Calhoun: The NPS Institutional Archive

Faculty and Researcher Publications Video Collection

2008-06-07

Critical Infrastructure Protection Metrics

and Tools; Maritime Security Risk

Analysis Model (MSRAM) [June 5-7,

2008] [video]

Downs, Brady

Monterey, California: Naval Postgraduate School

http://hdl.handle.net/10945/34169

1

Maritime Security Risk Analysis Model (MSRAM)

“Balancing resources to risk”

Presentation for the

Critical Infrastructure Protection Workshop

The Center for Homeland Defense and Security June 2008

U.S. Coast Guard

Presented by LCDR Brady Downs, USCG Domestic Port Security Evaluations Division (CG-5142)

Directorate of Assessment, Integration and Risk Management US Coast Guard Headquarters, Washington, D.C.

2 2

2001 - 2005 2006 2008-2015 PSRAT MSRAM 1 MSRAM +

Focus: • Support COTP Risk

Security Management Improve: • Consistency & threat • Consequence data to

support Operation Neptune Shield

• Port Risk data supported Port Security Risk Assessments

USCG Security Risk Evolution

Focus: • Support Field &

Headquarters • Addresses threat

element from ICC & consistency issues

Supported: • COTP/Sectors • Operation Neptune

Shield • Transportation Worker

Identification Card •  Combating Maritime

Terrorism

2007 MSRAM 2

Focus: •  Improve training,

support, & data review/validation

• Expanded range of scenarios

Supported: • COTP/Sectors • Operation Neptune

Shield • Transportation Worker

Identification Card • Combating Maritime

Terrorism • Mounted Automatic

Weapon Project

Future updates: • Address full scope of

threat (Transfer & CBRN Threat)

•  Improve Consequence/ Vulnerability analysis

• Address 18 of 18 CIKR • Support DHS, OGA,

States, & other nation’s risk analysis

GAO: Good start – improvements needed

GAO: • Address concerns • Addresses 13 of 18

Critical Infrastructure & Key Resources

GAO: Most efficient tool for risk management in DHS

GAO: Maritime Security only area to receive the grade of “Substantial Progress”

3

OUR MISSION

o Prevent terrorist attacks within the United States - (PREVENT)

o Reduce America’s vulnerability to terrorism - (PROTECT)

o Minimize the resulting damage if prevention fails - (RESPOND)

o Recover from attacks that do occur- Ensure economic security - (RECOVER)

Homeland Security Act of 2002

4

MSRAM Analysis Crosses DHS Sectors

The complexity of the marine transportation system and the maritime domain creates a unique opportunity for the Coast Guard due to the vast array of critical infrastructure, assets, key resources, systems, & networks that make up our nation’s riverports, seaports and the maritime domain.

Maritime domain is a microcosm of the national economy. Risk crosses all 18 DHS Sectors Similar situation for Localities, Cities, State, National, International risk analysis

5

MSRAM Risk Calculator

The MSRAM was designed to enhance security and reduce the risk of terrorism by identifying and prioritizing critical infrastructure, key resources and high consequence transits and events across sectors using a common risk methodology, taxonomy and metrics to measure security risk at the local, regional, and national levels.

Support Senior Leadership risk based decision making process

6

MSRAM Security Risk Concept

X X = Risk

Threat Vulnerability Consequence

Vulnerability = Achievability X System Security X Target Hardness

Consequence = Death and Injury, Primary and Secondary Economic, Environment , National security, Symbolic Impacts X (Less Response Capability) And Secondary Economic Impact

Mitigated by Response Capability

Mitigated by Interdiction Capability

Threat = Capability X Intent (with confidence)

ICC Strategic Threat

7

MSRAM Risk Components T*C*V=R

Target / Asset Attack Mode Scenario

Inte

ntio

ns &

Con

fiden

ce

Cap

abili

ty &

Con

fiden

ce

Geo

grah

ic T

hrea

t

Dea

th In

jury

Prim

ary

Econ

omic

Impa

ct

Sym

bolic

Effe

ct

Nat

iona

l Sec

urity

Envi

ronm

ent I

mpa

ct

Res

pons

e -

Ow

ner/O

pera

tor

Res

pons

e - L

ocal

1st

R

espo

nder

Res

pons

e - U

SCG

Rec

over

abili

ty

Red

unda

ncy

Seco

ndar

y Ec

onom

ic Im

pact

Ach

ieva

bilit

y

Syst

em S

ecur

ity -

Ow

ner/O

pera

tor

Syst

em S

ecur

ity -

LEA

Syst

em S

ecur

ity -

USC

G

Targ

et H

ardn

ess

Threat Attack

ProbabilitySecondary Economic

Impact

X Scenario Consequence

RiskPrimary Consequence + X Vulnerability =

8

Breadth of MSRAM Risk Information 644,000 Data Points

Target Factors q  Target name q  Target Class q  Availability q  Maximum Consequence q  USCG Role (Lead, Support, Other) q  Maritime Transportation Security Act

