CRITICAL INFRASTRUCTURE Protecting Critical Infrastructure from Terrorism: A RiskBased Multi-Hazard Approach to Vulnerability Assessment Reducing the Risks and Consequences of Terrorism CREATE Conference November 18, 2004 Professor Rae Zimmerman New York University/Wagner Graduate School of Public Service Research Objectives Electric Power Case Develop Critical Infrastructure as a Focus for and Demonstration of the Assessment of Risk, Consequences, Emergency Response and Economic Impact Provide Inputs from Electric Power Case to Risk and Economic Modeling, including: electric power system configuration common mode failures indicators for interdependencies with other infrastructure Why Infrastructure? Attention of Federal Policy: 1996-2004 Public Concern; Contributes about 10% to Gross Domestic Product (Henry and Dumagan 2004) Highly Interdependent Centralized Production Systems and Networked Distribution Systems Large Consequences of an Attack: Extensive Number of Users Exposed Proven Targets of Terrorism Interconnections that Magnify Impacts Attention of Federal Policy: CHRONOLOGY OF SELECTED FEDERAL INITIATIVES INCORPORATING INFRASTRUCTURE 1996 1997 1997 1998 2001 2002 2003 2003 2004 Executive Order 13010 President’s Commission on Critical Infrastructure Protection U.S. Department of Commerce Critical Infrastructure Assurance Office Presidential Decision Directive (PDD) 63 USA Patriot Act Section 1016 National Strategy for Homeland Protection Homeland Security Presidential Directive (HSPD)7 and 8 National Strategy for the Physical Protection of Critical Infrastructures National Incident Management System (NIMS) Proven Targets of Terrorism or Sabotage: TRANSIT and WATER TRANSIT 1900s: Hundreds of Subway Attacks Outside U.S.(Mineta Institute) 1995: Tokyo Sarin Gas on 3 Separate Lines 1995: Subway Car Bombings - St. Michel-Notre Dame Station 1995: Derailment of Amtrak’s Sunset Limited (AZ) (vandalism) 2001: Destruction of Lower Manhattan Subway Lines (WTC) 2004: Madrid Subway Bombings WATER 2003: break-ins at water systems in 5 states and Canada Poisoning threats in Turkey, Germany and Malta Source: R. Zimmerman, “Water” in Digital Infrastructures, edited by R. Zimmerman and T. Horan (Routledge 2004). Proven Targets of Terrorism or Sabotage: ELECTRIC POWER Domestic attacks on power plants: “70 percent of energy and power companies experienced at least one severe cyber attack.” ( U.S. GAO 2004: 12) Transmission Towers: Vandalism occurred in October 2004, when two bolts were removed from a transmission tower in Milwaukee, WI disrupting power and rail service when the tower fell on to the lines (USA Today 2004). Crude oil and gas pipelines: Between June 2003-September 2004, in Iraq, over one hundred attacks on oil and gas pipelines were reported. System Interconnectedness (Macro and Micro Effects) ENERGY TRANSPORTATION WATER TELECOMMUNICATIONS Macro Interdependencies: 2003 Total Energy Consumption by Sector Source: Drawn from U.S. Department of Energy, Energy Information Administration, Monthly Energy Review, October 2004 27% 22% Residential Commercial Industrial 18% Transportation 33% Micro Interdependencies: Energy use at the East Bay Municipal Utilities District OAKLAND, CA Energy Inputs Onsite Power Generator 2.6 MW Western Area Power Authority 4.16 MW Pacific Gas and Electric EBMUD Oxygenation Activated Plant Sludge Mixing Headworks Lighting, Losses, Misc. Surplus Power Activated Solids Other Handling Sludge Pumping Motor Loads 27% 22% 18% 12% Energy Outputs 10% 7% 4% Diagrammed from Hake, Bray and Kallal (2004) Types of Potential Disruption and Vulnerability Associated with Interdependencies GENERAL EFFECTS Single System Effects Multiple System Effects (e.g., J. Peerenboom, R. Fisher, R. Whitfield): Common-Cause; Cascading; Escalating GENERIC ELECTRIC