+1443 776-2705 panelessays@gmail.com
  

 

Risk assessment,  threat management, and disaster response are critical elements across  all levels of government and the private sector. This partnership has  grown considerably since 9/11 and continues to evolve as it pertains to  manmade and natural disasters. For this assignment, you write a will  develop a response plan for the following scenario addressing the ten  questions below:  

Central City is fictional city that is part of Columbia County. The  Roaring River is located in Columbia County and runs through downtown  Central City. On March 8, after several days of unusually heavy rain and  melting mountain snow, the Roaring River overflowed, flooding Central  City’s downtown business area and the state’s utility complex. The  entire downtown area is underwater and without basic utilities (electric  and water). Business in the area has come to a standstill with many  small store owners fearing the worst once night sets in. Also affected  by the power outage is a nearby senior assisted living facility with  more than 500 elderly residents unable to leave and in need of medical  care. A low-income community located along the river’s edge has been  isolated from the rest of the city due to the rising floodwaters. Storm  and sewer drains are beginning to back up and garbage can be seen  floating in the streets.

Due to the lack of transportation, many city residents were unable to  leave the area when initial flood warnings were posted and are now  stranded. There have been numerous requests for medical attention in the  area, and several fires can be seen burning in the distance. Because  the river twists and turns throughout Columbia County, other cities  within the county are experiencing similar flooding conditions. The rain  is expected to continue for the next 12-24 hrs, followed by a drying  out and turning windy and cold.

  1. Who are the 1st responders? What are their responsibilities?
  2. What will be their biggest challenge?
  3. What will is an immediate concern and what can wait?
  4. What additional types of assistance (other than initial 1st responders) would be helpful here? How would they be used? 
  5. Does the fact that other Columbia County cities are also flooded and  experiencing similar problems affect Columbia County’s capabilities to  respond? What problems do you foresee? What are some solutions?
  6. How would you classify this incident? Is it a high likelihood-low impact or a low likelihood-high impact? Explain.
  7. Using the ICS, decide what type of command structure will be employed. Who will be part of your command structure?
  8. What two circumstances may turn this event from an emergency to a disaster and what are your options once that happens?
  9. What type of assistance can you expect from state? Describe the process for requesting state / federal assistance.
  10. Once the floodwaters recede and the conditions return to normal,  city council members will be looking for suggestions to avoid this type  of disaster in the future. What mitigation recommendations can you make?

Paper Submission Requirements

Resources for Assignment

This activity is matched to the following Learning Outcomes: Discuss  how protective measures are being implemented within public-private  partnerships within the homeland security sector. Analyze and discuss  the basic risk analysis principles. Examine and discuss the four phases  of disaster management.

Congressional Research Service ˜ The Library of Congress

CRS Report for Congress
Received through the CRS Web

Order Code RL32561

Risk Management and Critical Infrastructure
Protection: Assessing, Integrating, and Managing

Threats, Vulnerabilities and Consequences

Updated February 4, 2005

John Moteff
Specialist in Science and Technology Policy

Resources, Science, and Industry Division

Risk Management and Critical Infrastructure Protection:
Assessing, Integrating, and Managing Threats,

Vulnerabilities, and Consequences

Summary

The 9/11 Commission recommended that efforts to protect various modes of
transportation and allocation of federal assistance to state and local governments
should be based on an assessment of risk. In doing so, the Commission was
reiterating existing federal policy regarding the protection of all the nation’s critical
infrastructures. The Homeland Security Act of 2002 (P.L. 107-296) and other
Administration documents have assigned the Department of Homeland Security
specific duties associated with coordinating the nation’s efforts to protect its critical
infrastructure, including using a risk management approach to set priorities. Many
of these duties have been delegated to the Information Analysis and Infrastructure
Protection (IA/IP) Directorate.

Risk assessment involves the integration of threat, vulnerability, and
consequence information. Risk management involves deciding which protective
measures to take based on an agreed upon risk reduction strategy. Many
models/methodologies have been developed by which threats, vulnerabilities, and
risks are integrated and then used to inform the allocation of resources to reduce
those risks. For the most part, these methodologies consist of the following
elements, performed, more or less, in the following order.

