Security 101: A Physical Security Primer for Transportation Agencies (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

In today’s transportation operating environment, risk management is the appropriate start- ing point for any decisionmaking regarding homeland security. Before any plans are made or any money spent, security planners must know about the risks confronting the agency and the tactics or techniques available to them to respond to existing or potential homeland security challenges. This chapter offers a conceptual overview of risk management and then differenti- ates between risk management and risk assessment so as to eliminate some of the confusion asso- ciated with nomenclature. The chapter then summarizes the basic steps in the risk assessment process and describes transportation-related threat and vulnerability analysis and the perfor- mance of security surveys. (Critical asset identification is summarized, but is discussed in depth in Chapter 5, Infrastructure Protection.) So, what is risk management and how does it differ from risk assessment or vulnerability assessment? Understanding these relationships is essential to establishing an effective homeland security and defense strategy. In practice, the terms are often confused or used interchangeably, creating unnecessary communication difficulties. Risk management consists of the spectrum of activities that a transportation agency can take to resolve identified risks (see Figure 1-1). Such activities include the following: • Risk avoidance, accomplished by eliminating the source of the risk; • Risk reduction, characterized by the implementation of actions that lower the risk to the agency; • Risk spreading, through the distribution of risk across various program areas or activities; • Risk transfer, by the use of insurance to cover costs that would be incurred as the result of a loss; and • Risk acceptance, which reflects a knowledgeable determination that a risk is best managed by taking no action at all. Risk assessment steps can be summarized as follows: 1. Identification and valuation of assets, 2. Enumeration of credible threats to those assets, 3. Documentation of applicable vulnerabilities, 4. Description of the potential consequences of a loss event, and 5. Production of a qualitative or quantitative analysis of resulting risks. Risks generally are reported in order of priority or severity and attached to some description of a level of risk. Risk assessment answers the questions: What can go wrong? What is the likeli- hood that it would go wrong? What are the consequences? 3 C H A P T E R 1 Risk Management and Risk Assessment

The three components of risk assessment are threat assess- ment, vulnerability assessment, and consequence assessment. The U.S. Department of Homeland Security (DHS) defines threat assessment as “a systematic effort to identify and evaluate existing or potential terrorist threats to a jurisdiction and its target assets.” More broadly, security threat assessments for transporta- tion agencies should consider all threats of criminal activity, as well as terrorist activity. Threat definition has two areas of focus: • Potential threat scenarios and • Identification of likely adversaries, tactics, and capabilities. DHS defines vulnerability assessment as “the identification of weaknesses in physical structures, personnel protection systems, processes, or other areas that may be exploited by terrorists.” Such weaknesses can occur in facility characteristics, equipment prop- erties, personnel behavior, locations of people and equipment, or operational and personnel practices. Consequence assessment is an analysis of the immediate, short- and long-term effects of an event or event combination on an asset—that is, it is an estimate of the amount of loss or damage that can be expected. In a research project concluded in 2008, con- sequence assessment, rather than the more normative use of threat assessment information, is used as the basis for risk-based decisionmaking for transportation agencies. As stated in the preface to NCHRP Report 525, Volume 15: 4 Security 101: A Physical Security Primer for Transportation Agencies Source: Adapted from Vulnerability Assessment of Physical Protection Systems – Mary Lynn Garcia Sandia National Laboratories ** The use of insurance to transfer all or parts of liability to another business or entity is one of the traditional market mechanisms for estimating, pricing, and distributing risk. Risks related to natural hazards such as fire, earthquake, or flood have been identified and assessed and quantitative actuarial data about these types of incidents has been amassed as a means to valuate potential losses. However the process of understanding and managing terrorism risk is at its very beginning with the insurance industry now struggling to evaluate this relatively new threat. Currently terrorism risk insurance is available only on a limited basis because there is relatively little experience or actuarial data from which to draw conclusions. Prospective buyers of terrorism risk coverage do not have a reasonable basis for estimating their insurance needs. Similarly, sellers of insurance do not have a reliable means for costing out terrorism risk coverage. Figure 1-1. Risk management/risk mitigation structure. Risk is a Function of Vulnerability and Consequence Risk = [Threat × Vulnerability] × Consequence Threat is a measure of the likelihood that a spe- cific type of attack will be initiated against a specific target Vulnerability is a measure of the likelihood that various types of safeguards against threat sce- narios will fail Consequence is the magnitude of the negative effects if the attack is successful Source: Volpe Risk Assessment and Prioritization, Volpe Journal, 2003, pg. 13