Regulated q  Area q  Captain of the Port q  CG Station q  Port q  Waterway q  Latitude / Longitude q  County (link to FEMA regions) q  River Mile Marker q  DHS MCI/KR sector q  DHS Grant Port

q  Ability to add additional DOD target factors as necessary

Scenario Factors (Scenarios = Target +Attack Mode) q  Threat

o  Intent o  Capability

q  Consequence o  Death/Injury o  Primary Economic o  Secondary Economic (Recoverability/Redundancy) o  Environmental o  National Security o  Symbolic o  Response Capability (Owner/Operator, 1st

Responders, USCG) q  Vulnerability

o  Achievability o  System Security (Owner/Operator, LE, USCG) o  Target Hardness

q  Risk o  Organic: 24 hour, steady state owner/operator

response o  Mitigated: risk including impact of USCG & LEA o  Primary: primary economic impact only o  Total: risk including secondary economic

9

Depth of MSRAM Risk Information Over 74,000 Judgements

Target Categories/Classes q  Barge

o  10 classes q  Facility

o  14 classes q  Infrastructure

o  7 classes q  Key Asset

o  8 classes q  Other

o  2 classes o  High Population o  Events

q  Vessel o  21 classes

Attack Modes q  Attack by Hijacked Vessel q  Boat Bomb q  Boat Bomb (while vessel is present) q  Car/Truck Bomb q  Hijacking of Vessel q  Passenger/Passerby Explosives/Improvised

Explosive Devices q  Sabotage q  Standoff Weapon Launched from Water and

Land (including Man-Portable Air Defense Weapon)

q  Swimmer/Diver/Underwater Delivery Systems q  Terrorist Assault Team (Hostage Taking) q  Attack by Hijacked Large Aircraft q  Small Suicide Aircraft q  Chemical, Biological, Radiological, Nuclear q  Cyber Attack q  Mines (Aquatic) & Mines (Land) q  Transfer of Terrorist, weapons/materials q  Ability to add additional DOD attack modes as

necessary MSRAM target classes link to DHS sectors

10

MSRAM – Synergizes the Use of Other Risk Tools, Models, and Assessments

Vulnerability q  Assessments (AMSC, VSP,

FSP, RAM-D, MAST, PSA, RAMCAP, CRs, SAV, PIVA, HLS-CAM, JISVA, FHWA).

q  Tools (ACAMS, ViSAT) q  Studies / Grants ( BZPP) q  Workgroups (SME)

Consequence q  Studies (Blast & Consequence) q  Plans (AMSP) q  Tools (Chemtap, Oiltap,

CAMEO, Aloha, Marplot) q  Consequence Data (RMP,

GCOA, HASZUS)

Inten

tions

&

Conf

idenc

eCa

pabil

ity &

Co

nfide

nce

Geog

rahic

Thre

at

Death

Injur

y

Prim

ary E

cono

mic

Impa

ct

Symb

olic E

ffect

Natio

nal S

ecur

ity

Envir

onme

nt

Impa

ctRe

spon

se

Capa

bility

Reco

vera

bility

Redu

ndan

cy

Seco

ndar

y Ec

onom

ic Im

pact

Achie

vabil

ity

Syste

m Se

curit

y -

Owne

r/Ope

rato

rSy

stem

Secu

rity -

LE

ASy

stem

Secu

rity -

US

CG

Targ

et Ha

rdne

ss

RiskPrimary Consequence +

X Vulnerability =Threat Attack

ProbabilitySecondary Economic

Impact

X Scenario Consequence

Outputs

Threat ICC Strategic Threat Analysis q  Intent w/Confidence q  Capability w/Confidence q  Time Horizon when terrorist

Capability Acquired

q  Prioritized Risk Ranking - Common Risk Model (NADB)

q  Security Risk Profiles q  Risk Drivers q  Data for Risk Management

Analysis q  Risk Management Priorities

Strategic Risk Analysis Process Protective Security Analysis Center (PSAC)

National Infrastructure Simulation and Analysis Center (NISAC) Coast Guard R & D Center / National Labs