! identify assets and identify which are most critical
! identify, characterize, and assess threats
! assess the vulnerability of critical assets to specific threats
! determine the risk (i.e. the expected consequences of specific types

of attacks on specific assets)
! identify ways to reduce those risks
! prioritize risk reduction measures based on a strategy

The IA/IP Directorate has been accumulating a list of infrastructure assets

(specific sites and facilities). From this list the Directorate is selecting assets that
have been judged to be critical from a national point of view. The Directorate
intends to assess the vulnerability of all the assets on this shorter list. According to
Directorate officials, vulnerability assessments and threat information are considered
when determining the risk each asset poses to the nation. This risk assessment is
then used to prioritize subsequent additional protection activities. The IA/IP
Directorate’s efforts to date, however, raise several concerns, ranging from the
process and criteria used to populate its lists of assets, its prioritization strategy, and
the extent to which the Directorate is coordinating its efforts with the intelligence
community and other agencies both internal and external to the Department. This
report will be updated as needed.

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
IA/IP’s Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
A Generic Model for Assessing and Integrating Threat, Vulnerability,

and Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Using Assessments to Identify and Prioritize Risk Reduction

Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Status of DHS’s Implementation of Its Critical Infrastructure Protection

Effort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Questions and Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Identifying Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Selecting High Priority Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Assessing Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assessing Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Assessing Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Risk Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Prioritizing Protection Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

1 The Intelligence Reform and Terrorism Prevention Act of 2004 (S. 2845, P.L. 108-458),
legislating some of the recommendations of the Commission’s report, included a
requirement to develop a National Strategy for Transportation Security that includes the
development of risk-based priorities.

Risk Management and Critical Infrastructure
Protection: Assessing, Integrating, and
Managing Threats, Vulnerabilities, and

Consequences

Introduction

As part of its chapter on a global strategy for protecting the United States against
future terrorist attacks, the 9/11 Commission recommended that efforts to protect
various modes of transportation and allocation of federal assistance to state and local
governments should be based on an assessment of risk.1 In doing so, the
Commission was affirming existing federal policy regarding the protection of all the
nation’s critical infrastructures. The Homeland Security Act of 2002 and other
Administration documents have assigned the Department of Homeland Security
specific duties associated with coordinating the nation’s efforts to protect its critical
infrastructure. Many of these duties have been delegated to the Information Analysis
and Infrastructure Protection (IA/IP) Directorate. In particular, the IA/IP Directorate
is to integrate threat assessments with vulnerability assessments in an effort to
identify and manage the risk associated with possible terrorist attacks on the nation’s
critical infrastructure. By doing so, the Directorate is to help the nation set priorities
and take cost-effective protective measures.

This report is meant to support congressional oversight by discussing, in more
detail, what this task entails and issues that need to be addressed. In particular, the
report defines terms (e.g. threat, vulnerability, and risk), discusses how they fit
together in a systematic analysis, describes processes and techniques that have been
used to assess them, and discusses how the results of that analysis can inform
resource allocation and policy.

While the IA/IP Directorate has been given this task as one of its primary
missions, similar activities are being undertaken by other agencies under other
authorities and by the private sector and states and local governments. Therefore,
this report also discusses the Department’s role in coordinating and/or integrating
these activities.

CRS-2

2 Office of Homeland Security, National Strategy for Homeland Security, July 2002.
3 Ibid. p. 33.
4 Ibid. p. 64.

Background

IA/IP’s Responsibilities

The Homeland Security Act of 2002 and other Administration documents have
assigned the Department of Homeland Security specific duties associated with
coordinating the nation’s efforts to protect its critical infrastructure. Many of the
duties discussed below have been delegated to the Information Analysis and
Infrastructure Protection Directorate.

The National Strategy for Homeland Security,2 anticipating the establishment
of the Department of Homeland Security, stated:

! “… the Department would build and maintain a complete, current,
and accurate assessment of vulnerabilities and preparedness of
critical targets across critical infrastructure sectors…[This
assessment will] guide the rational long-term investment of effort
and resources.3”

! “… we must carefully weigh the benefit of each homeland security
endeavor and only allocate resources where the benefit of reducing
risk is worth the amount of additional cost.4”

Among the specific tasks delegated to the Undersecretary for Information
Analysis and Infrastructure Protection by Section 201(d) of the Homeland Security
Act of 2002 (P.L. 107-296, enacted November 25, 2002) were:

! “… identify and assess the nature and scope of terrorist threats to the
homeland;”

! “… understand such threats in light of actual and potential
vulnerabilities of the homeland;”

! “… carry out comprehensive assessments of the vulnerabilities of the
key resources and critical infrastructures of the United States,
including the performance of risk assessments to determine the risk
posed by particular types of terrorist attacks within the United States
….”

! “… integrate relevant information, analyses, and vulnerability
assessments … in order to identify priorities for protective and
support measures ….”

! “… develop a comprehensive national plan for securing the key
resources and critical infrastructure of the United States ….”