The Guide deploys a consequence driven methodology to provide a capital budgeting tool for senior transportation agency management. The Guide supplies a means to compare disparate asset classes across a range of threats and hazards on a common scale and establish risk levels for planning. It then provides guidance with regard to the development of a countermeasure program to approach threats and hazards selected by the user as likely to occur in their jurisdiction. Vulnerability assessment is also essential to risk assessment. In terms of security, it is an eval- uation, using either quantitative or qualitative criteria, to do the following: • Predict the overall effectiveness of a system, • Identify system weaknesses, and • Define existing asset protection capabilities against specific threat scenarios and actors. All risk assessment reflects the need to identify critical assets requiring security and protec- tion. Critical assets include the people, property, and information assets required to enable a transportation agency to execute its primary responsibilities, activities, and functions. Trans- portation agencies are complex organizations that must integrate many different functional, technical, and operating components and systems. Integration includes physical aspects of the transportation infrastructure and integration of business- and customer-related processes. Safety and reliability, operating policies and procedures, maintenance, training, and customer needs are all important system attributes that affect critical asset identification. All systems consist of an integrated collection of smaller systems or subsystems. How these systems or sub- systems are engineered determines how effectively a transportation agency performs. Assets should be considered critical based on their value as determined by the organization and the short- and long-term consequences of their loss, damage, or destruction. The research per- formed under NCHRP Project 20-59(17) can help transportation agencies in accomplishing this by the inclusion of a “data threshold model” that helps formulate consequence “thresholds” to determine and prioritize what represents an acceptable or unacceptable occurrence. FEMA’s ref- erence manuals, 426 Reference Manual to Mitigate Potential Terrorist Attacks against Buildings, Dec 2003 and 427 Primer for Design of Commercial Buildings to Mitigate Terrorist Attacks, Dec 2003 pro- vide similar support in the area of buildings and other facilities. DHS states, “Criticality assess- ments help planners determine the relative importance of assets, helping to prioritize the allocation of resources to the most critical assets.” Factors affecting the criticality of assets include • Loss and Damage Consequences—casualty risk (threat to life and limb), environmental impact, replacement costs, and replacement/down time; • Consequences to Public Services—emergency response functions, government continuity, and military importance; and • Consequences to the General Public—available alternatives, economic impact, public health impact, functional importance, and symbolic importance. Identification of critical assets must be undertaken before the performance of a risk assess- ment or in particular the vulnerability assessment part of the analysis. There are four “system risk views” that represent different ways to capture data about the critical infrastructure of transportation systems: • Modal View. The modal view treats all classes of assets within a mode as a system. Infrastruc- ture information in the modal view is categorized by interdependencies and supply implications that are specific to a particular mode of transportation. In addition to focusing on individual assets, nodes, and links, information specific to the modal view includes how those assets, nodes, and links interact within the mode and with other modes, their emergent properties and governing principles, or legislative information with specific modal impact. • Geographic View. The geographic risk view compiles transportation infrastructure data within specific regions of the Nation. The boundaries of those regions may vary based on the Risk Management and Risk Assessment 5

purpose and necessary parameters of an assessment. Because regions may contain markedly different assets and systems, the risks to those systems and the types of data collected from those regions will differ as well. Data collection in this view will allow an information set to be defined by what is physically located in that region and the processes or policies affecting the specific region. Therefore, assets, links, nodes, and emergent properties within a defined geo- graphic area are evaluated as an integrated system. • Functional View. The functional view of data collection assesses the function a system fulfills in the supply chain. Examples of a functional view of systems include all of the assets, links, nodes, processes, policies, and emergent properties associated with deliver of – Critical medicines, – Chlorine for drinking water or other purposes, or – Heating oil to the Northeast. By examining the function a system plays in society, the critical aspects of the system can be measured. This view is useful in identifying interdependencies with other critical infrastructure. • Ownership View. The ownership view examines information on ownership of assets, includ- ing the owner/operators decision structure, policies, and procedures, and recognizes those assets owned by the same entity as an integrated system. The Transportation Systems Sector-Specific Plan of the National Infrastructure Protection Plan (May 2007) identifies the individualized transportation agency approach to asset identification as the “ownership view.” Threat Assessment Threat analysis associated with both terrorism risk assessment and risk insurance has focused on • Threat types and • A combination of adversary motivations and capabilities. By approaching analysis in this way, transportation agencies can identify protective strategies that result in actions that deter the actual threat, mitigate vulnerabili- ties, and minimize the consequences of an attack. Threat Types The main categories of homeland security threats against transportation infrastructure are as follows: • Explosives, • Weapons of mass destruction, • Armed assault, • Arson, and • Cyber attacks. Using primarily international terrorist incidents as a historical frame of reference, experience has identified the following categories to describe terrorism-related event types related to phys- ical security: • Improvised Explosive Device (IED), • Vehicle Borne Improvised Explosive Device (VBIED), • Chemical, Biological, Radiological, Nuclear (CBRN), and • Armed Assault. 6 Security 101: A Physical Security Primer for Transportation Agencies Source: National Infrastructure Protection Plan, 2006 pg 7

