
Christian Mittermayr

2.3 RISK ANALYSIS FOR TERRORISM

While there exist numerous approaches for risk assessment of food and drinking water with respect to human health, such as those by Benford (2001), Dawson (2003), Dufour et al. (2003), Koopmans and Duizer (2003), Thoey et al. (2003), Larson et al. (2006), Dechesne and Soyeux (2007), Schroeder et al. (2007), ILSI (2008), Parkin (2008), Riha (2009), USDA & EPA (2011), few publications focus on intentional contamination of drinking water by terrorists. The last decade brought a considerable body of literature on risk analysis of terrorist attacks that forms the foundation for any specific scenario. Materials can be found in IRM (2002), Tuduk (2004), FEMA (2005), Willis et al. (2005), Masse et al. (2007).

Risk analysis of bio-terroristic attacks on drinking water systems 9

The risk analysis approach used in this report follows the sequential steps described in Leson (2005):

(1) Critical infrastructure and key asset inventory (consider what can be threatened and what must be protected).

(2) Criticality analysis (asset value; it determines the ultimate importance of the asset).

(3) Threat analysis.

(4) Vulnerability analysis (identification of weaknesses).

(5) Risk evaluation (as defined above); Leson (2005) uses the term “risk calculation”.

Leson (2005) defines steps 2–4 as assessment, whereas they are termed analysis here, according to the definitions above. Steps 1–4 combine the steps Risk Identification and Risk Description in a different way, according to the parameters Criticality, Threat and Vulnerability.

2.3.1 Critical infrastructure and key asset inventory

This step considers what can be threatened and what must be protected. This is usually done on a national, regional or organisational level. Generally, the assets have to be defined, but in specialized literature the assets are presumed to be known. For example, the EPA (2009) microbial risk analysis approach does not explicitly ask for an asset evaluation, since it is tacitly understood that it concerns the drinking water system at hand. Since this report focuses on the drinking water system, no further considerations are given.

2.3.2 Criticality assessment

Criticality assessment considers the consequences of the loss of or serious damage to assets. The measure of criticality, or asset value, determines the ultimate importance of the asset. The loss can be economic or the loss of lives, but an asset's value is also determined by its visibility and symbolic value.

Shock also has to be considered in the criticality assessment. Shock combines the health, psychological, and collateral national economic impacts of a successful attack on the target system, as explained in Catlin and Kautter (2007). The psychological impact of an attack will be increased if there are a large number of deaths or the target has historical, cultural, religious or other symbolic significance. Psychological impact will be increased even further if victims are members of sensitive subpopulations such as children or the elderly.

2.3.3 Threat assessment

Most civil applications deal with hazards and not with threats according to the definition above, as confirmed by EPA’s microbial risk assessment (EPA, 2009) or the WHO’s water safety plans (Bartram et al., 2009), where this step is called hazard identification. When considering security issues, the term threat is more appropriate since it includes the intent and directedness of a man-made hazard.

When modelling the risk, the distinction becomes even easier to understand. Accidental hazards are usually random, even when they include human error and man-made products. The frequency of occurrence is commonly described statistically by distribution functions. Threat, on the other hand, is estimated as the likelihood of an attack being attempted by an adversary. Intentional hazards have to be treated differently and psychological, social and political factors have to be included in the assessment. Mostly qualitative methods will have to be used.

Threat assessment of terrorist attacks has to consider the adversaries, their tactics and their choice of weapon.

Adversary

First, all adversaries should be listed and then characterized by several parameters:

• Type of adversary: Terrorist, activist, employee, other.

• Category of adversary: Foreign or domestic, terrorist or criminal, insider and/or outsider of the organization.

• History of Threats. What has the potential threat element done in the past, how many times, and was the threat local, regional, national, or international in nature? When was the most recent incident and where, and against what target?

• Objective of adversary: Theft, sabotage, mass destruction (maximum casualties), socio-political statement, other.

• Number of adversaries: Individuals, groups or “cells” of operatives/terrorists, gangs, other.

• Range of adversary tactics: Stealth, force, deceit, combination, other.

• Capabilities or Expertise of adversary: Knowledge, motivation, skills, weapons and tools. The general level of skill and training that combines the ability to create the weapon and the technical knowledge of the systems to be attacked. Knowledge and expertise can be gained by surveillance, open source research, specialized training, or years of practice in the industry.

Terroristic tactics

Terrorists act rationally to reach their destructive goals. They follow principles of human behaviour, and can be analysed by methods from social psychology, game theory, and network analysis (Leson, 2005; Rios, 2010). Woo (2008) describes the terrorists’ selection of weapons and attack modes as dominated by accessibility to the weapon. Terrorists usually choose weapon modes and targets against which the technical, logistical and security barriers to mission success are least.

Woo (2008) models the terrorists’ target selection process with these rules:

• Terrorists may substitute one target with another, according to the relative security of the targets.

• Local security enhancement transfers threat elsewhere.

• Terrorist attacks are geographically focused, with attack likelihood decreasing logarithmically for descending target tiers.

Fedra (2008) classifies the modes of terroristic attack as follows:

• Direct attacks: paramilitary, explosives, suicide attacks, water supply, food chain, biological agents

• Man-made accidents: transportation system (air, rail)

• Indirect attacks: dams, chemical installations, nuclear establishments

• Denial of service (DOS): water, energy, communication

Weapons

The Strategic Homeland Infrastructure Risk Assessment (SHIRA) (DHS & FBI, 2008) analysis is based on a defined set of 15 Identified Terrorist Attack Methods that combine the weapon category (biological attack, conventional, …), the chosen target (Population, Building, Livestock, …) and tactics (direct, indirect, …). Four of the 15 attack methods include biological agents:

• Biological Attack: Contagious Human Disease

• Biological Attack: Noncontagious Human Disease

• Biological Attack: Livestock and Crop Disease

• Food or Water Contamination

A more detailed analysis of threat identification for the case of water contamination is done below. It deals mainly with the choice of weapon, that is, the pathogen, by the attacker.

2.3.4 Vulnerability assessment

A vulnerability assessment identifies weaknesses that may be exploited by terrorists. It evaluates the potential vulnerability of the assets against the identified threats. Vulnerability is measured by the ease of accomplishing an attack. It also considers what possibilities for interventions are already in place that might thwart an attack and may suggest options to eliminate or mitigate those weaknesses.

Location, accessibility and recognisability are, among others, important factors to consider when determining vulnerability:

• Location: Geographic location of potential targets, entry and exit routes; location of target relative to public areas, transportation routes, or easily breached areas.

• Accessibility: Accessibility is the openness of the target to the threat. It describes how accessible a target is to the adversary; how easy it is for someone to enter, operate, collect information, and evade response forces. It also determines:

  • Detectability of the attack

  • The volume of a contaminant that can be injected without undue concern of detection

  • The amount of readily available information on the target

• Recognisability: The ease by which an attacker can identify the target without confusion with other targets

2.3.5 Risk evaluation

Almost every available risk evaluation technique addresses the following three questions to aggregate the information obtained in each of the assessment steps:

• What is the likely impact if an identified asset is lost or harmed? (Criticality)

• How likely is it that an adversary will attack? (Threat)

• What are the most likely vulnerabilities that the adversary will use to target the identified assets? (Vulnerability)

In “Failure Modes and Effects Analysis” (FMEA), a safety engineering method, the three components of risk estimation are Severity, Occurrence and Detection Rate, which sometimes are more readily understood.

So, risk evaluation combines criticality, threat, and vulnerability assessment to generate a risk profile for an asset, often using the simple risk equation: Risk = Criticality × Threat × Vulnerability.
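A worked instance of the risk equation above, added here as an illustration and not taken from the report or from Leson (2005): it ranks a constructed asset inventory and re-ranks it after a mitigation lowers one vulnerability rating. The 1–5 ordinal scale, the tie-break rule, the placeholder asset names and all ratings are assumptions.

```python
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # assumed ordinal scale, 1 (low) .. 5 (high); not from the text


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int    # consequence of loss, including shock (2.3.2)
    threat: int         # likelihood that an attack is attempted (2.3.3)
    vulnerability: int  # ease of accomplishing an attack (2.3.4)

    def __post_init__(self):
        for factor in ("criticality", "threat", "vulnerability"):
            if getattr(self, factor) not in SCALE:
                raise ValueError(f"{self.name}: {factor} must be in 1..5")

    @property
    def risk(self) -> int:
        # Risk = Criticality x Threat x Vulnerability
        return self.criticality * self.threat * self.vulnerability


def risk_profile(assets):
    """Rank assets by risk; ties go to the more critical asset, then by name."""
    return sorted(assets, key=lambda a: (-a.risk, -a.criticality, a.name))


def with_mitigation(assets, name, vulnerability):
    """Return a new inventory in which one asset's vulnerability is re-rated."""
    if name not in {a.name for a in assets}:
        raise KeyError(name)
    return [replace(a, vulnerability=vulnerability) if a.name == name else a
            for a in assets]


# Constructed inventory: placeholder names and made-up ratings.
INVENTORY = [
    Asset("asset-A", criticality=5, threat=2, vulnerability=4),  # risk 40
    Asset("asset-B", criticality=3, threat=3, vulnerability=4),  # risk 36
    Asset("asset-C", criticality=4, threat=3, vulnerability=3),  # risk 36
    Asset("asset-D", criticality=2, threat=1, vulnerability=5),  # risk 10
]

if __name__ == "__main__":
    hardened = with_mitigation(INVENTORY, "asset-A", 2)
    for label, inv in (("baseline", INVENTORY), ("asset-A hardened", hardened)):
        print(label)
        for a in risk_profile(inv):
            print(f"  {a.name}: {a.criticality} x {a.threat} x {a.vulnerability} = {a.risk}")
```

With ordinal ratings like these, the product is useful for ordering assets and comparing mitigation options, not as an absolute quantity.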

2.4 RISK ANALYSIS OF BIO-TERRORISTIC ATTACKS ON DRINKING