Defining Critical Infrastructure
Critical infrastructure refers to those assets, systems and functions that are vital to the nation. They include transportation (land, water and air modes) and energy systems, defense installations, banking and financial facilities and networks, water supplies, chemical plants, food and agricultural resources, police and fire departments, hospitals and public health systems, government offices and national symbols.
Two characteristics of critical infrastructure make it a prime target for terrorist attacks. First, when U.S. infrastructure is tampered with, it disrupts normal day-to-day activities an objective of UnRestricted Warfare (URW) is to influence the minds of individuals by initiating non-traditional attacks that disrupt their way of life. Second, critical infrastructure is highly distributed, thus making it very difficult and costly to protect, which makes it a prime target.
Here are a few statistics for the U.S. which illustrate how tricky this problem is.
- Department of Homeland Security has classified 1,700 of the 33,000 entities in the national asset database as nationally critical.
- Just one natural gas supplier has over 35,000 miles of distribution pipeline.
- The electricity industry added 21 gigawatts of new generating capacity in 2004.
- Just one electrical utility has over 21,000 miles of distribution lines.
- There are nearly 10,000 airports in the country.
- There are approximately 1.5 million miles of gas pipe.
- There are nearly 7,000 bridges in the National Highway System inventory.
- There are nearly 10,000 high hazard dams.
- In the U.S., about 80% of critical infrastructure is privately owned.
There are 15 asset classifications, ranging from information technology to transportation to public health and drinking water. Its a significant task to protect them.
The responsibility for this huge task falls to the Department of Homeland Security (DHS). Even though no successful terrorist attacks have been launched against critical infrastructure to date, this does not mean we should reduce vigilance or be reluctant to apply new security methods and technology to safeguard critical infrastructure. The DHS publishes a daily infrastructure report identifying key assets defined in the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.
Lets examine two of the fifteen areas more closely. We will look at the energy sector, specifically the National Power Grid, and the chemical industry.
National Power Grid
Imagine a day, a week or a month without electricity. What would the economic damage be? The impact of a terrorist attack disrupting the flow of electricity is what makes this a high value target for terrorists.
Many will remember the Northeast blackout of 2003. Its economic cost was estimated at approximately $7 to $30 billion (including business losses). The impact of a terrorist attack today on the power grid could be much higher. Unlike the 2003 blackout, a terrorist attack on current infrastructure could not only damage transmission and distribution lines, but also generating, safety and switching equipment, which takes days or weeks to repair and recover.
GIS plays a pivotal role in monitoring and protecting the power grid. Electrical utilities have invested significantly in sophisticated monitoring systems for their generating, transmission and distribution systems. Use of geo-based data visualization of grid status and performance is already in place for the most part. Should it be modernized? The answer is yes. Investments need to be made in sensing and measurement, data/information processing and protection, communications and system security. In addition, a complete review of redundancy and single point failure analysis needs to be conducted, along with a new independent vulnerability assessment. Technologies such as GIS, network sensors, remote radio frequency monitoring capabilities and nano-materials offer increased capabilities and serve to increase the nations security. The cost will run into the billions of dollars and will be carried by all of us.
Terrorists, extremists and saboteurs can use chemicals common in industrialized nations to create improvised explosives, incendiaries and chemical agents or, in its pure state, an improvised chemical weapon. Chemicals are all too accessible, as they are manufactured and stored throughout the nation. Some of the more common types of chemicals that could be used in improvised chemical weapons include acids, ammonia, benzene, chlorine and propane. Sources include manufacturing plants, industrial facilities, gas stations and research laboratories, to name a few. Protecting these potentially lethal but necessary entities is a daunting challenge. For example, chemicals are routinely transported using other parts of our critical infrastructure - rail, water, roads and air, making them easy targets for sabotage and even more difficult to protect. This may come as a shock to many, but in 2005 the U.S. Department of Transportation hazardous materials information system identified more than 1,600 incidents in air transportation.
The development of chemical emergency response plans are required by Federal law. In many cases, state and local plans do not address chemical terrorism and many of those that do focus on terrorist use of weapons of mass destruction (WMD) agents.
There are currently about 600,000 workers in the chemical manufacturing industry. It is unclear how many have gone through background checks. In addition, people who support the facilities and who are involved in transporting chemicals add another uncontrollable dimension. When you combine the number of facilities, the number of tankers, trucks and barges with the number of locations where large quantities of these chemicals are stored, you begin to realize how large the GIS system would have to be. This does not include the number of sensors and monitoring stations that would also need to be incorporated into a geography-based surveillance system.