Explosives Explosives include both conventional explosives devices (CE) and improvised explosives devices (IEDs). CE is made of components such as Trinitrotoluene (TNT), Semtex, or Plastic Explosives (C4) manufactured either by industry or the military. IEDs can be made of the same commercial or military components or other improvised materials such as ANFO (Fertilizer Bomb), or compounds featuring Ammonium Nitrate with Aluminum, Sugar, or Potassium Chlorate. In the transportation environment, the occurrence of attacks of this type is considered as more likely than for other types of threats. Explosives cause an instantaneous or almost instantaneous chemical reaction, resulting in a rapid release of energy. The energy is usually released as rapidly expanding gases and heat, which may be in the form of a fire- ball. The expanding gases compress the surrounding air, creating a shock or pressure wave. The pressure wave can cause structural damage, while the fireball may ignite other building materials leading to a larger fire. Explo- sives can cause the destruction of assets within a facility, structural damage to the facility itself, and injuries or fatalities. Explosions may start a fire, which may inflict additional damage and cause additional injuries and fatalities. The type and amount of explosive material used and location of the explosion will determine the over- all impact. Two methods of delivery of CEs or IEDs deserve particular attention—Vehicle Borne Improvised Explo- sives Devices (VBIEDs) and Suicide Bombings. According to the State Department’s Bureau of Diplomatic Security, VBIEDs are “far and away the weapon of choice for terrorist attacks.” Vehicles provide conceal- ment for the bomb as well as the delivery method. As Table 1-1 indicates, concealing a 200- to 500-pound bomb in a sedan is relatively easy. Risk Management and Risk Assessment 7 Threat Description Explosives Mass 1 (TNT equivalent) Building Evacuation Distance2 Outdoor Evacuation Distance3 Pipe Bomb 5 lbs 2.3 kg 70 ft 21 m 850 ft 259 m Suicide Belt 10 lbs 4.5 kg 90 ft 27 m 1,080 ft 330 m Suicide Vest 20 lbs 9 kg 110 ft 34 m 1,360 ft 415 m Briefcase/Suitcase Bomb 50 lbs 23 kg 150 ft 46 m 1,850 ft 564 m Compact Sedan 500 lbs 227 kg 320 ft 98 m 1,500 ft 457 m Sedan 1,000 lbs 454 kg 400 ft 122 m 1,750 ft 534 m Passenger/Cargo Van 4,000 lbs 1,814 kg 640 ft 195 m 2,750 ft 838 m Small Moving Van/ Delivery Truck 10,000 lbs 4,536 kg 860 ft 263 m 3,750 ft 1,143 m Moving Van/Water Truck 30,000 lbs 13,608 kg 1,240 ft 375 m 6,500 ft 1,982 m H ig h Ex pl o s iv e s (T N T Eq u iv a le n t) Semitrailer 60,000 lbs 27,216 kg 1,570 ft 475 m 7,000 ft 2,134 m 1 Based on the maximum amount of material that could reasonably fit into a container or vehicle. Variations possible. 2 Governed by the ability of an unreinforced building to withstand severe damage or collapse. 3 Governed by the greater of fragment throw distance or glass breakage/falling glass hazard distance. These distances can be reduced for personnel wearing ballistic protection. Note that the pipe bomb, suicide belt/vest, and briefcase/suitcase bomb are assumed to have a fragmentation characteristic that requires greater standoff distances than an equal amount of explosives in a vehicle. Source: Adapted from Improvised Explosive Device (IED) Safe Standoff Distance Cheat Sheet, National Ground Intelligence Center US Army Unclassified Table 1-1. Evacuation distance by threat and explosive mass.

