Vulnerability of Public Infrastructure: A Systems Perspective
2002 Capital Projects Workshop
Integrated Technology Workshop
National Conference Center
Lansdowne, Virginia
November 13, 2002

Robert Prieto
Chairman
Parsons Brinckerhoff

Many Things Went Right on 911
- Emergency Services Responded Immediately
- 55,000 People Safely Egressed Area of Attack
- Trains Ordered to Bypass WTC Locations
- No Transit Workers or Passengers Injured or Killed
- All Bridges and Tunnels in NYC Closed 16 Min. After the Second Plane Attack
- Buses Removed People from Emergency Site
- 300 Buses Mobilized to Transport Firefighters, Rescue Workers, Construction Workers
- Engineering and Construction Industry Self Mobilized
  - Structural Inspection of Buildings
  - Heavy Construction Equipment
- Emergency Operations Center Successfully Relocated
- Private Ferry Operator Self Mobilized for Evacuation and Stepped-up Ferry Service to Lower Manhattan
- Lower Manhattan Evacuated
- Air Traffic Control System Safely Shut Down
- Emergency Generators Mobilized to Site
- Infrastructure Systems Protected Against Further Damage
- After Initial Impacts, Infrastructure Service Restored
  - Reconfiguration Continued Over Subsequent Period

Overview
- Critical Infrastructure Defined
- The 3 Rs: Lessons Learned from 911
- Be SMART: The New Vulnerabilities
- Challenges Ahead

Critical Infrastructure Defined

Critical Infrastructure
- Systems Whose RAPID Failure Would Lead to a Catastrophic Loss of Life. (Rapid is Relative to the Consequences Possible as Opposed to an Absolute Time Scale)
- Systems Whose Failure or Significant Degradation Would Lead to Unacceptable Economic Consequences
- Systems Whose RAPID Failure Would Significantly Impact Rescue and Response Efforts (Should the Emergency Ops. Center Have Been Located in Proximity to High Profile Target?)
- Systems Whose Significant Degradation Would Significantly Impact Recovery Efforts

Remember . . .
- Not Everything is Critical
- Must Have a Systems Perspective
- Must Apply Resources Where They Will Be Most Effective
- Next Threat Will Be Different From The Last

The 3 Rs: Lessons Learned from 911

3 Rs of Critical Infrastructure
- Resist
- Respond
- Recover

The First “R” – Resist
- Critical Infrastructure Must Be Defined
  - Not Everything is Critical
- Critical Infrastructure Must Be Designed to Resist Attack Catastrophic Failure
- Open Role of Infrastructure Limits Ability to Resist Deliberate Attack

The Second “R” – Respond
5 Lessons Learned
- Link Between Infrastructure and Development Highlighted
- “Core Capacity” of Infrastructure Systems Essential
- Deferred Maintenance = Real Cost, Real Risk
- Operational/Emergency Response Training Essential
- Need to Reconfigure “First-Responder” Team

Lesson #1: Recognize the Linkage Between Infrastructure and Development
- “Localized” Failure of “Development” Led to . . .
- “Localized” Destruction of Attendant Infrastructure
  - Transit, Power, Telecom
- Led to . . .
- Remember That These Two “Systems” Are Tightly Coupled

September 11, 2001 Underground Structures

Lesson #2: “Core Capacity” of Infrastructure Systems is Essential
- Core Capacity
  - Degree of Interconnectivity of Various Elements of a System
  - Number of Alternative Paths Available
  - Flexibility and Redundancy
- Traditional Project Evaluation Models Have Rewarded New Connections vs. Responsiveness and Reliability
- Complex Systems Require a New Model
- Dislocations Can Be Profound
- Improved Reliability, Availability and Performance Pay Hidden Dividends
- “Quality” of the System Counts

Lesson #3: Deferred Maintenance Represents A Real Cost and A Real Risk
- Critical to Sustain Ability to Respond
- Backlog of Deferred Maintenance Should be Reviewed as Element of Systems’ Risk
- Systems in “State of Good Repair” Fared Better in Both Response and Recovery Phases
- Key to Integrity of “New” Security and “Safety” Systems

Lesson #4: Operational and Emergency Response Training is an Integral Element of Critical Infrastructure Response
- Operational Training Integral to Engineering of Critical Infrastructure
  - Establish Evacuation Routes and Off-Property Staging Areas
- Scenario Training Must be Evolutionary as New Threats Emerge
  - Review Existing Emergency Response Plan
  - Revamp Unusual Incident Reporting
  - Consider:
    - Weapons of Mass Destruction
    - Higher Risk of Collateral Physical and Economic Damage
    - Extended Time Frames Need to be Addressed
- Emergency Operation Centers Must be Safe, Redundant and Integrated with Other Relevant EOCs
- Quick Response Essential
  - Interoperability of First Responders
  - First Responder Training Must Be Integrated with Infrastructure System Operational Training
    - Actions
    - Interactions
    - Communications
    - Decision Making

