The events and aftermath of September 11, 2001, have focused increasing and unprecedented attention on the protection of our nation's critical utility infrastructure. Utilities have been forced to evaluate and realistically address risks and potential vulnerabilities to previously improbable threats to their physical assets, as well as those embodied in their employees, knowledge base, information technology and customers.
Security threats from terrorist events are relatively new to the majority of utility industry sectors, and, as a result, standard protocols are in their developmental infancy. For instance, water and wastewater utility infrastructure assets are typically dispersed, so standard approaches to security (developed for enterprises with highly centralized assets such as nuclear weapons production facilities) are difficult to apply. A risk-based approach is needed, but most utility personnel are not trained in risk-assessment techniques.
Utilities must always assure their governing boards, customers and the public that they can withstand any crisis; have a thorough understanding of their vulnerabilities and risks of business failures associated with these vulnerabilities; can respond to crises with practiced, effective plans and a well-trained staff; and can recover from a crisis with minimal interruption of services to their customers. However, financing for security initiatives traditionally has not played a significant role in utility budgeting.
Although it has become an unfortunate cliché, responsible management simply cannot avoid the contemporary truth that, "Spending too much on security is foolish, but not spending enough is even more foolish." Determining of the right amount may even seem like an impossible quantification given the difficulty of defining the methods terrorists may use. Managers facing a balancing act between demands for security and the resources needed to enact and finance those actions are, therefore, in need of an approach to help establish a basis for evaluating and justifying investments, policies and procedural changes.
One available tool to help address these challenges is the Vulnerability Self Assessment (VSATTM ) methodology and software. VSAT provides a structured, cost-effective approach for utilities to assess their vulnerabilities and establish a risk-based methodology for making and prioritizing necessary changes.
"VSAT provided a logical procedure for inventorying and evaluating equipment and processes in our water operation and for determining potential security improvements," said Don Broussard, water operations manager, Lafayette, La., Utilities System. "I especially liked the way the software allowed for the analysis thinking to be documented within the application, in case decisions were challenged. The basis for the planned security improvement decision, including capital and O&M costs, is contained within the application."
Officials at EPA agree with Broussard:
"VSAT has been very valuable in assisting drinking water and wastewater utilities in performing vulnerability assessments, helping to better secure the nation's water infrastructure," said Curt Baranowski, environmental protection specialist, EPA Office of Ground Water and Drinking Water's Water Security Division. "Utility feedback on the tool has been extremely positive."
VSAT approach
The VSAT methodology and software are flexible, rapidly customized and user friendly. VSAT software is equally applicable to deliberately caused or natural disasters, and readily adapted to a variety of sectors. The software application is currently most commonly deployed in the context of water and wastewater utilities, and typically includes a pre-loaded library of default assets to assist in full customization of those specific to any given user. In addition, it contains libraries of both threats and common countermeasures, recognizing that many users, while familiar with the operation of their utility, may not have the same familiarity with the security industry from which to draw such information.
As users proceed through self-assessments, VSAT documents the analysis process during each step, capturing comments and decisions that easily can be exported for communication to colleagues unfamiliar with the software itself. During this process, VSAT helps users identify critical asset(s) and potential single points of failure (SPF). This process culminates in a series of reports that present findings in a clear and concise way, providing solutions that enable organizations to mitigate risks of business interruptions at least cost.
The VSAT Vulnerability Assessment (VA) methodology, which is manifested in the VSAT software, guides users through the following process:
The VSAT process compels a thorough evaluation of potential risks associated with threats against considered utility assets. Where risks are unacceptable, the software leads the user through a decision process to select new countermeasures that reduce risk in priority order according to risk reduction and cost-incurrence criteria.
Customization of asset inventories
VSAT comes with standard asset templates for water supply and wastewater systems that also can be adapted for other sectors (e.g., electric utility, gas utility, ports). These asset templates allow for easy initialization of the analysis. As mentioned earlier, five classes of assets can be considered in the analysis--physical plant, employees, customers, information technology and knowledge base. Organizations can choose to include all asset classes or any combination.