Suicide bombings are characterized as an attack on a target in which an attacker intends to kill others, knowing that he or she will either certainly or most likely die in the process. The means of attack have included vehicles filled with explosives, passenger planes carrying large amounts of fuel, and individuals wearing explosives-filled vests. Weapons of Mass Destruction Weapons of Mass Destruction or Effect (WMD)/(WME) include chemical, biological, radio- logical or nuclear (CBRN) devices designed to inflict mass casualties. Harmful chemicals available for use as terrorist weapons include warfare agents developed for military use, nerve agents (e.g., Sarin and VX), blister agents (e.g., Mustard), blood agents (e.g., Hydrogen Cyanide), and choking agents (e.g., Chlorine and Phosgene). Also of concern are toxic industrial and commercial chemicals manufactured in the mak- ing of petroleum, textiles, plastics, fertilizers, paper, foods, pesticides, household cleaners, and other products. From a transportation perspective, these types of chemicals, known as hazardous materials (HazMat), are particularly important because freight railroads and high- ways are used to transport them in large quantities, often through high population density areas. For passenger, commuter, or transit agencies that share railroad lines with these carri- ers, protective strategies designed to reduce the risks associated with transport are a high priority. Finally there are the chemical toxins of biological origin such as Botulinum or Ricin. These are highly toxic products of plants, animals, and bacteria. They can be natu- rally occurring or prepared in a laboratory. Botulinum toxin is the most poisonous sub- stance known to science. Chemical agents can be released in the form of poisonous gases, liquids, or solids. Typically liquids and vapors are more lethal than solids. Chemical agents are usually fast acting, with the major exception of mustard agents for which symptoms appear hours after exposure. Poisoning by chemicals is not contagious, but the presence of residual chemical agents on the skin or cloth- ing of an exposed individual can cause others to be affected. Once the agent is neutralized or removed, the illness stops spreading. The toxicity, measured in parts per million (PPM) and con- centration of a chemical agent determines the severity of an attack. Chemical agents are typically more deadly in confined or crowded areas such as buildings or subways. They can be deployed by spraying with wet or dry aerosol sprayers, vaporizing the chemical for release, using an explo- sive device to disperse the chemical, pouring, or contamination of food, water, or another ingestible such as pharmaceutical drugs. The toxicity of chemicals varies greatly. Some are acutely toxic (cause immediate symptoms); others are not very toxic at all. Table 1-2 lists the effects and treatment of some chemical weapons developed for military use. The varying toxic- ity of chemicals is listed in Table 1-3. Weaponized biological agents are naturally occurring microbes or microorganisms deployed in their existing state or modified to increase virulence, designed to cause mass casualties through disease and death. The Centers for Disease Control and Prevention (CDC) groups biological agents into three categories (A, B and C), based on factors such as availability, capability of dis- semination, mortality or illness rates and impact on the public health system. Category A agents include Anthrax, Botulinum Toxin, Plague, Smallpox, Tularemia, and Viral Hemorrhagic Fevers (e.g., Ebola, Marburg virus, Lassa, and Machupo). These “highest priority agents” are the so-called “bio-weapons” because they provide the building blocks for weaponization. Category B agents include Brucellosis, Epsilon Toxin, Food Safety Threats (e.g., E. coli 0157:H7, Salmonella, Shigella), Glanders, Melioidosos, Psittacosis and Q Fever, Ricin Toxin, and Staphylococcal Enterotoxin B [SEB], Typhus Fever, Viral Encephalitis, and Water Safety Threats (e.g., Cholera, Giardiasis, and 8 Security 101: A Physical Security Primer for Transportation Agencies

Risk Management and Risk Assessment 9 Cryptosporidiosis). Scientists have experience with Category B agents as infectious diseases but are unclear about their potential for weaponization. Category C agents include emerging infectious diseases such as Nipah virus and Hantavirus. Biological agents are grouped as being either (1) infectious or (2) infectious and contagious. A microorganism that causes infectious disease invades the body, making the person sick by attacking organs or cells. Sometimes called pathogens, these microscopic organisms include both viruses and bacteria. There is usually a delay in the onset of symptoms—an “incubation period.” Diseases that are both infectious and contagious can be caught by a person who comes in contact with someone else who is infected. The level of contact required to transmit the illness between people can be slight—through a sneeze or cough. But the contagiousness of a particular disease has nothing to do with the seriousness of the illness. For example, both plague and the com- mon cold are both highly contagious, but plague is a much more serious disease. Some infectious diseases are not contagious at all such as Botulism or Tularemia. Biological agents can enter the body through absorption, inhalation, ingestion, or injection. Bio- logical weapons can be prepared for delivery in wet or dry form. Delivery can be through aerosol sprayers; explosive devices; trans- mission through insects, animals, or humans; introduction into food or water; or, in some cases, on or inside of objects (e.g., anthrax in envelopes). Table 1-2. Effects and treatment of some chemical weapons developed for military use. Source: Chemical Attack Warfare Agents, Industrial Chemicals and Toxins, National Academy of Sciences 2004 Table 1-3. Varying toxicity of chemicals. Source: Chemical Attack Warfare Agents, Industrial Chemicals and Toxins, National Academy of Sciences 2004