POWER CASE: Disruption by Terrorism Multiple modes of attack possible Numerous cascading effects Many second and third level consequences Enormous economic impacts of sustained regional electricity disruption ILLUSTRATIVE EXAMPLE: U.S. and Canadian Blackout of August 14, 2003 One set of initiating events: cyber failures Series of cascading failures of electrical systems Interdependencies: transportation, water, sanitation, communications failures Economic and social impacts: health and recreation; job disruption; disruption and redistribution of economic sectors Numerous analogies to consequences of a terrorist attack Source: Graphed from North American Electric Reliability Council (NERC) data Number of Customers Affected 60,000 50,000 Selected Major Blackouts in the U.S. Customers ('000) 50,000 40,000 30,000 30,000 20,000 10,000 0 9,000 2,000 7,500 152 Maximum Duration 40 35 30 26 19 13 9 3 36 Hours 1965 1977 1996a 1996b 1998 2003 25 20 15 10 5 0 1965 1977 1996a 1996b 1998 2003 Research Approach: Electric Power 1.Identify Event Case Databases (“all-hazards” approach): U.S. DOE, U.S. DHS, websites, etc. 2.Case Diagnosis of Failures: Identify and code– characteristics of failures – Interdependencies with other infrastructure – vulnerable components and consequences 3.Develop and Apply Indicators of Infrastructure Interdependency 4.Identify Risk Reduction Options (U.S. DOE Database) Source: New York University Critical Infrastructure Project, CREATE Number of Incidents 60 50 No. of incidents 40 30 20 10 0 90 91 92 93 94 95 96 97 98 99 00 01 20 19 19 19 19 19 19 19 19 19 19 20 20 02 Indicator Application and Preliminary Analysis of Interdependencies and Failures Type of Infrastructure Ratio of # Times Infrastructure Causes Failures vs. is Affected by Failure Water mains 3.4 Roads 1.4 Gas lines 0.5 Electric Lines 0.9 Fiber Optic/Telephone 0.5 Sewers/ sewage treatment 1.3 Source: R. Zimmerman, “Decision-making and the Vulnerability of Critical Infrastructure,” Proceedings of IEEE International Conference on Systems, Man and Cybernetics, 2004. Based on an illustrative data set of approximately 100 cases. Risk and Consequence Reduction Options for Electricity: Post 9/11 (WTC) Examples Redundancy/Service Alternatives – Spare transformer vaults at the South Street Seaport provided energy to damaged areas Use of Slack Resources – Ability to access portable generators provided temporary power Decentralization and Decoupling – Alternative, portable energy sources used Decentralize/De-Couple Energy: Renewable Energy - Trends Compared With Other Resources, 1973-2001 (Quadrillion Btu) Source: Department of Energy, Energy Information Administration; Monthly Energy Review September 2002; http://www.eia.doe.gov/emeu/mer/pdf/pages/sec10_2.pdf; (Accessed 30 October 2002). Conclusions Electric power is a key driver of other infrastructure and impacts other infrastructure in extreme events Grid configurations, common component failures and their consequences guide risk estimates of terrorist attacks Risk reduction alternatives exist that can alter vulnerability of energy service configurations to attack Outputs of case-based diagnostic methods and indicators provide inputs to risk and economic models ACKNOWLEDGMENT AND DISCLAIMER This work is supported by the U.S. Department of Homeland Security (DHS) through the University of Southern California for CREATE and several grants from the National Science Foundation (NSF). Any opinions, findings, and conclusions or recommendations expressed in this document are those of the author(s) and do not necessarily reflect the views of the U.S. DHS or the NSF. The staff at NYU-Wagner are also acknowledged for their valuable assistance with the data, namely Carlos Restrepo, Nicole Dooskin, Ray Hartwell, Justin Miller, and Wendy Remington.