Determination, association of threats
The threats that will be included in the analysis are determined by review of current threat levels and discussion with local law enforcement agencies. Once established, these threats are loaded into the database. VSAT also includes a threat library that can be used to assist in selecting threats of concern. The selected classes of assets described above are then reviewed to associate with the relevant threats. In the analysis, not all threats are appropriate to consider for all assets. For example, a contamination threat is a threat against customers - not against the physical plant, even though the contamination may be introduced at the plant.
Security risk assessment
Beginning with a baseline analysis, the risk for each asset-threat combination is determined by considering the two components of risk - criticality and vulnerability. VSAT has built-in criticality and vulnerability evaluation tables to help make and document decisions. For instance, while adaptable to unique contexts, the suite of standard criticality evaluation criteria will lead analysts to consider personnel safety, facility/equipment damage, process loss, environmental and community impacts, temporal effects and recoverability. Vulnerability is typically considered to be the joint probability of failure and occurrence. Criticality and vulnerability criteria can be customized for each organization to include its terminology, risk acceptance levels, and criteria for decisionmaking. Based on site visits, review of policies and discussions with organization staff, information on the criticality and vulnerability of each asset, along with the existing countermeasures, are determined in the baseline risk assessment of all assets.
Potential improvements; analysis, prioritization
At the end of the baseline analysis, risk levels will have been assigned to all significant assets. Once the baseline level of risk is determined, the next step is to determine if risk can be reduced. VSAT includes a countermeasure library that describes potential countermeasures, its technology basis, the pluses and minuses, and relative capital and operating expense.
Applying additional countermeasures and introducing of redundancies may change the risk level of the analyzed asset/threat combination. For such movement between risk matrix cells, VSAT calculates the risk reduction units (RRUs) resulting from the criticality and/or vulnerability reduction. RRUs are determined on a scale weighted to emphasize assets evaluated as possessing the greatest risk. These units serve as a quantitative evaluation of countermeasure effectiveness, which in coordination with accurate cost estimates, allow users to make informed investment decisions.
VSAT users then compile cost and risk profiles for scenarios that describe various combinations of countermeasures that quickly can be exported into reports for standalone discussion with colleagues unfamiliar with VSAT. The cost/risk analysis can be based on capital costs, annualized costs, total RRU, those with the best dollar per RRU or other specified measures. VSAT has more than 25 standard reports that can be used to prepare analysis, brief management and communicate among the security team or with outside parties, as appropriate.
"The Water Environment Federation (WEF) continues to work with funding from EPA to train all size water and wastewater treatment plan managers and operators on how to conduct a vulnerability assessment of their facility and to subsequently develop a prioritized plan for risk reduction," said James K. Sullivan, water security project manager, WEF.
"We use VSAT as the training tool for our workshops because we believe that the system operator knows his or her system better than anyone else. Based on the more than 50 WEF training sessions conducted across the country over the past two years, water and wastewater systems operators have found VSAT to be customizable, user-friendly and a highly effective way to reduce a utility's vulnerabilities to man-made threats and natural disasters," Sullivan said.
Summary
Designed to be used by workers outside the security profession, the VSAT process nevertheless provides a rigorous evaluation of risk and allows an informed basis for decisionmaking on countermeasure investment. VSAT methodology and software offers several distinct advantages:
- An asset-based approach scalable from very small to very large facilities
- Accommodation the full range of utility assets, not just physical assets
- Standardized asset templates to allow utilities to quickly begin their analysis
- Built-in libraries of threats and countermeasures
- Provides a means for risk assessment by personnel who do not have an extensive risk-assessment background
- Provides a method to evaluate potential improvements analysis on a quantitative basis.
- Is easily updated as assets, threats or countermeasures change
- Documents all decisions and assumptions, enabling managers to re-create their thought processes leading to decisions.
While VSAT was originally developed for the water and wastewater industry, it has been adapted for use in public buildings, airports, electric utilities and gas utilities. VSAT's approach to risk assessment and its functionality is widely applicable to any enterprise with substantial physical, IT and/or employee assets. About 5,000 copies of VSAT software are in use today, available free of charge to public and private water and wastewater utilities, as well as associated local, state and federal agencies and related organizations.
This article originally appeared in the March 2004 issue of Security Products magazine, pgs. 78-79.