Table 1-4 outlines the disease, incubation period, and symptoms for selected Category A and Cat- egory B biological agents. Concern exists about the potential for a terrorist attack involving radio- active materials, possibly through the use of a Radiological Dispersion Device (RDD). The best known type of RDD is a “dirty bomb,” a device that uses a conventional explosion to disperse radioactive material so that the blast will contaminate an area with radioactive particles. RDDs include other means of dispersal such as opening a container of radioactive materials in a populated area or dispersing powdered or aerosolized materials using sprayers or even airplanes. Radioactive isotopes are considered to have either a high-level or low-level of radioactivity. This is based on the rate of radioactive decay. The faster an isotope decays, the faster it releases, and exhausts, its radiation. The radioactivity of a mass of material is measured in Curies (Ci; 1 Ci = 3.7 × 1010 disintegrations per second). Cobalt-60 (the number is the number of neutrons plus protons in the atom’s nucleus), with a half-life of 5.3 years, is highly radioactive; uranium-235, with a half-life of over 700 million years, is not. High-level radioactive materials are difficult for terrorists to acquire so there is a greater chance that the radioactive materials used in a dirty bomb would come from low-level radioactive sources. Low-level radioactive sources are found in hospitals, on construction sites, and at food irradiation plants. If low-level radioac- tive sources were to be used, the primary danger from a dirty bomb would be the blast itself. Most dirty bombs and other RDDs would have very localized effects, ranging from less than a city block to several square miles. The effective range would depend on factors such as the 10 Security 101: A Physical Security Primer for Transportation Agencies Source: Biological Attack Human Pathogens, Biotoxins, and Agricultural Threats, National Academy of Sciences, 2005 Table 1-4. Onset, health impacts, and treatments for some agents of concern.

amount and type of material, method of dispersal, and local weather conditions. According to the CDC, “at the levels created by most probable sources, not enough radiation would be present in a dirty bomb to cause severe illness from exposure to radiation.” Radiation is energy moving in the form of particles or waves. Examples of electromagnetic radia- tion are heat, light, radio waves, and microwaves. Radiation strikes peo- ple constantly, but most of it, like radio waves and light, is not “ion- izing,” meaning it does not have enough energy to damage cells sig- nificantly. Ionizing radiation is a very high-energy form of electromag- netic energy that can adversely affect health in the human body. The extent of the effect depends on the amount of energy absorbed meas- ured in “rem.” Higher doses pro- duce direct clinical effects, including tissue damage, radiation sickness and, at very high levels, rapid death. With chronic low-level exposure, no clinical effects are observed, but the exposed individual may have an increased lifetime risk of developing cancer. Common types of radio- active materials include Cobalt-60, Strontium-90, and Plutonium-238. What is ionizing radiation? When radioactive elements decay, they produce energetic emissions (alpha particles, beta particles, or gamma rays) that can cause chemical changes in tissues. The average person in the United States receives a “background” dose of about one-third of a rem* per year—about 80% from natural sources including earth materials and cosmic radiation, and the remaining 20% from man-made radiation sources, such as med- ical x-rays. There are different types of radioactive materials that emit different kinds of radiation: Gamma and x-rays can travel long distances in air and can pass through the body exposing internal organs; it is also a concern if gamma- emitting material is ingested or inhaled. Beta radiation can travel a few yards in the air and in sufficient quantities might cause skin damage; beta-emitting material is an internal hazard if ingested or inhaled. Alpha radiation travels only an inch or two in the air and cannot even penetrate skin; alpha-emitting material is a hazard if it is ingested or inhaled. *A rem is a measure of radiation dose, based on the amount of energy absorbed in a mass of tissue. Dose can also be measured in Sieverts (1 Sievert = 100 rem) Source: Radiological Attack, Dirty Bombs, and Other Devices, National Academy of Sciences, 2004 Risk Management and Risk Assessment 11 What are some common radioactive materials used in our society? GAMMA EMITTERS Cobalt-60 (Co-60)—cancer therapy, industrial radiography, industrial gauges, food irradiation. Cesium-137 (Cs-137)—same uses as Cobalt-60 plus well logging. Iridium-192 (Ir-192)—industrial radiography and medical implants for cancer therapy. BETA EMITTER Strontium-90 (Sr-90)—radioisotope thermoelectric generators (RTGs), which are used to make electricity in remote areas. ALPHA EMITTERS Plutonium-238 (Pu-238)—research and well logging and in RTGs for space missions. Americium-241 (Am-241)—industrial gauges and well logging. Source: Radiological Attack, Dirty Bombs, and Other Devices, National Academy of Sciences, 2004

