Approaches and Tools to Quantifying Facility Security Risk
Steve Fogarty, CSO
ARES Security Corporation
ARES is a high-performing Technology Solutions provider with more than 20 offices around the world.
- Certified and accredited products that have performed by identifying over $5M in cost avoidance for multiple users
- Product management that supports over 200 accounts with more than 4,500 users worldwide
- Product development that is CMMI Level 3 certified
- Aggressive roadmap supported by over $1M in yearly IRAD
- Extensive multi-industry perspective
ARES provides technology to Protect the World's Most Critical Assets.
- DECISION SUPPORT SOFTWARE for assessing threats and vulnerabilities while optimizing security budgets
- INTERACTIVE TRAINING SIMULATOR without the expense, site disruption, danger, or potential security concerns of conventional training
- ADVANCED CYBER security analysis to identify vulnerabilities and threats earlier and provide a better response to attacks
- ENHANCED SITUATIONAL AWARENESS and sensor correlation to better manage response and operations.
Computer-based Modeling & Simulation for Security
Security Modeling
- Facility Characterization: Site Layout; Infrastructure; Security layers; Elevation / Terrain
- Barrier Systems: Perimeter structure; Barriers; Delay systems
- Detection Systems: Sensors & cameras; Command / control; Communications
- Response Force: Patrol & response; Capabilities; Training
Security Simulation
- Define Scenario: Threat capabilities; Targets; Site Conditions; Sensitivity (counterfactual) Analysis
- Constructive Simulation: Attack planning or vulnerability; Overall system response to attack; Determine KPIs: system effectiveness, detections, interruption, neutralization
- Virtual Simulation: Response of real and virtual agents to scenario; Compare human response to anticipated/optimal response; Determine KPIs: exposure and response time, neutralization given response
Analysis of Alternatives
- Decision Metrics: Effectiveness and Cost, compared across Baseline, Option A, Option B, Option C
Facility Characterization: Model Building
Virtual Model Expectations
- 3D geometric representation (i.e., solid model) of the exterior of the facility as well as interiors of critical areas such as reactor building and fuel storage.
- Realistic visual representation overlaid (i.e., textured) on geometric representation
Figure panels: 3D Solid Model; Textured Model
Facility Characterization: Security Laydown
Expectations
- Those entering security configuration data (both technology and personnel) into the model are typically different than those that built the model geometry/texturing.
- Knowledge and expertise resides within the security professionals at the site, so they are ideally suited to provide the laydown of the security
- Tools should provide straightforward user interface with guided steps for common activities (e.g., wizards).
- Easiest if quantification/simulation engine connects directly to the tools used for laydown
System Performance Data
- Tool(s) leverage performance data from NRC, DOE, and DoD to assess the system effectiveness of physical protection at their facilities
- Library of performance data for protective measures used at nuclear facilities
- Performance data includes: terrains, detection tools, vehicles/platforms, weapons, barrier systems, environmental conditions, armor, equipment, security access, etc.
Perform Evaluation
- Provides a more consistent and systematic approach to define an adversary's attack
- Attack plan analysis considers site layout (terrain, detection, delay, response), adversary starting point, target set, and strategy (detection, firepower, speed)
- Remove subjectivity (e.g., time to breach)
- Consistently identifies new vulnerabilities
- Simulate numerous (100s to 1000s) attacks; each simulation is equivalent to a table-top drill or force-on-force exercise
- Monte Carlo techniques
- Combat simulation uses Ph/Pk
- Explicit treatment of detection, interruption, and neutralization
- Simulations use an adaptive adversary which may alter its attack paths based on circumstances
History of AVERT
- In the late 1990s the Defense Threat Reduction Agency led large scale PRAs for peacetime nuclear operations.
- These assessments used many of the same PRA techniques known as Weapon System Safety Assessments (WSSAs) initially developed and implemented for the commercial nuclear power industry.
- Focused on the accident-induced risk of nuclear material dispersal.
- Although it was recognized at the time that radiological dispersal could be initiated by intentional acts (e.g., terrorism), the tools to quantify such risk did not exist for these events as they did for accident (i.e., safety) events.
- This led to the DoD initiating funding under their Small Business Innovation Research program to evaluate methods for quantifying risks of intentional acts.
- The AVERT tool was initially developed under the three phases of this Small Business Innovation Research funding from DoD.
- Tool was fully commercialized in 2007 with significant R&D since that time.
AVERT - What can happen (i.e., What can go wrong)?
- Early development of the tool was focused on a predictive method for determining adversary attack plans (i.e., vulnerabilities).
- These attack plans are analogous to accident sequences used in traditional commercial nuclear PRAs
- Key difference is that typical event sequence models for safety are static and based upon expertise needed to determine possible states.
- The adaptive and thinking nature of an adversary made traditional PRA approaches inappropriate for this portion of the risk assessment.
- The unique approach created focuses on general adversary strategies to automatically predict how the security system could be defeated.
- Used either individually or in combinations, the factors in these strategies include the adversaries' desire to:
  1. proceed to their objective(s) as quickly as possible
  2. minimize probability of detection by the security system
  3. avoid fire from the opposing security force.
- A critical element of this process is the characterization of all aspects of the security system to include both security technology and security personnel.
AVERT - How likely is it that that will happen?
- Determining the likelihood of an attack for each of the previously determined attack plans.
- The biggest hurdle in this problem is finding a method to justify the frequency of attack by the adversary.
- Data to justify such estimates are generally scarce, and just as we begin to utilize such data, the adversary is likely to adapt so as to invalidate any estimate.
- Fortunately, we do find an excellent application of quantitative risk techniques toward the remainder of likelihood calculations.
- In addition to attack frequency, our second risk question also requires an understanding of whether the security system can successfully neutralize such an attack (Pe), thereby preventing the adversary from accomplishing their objective.
AVERT - How likely is it that that will happen? (contd.)
- AVERT's architecture contains a simulation engine that can virtually attack the facility along each of the previously determined attack plans.
- In this way, the system performance can be evaluated as a whole and the system's effectiveness determined simply by dividing the number of attacks where the system succeeded at stopping the adversary by the total number of simulated attacks.
- One key consideration is replicating the adversaries' or security force's ability to adapt to the situation on the ground as an attack plays out.
- The algorithm previously used in the attack planning phase is adjusted to allow adversaries and security forces to begin the simulation with a plan, but also let them deviate or adapt as desired.
- The flexibility and dynamic nature of this adaptation has proven to be a primary reason why the DoD and DOE have implemented AVERT for their nuclear facilities.
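
The effectiveness calculation described above, as an added example that is not part of the original slides and is not AVERT code: a Monte Carlo estimate of Pe (attacks stopped divided by attacks simulated) for one fixed attack path, compared between a baseline and one alternative. The layer names, probabilities, delays and response time are constructed; the interruption rule, the exponential delay model and the single neutralization probability are simplifying assumptions, and adversary adaptation is not modelled.

```python
import math
import random

# Constructed sample data (not from the slides). Each layer on one attack path:
# (name, probability of detection, mean adversary delay in seconds).
BASELINE = [
    ("perimeter fence", 0.50, 30.0),
    ("protected yard", 0.30, 60.0),
    ("building door", 0.80, 90.0),
    ("vault", 0.90, 120.0),
]
# Option A (constructed alternative): better perimeter sensing, same delays.
OPTION_A = [("perimeter fence", 0.90, 30.0)] + BASELINE[1:]


def simulate_attack(path, response_time, p_neutralize, rng):
    """Run one simulated attack; return True if the security system stops it."""
    # Task times vary run to run, so draw each layer's delay from a distribution.
    delays = [rng.expovariate(1.0 / mean) for _, _, mean in path]
    for i, (_, p_detect, _) in enumerate(path):
        if rng.random() < p_detect:
            # First detection on entering layer i: the adversary still has to
            # defeat this layer and every later one before reaching the target.
            remaining = sum(delays[i:])
            interrupted = response_time < remaining
            # Neutralization is collapsed to one probability here; a combat
            # model would resolve it shot by shot.
            return interrupted and rng.random() < p_neutralize
    return False  # never detected, so no response is launched


def system_effectiveness(path, n=5000, response_time=150.0,
                         p_neutralize=0.85, seed=1):
    """Return (Pe, 95% half-width), with Pe = attacks stopped / attacks run."""
    rng = random.Random(seed)
    wins = sum(simulate_attack(path, response_time, p_neutralize, rng)
               for _ in range(n))
    pe = wins / n
    return pe, 1.96 * math.sqrt(pe * (1.0 - pe) / n)


if __name__ == "__main__":
    for label, path in (("Baseline", BASELINE), ("Option A", OPTION_A)):
        pe, hw = system_effectiveness(path)
        print(f"{label}: Pe = {pe:.3f} +/- {hw:.3f}")
```

The half-width shows why run counts in the hundreds to thousands matter: it shrinks with the square root of the number of simulated attacks, so two options should only be ranked when their intervals do not overlap.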
AVERT - If it does happen, what are the consequences?
- Historically, nuclear reactor safety risk assessments focus on answering only the first two questions in the triplet risk definition.
- These Level 1 PRAs have the risk of core damage as the focus.
- Regulations and guidance for security align well with these safety PRAs in that they also require prevention of core or spent fuel damage.
- AVERT's focus is on assisting with risk decisions for the security professional who designs, maintains, and operates the security system and therefore, the risk calculation in AVERT is geared to cover those risks that a licensee can control.
- If a determination of consequence is desired beyond spent fuel or core damage, the same techniques utilized in Level 2 and 3 reactor safety PRAs can be directly applied.
Rapidly Produce Charts, Graphs & Visuals
- Rapidly produce powerful visualizations of pathways and points of breach, detection, neutralization and charts on detection, neutralization
- Graphs on Detection, Interruption, Neutralization over time and distance
- Compare points of neutralization
- Plot results over heat maps that show the fields of fire
- View shots taken during exercise
22 Nov 2013
Visualization of Results: Weapon LOS Heat Maps
Visualization of Results (contd.)
Model Visualization
- New design changes
  - Determine tower height for new camera that minimizes cable run length but ensures visibility of area
- Easy visual access to areas of nuclear facility where access is difficult due to safety or security reasons.
Simulation Visualization
- Diagnostic tool for M&S validation
- Once scenarios of particular interest have been identified (via performance or risk assessment), they can be replayed in 3D using high-fidelity simulators
Visualization is Key For Communicating The Benefits Of M&S To The Organization.
How to make tools that work for the community
- Vendors need feedback to ensure M&S tools are meeting the needs
- Operators need to select tools that have undergone verification and validation testing for their intended purpose
- Operators need tools that are matched to the skills of their staff
  - Otherwise M&S will remain only in the domain of specialized external consultants
Summary
- There has been a significant leap forward in simulation capability
- Accredited and proven solution for nuclear security
- Targeted to the needs and capabilities of the facility security user
- Well suited for analysis of alternatives and what-if analyses.
- Can create very realistic simulations that represent a facility including situations that are not practical to do live
- Metrics of overall performance of the security system as well as risk drivers, maximize benefit