! “… recommend measures necessary to protect the key resources and
critical infrastructure of the United States ….”

CRS-3

5 Office of Homeland Security, The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets, February 2003.
6 Ibid. p. 23.
7 Homeland Security Presidential Directive Number 7, Critical Infrastructure Identification,
Prioritization, and Protection, December 17, 2003.
8 The Clinton Administration referred to these as Lead Agencies in its Presidential Decision
Directive Number 63 (PDD-63, May 1998). HSPD-7 supercedes PDD-63 in those instances
where the two disagree.
9 The Department did not meet this deadline. A draft plan is still in review. The
Department intends to release elements of the plan in 2005. See, See CQ Homeland
Security, Jan. 28, 2005, “Still Waiting: Plan to Protect Critical Infrastructure Overdue from
DHS,”at [http://homeland.cq.com/hs/display.do?docid=1507251&sourcetype=31]. This site
was last viewed on February 4, 2005. It is available only by subscription.
10 Just as one example, the 9/11 Commission Report (released July 22, 2004, see page 396)
when discussing the basis upon which federal resources should be allocated to states and
localities, stated that such assistance should be based “strictly on an assessment of risks and
vulnerabilities.” Later, in the next paragraph, it stated “the allocation of funds should be
based on an assessment of threats and vulnerabilities.” In the next paragraph it stated that

(continued…)

The National Strategy for the Physical Protection of Critical Infrastructure and
Key Assets 5 stated:

! “DHS, in collaboration with other key stakeholders, will develop a
uniform methodology for identifying facilities, systems, and
functions with national-level criticality to help establish federal,
state, and local government, and the private-sector protection
priorities. Using this methodology, DHS will build a comprehensive
database to catalog these critical facility, systems, and functions.6”

Homeland Security Presidential Directive Number 7 (HSPD-7)7 stated that the
Secretary of Homeland Security was responsible for coordinating the overall national
effort to identify, prioritize, and protect critical infrastructure and key resources. The
Directive assigned Sector Specific Agencies8 the responsibility of conducting or
facilitating vulnerability assessments of their sector, and encouraging the use of risk
management strategies to protect against or mitigate the effects of attacks against
critical infrastructures or key resources. It also gave the Secretary to the end of
calendar year 2004 to produce a comprehensive, integrated National Plan for Critical
Infrastructure and Key Resources Protection.9 That Plan shall include a strategy and
a summary of activities to be undertaken to: define and prioritize, reduce the
vulnerability of, and coordinate the protection of critical infrastructure and key
resources.

The terms “vulnerabilities,” “threats,” “risk,” “integrated,” and “prioritize” are
used repeatedly in the documents cited above. However, none of the documents
defined these terms or discussed how they were to be integrated and used. Also, in
hearings, articles in the press, and other public discourse these terms are used loosely,
clouding the intent of what is being proposed or discussed.10 What might seem trivial

CRS-4

10 (…continued)
resources “must be allocated according to vulnerabilities.”
11 Roper, Carl. A. Risk Management for Security Professionals, Butterworth-Heinemann.
1999.

differences in definitions can make a big difference in policy and implementation.
The following section provides definitions and a generic model for integrating them
in a systematic way.

A Generic Model for Assessing and Integrating Threat,
Vulnerability, and Risk

Many models/methodologies have been developed by which threats,
vulnerabilities, and risks are integrated and then used to inform the cost-effective
allocation of resources to reduce those risks. For this report, CRS reviewed
vulnerability assessment models or methodologies, including some developed and
used, to varying degrees, in certain selected sectors (electric power, ports, oil and
gas). These are listed in the Reference section of this report. In addition, this report
draws upon information contained in a book by Carl Roper entitled Risk Management
for Security Professionals.11 Essential elements of these models/methods have been
distilled and are presented below. They may provide some guidance in overseeing
DHS’s methodology as it is developed and employed.

For the most part, each of the methodologies reviewed consist of certain
elements. These elements can be divided into: assessments per se; and, the use of the
assessments to make decisions. The elements are performed, more or less, in the
following sequence:

Assessments
! identify assets and identify which are most critical
! identify, characterize, and assess threats
! assess the vulnerability of critical assets to specific threats
! determine the risk (i.e. the expected consequences of specific types

of attacks on specific assets)
Using Assessments to Identify and Prioritize Risk Reduction Activities
! identify and characterize ways to reduce those risks
! prioritize risk reduction activities based on a risk reduction strategy

Assessments.

