National Response Team Presentation: “Security Risk Assessment Methodologies: Community VAM 3/3/3 Presented By: Gloria E Chavez Sandia National Laboratories

Community Vulnerability Assessment Methodology (CVAMTM)

“Snapshot” of Community Process: today's message Community Vulnerability Assessment Methodology (CVAMTM) process Process is copyrighted / licensed to ensure appropriate use of training materials by qualified trainers and so resulting information is protected Part of the “family” of center processes for infrastructure Part of Center for Civil Force Protection Focus is on “planning” to allow appropriate response and to mitigate consequences by identifying weaknesses in systems

Vulnerability Assessment (VA)…What Is It Vulnerability assessment is A systematic approach Used to determine relative risk Based upon the effectiveness of a protection system Considering the consequences Resulting from a likely threat

Community Vulnerability Assessment Methodology Builds on prior VAM / RAM development – nuclear sites, dams, water, chemical facilities, prisons/jails Goals Useable by public safety personnel, emergency planners, private industry employees – don't need to be a "techie" Useful -provides information which significantly contributes to making security risk management decisions

Reasons for a Community VA include: Identify vulnerabilities in a systematic way (minimize gaps) For important vulnerabilities, communities may be able to request additional resources For significant identified vulnerabilities, community may consider ways to mitigate – such as provide a backup for a vulnerable mission with no existing backup Can use identified vulnerabilities to better plan future projects i.e., two communication routes (backup) Can help prepare, in event of attack, to mitigate consequences Helps communities make security decisions based on a process including risk assessment Community may decide to improve response or an aspect of physical security

Scope of Analysis Screening Analysis Characterize a Community, critical Facilities & Consequences Define the Threat and Likelihood of Attack Review Physical Protection Systems Make Observations and Recommendations

Community Vulnerability Assessment Process Planning Screening, Team, Decisions/ Risks R=PA*(1-PE)*C Characterize Assets Facility Characterization, ID Targets Determine Consequences Site Specific Consequence Table, Prioritize Targets Community Protection Goals: Defined Threat (DT) Define Threats Understand PPS: Detect, Delay, Response Other Action Define Safeguards System Effectiveness, Scenario Analysis Analyze System Cost Benefit Analysis ? Risks Risks Acceptable ? Y Upgrade PPS, Mitigate Consequences N Proposed Upgrades/ Actions End

CVAMTM process consists of Community Screening workshop (optional) Training Course on VA Process -including VA on selected facilities Follow-up visit/assist on reporting (optional)

Who is Involved in the Process? Players for a community include decision makers in the community working with emergency management, police, risk management, fire departments, civic leaders, financial leadership, chamber of commerce, others Process takes time and requires information about the community Process requires difficult decisions (…what is an acceptable risk?)

CVAMTM Course We teach a Vulnerability Assessment Course, not a Security Assessment Course The course, for a community, is an intense week of: class material describing process Exercises, based on facilities in community, to demonstrate the process We also teach a “trainer course” for qualified trainers with backgrounds in training and community policing, or risk management

Community Screening - Definition: Selecting facilities of most concern, using a documented process Requires participation by decision makers in a community Uses Consequence Analysis, determination of acceptable risk First Step in Process

CVAMTM Screening: Consequence and Target Identification Severity of Undesirable Consequences Loss of human life Loss of revenue Loss of vital equipment Loss of vital capabilities

CVAMTM Community Characterization: Many elements Communications Power/Electric Gas/Oil Industry Water Banking/Financial Education Government Transportation Emergency Foreign Represented Governments Recreational Venues Special Classification

Development of Defined Threat (DT) for a Community List, collect and organize information for DT 1. Use historical and current intelligence data 2. Threat policy may be specified by community leaders or others 3. Consider developing a range of potential threats 4. Use a combination of above

Collect Threat Information National and international sources Intelligence organizations Literature search, crime studies, analysis Professional organizations Local sources Local police agencies Local professional organizations Industry Security City, county, state agencies

Lots of Weapon Options:Bushmaster (used in Virginia -$750)…web site

Discuss Adversaries: Adversary Types Overlap (collusion is possible), Insiders… ???

Potential Agents Biological Chemical Radiological Explosive

Uranium Oxide Reactor Fuel Pellet ( 10mm X 15mm ) 16,000 cpm Want to Buy something Radioactive??…Go to the web… Reactor Fuel Pellets Uranium Oxide Reactor Fuel Pellet ( 10mm X 15mm )     16,000 cpm Reactor Fuel Pellet: $100.00 These are Uranium Oxide Fuel Pellets made of highly compressed Uranium Oxide. They are from a "Slow-Poke" Ammonia-Cycle Nuclear Reactor and are slightly out of spec. Each is 10mm in diameter and 15mm long. Uranium Ore - Super High Radiation Level

Physical Protection Systems (PPS) Potential PPS objectives are: Protect lives Protect property Prevent loss of services Other PPS and their objectives will vary Consequence mitigation may be option PPS includes detection, delay, response

Risk Equation: R=PA*(1-PE)*C Equation is discussed and estimated values obtained for parameters, given existing community PPS What happens with upgrades? Data is often poor or missing for communities Now What?…

Security is a Continuum Approach: “Buy Cameras” “Manuals” “Performance Tests, Analysis, Computer Models Systems Engineering Approach Standards & Criteria No Security Expert Opinion Typical Application: homes homes new construction nuclear facilities low risk low - moderate moderate – high high consequence risk facilities profile government

How Much Is Enough? Decisions What to protect What’s important? Crime Consequences Military Action What to protect against? What’s important? Mission Liabilities How well are you protected? Terrorism Is risk acceptable Decisions Operational trade-off Cost options

Goal in Performing a Community VA: Identify Where Vulnerabilities Are, And Then Decide How to Allocate Resources… High Resources = $$$$ $ to Fix Likelihood Of Occurrence $$ to Fix $$$$ to Fix Low Terrorist Acts Violence by criminals Theft or vandalism THREAT

Community Vulnerability Assessment Methodology Focus is on physical protection. Considers physical protection systems (PPSs) Need to understand how to evaluate PPSs But, probably not likely to implement effective PPSs at community facilities due to cost. More likely to use adverse consequence reduction and mitigation measures (e.g. insurance, redundant capabilities, improved response) or acceptance of risk.

CVAMTM Application To Date Miami-Dade, Florida Sterling Heights, Michigan Bismarck, ND Hennepin County, MN Norfolk, VA Rochester, NY Albuquerque, NM (Trainer Class) We learned something new every time and incorporated improvements

What Have We Learned? Communities are surprised at identified vulnerabilities Communities learn who in their own community is a resource May choose to get redundancy (back-up 911 center or incident command center, or communications equipment, good blueprints) Need to test procedures and response in many situations (off-hours, various scenarios) Lots of requests for help from communities!

Caution for Communities!!!! Illegal intelligence gathering Operations Security Protect information...may have a ”blueprint for attack” Need to know Control release of information Document

What are our plans? Future community VA training… VA training program for law enforcement academies More Trainer classes

Summary Community Vulnerability Assessments come from applying nuclear security approaches The CVAM process is a systematic way to assess vulnerabilities and make decisions based on risk We have a community tested process Call me for more information and help Gloria Chavez Phone:505-845-8737 Email: gechave@sandia.gov

What is the appropriate response to a situation? Depends…