A nuclear attack by terrorists is a high-order-of- magnitude event that could kill a large number of peo- ple. As mentioned previously, a dirty bomb containing high-level radioactive material could be a means to deliver a nuclear attack. The use of an improvised nuclear device (IND) or a nuclear weapon must also be considered. INDs, also called “suitcase bombs or suit- case nukes,” describe a small nuclear weapon, small enough to fit in a suitcase, which can produce a nuclear blast. According to the Department of Health and Human Services “the design and destructive nature of an IND is comparable to the bomb dropped on Hiroshima Japan, at the end of World War II.” Larger nuclear weapons and the explosions that result from their use are classified based on the amount of energy they produce or “yield.” A nuclear weapon deployed by terrorists would be expected to have a yield of less than one to several kilotons. A kiloton is not the weight of the bomb but rather the equivalent energy of an amount of the explosive TNT (1kT=1,000 tons of TNT). Large military nuclear weapons are in the mega- ton (MT) range (1MT=1,000kT). The highly purified plutonium and uranium needed to make a nuclear weapon or suitcase bomb are difficult to acquire. Considerable engineering skill and expertise would be required to construct a nuclear device using plutonium; devices using uranium are technically easier to construct. A nuclear event involves nuclear fission (splitting of atoms) and a highly destructive explosion that creates instant devastation. Significant fatalities, injuries, and infrastructure damage result from the heat and blast of the explosion and persistent high levels of radioactivity are the aftermath of both the initial nuclear radiation and the subsequent radioactive fallout that occurs. 12 Security 101: A Physical Security Primer for Transportation Agencies Nuclear Bombs at Hiroshima and Nagasaki The August 1945 bombings of Hiroshima and Nagasaki have been the only use or detonation of nuclear weapons except for testing purposes. The Hiroshima bomb was approximately a 16-kiloton uranium bomb; the Nagasaki bomb was approximately a 21-kiloton plutonium bomb. Both were detonated in the air at an altitude of approx- imately 1,600 feet. The bomb at Hiroshima destroyed buildings over roughly 4 square miles of the city, and about 60,000 people died immediately from the blast, thermal effects, and fire. Within 2–4 months of the bombings, a total estimated 90,000 to 140,000 deaths occurred in Hiroshima and about 60,000 to 80,000 deaths occurred in Nagasaki, mostly as a result of the immediate effects of the bomb and not to fallout. In a group of 87,000 survivors exposed to radiation who were followed in health studies over the past 60 years,* there were about 430 more cancer deaths than would be expected in a similar but unexposed population (there were 8,000 cancers from all causes compared to an expected 7,600). The additional cancer deaths are attributable to radiation. Nearly half of the people in those studies are still alive. *The mean dose of those survivors was 16 rad. Source: Nuclear Attack, National Academy of Sciences, 2005 Characteristics of a Nuclear Explosion A fireball, roughly spherical in shape, is created from the energy of the initial explosion. It can reach tens of millions of degrees. A shockwave races away from the explosion and can cause great damage to structures and injuries to humans. A mushroom cloud typically forms as everything inside of the fireball vaporizes and is carried upwards. Radioactive material from the nuclear device mixes with the vaporized material in the mushroom cloud. Fallout results when the vaporized radioactive material in the mushroom cloud cools, condenses to form solid particles, and falls back to the earth. Fallout can be carried long distances on wind currents as a plume and con- taminate surfaces miles from the explosion, including food and water supplies. The ionization of the atmosphere around the blast can result in an electromagnetic pulse (EMP) that, for ground detonations, can drive an electric current through underground wires causing local damage. For high-altitude nuclear detonations, EMP can cause widespread disruption to electronic equipment and networks. Source: Nuclear Attack, National Academy of Sciences, 2005

Risk Management and Risk Assessment 13 Armed Assault Terrorist-related Armed Assault by one or more gunmen, although rare in the United States, occurs much more frequently in other parts of the world. In particular, in Afghanistan and Iraq, terrorists have deployed “hit and run” tactics as a form of “asymmetrical warfare” designed to reduce personnel losses and inflict maximum casualties. “Hit and run” assault involves a sudden attack on a target and immediate withdrawal to avoid adversary response or retaliation. In some instances, the tactic is coupled along with the use of a massive amount of firepower without con- cern for target accuracy. This type of indiscriminate attack would likely prove difficult to prevent or overcome. Another tactic seen repeatedly in the school shootings at incidents like Columbine and Virginia Tech is the suicide gunman who bears multiple firearms and fires at will until either killed or committing suicide. This type of attack is carried out using small arms which can include pistols, rifles, shotguns, or submachine guns that can be either military issue or civilian weapons. Adversary Types and Motivations In Figure 1-2, the FTA makes the point that security countermeasures should be designed commensurate with the type of adversary who may attack the transportation facility. Concep- tually, this represents sound practice; however, transportation agencies should not draw threat- related conclusions from presumptions about adversary classification assessments taken in isolation. Care should be taken to ensure that threat assessments are also scenario-based and driven by both factual information and credible intelligence. As a part of the Department of Defense Unified Facilities Criteria (UFC), DOD published Security Engineering Facilities Planning Manual Draft UFC 4-020-01 in March 2006. The manual contains an overview of aggressor types, capabilities, and tactics; this material has been adapted in Tables 1-5 through 1-7 for transportation agency security planning purposes. Aggressors per- Source: Security Design Considerations, FTA, 2004 Figure 1-2. Security countermeasures by type of adversary.