Lesson #5: Today’s Highly Engineered Environment Requires a First Responder Team that Goes Beyond the Traditional Triad of Fire, Police and Emergency Services
- Role of the Engineer and Constructor
- The New Fourth Responder

The Third “R” – Recover
Engineer for Recovery
- Providing for Accessibility to the Sites of “Critical Infrastructure”
- Ensuring Availability of Specialized Construction Equipment, Contracts and Materials
- Developing a Well-Documented System with Clear Interface Points
- Pre-Planning and Rehearsing Response and Recovery Scenarios for High Probability Events (Earthquake, Hurricane, Flood in Prone Areas)

But Also . . .
- Understand our Engineered Environment
  - Not Only Past and Present
  - More Importantly – Future
- Understand How It Will Evolve
- Understand How 3 “Rs” Will be Built in As System Expands
- Have a Vision

Be Smart: The New Vulnerabilities

Be Smart: The New Vulnerabilities
- Build on “Lessons Learned” From WTC
- Also Consider Other Large Scale Events
- Fall Into 5 SMART Categories
  - Systems
  - Maintenance & Operation
  - Attitude
  - Risk Taking
  - Transitional

System Vulnerabilities
Focus: Ensuring the Right Systems Put in Place
- Failure to Recognize the “Built Environment” As A Growing And Ever More Complex System
- Inadequate “System” Understanding
  - What May Go Wrong, How To Detect and Remedy
- Positive Feedback Loop Risks “Progressive” Failures
- Centralized Control Weaknesses in Complex Systems
  - Need For “Interoperability”
  - Need to “See” the Situation
  - Partial Decentralization of Systems Required
- “Tight Coupling” of Systems
  - An Event in One System Leads to an Event in Another in Short Order (Lesson #1)
- Failing to KISS
  - KISS – Keep It Simple Stupid
  - Some Classes of Systems/Technology Are Inherently Open to Chains of Failure
    - Adding Safety Systems Only Raises Level of Complexity
- Inadequate “Core Capacity”
  - “Reach” Emphasized Over “Responsiveness” (Lesson #2)
  - Keys to System Responsiveness to Unplanned Events
    - Interconnectivity
    - Flexibility
    - Redundancy

Maintenance & Operation Vulnerabilities
Focus: Keeping the “Right” System That Way
- Failing to Recognize Importance of “State of Good Repair” (Lesson #3)
- Tendency Will Be to “Add” On Top Of Existing Base “System”
  - Can Create New Risks in Complex Systems
  - The “Foundation” Must Be Strong
- Inadequate Renewal of Emergency Training (Lesson #4)
  - “Built Environment” Exists in Dynamic Environment
  - “Built Environment” Has Its Own Inherently Dynamic Nature
- Inadequate Operating Provisions to Limit Disturbances
  - Avoid “Tight Coupling” Effects
  - Good Example – Power-Grid Inter-ties

Attitude Vulnerabilities
Focus: Willingness to Accept Unexpected or Undesired “Truths”
- “Cognitive Lock”
  - Holding On to a Course of Action Against All Contradictory Evidence
    - Disastrous When Combined With a Complex System
    - Fermi Breeder Reactor Accident
    - Requires a Fresh Pair Of Eyes
- Haste
  - Risks Incurred, Unknowingly While Blindly Charging Ahead
    - Poor Quality Control on Slag Inclusions Did More To Sink The Titanic Than The Iceberg
- Over Commitment to Bureaucratic Goals
  - Growing Problems Ignored for Sake of Meeting Goals
    - NASA and Morton Thiokol
    - Congress and TSA on Aviation Security
- Prisoner to Heuristics
  - Broader Look Constrained by…
    - Past Experience (Never Happened So Not Credible)
    - What We Heard (Often Narrow and Limited)
  - Failure to Consider Lessons Learned in Analogous Settings or System
- Denial
  - Failure to Consider the Unlikely
    - “Core Capacity” Provides the Tools to Address
  - Absence of Contingency Plans for Future
  - Failure to Learn “Lessons Learned”

Risk Taking Vulnerabilities
Focus: How We Perceive Risks and Handle Mistakes
- Litigation Constrains Risk-Taking in “Respond” and “Recover” Phases
  - Inadequate Good Samaritan Legislation for Engineers and Constructors (Lesson #5)
- Fear of “Satisficing”
  - Satisficing – A Workable and Fast-Acting Solution Without Complete Information
  - Driven By How We “Handle Mistakes”