Securing Critical Infrastructure
So who is protecting all these critical infrastructure assets? The answer is federal, state, and local agencies and private security firms. While somewhat coordinated by DHS, gaps remain. As with all security situations, intelligence is critical to being successful in the war on terrorism. I recently completed a project which looked at integrating GIS and multiple classified and un-classified intelligence sources to create an all-source intelligence view of information on the critical infrastructure. The ability to click on any part of critical infrastructure and instantly see the status, any known or suspected threats, and other critical data is still years off.
For now, the focus still remains on guns, guards and gates, although many components of the infrastructure are covered by video surveillance. According to terrorism experts, most terrorist cells are exposed during their surveillance attempts, as it is the only time they are visible. This fact makes it critical to have an alert, well-trained security force that can recognize and react to suspicious activities.
I spoke to one private security guard at a chemical plant who said he had participated in 32 hours of security and emergency training over the past four years and none of it focused on terrorist recognition. There are nearly 1.5 million private security guards working in the U.S. Over 28% of this workforce is assigned to protect critical infrastructure. There are currently no federal requirements to train these private security guards other than at airports and nuclear plants. A recent Report to Congress identified that 22 states do require basic training for licensed security guards, but few specifically require counter-terrorism training. State regulations regarding criminal background checks vary. Despite the recent terrorist attacks on public facilities around the world, 16 states here still have no background check requirements.
This attack scenario could be waged against a chemical plant, power plant or sub-station or almost any other target that terrorists could choose. This scenario has been developed using Scenario-based Intelligence Analysis (SBIA) developed by Spy-Ops.
Scenario name: Hidden in Plain Sight
Sophistication: Low to moderate
Skill required: Limited
Cost of attack: Low to moderate
Overall impact: Moderate to high
Access to materials: Fairly open
Attack method: Bomb
Secondary method: Chemical release (choking agent)
Input: It is common to see multiple delivery trucks at government buildings, corporate offices or industrial facilities. These delivery drivers are provided no counter-terrorism training. One said, The only thing we were told was if we see something suspicious, call someone.
Scenario Abstract: Terrorist cells plan to attack a facility near a moderately-sized city. A local industrial complex has two moderately-sized chlorine storage tanks. The terrorists observe the facility and record common deliveries made regularly by multiple vendors. The terrorists plan to hijack one of the common delivery vehicles as a mechanism for delivering a bomb inside the plant. Since no one would consider it unusual to see a uniform delivery truck or tool supplier truck at an industrial plant, this would create an opportunity to deliver the threat in plain sight.
The terrorists select the tool vendors delivery truck and lay in wait for the opportunity to hijack the vehicle and capture the driver. The terrorists drive the delivery truck to a warehouse, where they load an explosive device. They have created a bomb from materials that were easy to obtain.
Once the device is loaded, a terrorist puts on the delivery drivers uniform and drives the truck back to the industrial complex. Many delivery companies do not have company photo IDs, and even if they did, counterfeiting one is not a difficult.
The security guard at the industrial complex sees the vehicle and thinks nothing of it. He may even inquire where the normal driver is, but would not think anything out of the norm is happening given that the tool vendors vehicle routinely enters the plant and proceeds to the maintenance building to deliver orders.
The truck is driven close to the two chlorine storage tanks, the terrorist driver exits and heads upwind to a previously planned escape route, and then, after a few minutes and at a safe distance, he remotely detonates the explosive device via a cell phone. The resulting explosion breaches the tank, releasing a toxic cloud of chlorine gas.
The operation was simple, quick and low cost, with a huge potential for injuries and death. These are all trademarks of a terrorist attack.
This scenario was reviewed with major companies in the delivery industry - and it is a scenario they have considered and about which they are very concerned. One organization is in the planning stages of a GIS-based vehicle location information system that would be similar to the air traffic control system. Each vehicle would be equipped with telemetric devices that provide vehicle location and other operational data. Any deviation from a pre-planned route would automatically trigger an alarm. In addition, a few have plans in place to train their truck drivers in terrorist awareness skills and tactics.
It is not a question of if another terrorist attack will happen, but when and where it will happen. The American Academy of Actuaries recently disclosed that a future large terrorist attack in New York City could result in $778 billion in insured losses. Trans-disciplinary Intelligence Engineering estimates that total losses would top $1 trillion. Our mental models of security include armed security guards, chain-link fences and cameras. We need to change those models to include sophisticated information systems. Using GIS as the foundation for monitoring and assessing the threats against our critical infrastructure would be a major improvement in our capabilities. These systems would evolve into an analytic framework for threat assessment, decision-making, integration of intelligence and problem solving. While a system that would support the entire high-risk infrastructure would cost hundreds of millions of dollars and take years to implement, when compared to the cost of another terrorist attack, its reasonable.
While not impossible to accomplish, there are huge policy and legal issues that currently impede this from happening. As citizens we can only hope that our nation takes the necessary steps to begin implementing wide-scale protection systems for our critical infrastructure before another terrorist attack occurs.