Similarly, how should the effectiveness of the terrorist’s weapons be characterized and assessed?
Scale plays an important part in this analysis. On a local level, for example, at the village level, vulnerability is tied to the local community and the people who live there. Terrorist threats are played out locally, and vulnerability is measured in those terms. Straightforward and basic means of attack, such as bombs, rocket-propelled grenades, and gunmen, are used. In a more urban environment, more complex and sophisticated methods of delivery must be examined. Obviously, these methods require ways of defending against them. Urban terrorist threats are larger and more catastrophic in potential, but strangely enough, less personal in nature.
In a rural village, for example, cyberattacks are not a threat, so vulnerability is very low or nonexistent. This would be true for a significant portion of India, but not for the entire country. In Bangalore, a cyberattack or even a physical attack on local computer server farms could have a significant impact on a significant portion of the work force’s ability to function, resulting in a significant impact on the local economy. Again, as a society begins to get more complex and builds up an ever more complex and interdependent infrastructure—whether information technology (IT) or communications or electric power or a combination of the three—more complex, but fragile, targets for attack increase vulnerability and risk.
The following examples illustrate the fact that the process of assessing vulnerabilities requires the exploration of a series of scenarios. Catastrophic vulnerability can be viewed in a variety of ways. Perhaps the most obvious areas of vulnerability are high-value, high-visibility, high-consequence targets. Governmental buildings, religious sites, banks, and other major facilities become symbolic targets. Just as the World Trade Center was symbolic for the United States, and perhaps internationally, in India the attacks on Parliament and on temples are also symbolic.
Vulnerability extends far beyond the lives lost and the immediate physical damage. The impact of the September 11, 2001, attacks demonstrates this. They were horrific in terms of loss of life—3,000 people from 80 countries—and the destruction of the World Trade Center and the Pentagon.
[50] National Research Council. 2002. Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, National Academies Press, Washington, D.C. The report is available in PDF format at http://books.nap.edu/hml/stct/index.html.
The economic impact of the September 11, 2001, attacks was felt on several levels. With the destruction of all the buildings that made up the World Trade Center, the insurance industry was assaulted on several fronts. Historically, in major catastrophic events, whether man-made or natural disasters, the economic impact has been felt by one particular insurance pool (life, casualty, liability, or property) rather than more broadly across the entire industry. The insurance costs associated with the World Trade Center event are in the range of $60 to $80 billion, and that impact is being applied against every major insurance pool.
Cutbacks in travel and tourism after the September 11, 2001, attacks have had severe effects on these industries. In fact, several airlines in the United States have gone bankrupt and others have been brought to the brink of bankruptcy.
Consequential impacts also are significant. Fear, anger, and similar emotional impacts were manifest because of the symbolic nature of the attacks on September 11, 2001. In addition, the U.S. populace has experienced an increased sense of vulnerability and loss of freedom. If someone believes that his or her daily routine has been compromised by the actions of terrorists, whether in a rural town or at an international airport, there is a sense of loss of freedom. After the September 11, 2001, attacks, people in the United States have had to adapt to the threat of terrorism as a way of life.
This threat requires that adequate tools be available to do a meaningful assessment of risk and consequences.
Physical infrastructure refers to the various systems that are required to maintain our society in today’s world. This paper will simply highlight broad areas of physical infrastructure with the objective of identifying basic themes that may offer opportunities for collaboration. These broad areas include energy, the civil infrastructure of cities, water and wastewater, and transportation. For convenience, the discussion of energy infrastructure will be split into two parts: electric power and hydrocarbon fuels.
Energy: Electric Power
For electric power we need to look at the entire supply and delivery system: fuel supply, generation, transmission, distribution, and the control systems involved at each of these stages. From a systems approach, electric power can be generated by nuclear power, coal, oil, gas, wind, or biomass. The use of nuclear power to generate electric power has unique aspects. An attack on any one plant in the United States, whether successful or not, would probably prompt the Nuclear Regulatory Commission to shut down all civilian nuclear power plants until the attack and the vulnerability of nuclear plants was reexamined. An attack on a nuclear power plant would also have radiological consequences.
In looking at the vulnerabilities of the electric power system, it is clear that the plants that are actual generation facilities—be they coal-fired, gas-fired, or nuclear power—while attractive as large visible targets, are not per se major points of vulnerability. It is the disruption of the ability to deliver electric power to the end customer that causes the greatest vulnerability.[51]
The grid itself (and the control systems associated with it) is the most critical component in an electric power system. From a physical point of view within the grid, it is not the transmission towers, wires, and cables, but rather the substations that represent the greatest vulnerability. The substations, principally the transformers and their associated control systems, are the most vulnerable components because their failure has catastrophic effects on the ability to deliver electric power in a sustained manner. Extra high voltage (EHV) transformers are in limited supply, and while most utilities in the United States and around the world have some spare transformers available, their number is based on evaluating risks other than terrorist threats. Normally, only one, or possibly two, transformers would be kept on site.
The current philosophy of spares assumes that there might be a catastrophic loss of a transformer for a specific reason—an internal flaw, overheating, or a local natural disaster. If a transformer were lost, the installation of an available spare would cover the contingency. A well-planned terrorist attack would not occur at a single point, impacting a single transformer; rather it would be a multipoint attack. If we consider scenarios for multipoint attacks where each terrorist group involved had a high-powered rifle, rocket-propelled grenade, or a truck loaded with high explosives, then a significant number of transformers could be destroyed simultaneously. If such attacks were to occur in a country with a highly developed power grid, the power delivery capability of that country could be limited for months, if not years, because of a lack of spare transformers.
In addition to scenarios for physical attacks like those described above, we must also consider a potential cyberattack on the electric power system. A cyberattack on these systems would be similar to the general cyberattack that Seymour Goodman discussed earlier. Existing monitoring and control systems have some protection against generalized hacking, but terrorism scenarios are not contemplated in their design. It may be more appropriate to use something like a virtual private network (VPN) to interconnect control systems and equipment for data transfer.
Generally speaking, there is an energy management or state estimator system atop the hierarchy of intelligence and control of a power grid. This state estimation and control system calculates state estimates in quasi-real time. It estimates how the grid would react to the loss of one or two of the most critical (weakest link) components in a grid. These (n-1) or (n-2) contingency estimates are adequate for most cases of equipment failure or natural causes. However, a multipoint attack on an electric utility grid would be an (n-k) contingent event, one that the grid is not capable of handling. Can science and technology help to develop an algorithm that would allow the grid to recognize that it is under a multipoint attack and take action to preserve the grid as much as possible?
Deregulation, which was a contributing factor in the blackout in the United States on August 14, 2003, would have a similar negative effect in a multipoint terrorist attack. Before deregulation there were 25,000 transactions a year between utilities in the United States that were buying and selling electricity. With deregulation the number of transactions a year jumped to 2 million in only 5 years, representing an eightyfold increase in the number of interactions. Since deregulation, the state estimation algorithm is being asked to handle more numerous power transfers that cross any number of utility boundaries, with generators attempting to follow demand signals that are not based on local conditions. The electric power grid and its controls are now much more complex because of deregulation, and this directly increases the vulnerability of the grid to catastrophic loss. This was amply demonstrated on August 14, 2003, by the failure to recognize that parts of the grid were under severe stress and failing sequentially.
Energy: Hydrocarbon Fuels
The discussion on hydrocarbon fuels will focus on petroleum and natural gas. Coal is excluded because it does not have the same vulnerabilities to potential terrorist attacks as other hydrocarbon fuels. First, coal is mostly consumed in large facilities that keep extensive stockpiles on hand. Also, a significant attack on the coal transport system is difficult because it is redundant and diverse.
The same is not true for both petroleum and natural gas. These hydrocarbons have major potential vulnerabilities that run from production threats (both domestic and offshore) to extensive gathering, storage, and transportation systems. With petroleum, an extensive refining process is also involved. In addition, the distribution of both liquid and gaseous fuels requires extensive local storage and distribution systems. Thus, the logistic system for petroleum and natural gas extends for hundreds or thousands of miles and can have some components outside of a country’s national borders. This results in vulnerabilities that are much greater than those for coal.
Let us look closer at some of the vulnerabilities of the petroleum infrastructure. A simultaneous attack on one or several refineries would interrupt, at least in part, the adequate flow of products to the marketplace. We know from past experience that a disruption in the flow of gasoline causes price spikes and problems with availability. In fact, this would not be a highly vulnerable situation because it is rather a complicated process to attack and destroy an entire refinery. A refinery is made up of many trains producing product, so attacks have a very low probability of success.[52]
Having said that, a number of refineries have a unique vulnerability. It deals with a potential situation similar to what happened at Bhopal. This is not true in all refineries: it is not true for the very old or the very new refineries. It is true for a class of refineries that use toxic gases in the refining process. If these gases were released as a result of an attack, a catastrophic event similar to Bhopal would result. For this class of refineries, this vulnerability represents the greatest terrorist threat from petroleum although it is now less frequently used.
Obviously, the disruption of the supply of petroleum from offshore producers would have an economic impact. While the impact would be similar to that which was experienced during the gas shortages in the 1970s and early 1980s, the net result would not be characterized as catastrophic.
Threats to natural gas and electricity infrastructures look somewhat similar. In both cases you normally have production at a fixed point, transmission over long distances, “decompression” stations at city gates, and delivery through a distribution system. Therefore, all that was said above about electric power grids would be applicable to natural gas transmission and distribution systems. Dissimilarly, storage of natural gas is possible both on the transmission system and, locally, on the distribution system. Of course, electricity is unique in that it cannot be stored. It must be generated as it is needed. Its instantaneous nature as an energy source is, in fact, one of its vulnerabilities. For that reason, electricity is the most vulnerable of all energy infrastructures.
Civil Infrastructure: Cities
The other portion of the physical infrastructure encompasses civil systems, including cities, water and wastewater, and transportation. These areas may prove more fruitful for potential joint science and technology projects, since the United States and India have experienced attacks on buildings. While the attack on the World Trade Center was dramatic and highly visible, there have been a number of attacks on symbolic buildings in India as well. What are the lessons learned from these events? Do they offer us opportunities for collaborative efforts? The first thing that comes to mind is the way in which the response to the attack is handled.
First, communication and coordination are required. When the September 11, 2001, terrorist attacks occurred, the New York City Response Center was in the World Trade Center. So the ability of the fire and police departments within New York City to respond was hampered severely because there was no way to centralize and coordinate the actions of the first responders. The lesson to be learned is that redundant response centers are needed for just this sort of contingency. The lack of communication was another lesson coming from the World Trade Center disaster. There is a definite need to have common systems that will allow all parties to communicate seamlessly.
There are other considerations for first responders. They are asked to enter dangerous or hazardous situations, and they need to know in real time whether or not there are any toxic materials present. Whether it is asbestos, biological materials, or chemical materials, the first responder needs a real-time detection system that will alert him or her to the danger.
Regarding building structures, another lesson can be drawn from the attack on the Pentagon. The Pentagon was hit exactly at the point between a newly restored portion of the Pentagon and the old Pentagon. While there was damage to the newly restored section, there was no structural failure to that part of the building. The walls absorbed the energy of the crash. In contrast, the old Pentagon suffered severe damage. Its walls collapsed. Most of the loss of life was in the old part of the Pentagon. The lesson here is to incorporate blast-resistant designs and materials into high-profile buildings.
The September 11, 2001, experience showed us that we must revisit our assumptions of the way people should exit buildings, specifically in emergency situations. Again, there are lessons to be learned about the size and structural design of stairways, and the control of airflows within them.
Water and Wastewater
As a system, water has many of the same attributes that natural gas and electric power have, namely, a source of supply, a means of transport to urban areas and cities, local storage, and distribution. Generally speaking, the transmission portion of a water system is not as complicated as in the other two cases; however, attacks on water systems can be serious, especially in contamination of the water supply.
Water also has a flip side, namely wastewater: its collection, treatment, and disposal. The major threat here is the potential for large-scale contamination if the wastewater collection and treatment systems were rendered inoperative. This could lead to human health problems as well as to contamination of the receiving waters—rivers, lakes, and oceans.
Dams and reservoirs are special components of a water supply system. Reservoirs are multipurpose. They are used for freshwater supply, power, irrigation, and recreation. They are a very important part of our infrastructure. As such, their location is also a critical element. They may be targets of terrorism, since the failure of a dam may result in the catastrophic loss of life of people living downstream.
The interdependence of infrastructure systems was dramatically demonstrated by the August 14, 2003, blackout in the northeastern United States. Parts of the city of Cleveland, Ohio, were without a freshwater supply for 5 days because the only means of delivering water required pumping and the only power supply for the pumps was from the power grid that was completely down. Fortunately, the existence of a bottled water infrastructure meant that there was water at least for drinking purposes.
In recent years, elements of the transportation system have become the mechanisms for terrorist attacks. On September 11, 2001, commercial airliners were used as cruise missiles. The automobile has become a favorite mechanism of terrorists in such places as India, Iraq, Israel, and Palestine. Ground transport is a favored approach for bringing terror to a local population, whether by planting explosive materials on a bus or by a suicide bomber boarding a bus or driving a vehicle into a crowded venue or building.
Terrorism by means of transportation systems is very difficult to prevent because these systems generally are open systems. While security at airports and on airplanes has been greatly strengthened, most other transportation systems, for example, roads, rail, ships, are open. The situation is compounded by the large diversity of owners of the various transportation systems. There are fixed systems such as airports, railroads, and highways that are generally owned by governmental bodies. The vehicles—airplanes, ships, trains, and trucks—that are used within the fixed systems are generally owned by private entities. Transportation is vast, it is diverse, and it is global. It is integral to the global economy.
SCIENCE AND TECHNOLOGY OPPORTUNITIES: RISK ASSESSMENT
It was mentioned earlier that there is a need to prioritize the vast number of possible terrorist scenarios. Everything cannot be done at once. How can we go about systematically ordering and making decisions about the parts of the fabric of society that should be considered first? How do we apply limited resources to a wide set of threat scenarios? To accomplish this requires that adequate tools be available to do a meaningful assessment of risk and consequences.
Quantitative risk assessment (QRA) methodology will allow decision makers to prioritize risks and vulnerabilities so that they can be dealt with in an orderly fashion. Risk assessments have been used in a variety of industries. They have been used most extensively in the commercial nuclear power industry to do low-probability, high-risk assessments of damage in nuclear plants. The chemical and transportation industries have also used QRAs to some extent.
The basic approach to QRAs involves answering three questions:
What can go wrong?
What are the consequences?
What is the probability that the scenarios will occur?
Thus, a QRA analysis has three parts:
threat assessment to analyze the initiating events of a terrorist attack
systems analysis to define the damage states of the system being attacked
The output is translated into a structured scenario connecting the initiating events with the end states. To carry out QRAs for a wide variety of possible threats is a daunting task. It may be an area of possible cooperation between the United States and India.
SCIENCE AND TECHNOLOGY OPPORTUNITIES: NEAR TERM
What are the science and technology options for strengthening the various infrastructures discussed above? For cities, one of the areas that is most in need of immediate attention is the ability to respond to catastrophic events. There is a need for simulation models, improved communications, and associated training. There is also a need to conduct systems analyses of responses to events in both space and time.
For transportation systems, there is an immediate need for intelligent “information agents” for cargo. These agents would include a combination of global positioning systems and sensors to detect intruders and, possibly, the presence of certain materials as well as shipping documents detailing the contents. Such agents would be installed on every freight car in a rail system, every container on a ship, and every container transported by truck. Thus, one could monitor at every point in time exactly where each container or rail car is, what it contains, its destination, and whether there has been any attempt to tamper with or enter it. The various pieces of the so-called intelligent agent exist today and have been used on a limited basis. Efforts are under way to marry these various components into the type of agent I have described.
Cargo scanning technology is complementary to the intelligent agents. While cargo scanners do exist, there is a need to integrate various components into a “one-stop shop” to monitor for specific items or radioactivity. The scanning equipment should be located at the point of embarkation of the container to prevent lethal weapons from reaching their intended destination. What good would it be to identify a nuclear weapon in a container as you offload it in New York Harbor?[53]
Transportation technology needs to extend beyond the cargo. There is a compelling need to develop means of rapidly identifying people, checking them and their luggage. Although there are systems in place today, the sheer numbers of people and locations are daunting. The use of biometrics would greatly alleviate this problem, while increasing the confidence level of the security forces.
Rapidly deployable barriers to keep underground structures and tunnels from being flooded are another need. Such barriers would be deployed if an attack was imminent or had begun.
Reliability standards are not mandatory and are applied unevenly in most countries. The results of the power outage in the northeastern United States on August 14, 2003, demonstrated the need to do something in this area. There is a definite need for a grid to increase its resilience at the onset of an outage. The use of QRA would be an asset.
To repel physical attacks and cyberattacks, existing physical security and cybersecurity technologies can be applied. Generally, physical barriers at facilities were installed to keep people out for their own safety. Keeping people out for safety reasons and keeping them from intruding because they want to do physical harm to equipment are two separate matters. For example, a fence surrounding a substation will not deter terrorists. They can fire a high-velocity bullet or a rocket-propelled grenade into a transformer from far away, or they can drive a truck loaded with explosives through a fence. Therefore, the hardening of critical facilities is a must.
In substations, various components can be upgraded or modernized to be able to react to sudden changes in power over transmission lines when the line is under electrical stress. New electronic, solid-state devices called FACTS (Flexible Alternating Current [AC] Transmission Systems) can be used. The various FACTS devices are based on the use of solid-state power electronic controllers and thyristors, which provide fast-acting control capability to allow[54]
greater control of power flows (elimination of parallel path or “loop flow”)
loading of transmission lines closer to their thermal limits
greater power transfer capability (thereby reducing reserve requirements)
prevention of cascading outages (by limiting failure consequences)
damping of power system oscillations
FACTS devices are derived from technology developed in the 1960s for high-voltage direct current applications. They have been introduced into AC systems on a limited basis over the past 10 to 15 years. The devices include static volt-ampere reactive (VAR) compensators, static synchronous compensators, static synchronous series compensators, thyristor-controlled braking resistors or series capacitors or reactors, thyristor-controlled voltage regulators, phase-shifting transformers, and unified power flow controllers. In addition to the control capabilities themselves, it should be recognized that these devices are electrical in nature and, as a consequence, can act much faster than the current state-of-the-art electro-mechanical devices (circuit breakers, switches, relays, and so forth).
One major added feature of FACTS devices is their ability to increase power flows over existing lines and measurably add to the overall reliability of power systems. It is possible that a study of the use of FACTS systems within the Indian power grid may be beneficial.
For oil and gas, there is a need to look at process technology at specific refineries to mitigate the risk of toxic gas release. Beyond that, what is mentioned for electric power applies equally to oil and gas systems.
SCIENCE AND TECHNOLOGY OPPORTUNITIES: LONG TERM
Cities and Fixed Infrastructures
One of the most important needs is for advanced sensors to aid the people put in harm’s way, namely first responders. They are being asked to respond to situations in which they may not know exactly what is present. The vision here is a sensor that would be located on their body that could indicate that they have a particular chemical or biological agent in their environment and that they need to take certain precautions. If we do not do this, it makes it a lot more difficult to ask first responders to go into burning buildings or to other locations.
This same class of sensors would be useful in the heating and ventilating systems of hotels, large office buildings, and banks. Since the air in large buildings tends to travel some distance from the intake and fan system, one could include intelligence with the sensor that would cause action to be taken. For example, if some danger were detected, the damper would close before the air is delivered to habitable spaces, similar to what is done in nuclear plants today.
For transportation, the main focus has to be on a systems approach to the development and rollout of a coherent layered transportation security system. Many of the parts of this system were discussed above. It will involve advanced sensors and biometrics as well as intelligent agents. With the development and marrying of technologies, more sophistication will be possible. For example, the intelligent agent for a truck cargo container may include a “permissive” that allows only a select number of people to drive a particular truck and requires that an eye scan be done for confirmation. There are many ways to bring together technology to minimize potential terrorist threats.
The most important technological need is for an intelligent, adaptive power grid. We need to develop a state estimation program that can sense in real time that the grid is undergoing simultaneous attacks to selected key components. As a result, it would automatically adopt an islanding scheme to keep as much of the system up as possible. This would mitigate the effects of an attack. The modernization of the grid is required to accomplish this.
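The recognition step described here, and asked for in the earlier discussion of (n-1)/(n-2) state estimation, can be sketched as follows. This is an added example, not part of the paper: the eight-bus network, the 300-second window, and the outage logs are constructed, and a substation trip is modelled as loss of the bus and its lines, with a simple generation-versus-load balance standing in for a power-flow calculation.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed 8-bus toy network (not a real grid): bus -> (generation MW, load MW)
BUSES = {"A": (400, 100), "B": (0, 150), "C": (0, 120), "D": (300, 80),
         "E": (0, 200), "F": (0, 90), "G": (250, 60), "H": (0, 110)}
# Constructed transmission lines between substations.
LINES = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "F"),
         ("F", "G"), ("G", "H"), ("H", "A"), ("B", "F"), ("C", "G")]

PLANNED_K = 2    # the grid is planned for (n-1)/(n-2) contingencies, per the text
WINDOW_S = 300   # assumption: forced trips within 5 minutes count as simultaneous


@dataclass(frozen=True)
class Outage:
    t: int            # seconds since the start of the log
    substation: str   # bus that tripped out of service (unplanned)


def classify(events, window_s=WINDOW_S):
    """Return (k, substations) for the densest time window of forced outages."""
    window, best = deque(), set()
    for e in sorted(events, key=lambda e: e.t):
        window.append(e)
        while e.t - window[0].t > window_s:
            window.popleft()
        subs = {w.substation for w in window}   # repeated trips count once
        if len(subs) > len(best):
            best = subs
    return len(best), best


def islands(lost):
    """Connected groups of surviving buses once the lost buses are removed."""
    adj = defaultdict(set)
    for a, b in LINES:
        if a not in lost and b not in lost:
            adj[a].add(b)
            adj[b].add(a)
    seen, groups = set(), []
    for bus in BUSES:
        if bus in lost or bus in seen:
            continue
        group, stack = set(), [bus]
        while stack:
            n = stack.pop()
            if n not in group:
                group.add(n)
                stack.extend(adj[n] - group)
        seen |= group
        groups.append(group)
    return groups


def islanding_plan(lost):
    """Per island: generation, load, and load to shed so supply covers demand."""
    plan = []
    for group in islands(lost):
        gen = sum(BUSES[b][0] for b in group)
        load = sum(BUSES[b][1] for b in group)
        plan.append({"buses": sorted(group), "gen": gen, "load": load,
                     "shed": max(0, load - gen)})
    return sorted(plan, key=lambda p: p["buses"])


def respond(events):
    """Stay in normal contingency handling up to n-2; island on an n-k event."""
    k, subs = classify(events)
    if k <= PLANNED_K:
        return {"state": f"n-{k}", "multipoint": False, "plan": []}
    return {"state": "n-k", "k": k, "multipoint": True,
            "plan": islanding_plan(subs)}


# Constructed logs: two trips close together, and four separate substations
# tripping within 200 seconds (one of them reported twice).
LOG_FAILURE = [Outage(0, "C"), Outage(120, "E")]
LOG_MULTIPOINT = [Outage(1000, "B"), Outage(1010, "D"), Outage(1090, "F"),
                  Outage(1090, "F"), Outage(1200, "H")]

if __name__ == "__main__":
    for name, log in (("failure", LOG_FAILURE), ("multipoint", LOG_MULTIPOINT)):
        print(name, respond(log))
```

In the multipoint log the surviving buses split into three islands; the one with no generation sheds its whole load, while the other two stay energized.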
Today the grid is a mélange of equipment, some of which dates back nearly 100 years. In one sense the electric power system in just about any country is at the same point that telephone switching was at 40 years ago in transitioning from electromechanical systems to solid-state electronic systems. The transformation of electric power grids from clumsy, slow-acting, electromechanical devices to electronic ones will make the adaptive grid a reality.
One last electric power technology worth mentioning is the modular EHV transformer. Historically, utilities have just a few spare transformers in stock in the event of an outage. Obviously, the planning for spares has not considered the potential need for a large number of transformers at the same time. Given that fact, and the long lead time for the manufacture of new transformers, the concept of a modular, portable, universal EHV transformer makes sense. It would not be the most efficient, most economical unit, but several of these transformers could be held at utility or regional locations to be used in emergencies and if terrorist attacks occur. Their sizing should be dictated by the ability to move them quickly and conventionally by truck to the places where they are needed.
Data Mining and Evaluation
Technology exists, and all parties want to use it to their advantage. This includes terrorists. Terrorists are going to become more intelligent and use technology for their benefit; thus, it behooves us to use technology to our advantage and to always keep at least one step ahead of the opposition.
One of the stated goals of this symposium was to select items for potential collaboration. The major themes addressed in this paper are listed in Box 11-1. The interdependency of the various infrastructures cannot be overlooked. Serious thought needs to be given to this subject and to approaches to mitigate the effects of terrorist threats to major urban infrastructure systems.
QRA is a logical first step to facilitate the prioritization of science and technology needs. C3, planning, modeling, simulation, and training are needed for first responders as well as for the major players in each of the infrastructures. Sensors and intelligent agents are more important for transportation, fixed infrastructure (buildings), and first responders, but their applicability is fundamental to improving security. Finally, surveillance and materials are needed quite broadly.
There are several recommendations for collaboration that are worthy of further discussion between India and the United States. First, QRA is valuable in helping to set science and technology priorities. Second, given the scientific talent that exists in both countries, bilateral efforts would also be worthwhile on the topic of biometric identification technologies. Studies on the use of FACTS-based technology for power grids would also be worthwhile. Finally, a review of blast- and fire-resistant materials and the design of safer buildings (egress in emergencies, ventilation systems, and so forth) are excellent topics for discussion.