Identifying Assets and Determining Criticality. The infrastructure of a
facility, a company, or an economic sector, consists of an array of assets which are
necessary for the production and/or delivery of a good or service. Similarly, the
infrastructure of a city, state, or nation consists of an array of assets necessary for the
economic and social activity of the city and region, and the public health and welfare
of its citizens. The first step in the process is to determine which infrastructure assets
to include in the study. The American Chemistry Council, the Chlorine Institute, and
the Synthetic Organic Chemical Manufacturers Association, in their Site Security

CRS-5

12 American Petroleum Institute and the National Petrochemical and Refiners Association,
Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical
Industries, May 2003, p. 4.

Guidelines for the U.S. Chemistry Industry, broadly define assets as people, property,
and information. Roper’s Risk Management for Security Professionals (and DOE’s
Energy Infrastructure Risk Management Checklists for Small and Medium Sized
Energy Facilities) broadly define assets as people, activities and operations,
information, facilities (installations), and equipment and materials.

The methodologies reviewed do not provide a definitive list of such assets but
suggest which ones might be considered. For example, people assets may include
employees, customers, and/or the surrounding community. Property usually includes
a long list of physical assets like buildings, vehicles, production equipment, storage
tanks, control equipment, raw materials, power, water, communication systems,
information systems, office equipment, supplies, etc. Information could include
product designs, formulae, process data, operational data, business strategies,
financial data, employee data, etc. Roper’s examples of activities and operations
assets include such things as intelligence gathering and special training programs.
Many methodologies suggest considering, initially, as broad a set of assets as is
reasonable.

However, not every asset is as important as another. In order to focus
assessment resources, all of the methodologies reviewed suggest that the assessment
should focus on those assets judged to be most critical. Criticality is typically
defined as a measure of the consequences associated with the loss or degradation of
a particular asset. The more the loss of an asset threatens the survival or viability of
its owners, of those located nearby, or of others who depend on it (including the
nation as a whole), the more critical it becomes.

Consequences can be categorized in a number of ways: economic; financial;
environmental; health and safety; technological; operational; and, time. For example,
a process control center may be essential for the safe production of a particular
product. Its loss, or inability to function properly, could result not only in a
disruption of production (with its concomitant loss of revenue and additional costs
associated with replacing the lost capability), but it might also result in the loss of
life, property damage, or environmental damage, if the process being controlled
involves hazardous materials. The loss of an asset might also reduce a firm’s
competitive advantage, not only because of the financial costs associated with its
loss, but also because of the loss of technological advantage or loss of unique
knowledge or information that would be difficult to replace or reproduce. Individual
firms, too, have to worry about loss of reputation. The American Petroleum Institute
and the National Petrochemical and Refiners Association (API/NPRA) in their
Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical
Industries also suggested considering the possibility of “excessive media exposure
and resulting public hysteria that may affect people that may be far removed from the
actual event location.12”

CRS-6

While the immediate impact is important, so, too, is the amount of time and
resources required to replace the lost capability. If losing the asset results in a large
immediate disruption, but the asset can be replaced quickly and cheaply, or there are
cost-effective substitutes, the total consequence may not be so great. Alternatively,
the loss of an asset resulting in a small immediate consequence, but which continues
for a long period of time because of the difficulty in reconstituting the lost capability,
may result in a much greater total loss.

Another issue which decision makers may consider is if the loss of a particular
asset could lead to cascading effects, not only within the facility or the company, but
also cascading effects that might affect other infrastructures. For example, the loss
of electric power can lead to problems in the supply of safe drinking water. The loss
of a key communications node can impair the function of ATM machines.

The initial set of assets are categorized by their degree of criticality. Typically
the degree of criticality is assessed qualitatively as high, medium, or low, or some
variation of this type of measure. However, even if assessed qualitatively, a number
of methodologies suggest being specific about what kind of consequence qualifies
an asset to be placed in each category. For example, the electric utility sector
methodology suggests that a highly critical asset might be one whose loss would
require an immediate response by a company’s board of directors, or whose loss
carries with it the possibility of off-site fatalities, property damage in excess of a
specified amount of dollars, or the interruption of operations for more than a
specified amount of time. Alternatively, an asset whose loss results in no injuries,
or shuts down operations for only a few days, may be designated as having low
criticality.