14 Security 101: A Physical Security Primer for Transportation Agencies Type Description Typical Targets Unsophisticated Unskilled in the use of tools and weapons and having no formal organization. Theft by insiders is also common. Targets that meet their immediate needs such as drugs, money, and pilferable items. Opportune targets that present little or no risk. Breaking and entering or smash-and-grab techniques are common. Sophisticated Skilled in the use of certain tools and weapons. Efficient and organized. They plan their attacks and have sophisticated equipment and the technical capability to employ it. Often assisted by insiders. They target high-value assets and frequently steal in large quantities, but target assets with relatively low risk in handling and disposal. Organized Groups Source: Adapted from Security Engineering Facilities Planning Manual Draft UFC 4-020-01, 2006 Highly sophisticated, can draw on specialists, and can obtain the equipment needed to achieve their goals efficiently. These groups form efficient, hierarchical organizations which can employ highly paid insiders. Examples include drug cartels, organized crime “families,” the Yakuza, and MS-13. Organized criminal groups may target goods, commodi- ties, or opportunities where there is a high degree of risk in handling and disposal such as large quantities of money, equipment, and arms, ammunition, and explosives. Table 1-5. Criminals by levels of sophistication. Table 1-6. Protesters. Type Description Objectives Typical Targets Vandals/Activists Usually unsophisticated. Superficially destructive. Actions may be covert or overt. No injury to people. Limited damage to targets. Symbolic targets that pose little risk to them. Extremist Protest Groups Moderately sophisticated and usually more destructive than vandals. Actions are frequently overt More extensive damage and may include possible injury to people Symbolic targets and things they consider environmentally unsound Note: In this text, only violent protesters are considered a threat. Source: Adapted from Security Engineering Facilities Planning Manual Draft UFC 4-020-01 2006 form hostile acts against assets such as equipment, personnel, and operations. The UFC presents four major aggressor objectives to describe aggressor behavior: • Inflicting injury or death on people; • Destroying or damaging facilities, property, equipment, or resources; • Stealing equipment, materiel, or information; and • Creating adverse publicity. The three broad categories of aggressors are criminals, protesters, and terrorists. Criminals are grouped into three categories; all are assumed to share the objective of theft of assets (see Table 1-5). The two categories of protestors are vandals/activists and extremist protest groups. Regard- less of category, these groups are either politically or issues oriented and act out of frustration or anger against the actions of other social or political groups. The primary objectives of both groups commonly include destruction and publicity. Table 1-6 provides additional information. Terrorists are grouped into three categories: domestic, international, and state-sponsored. Domestic terrorists are indigenous to the United States, Puerto Rico, and the U.S. territories and

not directed by foreign interests. International terrorists are either connected to a foreign power or they transcend national boundaries. State-sponsored terrorists generally operate indepen- dently, but receive foreign government support. Terrorists are motivated by ideology, politics, or specific issues. They often work in small, well- organized groups or cells. They are sophisticated, skilled with tools and weapons, and can plan efficiently. Terrorist objectives usually include death, destruction, theft, and publicity. Table 1-7 provides additional information. Vulnerability Assessment Managing security risk for transportation agencies is a threat- and scenario-based activity. Threat definition is the tool by which vulnerabilities of transportation operations and systems are measured. Agency police or security personnel, assisted by federal, state, and local law enforcement and homeland security professionals, must evaluate the actual and potential threats against their respective agencies in terms of both threat types and aggressor types. After the base- line of threat information has been identified, security management should collect data and information about the specific organization at risk in order to determine the existing status of systems and security countermeasures. Weaknesses and opportunities for aggressor exploitation must be analyzed so as to establish the current capabilities of the organization to block, thwart, or mitigate an attack. The performance of a vulnerability assessment, sometimes referred to as a security vulnerability assessment (SVA), is used to address this issue. Vulnerability assessment starts with an examination of the transportation agency’s assets in order to establish what needs to be protected. Next, the capabilities of existing protection systems to secure those assets are Risk Management and Risk Assessment 15 Types Description Orientation Examples Domestic Typically operating in distinct areas of the country. Most acts of terrorism in the United States by domestic terrorists have been less severe than those outside the United States, and operations have been somewhat limited. A notable exception was the bombing of the Alfred P. Murrah Building in Oklahoma City. Politically oriented Ethnic and white supremacy groups, many with ties to groups that originated during the 1960s and 1970s. International Typically better organized and better equipped than their domestic counterparts. More severe and more frequent attacks than those by domestic terrorists in the United States. Politically, ethnically, or religiously oriented Foreign terrorist groups designated by the U.S. Department of State include the Revolutionary Group 17 November, the Aum Shinrikyo Group, Basque Fatherland and Liberty (ETA), Sendero Luminoso (Shining Path), and the al-Aqsa Martyrs Brigade. State- Sponsored Foreign government support may include intelligence and even operational support. Often, they have military capabilities and a broad range of military and improvised weapons. They have historically staged the most serious terrorist attacks, including suicide attacks. Some have legitimate political wings in addition to their terrorist wings. Predominantly ethnically or religiously oriented State-sponsored terrorist groups designated by the U.S. Department of State include al Qaida, the Palestinian Islamic Jihad, Hezbollah, and the Revolutionary Armed Forces of Columbia (FARC). *Based on their areas of operation and their sophistication. Source: Adapted from Security Engineering Facilities Planning Manual Draft UFC 4-020-01, 2006 Table 1-7. Terrorists by areas of operation and levels of sophistication.