Exercises: PREP, PORTSTEP, AMSTEP, TOPOFF

Analyze & Exercise

MSRAM Risk Calculator

11

MSRAM Data Review Process Local, Regional and National

District Review Provide consistency/normalization

between Sectors

Area Review Provide consistency/normalization

between Districts

2

HQ Assessment, Review & Analysis Provide consistency/ normalization between Areas

RED = Data is at the Secret

level

Green = Data is at the Security Sensitive Information level

Review

and Direction

è

4

COTP/Sector Assessment with AMSC Input - Identifies risk

profile for individual targets

3

1

12

One Dimension Consequence Scale

Ferry

Defense Facility

Nuclear Power Plant

Previous Consequence-Based Approach

Chemical Plant

CDC Barge

HIGH Consequence LOW Consequence

Cruise Ship

Waterway Refinery Bridge

Oil Tanker

Freight Ship

13

Like

lihoo

d (T

hrea

t * V

ulne

rabi

lity)

CDC Facility – Car/Truck Bomb

National Icon – Boat Bomb

Bridge – Attack By Hijacked Vessel

High Capacity Ferry Terminal- Car/Truck

Bomb

Petroleum Refinery – Car/Truck Bomb

Cruise Terminal – Car/Truck Bomb

Bridge - Boat Bomb

HIGH Consequence LOW Consequence

LOW

HIGH

MSRAM creates a Risk-Based Risk-Informed Security Profile

Nuclear Power Plant – Car/Truck Bomb

High Capacity Ferry – Boat Bomb

Ferry 150 -1000 – Boat

Bomb

Cruise Ship - Boat Bomb

Cruise Ship - Car/Truck Bomb

Cruise Ship – Attack By Hijacked Vessel

LPG Tanker - Boat Bomb

LPG Tanker – Stand-Off Weapon

Oil Tanker – Boat Bomb

High Capacity Ferry - Car/Truck Bomb

14

MSRAM creates reports for analysis Risk by Target Class Use reports to

quickly scan for risk by target

classes

Bridges & Tunnels

SAMPLE DATA

15

Comparison of Chemical facilities

0

2000

4000

6000

8000

10000

12000

14000

Chlorine #1 Chlorine #2 Chlorine #3 Ammonia #1 Ammonia #2 Ammonia #3 LNG #1 LNG #2 LNG #3

Ris

k In

dex

Num

ber (

RIN

)

RIN

Chlorine Ammonia LNG

ILLUSTRATIVE SAMPLE DATA

RISK

16

MSRAM Analysis – Compare Risk Density by State

Risk Density for Type Target by Gulf State (Illustrative)

020004000

60008000

Florid

a

Alabam

a

Louis

iana

Mississ

ippi

Texa

s

OtherVesselsKey AssetsInfrastructureFacilitiesBarges

SAMPLE DATA

17

MSRAM change case supports Risk Mitigation Decision Strategies

18

MSRAM National Risk Profile

CONSEQUENCE

LIK

ELIH

OO

D (T

hrea

t * V

ulne

rabi

lity)

X# target represent top 60% of the

total risk

18,000+ targets represent 100 % of the total risk

X# target represent top 40% of the

total risk

X# target represent

top 20% of the total risk

Response/Recovery

Prev

entio

n/Pr

otec

tion

19

Senior Leadership can utilize MSRAM to illustrate High Risk Scenarios

by Attack Mode locally, regionally, nationally

If we receive a threat advisory for high capacity passenger vessels? This slide illustrates MSRAM’s ability to support decisions in times of crisis by identifying what scenarios are the highest risk, the risk drivers and where they are located.

6

1 18

3

18

15 12

13

3

Illustrative Attack Modes

Car / Truck Bomb Boat Bomb (while vessel is present) Swimmer/Diver/Underwater Delivery Systems Standoff Weapon Launched from Water Attack by Hijacked Vessel

9

13

10 7

13

11

6

11

23 12

2

19

9

11

20

MSRAM assists to identify where are the greatest risks and risk drivers are in your AOR

Geographic distribution of high risk attacks in Sector Miami

This slide illustrates the geographic distribution of high risk scenarios within an AOR. The highlights the richness of MSRAM risk information and how it can be used to inform the operational commanders

Attack Modes Car / Truck Bomb Boat Bomb (while vessel is present) Swimmer/Diver/Underwater Delivery Systems Standoff Weapon Launched from Water Attack by Hijacked Vessel

Illustrative for demonstration purposes

21

MSRAM supports Local, Regional and National applications

q  Strategic Uses o  Provides an understanding of:

•  the types of targets and attacks that present the highest risk •  the risk-based distribution of targets regionally (Risk Density)

o  Strategic planning outcomes measure o  Support of Strategic planning effort-Combating Maritime Terrorism (CMT) o  Transportation Worker Identification Credential (TWIC) implementation o  DHS Port Security Grant Process (risk formula and grant evaluation) o  National Maritime Security Risk Assessment (NMSRA) o  National Maritime Threat Assessment Methodology o  Strategic Operational Planning Process (SOPP)

q  Operational Uses o  Operation Neptune Shield o  Geospatial Risk Map o  Area Maritime Security Plans (AMSP) / Action Plans / Contingency plans o  Mounted Automatic Weapon allocation project

q  Tactical Uses o  Incident Command System (ICS) risk management cycle o  National Special Security Event (NSSE) o  Communication tool amongst stakeholders-AMS Committee o  Supports updates to NVIC 09-02 AMSPs and 03-03 Facility security plans

22

Global Supply Chain Security Risk MSRAM can assist in determining the risk & interdiction capability along critical nodes

24 Hour Advance Shipment Notice

CBP Booking Information

CTPAT

Factory Truck, Rail, Barge

Transport

Truck, Rail, Barge

Transport

Truck, Rail, Barge

Transport

Distribution Center

Port of Lading Water

Conveyance Air

Conveyance

Distribution Center

Port of Entry

Trans-shipment

Port

Security Risk Analysis

MSRAM DR. Lewis

Regulatory Regime

Enforcement Critical Network Analysis

CFR

International Ship & Port Facility Compliance

96 Hour Notice of Arrival

DNDO, Deep Water, Domain Awareness

Container Security Initiative

State / Local Entry

Carrier Movements

Transportation Security

23

0

1000

2000

3000

4000

5000

6000

7000

8000

Floo

ding

-Sin

king

Pers

onne

l Mish

apDr

ug S

mug

glin

gNa

tura

l Disa

ster

Atta

ck o

n Po

rt In

frast

ruct

ure

or M

TSCo

llisio

n-Al

lisio

nFo

reig

n Ille

gal F

ishin

gO

il Spi

llNa

tion

Stat

e At

tack

Non-

Mar

itime

Incid

ent

Dom

estic

Ille

gal F

ishin

g

Inva

sive

Spec

ies

Intro

duct

ion

Disc

harg

e of

Deb

ris/S

ewag

eG

roun

ding

Mar

ine

Casu

alty

Affe

ctin

g W

ater

way

Inte

rrupt

ion

of M

ilitar

y O

pera

tions

Seas

onal

Con

ditio

nsFi

re-E

xplo

sion

Illega

l Mig

rant

Ent

ryRe

leas

e of

HAZ

MAT

Spec

ies

Dam

aged

by

Mar

ine

Ope

ratio

ns

Category-8Category-7Category-6Category-5Category-4Category-3Category-2Category-1

Sum of Total

Incident

Severity

Unified Risk Coast Guard Missions Expected Residual Loss (Risk) that the CG has the ability to influence due to:

All incidents (excluding transfer of WMD)

0

1000

2000

3000

4000

5000

6000

7000

8000

Floo

ding

-Sin

king

Pers

onne

l Mish

apDr

ug S

mug

glin

gNa

tura

l Disa

ster

Atta

ck o

n Po

rt In

frast

ruct

ure

or M

TSCo

llisio

n-Al

lisio

nFo

reig

n Ille

gal F

ishin

gO

il Spi

llNa

tion

Stat

e At

tack

Non-

Mar

itime

Incid

ent

Dom

estic

Ille

gal F

ishin

g

Inva

sive

Spec

ies

Intro

duct

ion

Disc

harg

e of

Deb

ris/S

ewag

eG

roun

ding

Mar

ine

Casu

alty

Affe

ctin

g W

ater

way

Inte

rrupt

ion

of M

ilitar

y O

pera

tions

Seas

onal

Con

ditio

nsFi

re-E

xplo

sion

Illega

l Mig

rant

Ent

ryRe

leas

e of

HAZ

MAT

Spec

ies

Dam

aged

by

Mar

ine

Ope

ratio

ns

Category-8Category-7Category-6Category-5Category-4Category-3Category-2Category-1

Sum of Total

Incident

Severity

Important Note: These are not suggested resourcing profiles! Context is required before these profiles are able to meaningfully inform planning and budgeting decisions.

MSRAM data contributes to this risk profile

24

Maritime Security Risk Analysis Model

Questions? Topics for Discussion!

Support Senior Leadership risk based/informed decision making process

“In the absence of emotion and Political influence Risk is where risk is.”

Quote by LCDR Brady Downs, USCG during Congressional briefing 2007