For those sectors not vertically integrated, ownership of infrastructure assets
may span a number of firms, or industries. Whoever is doing the analysis may feel
constrained to consider only those assets owned and operated by the analyst or
analyst’s client. For example, transmission assets (whether pipeline, electric, or
communication) may not be owned or operated by the same firms that produce the
commodity being transmitted. Both the production assets and the transmission
assets, however, are key elements of the overall infrastructure. Also, a firm may rely
on the output from a specific asset owned and operated by someone else. The user
may consider that asset critical, but the owner and operator may not. Some of the
methodologies reviewed encourage the analyst to also consider (or at least account
for) the vulnerability of those assets owned or operated by someone else that provide
critical input into the system being analyzed. These “interdependency” problems
have been talked about, mainly in the context of inter-sector dependencies (e.g the
reliance of water systems on electric power), but they may also exist intra-sector.
The interdependency issue is both a technical one (i.e. identifying them) and a
political/legal one (i.e. how can entity A induce entity B to protect an asset).

Identify, Characterize, and Assess Threat. Roper and the API/NPRA
define threat as “any indication, circumstance or event with the potential to cause loss

CRS-7

13 American Petroleum Institute, op. cit., p. 5.
14 Roper, op. cit. , p. 43.
15 This quote is taken from the Government Accountability Office testimony, Homeland
Security: Key Elements of a Risk Management Approach, GAO-02-150T, before the
Subcommittee on National Security, Veteran’s Affairs, and International Relations, House
Committee on Government Reform, October 21, 2001. It is used in several of the other
methodologies reviewed.

or damage to an asset.13” Roper includes an additional definition: “The intention and
capability of an adversary to undertake actions that would be detrimental to U.S.
interests.14”

To be helpful in assessing vulnerability and risk, threats need to be characterized
in some detail. Important characteristics include type (e.g. insider, terrorist, military,
or environmental (e.g. hurricane, tornado)); intent or motivation; triggers (i.e events
that might initiate an attack); capability (e.g. skills, specific knowledge, access to
materials or equipment); methods (e.g. use of individual suicide bombers, truck
bombs, assault, cyber); and trends (what techniques have groups used in the past or
have experimented with, etc.).

Information useful to characterizing the threat can come from the intelligence
community, law enforcement, specialists, news reports, analysis and investigations
of past incidents, received threats, or “red teams” whose purpose is to “think” like
a terrorist. Threat assessment typically also involves assumptions and speculation
since information on specific threats may be scant, incomplete, or vague.

Once potential threats have been identified (both generically, e.g. terrorists, and
specifically, e.g. Al Qaeda) and characterized, a threat assessment estimates the
“likelihood of adversary activity against a given asset or group of assets.15” The
likelihood of an attack is a function of at least two parameters: a) whether or not the
asset represents a tempting target based on the goals and motivation of the adversary
(i.e. would a successful attack on that asset further the goals and objectives of the
attacker); and, b) whether the adversary has the capability to attack the asset by
various methods. Other parameters to consider include past history of such attacks
against such targets by the same adversary or by others, the availability of the asset
as a target (e.g. is the location of the target fixed or does it change and how would the
adversary know of the target’s existence or movement, etc.). The asset’s
vulnerability to various methods of attack (determined in the next step) may also
affect the attractiveness of the asset as a target.

As an example of a threat assessment technique, the U.S. Coast Guard, using an
expert panel made up of Coast Guard subject matter and risk experts, evaluated the
likelihood of 12 different attack modes against 50 different potential targets (i.e. 600
scenarios). Attack modes included “… boat loaded with explosives exploding along
side a docked tank vessel,” or “… tank vessel being commandeered and intentionally
damaged.” The Coast Guard also considered scenarios where port assets could be
stolen or commandeered and used as a weapon or used to transport terrorists or
terrorism materials. Potential targets included various types of vessels (including
ferries), container facilities, water intakes, utility pipelines, hazardous materials

CRS-8

16 Roper, op. cit., p. 63.
17 American Petroleum Institute, op. cit., p. 5.
18 Federal Register, Department of Homeland Security, Coast Guard, Implementation of
National Maritime Security Initiatives, Vol. 68, No. 126, July 1, 2003, p. 39245.

barges, etc. The panel of experts judged the credibility of each scenario. For
example, using a military vessel for transporting terrorists or terrorism materials was
judged not to be credible given the inherent security measures in place, but an
external attack on a military target was considered credible. Each credible scenario
was assigned one of 5 threat levels representing the perceived probability (likelihood)
of it occurring, after considering the hostile group’s intent, its capabilities, prior
incidents, and any existing intelligence.

The Electricity Sector’s methodology uses a checklist which asks for the
specific attack mode (such as the use of explosives, truck bomb, or cyber attack) and
whether it is likely that such an attack would be carried out by: a) an individual; or
b) by an assault team of up to five