Transitional Vulnerabilities
Focus: Vulnerability During “Change” Process
- Inadequate Use of Currently Deployed Resources
  - “Silver Bullet” Syndrome
- Change Processes Will Further Stress Existing Systems
  - Air Travel
  - Just-in-Time Commerce
    - Seaport Security
    - Border Crossings
  - First Responders
- “Narrow” Approach May Increase Overall Risks
  - More Holistic Approach Required
- New System Failure Rates Not Planned
  - Don’t Know What You Don’t Know
  - Systems Must Be Learned Under Good Conditions and Bad
- Technology Put Ahead Of People
  - Technology Needs to Fit People – Not the Other Way Around

Challenges Ahead

Challenges Ahead--Best Viewed From Critical Infrastructure/3Rs Perspective
- Systems Whose Rapid Failure Would Lead to Catastrophic Loss of Life
  - Type 1 – Resistance (Life)
- Systems Whose Failure Would Lead to Unacceptable Economic Consequences
  - Type 2 – Resistance (Economic)
- Systems Whose Failure Would Significantly Impact Rescue and Response Efforts
  - Type 3 – Response
- Systems Whose Degradation Would Significantly Impact Recovery Efforts
  - Type 4 – Recovery

Resistance Challenges Type 1 (Life)
- Internally Introduced
  - Airports
  - Nuclear/Chemical Plants
  - Major Public Spaces – Transport Terminals/Hubs/ Large Public Gathering Spaces
  - Water Supply
- Issues
  - Airports/Nuclear & Chemical Plants As Sources of Threat (Plane, Radiation, Toxin)
  - Open Nature of Infrastructure Terminals
    - Looking Past Fire to Biological/Chemical Threats
  - Slow to Detect Biological Contamination of Major Water Supply
- Recommendation
  - National Test Bed Focused On Port Security

Resistance Challenges Type 2 (Economic)
- Single Point Failure Threats (Conventional or Unconventional Weapons)
  - Major Infrastructure Links With
    - Extended Repair Times or Costs
    - Limited or No Alternate “System” Connections
    - Broad “System” Degradation Potential
  - Particularly At Risk Are
    - Major Bridges & Subaqueous Tunnels
    - Transit & Road Tunnels in Major Cities
    - Electric Power Transmission Lines, Inter-ties and Critical Switchyards
    - Transcontinental Gas Pipelines
    - Major Aqueducts, Dams, Wastewater Treatment Facilities
    - Cable Landing Stations and Trans-oceanic Cables
- Degraded Ubiquitous Infrastructure System Control/Capability (Conventional or Unconventional Weapons, Cyber or Insider Threat)
  - Major Control Centers and Functionality
    - Gateway to Other Systems
  - Particularly At Risk Are:
    - Telecommunication Switching Facilities
    - Internet Switching and Data Centers
    - Power Dispatch Facilities
- Trade Interruption or Degraded Trade System
  - Major Port Facilities
    - Cargo (NY, Seattle, LA) and Energy (SPR, LOOP)
  - Select Border Crossings with Canada and Mexico
  - Increased Supply-Chain Transit Times Due To Increased Security Requirements
  - Examples
    - Bridge/Tunnel Links to Detroit
    - Key Shipping Channels Including Those Outside U.S.
- Recommendation
  - Risk Weighted Design Standards For Critical Infrastructure

Response Challenges Type 3
- First Responder Protection & Interoperability
  - Equipment & Training for Fuller Range of Threats
  - Process for Assessing/Handling Unplanned Scenarios
  - Mission Reliable Communications
  - Enhanced Communication At Responder Level Between First Responder Elements (CAPWIN)
  - Enhanced Rapid Toxin Identification
  - Issue
    - Sufficiency of Specialized First Responder Elements
    - First Responder Elements Are Not Universally Capable of Communicating Directly with Each Other At The Field Level
- Emergency Operation Center Survivability
  - Enhanced Site Selection & Screening
  - Hardening and Protection for EOC Sites and Facilities
  - Issue
    - Lessons Learned in National Defense Sector Need to Be Considered in EOC
- Recommendations
  - National First Responder Training Facility For WMD Events
  - Deploy National First Responder Interoperability System
    - Build on CAPWIN
  - Develop Disaster Response Network of Engineers and Constructors as Part of First Responder Team

Recovery Challenges Type 4
- Inadequate Specialized Personnel, Facilities and Equipment
  - Needs Not Well Defined in Homeland Security Context
  - Examples Include:
    - Decontamination Teams and Equipment
    - Laboratory and Specialized Manufacturing and Process Facilities
    - Heavy Construction Equipment and Engineers
    - Network of Disaster Recovery Specialists
- Inadequate Legislative, Financial, Contracting and Risk Management Framework
- Recommendation
  - National “Good Samaritan” Legislation for Engineers and Constructors Involved in Disaster Response and Recovery

Summary
- Critical Infrastructure
- 3 Rs – Resist, Respond, Recover
- “SMART” Vulnerabilities
- Challenges Ahead