16 Security 101: A Physical Security Primer for Transportation Agencies evaluated. Finally, security gaps that should be addressed to reduce or buy down security risk are determined. Security Surveys The preferred means to conduct an SVA is by performing a security survey. The survey is a fact-gathering question-based process that uses various data collection tools to obtain necessary information about the characteristics of the organization, its systems and operations, and the consequences to the organization that would result from a successful attack against identified threat targets. SVA methodology varies greatly. Different approaches and techniques for assessing agency vulnerabilities are numerous. In the transportation sector, some of the more frequently used methodologies include Analytical Risk Methodology (ARM), Maritime Sector Risk Analy- sis Methodology (MSRAM), DHS Transit Risk Analysis Methodology (DHS-TRAM), CARVER, Sandia National Labs Risk Assessment Methodologies (RAM), and the Homeland Security Com- prehensive Assessment Model (HLS-CAM). In May 2002, the American Association of State Highway and Transportation Officials (AASHTO) posted on-line a comprehensive Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection. The 2002 Guide presents a six-step approach to conducting a security vulnerability assessment. Additionally, self-directed vulnerability assessments methods and checklists are available from various organizations, including DHS, DOE, and the FBI. The plethora of methodologies has resulted partly from lack of precision in the formulation of data collection elements and a less- than-rigorous quality review of process by government and the security industry. However, this variation in methodologies also results from the fact that vulnerability assessment of industry sectors, in this case the transportation sector, is significantly industry and agency specific. In fact, different modes within the transportation sector (e.g., aviation, rail, highway, or maritime) all have unique organizational characteristics and operating environments. What works in the closed and highly regulated aviation sector from the standpoint of SVA would not transfer well to the open and ubiquitous public transit system. Performing the Security Survey Ideally, the SVA should be conducted by a trained team of security professionals using an industry-accepted methodology rather than a self-assessment question list or checklist. Asses- sors must be able to understand and interpret the protection objectives, operating environ- ment, priorities, and inherent weaknesses of the transportation agency under review. The team should include a project manager responsible for the final report product of the assessment, as well as subject matter experts in transportation sector and mode security. The security-trained component of the team should be assisted by a cross-disciplinary group of management and operating personnel with expertise in agency operations, including communications, engi- neering, mechanical, facilities, and transportation. To the extent necessary, this group should be supported by specialists (e.g., information technology professionals, human resources trainers, finance and procurement officers, and systems analysts). Figure 1-3 illustrates how an SVA team works through the critical asset evaluation step of the 2002 Guide approach. Note the presence of threat experts, vulnerability experts, and transportation professionals on the SVA team. The result of the SVA is the publication of a report that establishes the current security status of the transportation agency, in terms of Source: Guide to Highway Vulnera- bility Assessment for Critical Asset Identification and Protection, Ameri- can Association of State Highway and Transportation Officials, 2002 Step 1: Identify Critical Assets Step 2: Assess Vulnerabilities Step 3: Assess Consequences Step 4: Identify Countermeasures Step 5: Estimate Countermeasures Cost Step 6: Review Operational Security Planning

• Critical asset identification, • Threats and vulnerabilities existing against those assets, and • Consequences or ramifications of successful attacks against those assets. The efficacy of this report will be determined primarily by the comprehensiveness and deri- vation of facts and opinions resulting from interviews, examinations, observations, analysis, and investigations. To the extent practicable, opinions should be expressed as such. The report should conclude with findings and recommendations that can be used to help formulate the transportation agency’s security needs and requirements planning documentation. Risk Management and Risk Assessment 17 Source: Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection, AASHTO, 2002 Threat Experts Criticality Assessment Likelihood Assessment Impact Assessment Reduce Likelihood Reduce Impact Vu ln er a bi lity Criticality LOW MEDIUM HIGH Mitigation Strategies Transportation Professionals Vulnerability Experts Figure 1-3. Critical asset evaluation step.